16 KiB
GPS -> GuruRMM Coverage Audit
Goal: For every business/client paying for GPS (Guru Protection Service), verify that
GuruRMM is set up correctly — the org/account exists, the machines they pay for are all
enrolled and reporting, and the services they pay for (backups, AV, email) are actually
configured and working. Where the client wiki is missing host/login/provider info, fill
those gaps as we go (credentials -> SOPS vault via /vault).
Source of truth for "should have": Syncro active recurring schedules (device counts +
service line items). Reality: GuruRMM /api/agents, plus backup/AV/email tooling.
- Started: 2026-07-03 (Howard)
- AV STRATEGY (Howard 2026-07-03): migrate Bitdefender -> Datto EDR for ALL clients except Glaztech and Dataforth (those two keep Bitdefender). Target end-state per machine (non-exempt) = GuruRMM agent + Datto EDR + Bitdefender removed. Bitdefender inventory is now only a discovery source (which machines exist), not a coverage target. See memory
project_av_migration_bitdefender_to_edr. - Scope: 40 active GPS clients (4 paused clients excluded: Marcia Ashton, Tucson Mountain Motors, Richard Pittman, Brenda Lopez)
- GPS device count = sum of GPS workstation + server SKUs (excludes AntiVirus add-on, discounts, setup)
Per-client verification checklist (each client)
- 1. RMM org/account exists and is named correctly
- 2. Machine count in RMM matches GPS devices billed (reconcile every host)
- 3. Services billed are actually configured + working: Backup / AV / Email / VoIP
- 4. Client wiki has: host/provider (email, DNS, web — and whether ACG-managed), admin logins (-> vault), key contacts
- 5. Discrepancies logged + remediation started
Legend: MATCH RMM >= billed · SHORT (n) RMM under billed by n · MISSING no RMM org ·
? needs investigation. Svc flags from billing: B=Backup A=AV E=Email V=VoIP.
A. Present in RMM — counts match (verify services + wiki) — 7
| done | Client | Syncro CID | GPS billed | RMM machines | Status | Svc | Notes |
|---|---|---|---|---|---|---|---|
| [ ] | Dataforth Corp | 578095 | 43 | 51 | MATCH (RMM+8) | B A E | RMM has more than billed — reconcile extras |
| [ ] | Cascades of Tucson | 20149445 | 29 | 33 | MATCH (RMM+4) | A E V | |
| [ ] | Valley Wide Plastering | 31694734 | 29 | 28 | MATCH (~) | B | short 1, within reason |
| [ ] | Len's Auto Brokerage | 3289131 | 8 | 8 | MATCH | E | |
| [ ] | Arizona Medical Transit | 7088349 | 1 | 2 | MATCH (RMM+1) | B E V | |
| [ ] | AT Trebesch | 238740 | 1 | 1 | MATCH | - | |
| [ ] | Russo Law Firm | 23331699 | 3 | 3 | MATCH | A E V | Renamed 2026-07-03 from mislabeled "Russo, Steve" (Steve Russo owner, Shannon Trionfo contact) |
Bucket A findings (discovery 2026-07-03)
- Dataforth Corp — 51 agents vs 43 billed GPS (+8). Possible under-billing / uncounted machines — several look like personal boxes (DESKTOP-*, LAPTOP-RD47E88A, Test01). Reconcile host-by-host with Mike; confirm which are billable. Wiki:
dataforth.mdexists. - Cascades of Tucson — 33 agents vs 29 billed (+4).
RECEPTIONIST-PCappears twice in RMM — likely a duplicate/stale agent record to clean up. Wiki:cascades-tucson.mdexists. - Valley Wide Plastering — 28 agents vs 29 billed (short 1). Effectively reconciled. Wiki:
valleywide.mdexists. - Len's Auto Brokerage — 8 agents = 8 billed (MATCH). FLAG: LAB-SVR (production Server 2019) agent offline since 2026-06-18 (~2 wks) — verify box/agent health. Email = 1x M365 Apps for Business; email host/provider not documented in wiki (gap). Wiki:
lens-auto-brokerage.mdthorough. - Arizona Medical Transit — 2 agents (AMT-HYPERV + AMT-PC) vs 1 billed. No wiki article exists — create one (host/provider, logins -> vault).
- AT Trebesch — 1 agent = 1 billed (MATCH). Wiki:
attrebesch.mdexists. - Russo Law Firm — 3 agents = 3 billed (MATCH). Org rename applied today. Sites: Main (has all 3) + empty "Shannon" site — consider moving STRIONFO to the Shannon site. Wiki:
russo-law.mdexists.
Still to verify per client (services + wiki): backups (none billed for most of A except Dataforth/VWP/AMT), AV coverage vs billed AV seats, email host documented, admin logins in vault.
Backup layer (B2/MSP360) findings
- Dataforth —
ACG-Dataforthbucket present w/ data (billed B) [OK dest exists] - Valley Wide —
VWP-Backupbucket present w/ data (billed B) [OK dest exists] - Arizona Medical Transit — billed Data Backup but NO dedicated B2 bucket — destination unknown (Datto? shared bucket?). VERIFY where AMT backup lands.
- Cascades —
ACG-Cascadesbucket present w/ data but no Data Backup line item billed — possible unbilled backup / revenue leak, or legacy. Confirm w/ Mike. - Len's Auto —
ACG-Lensbucket present w/ data but backup not billed (Svc=E only) — same question as Cascades. - Caveat: bucket file lists are name-ordered, not time-ordered — "backup ran today" freshness must be confirmed in the MSP360 console; bucket presence only proves a destination is configured.
- Other buckets not tied to a bucket-A client: ACG-BST, ACG-Brett, ACG-GLAZTECH, ACG-IX, ACG-PST, ACG-REDNOUR, ACG-Rohrbach, ACG-TCA, Horseshoe, ACG-Internal, MSPBackups20200311 (stale — 2021, ex-client FSG).
AV layer findings (AV split across TWO tools — Datto AV is primary for big clients, Bitdefender for smaller)
- Dataforth — billed 43 AV. Datto EDR: 51 agents (org 4a2664bf) — covered [OK]. (Bitdefender also has 5 — legacy/partial; Datto is primary.)
- Cascades — billed 29 AV. Datto EDR: 34 agents (org 2d5ea96e) — covered [OK]. Bitdefender company exists but 0 endpoints — Cascades AV lives entirely in Datto.
- Russo Law Firm — billed ~5 AV. Bitdefender: 6 endpoints (company 60abfa4c) — covered [OK], but STRIONFO listed twice in Bitdefender (dedupe stale record). Not the primary in Datto.
- Lesson for the audit: AV coverage is NOT single-tool — must check BOTH Datto EDR and Bitdefender before declaring an AV gap. Bitdefender company names carry the Syncro CID suffix (
_NNNNN) which makes mapping exact. - Datto "Default RMM Org" (35 agents, 23 sites) is a catch-all — small clients' Datto agents may sit there unsegmented; relevant when we reach buckets B/C.
Email + vault findings
- Vault: all 7 A clients have entries. Dupes to consolidate:
russo+russo-law, andvalleywide+vwp. AMT had a vault entry (RMM keys) but no wiki (now created). - Email hosts (from billing — several need the actual mail host documented):
- Dataforth — Pax8 M365 (Exchange Online P1 + M365 Business Std): ACG-managed M365 [OK]
- Cascades — 45 M365 Business Premium + 235 "Exchange Hosted Email": large hosted-Exchange footprint, host not documented [GAP]
- Len's Auto — only 1 M365 Apps for Business (no mailbox license): actual email host unknown [GAP]
- Arizona Medical Transit — 5 "Exchange Hosted Email": host not documented [GAP]
- Russo Law — 5 "Exchange Hosted Email": host not documented [GAP]
- AT Trebesch — no email billed
- "Exchange Hosted Email" is a recurring unknown across A (and likely B/C) — one host to identify (ACG-hosted Exchange vs a third party). Resolve once, apply everywhere.
Bucket A verification rollup (2026-07-03)
- Machines: reconciled 7/7 (findings above). Backups: mapped 7/7 (3 billing flags held for Winter). AV: verified 3/3 AV-billed clients covered (Datto + Bitdefender). Vault: present 7/7. Wiki: 6 existed + AMT created = 7/7.
- Remaining open (documentation, not coverage gaps): email host for Cascades/Len's/AMT/Russo; Dataforth +8 billing reconcile; Cascades dup agent + Bitdefender dup (STRIONFO); Len's LAB-SVR offline; vault dupe consolidation. All logged; nothing outbound to Winter until the full list is verified.
B. Present in RMM — SHORT (missing agents to deploy) — 8
| done | Client | Syncro CID | GPS billed | RMM machines | Gap | Svc | Notes |
|---|---|---|---|---|---|---|---|
| [ ] | Glaz-Tech Industries | 143932 | 159 | 5 | 154 | B A E | ANOMALY — 149x GPS basic + 10x GPS Pro Server billed; verify billing is real vs legacy before treating as 154 missing |
| [ ] | Instrumental Music Center | 7088508 | 20 | 1 | 19 | A E V | |
| [ ] | Jimmy Company | 18560272 | 12 | 1 | 11 | B A | |
| [ ] | Horseshoe Management | 625269 | 9 | 1 | 8 | B E | |
| [ ] | Safesite LLC | 26563106 | 37 | 31 | 6 | A E | |
| [ ] | Stamback Septic | 11513046 | 8 | 3 | 5 | V | |
| [ ] | Grabb & Durando Law Office | 14232794 | 12 | 9 | 3 | B A E | |
| [ ] | Quantum Wealth Management | 7088747 | 3 | 2 | 1 | B E V |
Bucket B coverage matrix (RMM vs Datto AV vs Bitdefender, 2026-07-03)
| Client | GPS billed | RMM | Datto | Bitdef | Read |
|---|---|---|---|---|---|
| Glaz-Tech Industries | 159 | 5 (all servers) | 5 | 242 | ANOMALY — RMM+Datto = 5 real infra boxes; Bitdefender 242 is years of stale enrollments; 149 GPS-basic billing not backed by real machines. HUMAN review (Mike). |
| Instrumental Music Center | 20 | 1 | 0 | 22 | Real gap — ~22 workstations exist (Bitdefender AV) but only IMC1 in RMM. Deploy ~19 RMM agents. |
| Horseshoe Management | 9 | 1 | 6 | 7 | Real gap — 6-7 machines exist (Datto+BD), only HSM-NewServer in RMM. Deploy ~5-8 agents. |
| Safesite LLC | 37 | 31 | 48 | 16 | Real gap — 48 in Datto, RMM 31. Machines exist; RMM short ~6+. Dedupe RMM MSI (listed twice). |
| Grabb & Durando | 12 | 9 | 0 | 15 | Real gap — 15 in Bitdefender, RMM 9. Deploy ~3-6 agents. |
| Quantum Wealth Mgmt | 3 | 2 | 0 | 4 | Small gap — BD 4, RMM 2. Add ~1-2 agents. |
| Jimmy Company | 12 | 1 | 0 | 1 | BILLING FLAG — only 1 machine managed anywhere (RMM Blaster2 / BD 1). Billed 12 -> either stale billing OR 11 unmanaged+unprotected machines. Investigate. |
| Stamback Septic | 8 | 3 (2 uniq) | 0 | 2 | BILLING FLAG — 2-3 machines managed anywhere, billed 8. Same question as Jimmy. RMM DESKTOP-BTR2AM3 listed twice (dedupe). |
Split: Real RMM-deploy gaps -> IMC, Horseshoe, Safesite, Grabb, QWM (~34-52 agents to push where the box already runs Datto/BD AV). Billing/coverage review (for Winter/Mike, document only) -> Glaz-Tech, Jimmy, Stamback. RMM dedupes -> Safesite MSI x2, Stamback DESKTOP-BTR2AM3 x2.
Bitdefender companies exist for ALL bucket-B (and nearly all bucket-C) clients with the Syncro CID in the name — AV is broadly deployed even where RMM is not.
IMC deep-dive (template client for the deploy pattern, 2026-07-03)
- IMC1 = Primary DC for domain
IMC.local(192.168.0.2), already in RMM; Domain Admin credIMC\guruvaulted (clients/imc/imc1.sops.yaml). RMM site: IMCMain / INNER-BRIDGE-8354. - True active fleet ~22 (AD objects with 2026 logons == Bitdefender's 22). Billed 20 GPS — legit.
- RMM has only IMC1 -> 21 active domain machines need the agent.
- Deploy vehicle: push GuruRMM site MSI (INNER-BRIDGE-8354) from the DC to domain members using the vaulted Domain Admin cred (Invoke-Command or a software-install GPO). This is the reusable pattern for any domain client (DC already in RMM -> AD is the authoritative list -> push from DC).
- AD hygiene finding: ~24 stale computer objects in IMC.local (Windows 7, last logon 2015-2019) never removed — separate cleanup task.
- Deploy targets (in Bitdefender, active, not IMC1): IMC-M-EDSERVICE, IMC-SVCSTR, IMC-L1-STATION9, IMC-MINI, IMC-LESSONS, IMC-STATION2, IMC-STATION1, PURCHASINGCOMP, IMC-L1-GRAPHICS, LAPTOP-DCHQ3F92, LAPTOP-PNVA9G51, PHIL2021LAPTOP, IMC-LUIS, DESKTOP-GHG12G3, DESKTOP-JQ0D38J, DESKTOP-URV3UGR, C2B, IMC-PRINTSERVER, DESKTOP-44L80C0, DESKTOP-MR3ALTK, REPAIRADMIN (21).
IMC DEPLOY EXECUTED 2026-07-03 — via ScreenConnect (channel finding: see memory reference_rmm_deploy_via_screenconnect)
- DC remote-exec is a dead end on IMC's Win10/11 clients: DCOM firewalled (WMI "RPC unavailable"), schtasks/S rejected by Win11 from the 2016 DC ("request not supported"), WinRM off. SYSTEM on the DC also can't create GPOs; SSH to IMC1 blocked (Tailscale route not accepting 192.168.0.0/24 + no local key).
- Working channel = ScreenConnect send-command (runs as SYSTEM on the guest, no creds, no firewall issue). Every IMC machine has an SC agent.
- Pushed
powershell -enc <base64 of: irm '<site>/windows'|iex>to 20 of 21 targets (2 test + 18 rollout). IMC-L1-GRAPHICS has NO SC session (stale 2025 box — handle separately). - Result: RMM IMC agents 1 -> 12 and climbing (online machines enrolled in ~1-3 min; offline ones queued in SC, install on reconnect). Daily check task tracks to completion.
- DA-password attempts via RMM were scrubbed (
DELETE /api/commands/:id, HTTP 204) — no credential persisted. No partial installs from the failed methods.
C. MISSING from RMM entirely (no org found) — 25
| done | Client | Syncro CID | GPS billed | Svc | Notes / verify not under an alias |
|---|---|---|---|---|---|
| [ ] | Reliant Well Drilling and Pump | 10736261 | 9 | B V | |
| [ ] | Zeus Nestora | 1196974 | 8 | - | |
| [ ] | Little Hearts Little Hands | 1144233 | 8 | E | |
| [ ] | PUTT Land Surveying | 7180175 | 7 | A E | |
| [ ] | Curtis Plumbing | 416585 | 6 | B A E | |
| [ ] | The Prairie Schooner | 3664974 | 5 | B E V | |
| [ ] | Mineralogical Record | 207770 | 5 | B A V | |
| [ ] | T & C Sorensen | 344886 | 4 | B E | |
| [ ] | MVAN Enterprises Inc | 29462761 | 4 | A E | |
| [ ] | Ridgetop Group | 9413367 | 3 | B | |
| [ ] | Multicultural Counseling Center | 35483539 | 3 | A E | |
| [ ] | Brett Interiors | 15726057 | 3 | B | |
| [ ] | Heieck, Sheila | 12045942 | 3 | E | individual-named account |
| [ ] | The Marc Group | 869073 | 2 | E | |
| [ ] | Residential and Renovation Engineering | 7088403 | 2 | A V | |
| [ ] | Bill Tedards | 487887 | 2 | B E V | |
| [ ] | Janet Altschuler | 457710 | 2 | B | individual-named account |
| [ ] | Business Services of Tucson LLC | 29338800 | 2 | B | |
| [ ] | Andy's Mobile Fuel | 27364453 | 2 | E | |
| [ ] | Design and Brand Envoys | 26747288 | 2 | B A E | |
| [ ] | Pro-Tech Services | 23702122 | 2 | A | |
| [ ] | Inside Track Productions | 3021358 | 1 | - | |
| [ ] | Gary A Hartman LLC | 29038261 | 1 | B | |
| [ ] | Robyn Pittman | 17031534 | 1 | - | individual-named account |
| [ ] | Marty Ryan | 140717 | 1 | A E | individual-named account |
Daily progress check (automated)
- Windows scheduled task GPS-RMM-Progress runs daily 8:07am (Howard-Home), script
.claude/scripts/gps-rmm-progress-check.sh, targetsprojects/gps-rmm-audit/targets.json. Compares live RMM agent counts (unique hostnames) to GPS device targets and DMs Howard the remaining gaps; reports COMPLETE when all met (then retire viaschtasks /Delete /TN GPS-RMM-Progress). Baseline 2026-07-03: 46/189 devices in RMM, 32 clients short. Glaz-Tech excluded pending billing review.
Rollup
- 7 clients match on machine count (still need service + wiki verification).
- 8 clients present but short — ~50 agents to deploy (excl. Glaz-Tech anomaly).
- 25 clients with no RMM org — ~86 GPS devices billed, zero RMM presence (some may be under an alias / not yet deployed — verify per client).
- Biggest single flag: Glaz-Tech Industries billed 159 GPS but only 5 RMM agents — confirm the billing is current before acting.
Method notes
- GPS SKUs matched: GPS basic/monthly, GPS pro/monthly, GPS Workstation, GPS Server, GPS Pro Server (+ variants). Excluded: GPS AntiVirus Add-on, GPS addon, GPS Discount, GPS Set-up, GPS trial.
- RMM counts from
GET /api/agentsgrouped byclient_name, 2026-07-03. - "MISSING" = no
client_namematch in RMM; each must be double-checked for an alias (person name / DBA) before onboarding a duplicate.