How To Remove Unused Devices From Sophos Central
The number of devices managed in your Sophos Central tenant will increase over time, and, as your estate evolves, some devices may not have a recent last activity date.
This could be due to a multitude of reasons: the device may have been decommissioned, it was set up as a quick test machine, or the user has left the company. The list goes on.
Whatever the reason, you may already have a robust procedure in place for dealing with such devices. Perhaps your tenant is looking spick and span and is a model deployment. Although, I'm sure for many of us out there, there's a device that may have slipped through the net and is lying dormant in Sophos Central.
SO WHY DO I NEED TO DO THIS?
Currently the Sophos Central Active Directory (AD) Sync Utility supports synchronizing AD users and user groups, but not devices and device groups. This means there is currently no native method to clear old devices from Sophos Central automatically. If there are many devices in need of deletion, we do not want to delete them manually through the Sophos Central UI.
We have two options. The first is a somewhat manual process: use the Sophos Central API to gather device data and manually cross-reference those devices against your source of truth for devices. You can then create a script which deletes the confirmed devices using the Sophos Central API.
At the end of this blog post there are two demo scripts to allow you to gather inactive devices and then delete them.
The second option still uses the Sophos Central API to gather device data, but with the added benefit of using a Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tool to make it as automated as possible from end to end.
For the second option we need to answer a few questions:
- What data will I need to collect to help decide whether I can delete a device?
- What happens if an active machine is deleted automatically?
- What tools do I have to assist with this process?
To answer these questions, I will cover the basic components of our process as a template for you to implement in your own environment and processes. For a quick overview, below is a process diagram we have in place.
WHAT INFORMATION IS NEEDED?
Firstly, and most importantly, we need a source of truth for devices, and for most organizations this is AD. You will need to monitor the latest changes in the Disabled OU, or the equivalent location depending on how your organization manages retired devices and rebuild processes. Important fields from this data source are:
- Hostname
- Domain
- Distinguished Name
- Operating System
- Operating System Build Number
We also need to establish the current devices in Sophos Central. We can gather an inventory list of devices using the Sophos Central API.
These fields are returned by the Sophos Central Endpoint API (GET /endpoint/v1/endpoints).
Key fields from this data for this process are:
– hostname
– id
– lastSeenAt
– os
  – name
  – build
– type
– associatedPerson
  – name
  – viaLogin
– tenant
  – id
Together, these will form a solid base to help determine which systems are potential candidates for deletion.
HOW CAN WE VALIDATE THE AD AND CENTRAL DATA?
The data is correlated using the hostname and domain of the device. In an ideal world, we would want a universally unique identifier (UUID) which ties them together. You may have another method which works in your environment to achieve this correlation.
Once the two data sources are correlated, we need to establish some comparatives before we pass the data to a SOAR tool for processing, to ensure there is some logic to handle the events.
WHAT QUESTIONS REQUIRE SOME LOGIC TO ANSWER?
Our aim for this process is to remove devices from Sophos Central which are no longer active. To achieve this without deleting valid devices, we need to think of the likely scenarios in which we do not want to delete a device.
Determine device inactive period:
The purpose of this is to allow a sensible period of inactivity for a system in the disabled OU. By only returning those devices inactive for longer than a certain period of time, we are less likely to delete a device which may not need to be deleted from Sophos Central.
- Convert the lastSeenAt field to Unix epoch time using strptime; the lastSeenAt format is "2019-09-23T12:02:01.700Z" (the trailing Z means the timestamp is UTC)
- Calculate how many days since the device was last seen: (now() Unix epoch – lastSeenAt Unix epoch)/86400
Validate whether the OS build matches:
There could be a situation where the hostname and domain match a system in the inventory but the OS build does not match (for example, the hostname was reused for a rebuilt machine). In this instance, the device should have a flag set for manual intervention to avoid errors. The best method is comparing the OS build of the device in AD against the data from Sophos Central.
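The correlation on hostname and domain, the inactive-period calculation and the OS build check, worked through as an added example (this is not the blog's code). It assumes the AD export carries a NetBIOS domain and the raw operatingSystemVersion string ("10.0 (18363)"), and that the Central-side domain is taken from associatedPerson.viaLogin ("DOMAIN\user"), since the endpoint object itself has no domain field; all sample records are constructed.

```python
"""Correlate an AD disabled-OU export with a Sophos Central inventory."""
import re
import time
from datetime import datetime, timezone

LAST_SEEN_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # Central lastSeenAt, e.g. 2019-09-23T12:02:01.700Z


def last_seen_epoch(last_seen_at):
    """lastSeenAt -> Unix epoch. The trailing 'Z' is UTC, so attach the timezone
    explicitly; a naive strptime() result would be interpreted as local time."""
    return datetime.strptime(last_seen_at, LAST_SEEN_FMT).replace(tzinfo=timezone.utc).timestamp()


def days_since_seen(last_seen_at, now_epoch=None):
    now_epoch = time.time() if now_epoch is None else now_epoch
    return (now_epoch - last_seen_epoch(last_seen_at)) / 86400


def norm(value):
    """Hostnames and domains are case-insensitive; normalise before keying."""
    return (value or "").strip().lower()


def central_domain(ep):
    """Assumption: NetBIOS domain from viaLogin 'DOMAIN\\user'; '' when unknown."""
    login = (ep.get("associatedPerson") or {}).get("viaLogin") or ""
    return norm(login.split("\\", 1)[0]) if "\\" in login else ""


def ad_build(ad):
    """AD operatingSystemVersion looks like '10.0 (18363)'; Central os.build is 18363."""
    m = re.search(r"\((\d+)\)", str(ad.get("os_version", "")))
    return m.group(1) if m else str(ad.get("os_version", "")).strip()


def correlate(ad_disabled, central_items, min_days, now_epoch=None):
    """One record per Central device that matches a computer in the disabled OU.

    status: 'candidate' inactive >= min_days, build matches, domain confirmed
            'active'    seen within min_days -> not returned for deletion yet
            'manual'    build mismatch, domain unconfirmed or no lastSeenAt
    """
    by_key = {(norm(ad["hostname"]), norm(ad["domain"])): ad for ad in ad_disabled}
    results = []
    for ep in central_items:
        host, dom = norm(ep.get("hostname")), central_domain(ep)
        ad, domain_unconfirmed = by_key.get((host, dom)), False
        if ad is None and not dom:
            # No login recorded on the device: fall back to hostname alone,
            # but only when that hostname is unique in the disabled OU.
            hits = [v for (h, _), v in by_key.items() if h == host]
            if len(hits) == 1:
                ad, domain_unconfirmed = hits[0], True
        if ad is None:
            continue  # not in the disabled OU: never a deletion candidate
        last_seen = ep.get("lastSeenAt")
        days = days_since_seen(last_seen, now_epoch) if last_seen else None
        build_ok = str((ep.get("os") or {}).get("build", "")) == ad_build(ad)
        if days is None:
            status = "manual"
        elif days < min_days:
            status = "active"
        elif not build_ok or domain_unconfirmed:
            status = "manual"
        else:
            status = "candidate"
        results.append({"id": ep["id"], "hostname": ep.get("hostname"), "domain": dom or norm(ad["domain"]),
                        "days_inactive": None if days is None else round(days, 1),
                        "build_mismatch": not build_ok, "status": status})
    return results


# --- constructed sample data (not real devices) ---------------------------------
NOW_EPOCH = 1612051200  # 2021-01-31T00:00:00Z
SAMPLE_AD = [
    {"hostname": "PC-OLD", "domain": "CORP", "os_version": "10.0 (18363)"},
    {"hostname": "PC-REBUILT", "domain": "CORP", "os_version": "10.0 (18363)"},
    {"hostname": "PC-LIVE", "domain": "CORP", "os_version": "10.0 (19042)"},
    {"hostname": "PC-NOLOGIN", "domain": "CORP", "os_version": "10.0 (18363)"},
]
SAMPLE_CENTRAL = [
    {"id": "e1", "hostname": "pc-old", "lastSeenAt": "2020-09-01T08:00:00.000Z",
     "os": {"name": "Windows 10", "build": 18363}, "associatedPerson": {"viaLogin": "CORP\\jdoe"}},
    {"id": "e2", "hostname": "PC-REBUILT", "lastSeenAt": "2020-09-01T08:00:00.000Z",
     "os": {"build": 19042}, "associatedPerson": {"viaLogin": "CORP\\asmith"}},
    {"id": "e3", "hostname": "PC-LIVE", "lastSeenAt": "2021-01-30T09:00:00.000Z",
     "os": {"build": 19042}, "associatedPerson": {"viaLogin": "CORP\\bob"}},
    {"id": "e4", "hostname": "PC-NOLOGIN", "lastSeenAt": "2020-09-01T08:00:00.000Z", "os": {"build": 18363}},
    {"id": "e5", "hostname": "PC-OTHER", "lastSeenAt": "2020-01-01T00:00:00.000Z",
     "os": {"build": 18363}, "associatedPerson": {"viaLogin": "CORP\\eve"}},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_AD, SAMPLE_CENTRAL, min_days=90, now_epoch=NOW_EPOCH):
        print(row)
```

Only 'candidate' rows go forward to the SOAR flow; 'manual' rows become tickets, and 'active' rows are simply re-evaluated on the next run. Note that PC-OTHER never appears in the output at all: anything outside the disabled OU is out of scope by construction, which is the cheapest safeguard against deleting a live machine.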
AUTOMATE
We now have several systems identified in the data which could be deleted from Sophos Central. Using a SOAR platform will allow you to pass each event through a flow process to determine what should happen to the device.
By checking the data you have from your SIEM against live Sophos Central Endpoint API data, you can make a final validation that the device is indeed inactive and can be deleted.
In addition to the automation aspect of deleting devices, we also need to do some auditing and perhaps include some scenarios to enforce manual intervention before deletion can be authorized.
Monitor VIP devices:
To avoid unintentional deletion of devices belonging to VIP users, we would suggest flagging these devices for manual intervention to verify whether the device can be deleted from Sophos Central. One possibility is using a specific AD user group to define who these users are.
Active devices:
After comparing the machine's last activity from the SIEM with that obtained through the live Sophos Central API query, it may turn out that the device has reported back into Sophos Central recently. These machines should be raised for manual validation before they are deleted.
Avoid duplication of processing:
Logging which devices have been deleted allows for auditing and for excluding these systems when collating the information at the start of the process.
Track active processing which has been passed for manual intervention:
Where devices require manual intervention and a ticket is opened, it is recommended to log these and exclude them from future processing while the ticket is open. As part of the SOAR process intervention, this can be automated. Once the relevant response is received, the change can be made. Whether the device is deleted or not is noted, the ticket is updated, and the ticket log entry is no longer marked as active.
Track deletion failures:
It is also recommended to flag failures to delete or to verify device information, so that manual intervention can be applied to these.
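The decision and bookkeeping layer of the SOAR flow described in this section, as an added example (not the blog's playbook): VIP and recently active devices go to manual review, devices deleted in an earlier run or with an open ticket are skipped, and verification or deletion failures are flagged. It assumes candidate records shaped like Central endpoint objects (id, hostname, associatedPerson.viaLogin), a set of VIP logins exported from an AD group, and a live_lookup(id) callable wrapping GET /endpoint/v1/endpoints/{id}; the sample data is constructed.

```python
"""Triage deletion candidates and keep the audit state a SOAR flow needs."""
import time
from datetime import datetime, timezone

LAST_SEEN_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def days_since(last_seen_at, now_epoch=None):
    """Days since a Central lastSeenAt timestamp (UTC, trailing 'Z')."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    seen = datetime.strptime(last_seen_at, LAST_SEEN_FMT).replace(tzinfo=timezone.utc)
    return (now_epoch - seen.timestamp()) / 86400


class TriageState:
    """What must persist between runs: deleted ids, open tickets, an audit trail."""

    def __init__(self, deleted=(), open_tickets=None):
        self.deleted = set(deleted)
        self.open_tickets = dict(open_tickets or {})  # endpoint id -> ticket id
        self.audit = []

    def log(self, dev_id, hostname, decision, reason):
        self.audit.append({"id": dev_id, "hostname": hostname, "decision": decision, "reason": reason})


def decide(dev, state, vip_logins, live_lookup, min_days, now_epoch=None):
    """Return (decision, reason); decision is 'delete', 'manual' or 'skip'."""
    eid = dev["id"]
    if eid in state.deleted:
        return "skip", "deleted in an earlier run"
    if eid in state.open_tickets:
        return "skip", f"ticket {state.open_tickets[eid]} still open"
    login = ((dev.get("associatedPerson") or {}).get("viaLogin") or "").lower()
    if login in vip_logins:
        return "manual", f"VIP user {login}"
    try:
        live = live_lookup(eid)      # re-query Central rather than trust the SIEM snapshot
    except Exception as exc:         # API error: never delete on unverified data
        return "manual", f"live verification failed: {exc}"
    if live is None:
        return "skip", "no longer present in Central"
    days = days_since(live["lastSeenAt"], now_epoch)
    if days < min_days:
        return "manual", f"reported in {days:.1f} days ago"
    return "delete", f"inactive for {days:.1f} days on live check"


def triage(candidates, state, vip_logins, live_lookup, min_days, now_epoch=None):
    decisions = {}
    for dev in candidates:
        decision, reason = decide(dev, state, vip_logins, live_lookup, min_days, now_epoch)
        state.log(dev["id"], dev.get("hostname"), decision, reason)
        decisions[dev["id"]] = decision
    return decisions


def record_outcome(state, dev_id, deleted=False, ticket_id=None, error=None):
    """Feed the result back so the next run excludes or escalates correctly."""
    if error:
        state.log(dev_id, None, "manual", f"delete failed: {error}")
    elif deleted:
        state.deleted.add(dev_id)
        state.open_tickets.pop(dev_id, None)  # a ticket is closed by the deletion
    elif ticket_id:
        state.open_tickets[dev_id] = ticket_id


# --- constructed sample data (not real devices) ---------------------------------
NOW_EPOCH = 1612051200  # 2021-01-31T00:00:00Z
VIP_LOGINS = {"corp\\ceo"}  # lower-cased 'DOMAIN\\user' values from the VIP AD group
SAMPLE_LIVE = {  # what GET /endpoint/v1/endpoints/{id} would return, per id
    "e1": {"lastSeenAt": "2020-09-01T08:00:00.000Z"},
    "e4": {"lastSeenAt": "2020-09-01T08:00:00.000Z"},
    "e5": {"lastSeenAt": "2021-01-30T09:00:00.000Z"},
    "e6": TimeoutError("simulated API timeout"),
}
SAMPLE_CANDIDATES = [
    {"id": "e1", "hostname": "PC-OLD", "associatedPerson": {"viaLogin": "CORP\\jdoe"}},
    {"id": "e2", "hostname": "PC-GONE"},     # deleted in the previous run
    {"id": "e3", "hostname": "PC-TICKET"},   # awaiting a service desk answer
    {"id": "e4", "hostname": "PC-CEO", "associatedPerson": {"viaLogin": "CORP\\ceo"}},
    {"id": "e5", "hostname": "PC-BACK"},     # came back online after the SIEM snapshot
    {"id": "e6", "hostname": "PC-ERR"},
]


def sample_live_lookup(eid):
    hit = SAMPLE_LIVE.get(eid)
    if isinstance(hit, Exception):
        raise hit
    return hit


if __name__ == "__main__":
    st = TriageState(deleted={"e2"}, open_tickets={"e3": "INC-1001"})
    print(triage(SAMPLE_CANDIDATES, st, VIP_LOGINS, sample_live_lookup, 90, NOW_EPOCH))
    for entry in st.audit:
        print(entry)
```

The live re-check deliberately fails closed: a timeout or error while talking to Central produces a 'manual' decision, never a 'delete', and a device that has already disappeared from the tenant is skipped rather than reported as a failure.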
WHOOPS, AN ACTIVE DEVICE WAS REMOVED
In a situation where a device is removed incorrectly, the following steps are required to protect the endpoint:
- If the host does not have Sophos Endpoint Protection installed, simply download the latest installer from Sophos Central and install it on the endpoint.
- If the endpoint already has Sophos Endpoint Protection installed and Tamper Protection is not enabled, first uninstall Sophos Endpoint Protection and then install it using the latest installer from the correct Sophos Central tenant.
- If Sophos Endpoint Protection is installed and Tamper Protection is enabled, follow the steps below:
- Log on to the correct Sophos Central tenant: https://cloud.sophos.com/manage/login
- Go to: Logs & Reports > Endpoint & Server Protection > Recover Tamper Protection passwords (passwords remain in this report for 60 days after deletion)
- Search for the hostname and click on 'View details' to view the latest Tamper Protection password that was active on the machine prior to deletion
- Open the Sophos Endpoint Protection UI on the device
- Click on 'Admin login' and enter the Tamper Protection password
- Select 'Settings' and tick the box 'Override Sophos Central Policy for up to 4 hours to troubleshoot'
- Under 'Control on Users' turn off Tamper Protection
- Uninstall Sophos Endpoint Protection
- Reinstall Sophos Endpoint Protection with the latest installer from the correct Sophos Central tenant
WIND IT UP AND LET IT GO
With the basic building blocks in place you are ready to dry run the automation flow. Some key milestones are:
- In your chosen SOAR platform, be certain to disable the final action that deletes the device before testing.
- Validate whether each device meets its expected outcome before committing to delete.
- When going live with the automation, start off by deleting devices slowly. This will allow time to further fine-tune your process and find any more gotchas.
- Reach out to your AD admins and service desk teams for feedback. They can provide valuable insight into the process and could highlight a key point that may have been overlooked.
For us, this process of removing the clutter of unused devices in Sophos Central has been invaluable. It also gives Central admins time back to focus on other tasks, which would normally be taken up with a manual process of checking and deleting old devices.
SAMPLE PYTHON TO GATHER DEVICES
Gather old device data
To gather old devices to check against AD, use the following code example (you will need to have the Sophos Central API Connector installed). This will create JSON files of the devices.
You will need to alter the 'find_old' and 'client_id' variables.
Delete identified devices in Sophos Central
To delete the identified assets you can edit the JSON that was gathered previously and remove any devices which should not be deleted. The demo script assumes the JSON file is in the same location as the script. You will need to change the 'client_id' variable.
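The author's two demo scripts are collapsed behind an expand control on the original page and are not reproduced here. The block below is an added example that covers the same two steps (gather old devices to JSON, then delete a reviewed JSON list); it is not those scripts and does not use the Sophos Central API Connector, only the Python standard library. The URLs and response fields are those of the public Sophos Central API (OAuth2 token endpoint, whoami, GET and DELETE /endpoint/v1/endpoints); the HTTP call is injected as `transport` so the pagination and deletion logic can be exercised offline against constructed pages, and the environment variable names and file names are assumptions.

```python
"""Gather Sophos Central endpoints to JSON and delete a reviewed list."""
import json
import os
import sys
import time
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"
LAST_SEEN_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def http_transport(method, url, headers=None, data=None):
    """Real transport: returns the decoded JSON body; raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def authenticate(transport, client_id, client_secret):
    """Client-credentials token, then whoami for the tenant id and data region host."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": "token"}).encode()
    tok = transport("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    bearer = {"Authorization": f"Bearer {tok['access_token']}"}
    who = transport("GET", WHOAMI_URL, bearer)
    return who["apiHosts"]["dataRegion"], {**bearer, "X-Tenant-ID": who["id"]}


def list_endpoints(transport, data_region, headers, page_size=500):
    """Follow pages.nextKey until the whole tenant inventory has been read."""
    items, next_key = [], None
    while True:
        params = {"pageSize": page_size}
        if next_key:
            params["pageFromKey"] = next_key
        url = f"{data_region}/endpoint/v1/endpoints?{urllib.parse.urlencode(params)}"
        page = transport("GET", url, headers)
        items.extend(page.get("items", []))
        next_key = (page.get("pages") or {}).get("nextKey")
        if not next_key:
            return items


def find_old_devices(items, find_old, now_epoch=None):
    """Devices last seen at least `find_old` days ago (no lastSeenAt -> kept for review)."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    old = []
    for ep in items:
        seen, days = ep.get("lastSeenAt"), None
        if seen:
            ts = datetime.strptime(seen, LAST_SEEN_FMT).replace(tzinfo=timezone.utc).timestamp()
            days = round((now_epoch - ts) / 86400, 1)
        if days is None or days >= find_old:
            old.append({"id": ep["id"], "hostname": ep.get("hostname"), "lastSeenAt": seen,
                        "days_inactive": days, "user": (ep.get("associatedPerson") or {}).get("viaLogin")})
    return old


def delete_endpoints(transport, data_region, headers, reviewed, dry_run=True):
    """DELETE /endpoint/v1/endpoints/{id} for each reviewed entry; dry run unless told otherwise."""
    outcome = {}
    for dev in reviewed:
        if dry_run:
            outcome[dev["id"]] = "dry-run"
            continue
        try:
            resp = transport("DELETE", f"{data_region}/endpoint/v1/endpoints/{dev['id']}", headers)
            outcome[dev["id"]] = "deleted" if resp.get("deleted") else "unconfirmed"  # body: {"deleted": true}
        except Exception as exc:  # keep going; failures are listed for manual follow-up
            outcome[dev["id"]] = f"failed: {exc}"
    return outcome


if __name__ == "__main__":
    # usage: script.py gather <find_old_days> | script.py delete [--no-dry-run]
    # credentials come from SOPHOS_CLIENT_ID / SOPHOS_CLIENT_SECRET (assumed names)
    region, hdrs = authenticate(http_transport, os.environ["SOPHOS_CLIENT_ID"], os.environ["SOPHOS_CLIENT_SECRET"])
    if sys.argv[1] == "gather":
        old = find_old_devices(list_endpoints(http_transport, region, hdrs), find_old=int(sys.argv[2]))
        with open("old_devices.json", "w") as fh:
            json.dump(old, fh, indent=2)
        print(f"wrote {len(old)} devices to old_devices.json for review")
    else:
        with open("old_devices.json") as fh:
            reviewed = json.load(fh)
        print(delete_endpoints(http_transport, region, hdrs, reviewed, dry_run="--no-dry-run" not in sys.argv))
```

Deletion defaults to a dry run, matching the advice above to disable the final delete action until the flow has been validated; the reviewed JSON is the hand-edited list from the gather step, so removing a line from the file is all it takes to keep a device.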
Source: Sophos
Source: https://www.smart.rs/en/security-en/how-to-remove-unused-devices-from-sophos-central/