# macos
g
Hi there, I ran into an issue when getting data from two MacBooks. Both devices have different hardware UUIDs if I look at the system info on the devices, but the query returns an identical hardware UUID for both.
• Both devices are not VMs
• There were no changes in hardware, e.g. original motherboards
• Both devices are in use
I saw a discussion before but it was not happening to many. Can anyone point me to any idea on what's wrong? Did it happen to anyone? Thanks!
b
Do you perhaps have
--host_identifier=specified
and
--specified_identifier=XXXX…
set in the flags files and that flags file was copied to both machines?
s
Hrm. A couple of potential oddities in osquery’s behavior. The UUID is only ever refreshed once, and is then cached in the database. If you ever copy a db between hosts, you can see this. Can you delete the DB and see if it changes? (Note that this will trigger a re-enrollment, as the node key is lost.) Can you verify whether the UUIDs are correct? osquery has some behavior where it’ll generate one instead of using the hardware. There’s a little info in https://github.com/osquery/osquery/issues/7509
g
I think that might be the case. It happened when I switched from an older device to a new one and gave away the older device to another employee. Somehow the UUID was given both to the new and to the old device. Though I installed it on a new device, the UUID from the old device was cached…
f
sounds like some migration assistant related shenanigans
g
We use UUID as the identifier currently. Do you have a recommendation for a better identifier than UUID? FYI: We also have one Windows and one Linux device; they don't have any similar issues.