
SGN Client automatic upgrade or central deployment methodology that works?

Hi there.

Long time user of SafeGuard Enterprise. Initially purchased for laptop FDE, now being used for Data Exchange and File Encryption.

We're in a race against time to complete the rollout of version 7.00.2 to all machines in the enterprise (1300+ at the last count).

This is a mixture of fresh deployments to desktops (where FDE was not needed) and an upgrade of some notebooks which are running various legacy versions of SGN, as far back as 5.6.

I know that there's no direct upgrade path to 7.00.2 from some of the older versions, that's not the reason (directly) for this post.

So, to the point: has anyone found a good way to automatically deploy SGN?

To date, we're stuck using scripts which are run manually on each machine and call the 3 MSI files in sequence. Typically, the client will eventually be installed using this method (usually 3+ attempts with reboots in between). Pre-reqs and config files typically install without issue.

I'm open to suggestions about how we can better accomplish this!

To say that this current practice is a ball-ache is something of an understatement, especially when we need to upgrade, where we usually have the same process again - this is one reason why we've got such a legacy of installed versions.

When I was at Sophos HQ last week, I was shown the persistent file encryption option and (as it fits with a project that I'm currently working on) asked for some more details. At which point I was told that it needed SGN 8.

I rolled my eyes at this and mentioned the fact that upgrade process for us can take several months because of its manual nature. I also pointed out that I was likely to get lynched upon my return if I suggested another SGN upgrade before mid-2017. 

The senior tech that was running through the demo exclaimed that 'it was easy' and then proceeded to click the 'Synchronise' button in SGN which he assured me meant that the machine would download the latest client version from the server and that it would be updated automatically.

Has anyone seen this witchcraft working? If what I was shown is true then it looks like future upgrades could be very straightforward, however I can't see anything in the (v7) SGN Console that hints as to how this might be achieved.

Any info is gratefully received!

Kind regards,

Mark



  • I think what the tech was showing you in relation to synchronize is the manual AD/LDAP sync that will not upgrade your agents as far as I am aware. I would love to see this type of functionality as well.

  • FormerMember

    Hello Mark,

    I'm afraid that is witchcraft indeed. During synchronisation the states of the clients are reported to the SafeGuard Enterprise backend, policies are updated and the user-machine assignment is checked; only the following things are changed on the client:

    • Policies that were changed in the Management Center
    • On a Mac, users that have been deleted or blocked in the Management Center are also removed from the list of FileVault 2 users

    In regards to an upgrade of the endpoints this is still an easy process, the pre-install, Client and Configs are all just MSIs (.Zips on a Mac) so can be pushed out via GPO, SCCM, LANDESK or other similar systems. 

    We do have basic documentation for Central Installations (https://docs.sophos.com/esg/sgn/8-0/admin/win/en-us/webhelp/index.htm#concepts/ClientInstallCentralCommand.htm) but if you're looking for some help putting a script together it would be well worth having a chat to our Pro Services team which can be booked in via your account manager.

    I hope that helps Mark but do let me know if you have any questions on that.

  • I'm familiar with the SGN admin console - this is not what he demonstrated / claimed...

    It can't be too much of a stretch to include some sort of central updating tool into SGN, surely.

    How can I submit a feature request? As I said, updates to the client base are a royal pain at the moment - there has to be a better way. We can't be the only organisation that struggles with this...!

  • Hi Toby

    We have a script which was provided by our Sophos partner for deployment but it is hit-and-miss, as I mentioned.

    Even manually installing the client itself can take 2-3 attempts or more so we have little confidence in an automatic deployment from the MSI but perhaps we'll try it again.

    We'll give this a try over the next few days and report back.

    Thanks,

    Mark 

  • To more-or-less close this out, we opted for deployment via GPO, initially for our desktop machines with no existing SGN footprint, then as a step-by-step upgrade from 5.6 (with ConfigProtection) through 6.1 to 7.00.2

    Initial testing looks good and we're starting a larger-scale roll-out as I type this.

    The process has not been helped by the need to create our own MST files for the installations. Ultimately, this is not a complex task but it is pretty fiddly and time consuming if you don't have someone in the team with the necessary knowledge and experience. This is definitely one area where Sophos could help, e.g. by providing a transform creator.

    Also, because we have not kept up-to-date with the client versions (our fault), the upgrade process from 5.6 (with CP) to 7.00.2 is a little cumbersome, even when automated (4 reboots and around 20 minutes end-to-end).

    Still, we've got a working platform and I've learned a lot about WMI, GPOs and MST files in the last few days.

    Happy to provide some guidance if anyone is interested. Reply to this post and I'll get back to you when I can.

    Cheers,

    Mark

  • FormerMember in reply to MarkWheeler

    Hello Mark,

    Many thanks for the update.

    I know there's been a request in the past for central deployment, and the development team are looking into whether or not this is feasible, however any organisations that need to push out software like this to a number of machines will typically use GPO, or whatever else they rely on for the rest of their software applications.


    MST files are very rarely needed, you can specify the features you want installed via the MSIEXEC command, all this is in the link I sent earlier on in this post.
    In terms of Configuration Protection luckily that is a once-off removal.

    All the best with it Mark and do let me know if you need any further assistance on this.

  • Hi Toby

    Whilst I agree that you can install the packages using scripted MSI Exec commands (we were doing this in the past), if you want to use a standard software deployment GPO, there isn't a way to do this without using a transform (unless I'm missing something).

    The reason, we believe, that we have had so many problems with the scripted method is that this is run once the user is logged on and there seems to be a background process (perhaps specific to our environment) which causes the client installation to fail at least 2/3rds of the time. This results in multiple reboots and lots of frustration and is not an approach that I would want to use for a large-scale deployment.

    In the same vein, our deployment tool (Empirum) typically runs installations after the user has logged on, and therefore would suffer the same issue as with the scripted approach - hence the choice of (quick and cheap) GPO deployment.

    Regards,

    Mark

  • FormerMember in reply to MarkWheeler

    Hi Mark,

    So with the central deployment options you can run any of the SGN components like this:

    msiexec /i <path+msi package name> / <SGN Features> <SGN parameter>

    If you review the ADDLOCAL options (docs.sophos.com/.../index.htm) you'll see you can pass in various parameters for what you'd like installed. For example, you could specify "Client, NextGenDataProtection" which would install the Client and Application Encryption features.

    There shouldn't be any need to play around with MST files unless you want to force a particular override, for example to force the product to install in a language different to the OS locale.

    In terms of reboots there are frequently 2-3 to be done depending on the OS, what's installed etc.
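
    The reply above describes the central-installation approach (pre-install, client and config MSIs run in sequence via msiexec with ADDLOCAL features), and Mark's posts describe the two things that made it unreliable for him: installs run after user logon, and the reboots needed between packages. The following PowerShell script is an added example written for this page; it is not code from the thread, from Sophos or from the linked documentation. It runs the packages in order as a single resumable job intended to execute as SYSTEM before logon (a GPO startup script or a deployment-tool task), records which step completed in the registry so that the next run resumes after a reboot, retries on Windows Installer's "another installation is in progress" exit code, and stops with exit code 3010 when a package asks for a reboot. The share path, MSI file names, the registry key and the ADDLOCAL value are assumptions (the feature names are those quoted in the reply above; confirm them against the product's ADDLOCAL table), and must be adapted before use.

```powershell
# Added example, not code from the thread or from Sophos. Sequenced, resumable
# install of a multi-MSI client. Share path, file names, registry key and the
# ADDLOCAL value are assumptions to adapt to your own packages and documentation.
# Intended to run as SYSTEM before user logon (GPO startup script or a deployment
# tool task), since installs run after logon failed often in the environment
# described in the thread.

$Share    = '\\fileserver\deploy\SGN'          # assumed UNC path holding the MSIs
$LogDir   = "$env:SystemRoot\Temp\SGNDeploy"
$StateKey = 'HKLM:\SOFTWARE\Contoso\SGNDeploy'  # assumed key; remembers progress across reboots

# Ordered steps. File names are placeholders; the thread only says the packages
# are pre-install, client and config. 'Client,NextGenDataProtection' is the
# ADDLOCAL value quoted in the thread; verify it against the ADDLOCAL table.
$Steps = @(
    @{ Name = 'preinstall'; File = 'preinstall.msi';   Props = @() },
    @{ Name = 'client';     File = 'client.msi';       Props = @('ADDLOCAL=Client,NextGenDataProtection') },
    @{ Name = 'config';     File = 'clientconfig.msi'; Props = @() }
)

New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
New-Item -Path $StateKey -Force | Out-Null
$Done = (Get-ItemProperty -Path $StateKey -Name StepsDone -ErrorAction SilentlyContinue).StepsDone
if (-not $Done) { $Done = 0 }

function Invoke-Msi {
    param([string]$Msi, [string[]]$Props, [string]$Log)
    # /qn = no UI, /norestart = this script decides when to reboot, /l*v = verbose log
    $msiArgs = @('/i', "`"$Msi`"", '/qn', '/norestart', '/l*v', "`"$Log`"") + $Props
    for ($try = 1; $try -le 5; $try++) {
        $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        # 1618 = ERROR_INSTALL_ALREADY_RUNNING: another installer holds the Windows
        # Installer mutex (a common cause of "random" failures). Wait and retry
        # instead of failing the whole run.
        if ($p.ExitCode -ne 1618) { return $p.ExitCode }
        Start-Sleep -Seconds 60
    }
    return 1618
}

for ($i = $Done; $i -lt $Steps.Count; $i++) {
    $s   = $Steps[$i]
    $msi = Join-Path $Share $s.File
    $log = Join-Path $LogDir ("{0}-{1:yyyyMMdd-HHmmss}.log" -f $s.Name, (Get-Date))
    $rc  = Invoke-Msi -Msi $msi -Props $s.Props -Log $log

    $needReboot = $false
    if ($rc -eq 0) {
        # Installed, no reboot requested.
    }
    elseif ($rc -eq 3010 -or $rc -eq 1641) {
        # Installed, but Windows Installer requires a reboot before continuing.
        $needReboot = $true
    }
    else {
        # Leave StepsDone untouched so the next run retries this same step.
        Write-Error "Step '$($s.Name)' failed with msiexec exit code $rc (log: $log)"
        exit $rc
    }

    Set-ItemProperty -Path $StateKey -Name StepsDone -Value ($i + 1) -Type DWord
    if ($needReboot) {
        # Stop here; the next run (after the reboot) resumes at step $i + 1.
        exit 3010
    }
}

Write-Output 'All SGN packages installed.'
exit 0
```

    Run it once per boot until it exits 0. Deployment tools such as SCCM or Empirum treat exit code 3010 as "installed, reboot pending" and will reboot and re-run the job; for a plain GPO startup script, which ignores exit codes, replace `exit 3010` with `Restart-Computer -Force` so the next step runs on the following boot. Keep the verbose `/l*v` logs: when a step fails repeatedly, the log names the exact action and error, which is far more useful than the generic exit code alone.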

  • Yes. I know this. However, it doesn't work reliably in our environment as I've mentioned two or three times now.