Tue 27-Nov-2012 16:13
I want to ask if someone knows whether it is possible to configure SEC so that it tries to install the endpoint security again and again (for example every 30 minutes) if the first automatic installation failed, until Sophos is installed on the PC.
The problem is that we install our PCs with SCCM, and after the installation finishes and the PC is added to our AD, there is a lot of other software that will be installed by SCCM. Sophos syncs with the AD every 60 minutes and tries to install Endpoint Security on new PCs. At that time other software installations are usually in progress and the Sophos installation fails.
I know that it is possible to install the Sophos client via SCCM, but we want to outsource our SCCM server, and after that the SCCM server wouldn't have access to the Sophos server.
Wed 28-Nov-2012 12:03
It isn't. The feature to (re-)attempt the install with each sync was there (for a short time, perhaps only in the Beta) but has been removed. The reason is not immediately obvious. During the Beta I noticed that a too short interval can cause an "install loop". My suggestion at this time was to introduce a lower limit for the retries. Evidently further investigation and/or reported issues have led to the conclusion that retries are not only not as good an idea as initially assumed but rather problematic. First of all, if the install actually fails SEC will keep retrying indefinitely. Thus extra logic would have been needed, at least to limit the number of attempts. Then you can assume that in most cases a subsequent install will fail for the same reason as the first one.
Thus right now there's only one attempt; if it fails it won't be retried, even if you remove the PC from the synced group and/or delete it in SEC (you'd have to delete it from the database).
Wed 09-Jan-2013 18:20
We are having the same issue.
Our understanding of the sync feature was that it would allow us to ensure that if a computer exists in AD, it would automatically be protected via this feature.
Our situation (which commonly happens) is that the computer is off for a period of time, and that is why the install attempt failed. Once the computer comes back online, we want to ensure protection is added. Quitting after 1 attempt is no way for your protection to stay compliant within the enterprise.
I understand not retrying every machine in the domain every 5 minutes, but a retry interval should be implemented, perhaps adding a front-end check that retries if it failed because it was unable to connect, or checks for a connection before retrying, or something similar. Failing to protect a computer just because it was off at the first try is no way to operate a "Security" product.
Thu 10-Jan-2013 11:58
Just to make sure: my posts are my personal opinion only, and it's not my (or our) protection; I'm not Sophos.
AD sync with automatic protection is - as I understand it - one way to protect computers. Admittedly there's no detailed description of the process and the lack of retries.
Unfortunately it's not easy (if at all possible) to reliably detect "early failures". The connection could fail because the computer is off or it's not yet configured correctly (firewall). Even if the connection and task creation apparently succeeded, a reboot might interrupt the install or, as said in the first post, the install might not run because of a collision. At this point there is no way for the client to report back its status. You could argue that at least a "can't connect" should trigger a retry. But then, how long should the console wait until it flags the install as failed?
Thus you should see it as a convenience (in case you don't use other mechanisms or the features provided by AD) rather than a tool to ensure compliance. Last but not least it's a general question of deployment and roll-out.
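The two posts of 09-Jan and 10-Jan argue the same design question from both sides: a PC that was merely off should be retried, but an unbounded retry risks the "install loop" from the 28-Nov post, and a hard failure usually repeats for the same reason. The following is an added example written for this thread, not Sophos code and not a description of how SEC actually behaves. It models a bounded retry policy driven by the periodic AD sync: "can't connect" is retried with exponential backoff above a minimum gap until a deadline expires, while a connected-but-failed install is retried only a fixed small number of times. The policy numbers, the three outcome classes and the host names are assumptions I chose for illustration; the `attempt_install` callback stands in for whatever actually pushes the install.

```python
"""Bounded retry policy for automatic endpoint installs driven by an AD sync.

Illustrative model only: it does not talk to SEC, AD or SCCM. It shows the
bookkeeping a console would need (per-host attempt history, a floor between
attempts, a cap on hard failures and a deadline for unreachable hosts) so that
retries neither loop nor continue indefinitely.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Outcome(Enum):
    INSTALLED = "installed"      # the client came up and reported back
    UNREACHABLE = "unreachable"  # could not connect: PC off, not on the network yet, firewall
    FAILED = "failed"            # connected and task created, but the install did not complete


class State(Enum):
    PENDING = "pending"
    PROTECTED = "protected"
    GIVEN_UP = "given_up"        # flagged for the administrator; no further automatic attempts


@dataclass
class Host:
    name: str
    first_seen: int                  # time (minutes) of the sync that discovered the host in AD
    state: State = State.PENDING
    hard_failures: int = 0
    not_before: int = 0              # earliest time the next attempt may run
    history: List[Outcome] = field(default_factory=list)


@dataclass
class RetryPolicy:
    # Assumed values, chosen for the example.
    min_retry_gap: int = 120         # floor between two attempts on one host (prevents the install loop)
    max_retry_gap: int = 24 * 60     # cap on the exponential backoff for unreachable hosts
    max_hard_failures: int = 2       # a repeated hard failure most likely has the same root cause
    unreachable_deadline: int = 3 * 24 * 60  # stop trying a host that never answered for 3 days


class RetryScheduler:
    def __init__(self, policy: RetryPolicy):
        self.policy = policy
        self.hosts: Dict[str, Host] = {}

    def sync(self, now: int, ad_names: List[str],
             attempt_install: Callable[[str], Outcome]) -> List[str]:
        """One AD sync at time `now` (minutes). Returns the hosts an install was attempted on."""
        p = self.policy
        for name in ad_names:
            self.hosts.setdefault(name, Host(name=name, first_seen=now))
        attempted: List[str] = []
        for host in self.hosts.values():
            if host.state is not State.PENDING or now < host.not_before:
                continue
            attempted.append(host.name)
            outcome = attempt_install(host.name)
            host.history.append(outcome)
            if outcome is Outcome.INSTALLED:
                host.state = State.PROTECTED
            elif outcome is Outcome.FAILED:
                host.hard_failures += 1
                if host.hard_failures >= p.max_hard_failures:
                    host.state = State.GIVEN_UP
                else:
                    host.not_before = now + p.min_retry_gap
            else:  # Outcome.UNREACHABLE
                if now - host.first_seen >= p.unreachable_deadline:
                    host.state = State.GIVEN_UP
                else:
                    misses = sum(1 for o in host.history if o is Outcome.UNREACHABLE)
                    gap = min(p.min_retry_gap * 2 ** (misses - 1), p.max_retry_gap)
                    host.not_before = now + gap
        return attempted


def simulate(script: Dict[str, List[Outcome]], policy: Optional[RetryPolicy] = None,
             sync_interval: int = 60, hours: int = 4 * 24) -> Dict[str, tuple]:
    """Drive the scheduler through `hours` of syncs. Each host answers with its scripted
    outcomes in order and keeps repeating the last one. Returns {host: (state, attempts)}."""
    sched = RetryScheduler(policy or RetryPolicy())
    cursor = {name: 0 for name in script}

    def attempt(name: str) -> Outcome:
        i = cursor[name]
        cursor[name] = min(i + 1, len(script[name]) - 1)
        return script[name][i]

    for t in range(0, hours * 60, sync_interval):
        sched.sync(t, list(script), attempt)
    return {h.name: (h.state, len(h.history)) for h in sched.hosts.values()}


if __name__ == "__main__":
    # Constructed scenarios: a collision with SCCM that clears on retry, a PC that is off
    # for a few hours, a genuinely broken install, and a PC that never comes back.
    demo = {
        "pc-collision": [Outcome.FAILED, Outcome.INSTALLED],
        "pc-off": [Outcome.UNREACHABLE] * 3 + [Outcome.INSTALLED],
        "pc-broken": [Outcome.FAILED, Outcome.FAILED],
        "pc-never": [Outcome.UNREACHABLE],
    }
    for name, (state, attempts) in simulate(demo).items():
        print(f"{name:14s} {state.value:10s} after {attempts} attempt(s)")
```

With the assumed policy the collision case is protected on the second attempt two hours later, the PC that was off is protected on its fourth attempt, the broken install is flagged after two hard failures rather than retried forever, and the host that never answers gets seven attempts spread over three days before it is flagged, which is the bounded behaviour the thread asks for without the indefinite retry the 28-Nov post warns about.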