
Scripts for auditing our remote connection software, RMM, AV, computer lists, and device-based billing. These are specifically built for use with ScreenConnect, Datto RMM, and Sophos.


seatosky-chris/Device-Audit


Device Audit

The included scripts are used for auditing our remote connection software, AV, computer lists, and device-based billing. They are specifically built for use with ScreenConnect, Datto RMM, and Sophos, and can optionally update some data in IT Glue and Autotask. The script grabs a full list of devices from each of these systems, then compares them and matches each device across systems as best it can to build a single list of all devices. It also pulls data from IT Glue and Autotask and tries to match each device to the records in those services.

After the script has obtained a full list of devices it will run a series of checks:

  1. First, it looks for duplicate devices; if it finds any in RMM or ScreenConnect it automatically removes the copy that was seen less recently. It does not remove Sophos duplicates, as Sophos does not handle duplicate removal well.
  2. Next, it searches for devices that appear to be under the wrong company based on naming conventions. If a device is named unusually but is in the correct company, you can whitelist it in the config. Otherwise the script alerts you so you can manually move the device into the correct organization.
  3. The third set of checks is for issues with one system or another. It looks for devices that are broken in one system (e.g. active in RMM recently but not in SC) or simply missing from one system (e.g. in RMM but not in SC), then attempts to fix these automatically by reinstalling RMM or SC (it will not install Sophos; RMM handles that). It also checks for inactive devices that haven't been seen in a long time and removes the software from them. The thresholds can be modified in the config, but by default devices are deleted from RMM after 4 months inactive, from SC after 6 months, and from Sophos after a year. The longer SC delay means that if a device comes back online after it was deleted from RMM, the script can reinstall RMM through SC. Note that the script cannot delete devices from RMM automatically; instead it places them in a group called "Delete Me", from which they must be deleted manually.
  4. Fourth, usage stats are recorded in a database and device users are updated. The script uses Azure Cosmos DB and keeps a separate usage database for each customer. The user data is then further updated by the User Audit script. This data is summarized monthly in stat tables that track computer and user usage, and the monthly stats are used to update the assigned user for each computer in IT Glue. That update runs weekly and looks at both the last month's stats and the last week's usage: the user who has used a computer the most is assigned as its primary user, and any other user who has used the device more than 25% of the time is tagged as a secondary user. Any user still not assigned to a computer is assigned to the device they used the most in the past month. During the weekly checks, any user who has used a computer more than 25% of the time in the past week is also tagged to that device.
  5. Fifth, a list of all tamper protection keys is exported from Sophos. This is only refreshed once a week, as it requires a separate query for every device. The keys are used in the extended billing report below.
  6. Sixth, the system exports a set of reports (if configured to) showing the number of workstations and servers, warranty info, billed devices, etc. Based on the config file, these reports can be automatically moved to a specific location. The script can treat inactive devices as unbilled; the threshold is configurable, but by default anything inactive for over a month is unbilled. If the customer is device-billed and changes are found, an email is sent listing the changes so that we know to update their billing. The 3 reports exported are:
    • A billing report for customers which shows the list of devices they are being billed for, who is using each device, when the device was last used, a tally of device counts, and a server breakdown for billing purposes.
    • An extended billing report for techs that includes all of the above info and additionally shows which systems the device is set up in, when it was last seen in each system (RMM, SC, Sophos), and the Sophos Tamper Protection key for each device. Because those keys allow the Sophos agent to be disabled or removed, store this report only where techs can reach it.
    • An asset report that can be used for auditing hardware; it includes device location, user, purchase date, warranty expiry, and the suggested replacement year.
  7. Lastly, if you set up IT Glue and Autotask connections, the script updates the location of each device in Autotask (which syncs through to ITG) and creates WAN and LAN overviews in ITG listing each device connected to them. This uses the external IPs found in ITG's Internet / WAN documentation and the internal IPs listed in the ITG LAN documentation. If multiple locations are assigned to a WAN, it tries to use the internal IP and LAN documentation to narrow down the correct location. If the customer's WANs/LANs are not documented correctly, this will not work.
  8. To finish, it updates the company's "Scripts - Last Run" asset with the current time. The MonitoringAgent uses this to alert if the device audit has not run for a company recently.
  9. If the script was run for all companies, it additionally exports a device overview document listing device counts for every company audited.
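The user-assignment rules in step 4 are easy to get subtly wrong (the 25% test is against the device's total usage, and the fallback only applies to users who ended up on no device at all). The following PowerShell is an added example, not code from the Device-Audit repository: it applies those three rules to a constructed monthly usage sample. The record shape (Device/User/Days) and the function name Get-DeviceUserAssignments are assumptions made for this example; the weekly pass described in the README is the same 25% rule over a one-week window and is not repeated here.

```powershell
# Added example (not part of Device-Audit). Implements the step-4 rules on
# constructed data: most-used user = primary, any other user above 25% of the
# device's usage = secondary, and a user left unassigned goes to the device
# they used most. Record layout and function name are assumptions.
$SecondaryThreshold = 0.25

# Constructed sample: one row per (device, user) with active days in the month.
$Usage = @(
    [pscustomobject]@{ Device = 'STS-WS01'; User = 'alice'; Days = 18 }
    [pscustomobject]@{ Device = 'STS-WS01'; User = 'bob';   Days = 7  }
    [pscustomobject]@{ Device = 'STS-WS01'; User = 'carol'; Days = 1  }
    [pscustomobject]@{ Device = 'STS-WS02'; User = 'bob';   Days = 20 }
    [pscustomobject]@{ Device = 'STS-WS03'; User = 'alice'; Days = 3  }
)

function Get-DeviceUserAssignments {
    param([object[]]$Usage, [double]$Threshold = $SecondaryThreshold)

    $assignments = @{}
    foreach ($group in ($Usage | Group-Object Device)) {
        # Share of the device's total usage is what the 25% rule compares against.
        $total  = ($group.Group | Measure-Object Days -Sum).Sum
        $ranked = @($group.Group | Sort-Object Days -Descending)
        $primary   = $ranked[0].User
        $secondary = @($ranked | Select-Object -Skip 1 |
            Where-Object { ($_.Days / $total) -gt $Threshold } |
            ForEach-Object User)
        $assignments[$group.Name] = [pscustomobject]@{
            Device = $group.Name; Primary = $primary; Secondary = $secondary
        }
    }

    # Fallback: a user attached to no device at all is tagged on the device
    # they used the most.
    $assigned = @($assignments.Values | ForEach-Object { @($_.Primary) + $_.Secondary })
    foreach ($user in ($Usage.User | Sort-Object -Unique)) {
        if ($assigned -contains $user) { continue }
        $top = $Usage | Where-Object User -eq $user |
            Sort-Object Days -Descending | Select-Object -First 1
        $assignments[$top.Device].Secondary += $user
    }

    $assignments.Values | Sort-Object Device
}

Get-DeviceUserAssignments -Usage $Usage |
    Format-Table Device, Primary, @{ n = 'Secondary'; e = { $_.Secondary -join ', ' } }
```

On the sample, alice is primary on STS-WS01 and STS-WS03, bob is primary on STS-WS02 and secondary on STS-WS01 (7 of 26 days is just over 25%), and carol, who qualifies nowhere on her own, is attached to STS-WS01 by the fallback rule.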

For setup, the global settings for API keys and configuration are in the APIKeys.ps1 and Global-Config.ps1 files (see the .template files; the config files are in the "Config Files" folder). APIKeys.ps1 must be filled out for the script to work; Global-Config.ps1 will work with the defaults. Since APIKeys.ps1 holds credentials, keep the filled-out copy out of version control and commit only the .template. Each customer must be set up with their own configuration file: copy Template.ps1 and rename it to "Config-CompanyAcronym.ps1". These config files are heavily commented to tell you exactly how they should be filled out.

To set up the Azure/Intune connection, you need to configure an Azure app for authentication and add each customer's Tenant ID to their individual config file. You can use the Config Files/AzureAuthApp.ps1 script to create the Azure app: run it and log in with an Azure account that has admin access to your partner portal. It creates and configures the app and then exports an AzureADApp.csv file containing the details you must enter into APIKeys.ps1; as those details are credentials, treat the CSV as a secret and delete it once they have been copied over. You will also want to find the newly created app registration in your Azure tenant and manually complete Publisher Verification, which is on the Branding & properties tab; see this Microsoft article to learn more.

When running the basic DeviceAudit script you choose the config file by changing line 9 at the top of the script. The DeviceAudit-Automated script is similar but is meant for the command line and has no GUI. For this script you set the company or companies with the -companies flag, e.g. DeviceAudit-Automated.ps1 -companies STS, AVA, MV. You can also set -companies to ALL to audit all customers at once. The acronym used for the -companies flag is the CompanyAcronym portion of the "Config-CompanyAcronym.ps1" file name. Although it has no GUI, the DeviceAudit-Automated script sends emails for warnings and billing reports. The script can (and should) be run daily to keep accurate usage logs, so it will not always send a billing report email; by default it sends one billing report email during the last week of the month.

To automate the device audits I run a scheduled task 3x a day (10AM, 1PM, 4PM). The command is: PowerShell.exe -ExecutionPolicy Bypass -File "C:\seatosky\Device Audit\DeviceAudit-Automated.ps1" -companies ALL. The script handles the rest.
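The schedule above can be registered from PowerShell rather than clicked together in Task Scheduler. The block below is an added example, not code from the Device-Audit repository: it creates the three daily triggers, prevents overlapping runs (a 1PM run must not start while the 10AM run is still matching devices), and runs the task under a dedicated service account. The account name is hypothetical; the script path and arguments are the ones the README gives.

```powershell
# Added example (not part of Device-Audit): registers the 10AM/1PM/4PM
# schedule as a Windows scheduled task. The service account name is a
# hypothetical placeholder; use a dedicated least-privilege account.
$ScriptPath = 'C:\seatosky\Device Audit\DeviceAudit-Automated.ps1'
$TaskName   = 'Device Audit - All Companies'
$RunAsUser  = 'DOMAIN\svc-deviceaudit'   # hypothetical service account

# -NoProfile/-NonInteractive keep the run deterministic and stop it from
# hanging on a prompt; -ExecutionPolicy Bypass is what the README's command uses.
$Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument (
    '-NoProfile -NonInteractive -ExecutionPolicy Bypass ' +
    "-File `"$ScriptPath`" -companies ALL"
)

# One daily trigger per run time.
$Triggers = foreach ($time in '10:00', '13:00', '16:00') {
    New-ScheduledTaskTrigger -Daily -At $time
}

# Never start a second instance while one is running, kill a hung run after
# two hours, and catch up if the machine was off at the trigger time.
$Settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

# The password is prompted for once and stored by Task Scheduler, not in this file.
$Credential = Get-Credential -UserName $RunAsUser -Message 'Password for the audit service account'

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Triggers `
    -Settings $Settings -User $Credential.UserName `
    -Password $Credential.GetNetworkCredential().Password
```

The task is deliberately not registered with elevated rights: the audit talks to RMM, ScreenConnect, Sophos and the PSA through their APIs, so the account only needs read access to the script folder and whatever the config files reference.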

Device Audit - Broken Down Version

There are 3 extra broken-down copies of the automated device audit that each perform one piece of the audit. This is a WIP: the main script has gotten too big, so my hope is to break it into pieces. The scripts must be run in the following order:

  1. The Initialize script should be run first thing in the morning and performs the device matching.
  2. The Start Cleanup script should be run next. It performs a full cleanup and queues any installs it can't perform at this time.
  3. The Recurring Cleanup script can then be run periodically throughout the rest of the day and should run fairly quickly. It saves usage data and attempts any installs in the queue.
