Sophos Central Windows Endpoint: RE-register a device on Sophos central without reinstalling when accidentally deleted from the dashboard

The steps with deleting the files would force the endpoint to get a brand new endpoint ID from Central. In most cases with accidentally deleted machines less than 90 days ago (they still show up in Recover Tamper Protection Passwords report) is to either do 1) disable tamper protection through endpoint interface 2) run SophosSetup.exe --registeronly (what MEric suggested above) in elevated command prompt which is very quick, or just run SophosSetup.exe overtop of existing install, which will take longer but will accomplish the same (in case of non-technical users it might be easier to instruct them to do remotely.) 

PavSupport

On a Mac, how would it possible to force the endpoint to get a brand new endpoint ID from Central?

I have tried to follow this article, Sophos Central Mac Endpoint: How to re-register Mac.

https://support.sophos.com/support/s/article/KB-000035092?language=en_US

However, after a restart, the endpoint ID is still the same.

I have an open support ticket to resolve endpoints that have duplicate endpoint ID with other endpoints.   

If you override the name as per Installer command-line options for Mac (sophos.com) that would have to work if that's an option

Sophos User930

Per the "Installer command-line options for Mac" link that you have shared, there is a commandline option "--computernameoverride <override for computer name>".  However, it states that "You can only use this option for a new installation."

The other option is to use the file override,  /Library/Preferences/ called com.sophos.mcs-overrides.plist.  I have tried this option by running these commands (new computer name is johndoe-sdafda)

"

sudo defaults write /Library/Perferences/com.sophos.mcs-overrides.plist ComputerNameOverride johndoe-sdafda

sudo launchctl stop com.sophos.mcs

"

The new computer name is displayed on the Sophos Central.  However, the endpoint ID is still the same.

"

cat /Library/Preferences/com.sophos.mcs.plist | grep -i uuid -n5

"

It shows the same SMEMcsEndpointUUID value. 

Hello Tan1,

I will give you general info about this and then answer your exact question:

Why endpoints can get the same Central ID:

For Windows systems, this typically only occurred if an image/copy was made of a system without proper preparation. For Macs, it can occur due to other reasons as well, detailed here:

 #1) Apple has a poor default naming scheme of <FirstName>’s <SystemModel>.  So if you use the same account to do the initial mac setup, like a helpdesk account, you get “Helpdesk’s macbook pro”.  Note: Windows uses random characters, Linux doesn’t have a default hostname.  Windows also warns and flags if it sees another system with the same name on the network (NetBios).

 #2) Apple does not use the concept of “Domain name”, so we just report a default of “workgroup”.

 #3) Central uses the following information to determine if a system needs a new ID, or it is a reinstall of our software on an existing system (or reinstall of the OS); System Name, Domain Name, and Fully Qualified Domain Name/DNS Name.

 So the issue becomes with a common system name (#1), a common domain name (#2), and an FQDN that is the same (on an internal system it would be system name (#1).local), then due to the parameters in #3, it assigns the same Central ID to the Endpoint.

 The only way to prevent this fully is to tackle #1.  Make sure the system is renamed before installing Sophos, which is a workflow change.

 Now what are we (Sophos), doing about this. We are enabling detection of the condition of multiple endpoints using the same ID in Central, referred to as Endpoint De-duplication. This is currently being tested as of mid-September 2021. This detects when multiple different systems are using the same ID to communicate to Central, locks out that ID, and forces all systems trying with that ID to re-register with a flag for a new ID only.  This will split them out.  It unfortunately does not remediate any groups of duplicate users, but it will them prevent more from being created (as the underlying problem has been corrected).

 If the workflow is not adjusted, this de-duplication will still trigger, and result in “locked” endpoints that were the original ID. These can be removed manually from Central by the customer after systems have been split out.

Now answering your question - in order for the machine to get new UUID those exact steps absolutely need to be followed (no workaround):

1) uninstall the endpoint.
2) rename the system
3) reboot
4) reinstall Sophos

only in this order or the Sophos Central record will be updated.

Hope that helps!

Pav Support

Thank you for providing more explanation.  

I have started the process of renaming the computer name to have unique value.  

I believe that I have tried similar steps with just 1 user.  The user's computer name has changed and is unique.  However, besides still having the same endpoint ID, the endpoint is intermittently disappearing from Sophos Central (i.e. sometimes it is searchable under the Devices page).  

I will try again with the exact 4 steps that you have mentioned.

I have tried to call the Endpoint API to find the duplicate endpoint ID.  However, the API returned values do not show any duplicate endpoint ID.

Is there way to programmatically identify duplicate endpoint ID?  Otherwise, it is a pain to manually look for endpoint with the same names on Sophos Central. 

Unfortunately not that I know of myself - I have a Support background, not scripting\dev. That may be possible through Professional Services which is a standalone paid engagement. 

Unfortunately not that I know of myself - I have a Support background, not scripting\dev. That may be possible through Professional Services which is a standalone paid engagement.