Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 14 subscribers
  • Views 5980 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoints Not shown in Sophos Central

Muhammad Hashir

Good Day!

Some of my Sophos endpoint devices are not been found in the Sophos Central. Why does this happen?

These endpoints agent cannot be re-installed too, because the tamper protection has already gone through the device.

Please advice!

Thanks in advance.



This thread was automatically locked due to age.
Parents
  • 0

    It might be worth checking if the computers exist in Sophos Central using the specific URL to the device rather than using the name,

    For example, when a client registers with Sophos Central it gets back an Endpoint ID.  This is stored in the file

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\EndpointIdentity.txt

    E.g.

    0089d6b7-83c0-149f-2a0e-188e5237df4

    Given that GUID, In Central, the device can be found here:

    https://cloud.sophos.com/manage/endpoint/devices/computers/0089d6b7-83c0-149f-2a0e-188e5237df4

    If it was a server it would be:

    https://cloud.sophos.com/manage/server/devices/servers/0089d6b7-83c0-149f-2a0e-188e5237df4 

    So the first thing would be to gather the EndpointID of the device and then try and access the device using that to form the URL.

    I assume you get "This computer had been deleted" in the bottom right.  You will get this for any GUID that doesn't resolve regardless of if the device ever existed.

    So that would be the first check.

    The next check would be to check:
    https://cloud.sophos.com/manage/reports/deleted-devices/create

    Does the device exist here so you can recover the password?

    Beyond that, I think you will need to follow:

    Service and Support (sophos.com)

    This will allow you to remove Sophos so you can re-install.

  • 0 in reply to Sophos User930

    Hi!

    Thanks for your response.

    I have already checked it using the Endpoint ID and it shows that "This computer had been deleted" as you rightly said. But when I checked the list of deleted devices, nothing is to be found. I have already raised a support ticket and waiting for their response now. 

    Please advice if someone has faced this issue as well. Thank you!

  • 0 in reply to Muhammad Hashir

    That's odd, when you installed them, the log file: "\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_[date Time].log" would have been created and you would see lines such as

    INFO : About to execute command: Register
    ...
    INFO : Sending HTTP 'POST' request to: sophos/management/ep/install/register
    ...
    INFO : Retrieved endpoint id: 2fcd71bc-3921-a4fc-0a00-3cdd0f5dadff

    For example, this is where the endpoint id would have originally been obtained from Central and assigned.

    MCS would then use this. 

    What does:
    "C:\ProgramData\Sophos\Management Communications System\endpoint\logs\McsClient.log"
    ...have to say as this is the log of the MCS Client service and the component in communication with Sophos Central?

    If that's OK, the only thing i would check is if they are "talking" to the right Central account.

    Does
    C:\ProgramData\Sophos\Management Communications System\endpoint\persist\CustomerIdentifier.txt
    Contain the same ID as a working machine for this account?

    Back in the Central install log it would log this as:
    INFO : MCS Customer Id: 22b90f2d-2483-4f1e-872d-34eb6df8cdea
    and
    INFO : Model:: MCS customer id value changed to: 22b90f2d-2483-4f1e-872d-34eb6df8cdea

    This would be the same value as in CustomerIdentifier.txt.  I just want to make sure everything lines up.

    Also in the Audit log in Central or the Events report in Central do you see anything for these computers?

Reply
  • 0 in reply to Muhammad Hashir

    That's odd, when you installed them, the log file: "\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_[date Time].log" would have been created and you would see lines such as

    INFO : About to execute command: Register
    ...
    INFO : Sending HTTP 'POST' request to: sophos/management/ep/install/register
    ...
    INFO : Retrieved endpoint id: 2fcd71bc-3921-a4fc-0a00-3cdd0f5dadff

    For example, this is where the endpoint id would have originally been obtained from Central and assigned.

    MCS would then use this. 

    What does:
    "C:\ProgramData\Sophos\Management Communications System\endpoint\logs\McsClient.log"
    ...have to say as this is the log of the MCS Client service and the component in communication with Sophos Central?

    If that's OK, the only thing i would check is if they are "talking" to the right Central account.

    Does
    C:\ProgramData\Sophos\Management Communications System\endpoint\persist\CustomerIdentifier.txt
    Contain the same ID as a working machine for this account?

    Back in the Central install log it would log this as:
    INFO : MCS Customer Id: 22b90f2d-2483-4f1e-872d-34eb6df8cdea
    and
    INFO : Model:: MCS customer id value changed to: 22b90f2d-2483-4f1e-872d-34eb6df8cdea

    This would be the same value as in CustomerIdentifier.txt.  I just want to make sure everything lines up.

    Also in the Audit log in Central or the Events report in Central do you see anything for these computers?

Children
No Data
Unfiltered HTML