
Linux machines showing up as Windows OS

There is a FEATURE whereby the OS is obtained from the AD properties of the host. If you have machines that change OS but not name, SEC can get confused about what OS they are.

Seems like Sophos is using the "operatingSystem" attribute in AD to populate the operating system field after a period of time.
Initial startup uses Linux, but then it changes to a value based on the above AD attribute.

To resolve this I had to do the following:

1. Use the console to navigate to the computer in AD
2. Click View and make sure "Advanced Features" is selected
3. Right-click the computer and select "Properties"
4. Click the "Attribute Editor" tab
5. Clear the "operatingSystem" attribute
6. Stop sav-rms on the workstation
7. Start sav-rms on the workstation
8. Wait about a minute and it will resolve



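Scripted form of the fix above, as an added example that is not part of the original post and not a Sophos-supplied script: it clears the same AD attribute with the ActiveDirectory PowerShell module, verifies the clear, and then restarts sav-rms on the Linux workstation over SSH. The parameter names, the SSH user and the /etc/init.d/sav-rms path are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post or from Sophos): scripts the
# Attribute Editor steps with the ActiveDirectory module. Assumes the RSAT
# ActiveDirectory module, write access to the computer object, and SSH access
# to the Linux workstation. $LinuxHost, $SshUser and the init script path are
# assumptions.
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # AD computer name (without the trailing $)
    [string] $LinuxHost = $ComputerName,             # hostname/IP reachable over SSH (assumption)
    [string] $SshUser   = 'root'                     # user allowed to restart sav-rms (assumption)
)

Import-Module ActiveDirectory

# Steps 1-4: read what Attribute Editor would show for operatingSystem.
$before = Get-ADComputer -Identity $ComputerName -Properties operatingSystem
Write-Host "Before: operatingSystem='$($before.operatingSystem)'"

# Step 5: clear the attribute. -Clear removes the value; it does not write an empty string.
if ($before.operatingSystem) {
    Set-ADComputer -Identity $ComputerName -Clear operatingSystem
}

# Re-read to confirm. Other DCs only see the change after replication, so check
# the same DC you wrote to if you pass -Server.
$after = Get-ADComputer -Identity $ComputerName -Properties operatingSystem
if ($after.operatingSystem) { throw "operatingSystem is still set on $ComputerName" }

# Steps 6-7: stop and start the Sophos RMS agent so it re-registers with SEC.
# Assumption: the agent is controlled by /etc/init.d/sav-rms as in the post.
ssh "$SshUser@$LinuxHost" 'sudo /etc/init.d/sav-rms stop && sudo /etc/init.d/sav-rms start'
if ($LASTEXITCODE -ne 0) { throw "sav-rms restart failed on $LinuxHost" }

# Step 8: the OS column in SEC should update within about a minute.
Write-Host "Done. Check the OS shown for $ComputerName in SEC after about a minute."
```

Caveat: a Windows client writes its own operatingSystem value into the computer object when it joins the domain, so the next time the same asset is re-imaged as Windows the attribute comes back and the clear has to be repeated after the following Linux image.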
  • Hello GrantS,

    There is a FEATURE that the OS is obtained from the AD properties - AFAIK the OS displayed is taken from an endpoint's status message. The value from AD is only obtained with an Import/Discover or AD Sync, and in these cases the FEATURE is necessary to decide whether deployment from the console is possible.
    As far as SEC is concerned a computer name is not necessarily unique (and also not immutable); OTOH the OS is a distinctive attribute, i.e. a computer object can't change its OS attribute. When an endpoint reports a known name but an OS (or a domain/workgroup) different from that of an existing object, a new object is created.

    Whether the same hardware booted from different volumes should be considered the same "computer" is IMO more than debatable. Actually, if the volumes contain "equivalent" OS (versions) with the same computer name there'll be only one computer object in SEC.

    Christian

  • As I said Sophos calls it a FEATURE that is un-documented.
    I should have clarified that this happens when you use the AD sync functionality.
    When a client first connects SEC uses the correct OS, but after an AD sync, if the "operatingSystem" attribute contains any data it will use that instead or some derivation of that.
    I think Sophos makes some invalid assumptions.
    1. That AD knows the host OS better than the host OS.
    2. That a machine will never change or upgrade its OS version.
    3. That Linux is unable to obtain its AD domain.

    According to Sophos they don't have anyone doing an AD sync with Linux machines.
  • Hello GrantS,

    I've already touched on the underlying problem, namely - what is a computer? Or better: What is an appropriate definition of computer in conjunction with management in general and SEC in particular? Your answer seems to be: A certain (hardware) device with a (distinctive but not necessarily immutable) computer name attribute.
    Apart from the challenge to reliably identify a device (for "computers" there's no such thing as e.g. the IMEI) SEC doesn't use this definition for other reasons. It aims to support as many environments, topologies, and processes/workflows as possible without requiring complex customization. Naturally there are some restrictions and limitations.

    SEC isn't integrated with AD. The Discover options are mainly for initial setup. AD sync has been added at a later time and is basically an Import at regular intervals. The difference is that the structure under the synchronization point is locked.
    As to the invalid assumptions:

    1. Neither SEC nor AD define computer (or host) as some piece of hardware. And neither claims to know the host OS better than the host OS. When the machine is running Windows and joins the domain its name and OS are recorded in AD: When SEC queries the AD it retrieves these attributes and puts the computer object in the appropriate SEC group. When a Linux endpoint registers with SEC providing the same name SEC (correctly, as this could be some other machine) doesn't match it with the computer in the synchronized group and therefore puts it in the Unassigned group. The invalid assumption is that the Operating System attribute is up-to-date. AD is rather liberal when it comes to non-Windows computers but I wonder whether the Linux incarnation is actually joined to the domain. 
    2. As said, the concept of machine doesn't exist. When Sophos is installed an additional identifier is created, and with it SEC can track changes of other attributes (e.g. computer name). In case of a reinstall (where this identifier changes) the computer is assumed to be a known one if name, OS (version), and domain/workgroup match. But this is as far as it goes. The drawback of the identifier is that cloned machines (if not correctly prepared) appear as one (with constantly changing name), and the logic to detect a reinstall makes it impossible to have two (or more) instances where the mentioned attributes are identical (think of a multi-site environment).
    3. The domain/workgroup attribute has no additional meaning for SEC. In particular it can't verify domain membership (furthermore this attribute can be overridden). AD sync also needs the container - something the endpoint can't provide and therefore SEC doesn't second-guess AD and uses it as the authoritative source.  

    Anyway, if I understand your setup correctly this is what happens with AD sync:

    • A computer is joined to the domain and appears in AD with its OS at this time
    • You install Sophos on the endpoint, it appears in the Unassigned group
    • If the computer has already been imported from AD and name, domain and OS match it is moved to the correct group, otherwise the next sync will trigger the move. If there's no match there should be two computers with the same name, one in the sync'ed group
    • If there is no OS in the AD object the empty attribute won't be imported (I think) and will match any OS reported by the endpoint. Guess it'll be first come stays, and if the machine subsequently reports a different OS it will go to Unassigned.

    Christian

  • Hey Christian

    Thanks for the description. Sorry I've just spent the last 4 months in a battle with Sophos support about this issue and others to do with linux endpoints. I'm trying to save others the pain and anguish.

    SEC will take the OS from AD rather than the OS provided by the endpoint, after an AD sync. This has been confirmed from Sophos Support and hence my incorrect assumption 1.

    I understand that Sophos can say that they are not tracking the physical machine. This is despite the fact that they could use MAC address, disk UUID, BIOS serial number, BIOS asset tag... They do, however, make it impossible when using AD sync and Linux endpoints to re-install the agent or re-image your machine.
    community.sophos.com/.../9845

    According to Sophos Support endpoint uniqueness is determined by satisfying 2 of the following
    * Machine name
    * AD Domain
    * Router address (Unique address created on agent install)

    We have over 200 Linux endpoints that are joined to the domain and there is no way to provide the AD domain, and Sophos doesn't detect it. So there is no automatic way to handle a reinstall of the Linux OS when using AD Sync.

    I'm also annoyed that after months of non action, I told them the solution to this issue and it still took weeks for them to confirm it officially.

    Again, this is not an attack on you, just frustration with the product.

    Thanks for your help
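A model of the two-of-three matching rule GrantS reports from Sophos Support (machine name, AD domain, router address), as an added example and not Sophos's own logic: the scoring, the attribute names and the constructed inventory are assumptions, used to show why a plain sav-rms restart or a Windows reinstall is matched to the existing object while a Linux re-image, which reports no domain and gets a fresh router address, is not.

```powershell
# Added example, not Sophos code: models the "satisfying 2 of the following"
# rule quoted above. Attribute names, scoring and the sample inventory are
# assumptions for illustration only.
function Find-SecMatch {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Known,   # existing SEC computer objects
        [Parameter(Mandatory)] [hashtable]   $Report   # what the registering endpoint reports
    )
    foreach ($obj in $Known) {
        $score = 0
        foreach ($key in 'Name', 'Domain', 'RouterAddress') {
            # An empty attribute on either side cannot count as a match, so a
            # Linux endpoint that reports no domain can only score on the other two.
            if ($Report[$key] -and $obj[$key] -and ($Report[$key] -eq $obj[$key])) { $score++ }
        }
        if ($score -ge 2) { return $obj }
    }
    return $null
}

# Constructed inventory (assumption): the object AD sync imported while the
# asset ran Windows, with the router address the first agent install registered.
$known = @(
    @{ Name = 'WS-0042'; Domain = 'corp.example'; RouterAddress = 'rtr-0001'; OS = 'Windows 7' }
)

$cases = [ordered]@{
    # sav-rms stop/start: same install, router address unchanged -> name + router match
    'Linux agent restart' = @{ Name = 'WS-0042'; Domain = $null;          RouterAddress = 'rtr-0001' }
    # Windows reinstall: router address regenerated, but name + domain still match
    'Windows reinstall'   = @{ Name = 'WS-0042'; Domain = 'corp.example'; RouterAddress = 'rtr-0002' }
    # Linux re-image: new router address and no domain reported -> only the name matches
    'Linux re-image'      = @{ Name = 'WS-0042'; Domain = $null;          RouterAddress = 'rtr-0003' }
}

foreach ($label in $cases.Keys) {
    $hit = Find-SecMatch -Known $known -Report $cases[$label]
    $outcome = if ($hit) { "matched existing object (OS shown as $($hit.OS))" }
               else      { 'no match: new object, lands in Unassigned' }
    Write-Output ('{0,-20} {1}' -f $label, $outcome)
}
```

The third case is the one the thread is about: under this rule a re-imaged Linux workstation can never reach two matches on its own, which is why the first post's workaround of clearing the AD attribute and restarting the agent (keeping the router address) is needed instead of a clean reinstall.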
  • Hello GrantS,

    I don't think I've been of much help so far and I don't want to add to your frustration so please tell me to stop if you have enough.

    When I started using Sophos there was no management at all. Over time it evolved and there were changes I liked and others I'd rather not have seen, and I had to adapt. There's often more than one way to get an acceptable result, therefore allow a few questions:
    What is your reason for using AD sync?
    What is the role of the dual-boot you've mentioned and why use the same computer name for both OS?
    How many endpoints in total?
    Are all managed endpoints in the domain?

    Depending on your answers I might have some more. Meanwhile I'll take a closer look how SEC behaves with a Linux endpoint (we only have a few servers, so ...)

    Christian


  • This reply is for completeness and I don't expect a reply :-)
    - The idea with AD sync is so that we can change the Sophos settings using AD rather than managing endpoints directly or through SEC. We have automation in place that means that machines are placed into the correct AD group, and we don't want to double handle things in SEC.
    - It's not dual boot, but a machine may change its OS during its lifetime. We are using Sophos on workstations. Depending on who is allocated to the workstation it may be imaged as Windows or Linux. The machine name is an "asset tag" and never changes. Its OS may change 20 times over its 3+ year life span. The OSes and deployment systems can do this with no additional admin because we automate it very well. Sophos, however, is unable to be scripted and only adds complexity/manual tasks outside of its "normal use".
    - We have over 300 linux workstation endpoints
    - All managed endpoints are in the domain