MSI Installer for EndPoint Protection or Intune compatible deployment method

It's not possible.  The only way you could deploy the install as an MSI would be to author an MSI to call SophosSetup.exe.  Would that even help?

Regards,

Jak

Hello,

Not possible or not available?

I don't see what installer could possibly doing that couldn't now be done with an MSI.

I tried out the re-authoring of an MSI that wraps the SophosSetup.exe and it did work but it was unnecessarily complicated and slightly messy.

Regards

Sam

The Sophos endpoint has a number of components depending on license, some are MSI based some are not.

When you run the Central Installer, SophosSetup.exe, it pulls down a stage2 installer which registers with Central, gets policy information such as update cache locations, and is able to pull down a warehouse of files, before decoding them to the individual components under:

C:\ProgramData\Sophos\CloudInstaller\AutoUpdatePreparation\Cache\decoded\

At this point you have a sub directory for each product to install. 

From the Cloud installer log you can see the install order of the potential 17 components:

Install sequence for components is: uninstaller64 sed64 mcsep sse64 sfs64 clean64 esh64 ui64 shs sdu efw64 savxp enc sme64 ntp64 hmpa64 sau 

As mentioned some of these are MSI based some are not but each of them has a setup plugin (setup.dll) which helps the component performing the installation (the stage 2 Central Installer for a fresh install or Sophos AutoUpdate for future updates) call the installer as needed depending on scenario, i.e. pass properties to the MSIs, perform pre-checks, actions before and actions after install. 

AutoUpdate or the stage 2 installer doesn't know about products it manages, it relies on the components setup plugin to provide the logic to help it install the software.  This is why the install logs either have a separate setup log and MSI or install log or they are merged into a single log which has lines from the setup plugin and MSI together.  SAV install log has the setup logging and MSI log in the same file for example.  AutoUpdate has a separate setup log and MSI log.

If you were going to provide a single MSI to use to deploy the endpoint, I guess you would be essentially installing something like the Cloud installer which was able to orchestrate the download and install but then relinquish this management to AutoUpdate post initial install.  I don't ever see there being one MSI to install all 17 components so it would have to just be a downloaded.

Regards,
Jak

Thank you Jak for the detailed explanation.

When I was testing wrapping the EXE with an MSI I did exactly as you mentioned; wrapped the Cloud Installer in an MSI.

It worked and it would be great if Sophos could provide the same thing. It would vastly improve our usability of Sophos.

Hi Sam

Not sure if you will see this, but wondering if you could please give me some pointers on this.  I've tried wrapping the sophossetup.exe in to an msi, but when it distributes through intune it starts the install, I can see the programdata folder fill up, then the folder in the program files x86 starts with the stage 2 setup, then it just craps out and doesn't install.

Did you do anything special with wrapping the .exe to the msi?

Hello

So I only did some quick testing but I wrapped it using a trial of Advanced Installer and it deployed fine.
Wrapping it so that it worked was a feature of their Enterprise SKU.

The biggest problems for me were:

• You have the stub of an application from the wrapper and Sophos with Add/Remove programs but I guess technically it did work
• Is it supported?
• We have to pay for another application to carry on using/deploying Sophos

Regards
Sam

I'll keep at it then and try advanced installer, thanks for taking the time to reply :)

I do agree though, having a cloud based application to surely attract cloud based systems yet not supporting one of the main MDM systems via an msi installer is crazy.

I'll keep at it then and try advanced installer, thanks for taking the time to reply :)

I do agree though, having a cloud based application to surely attract cloud based systems yet not supporting one of the main MDM systems via an msi installer is crazy.

No worries.

It does seem crazy.

I would suggest downloading and install WiX.  You can create a MSI with just a couple of commands and some XML.  For example.

1. Download WiX - http://wixtoolset.org/releases/ and install it.

2. Add the installation path of WiX to your PATH.  E.g. Add the following to your PATH variable:
C:\Program Files (x86)\WiX Toolset v3.11\bin

3. Save the attached file as SophosExeWrapper.wxs to say C:\sophosmsi\.  You could use the .txt but it should be .wxs.

4. Download the correctly configured Cloud installer SophosSetup.exe from Central and save it to C:\sophosmsi\

5. In an admin prompt, CD to \sophosmsi

6. Run:
candle SophosExeWrapper.wxs

7. Run
light SophosExeWrapper.wixobj

You should then have a MSI file.

Things to change in the XML (Product section at the top) first:
1. UpgradeCode, go to: https://www.guidgenerator.com/online-guid-generator.aspx and generate a new GUID.
2. Name if you wish for the package to appear differently.
3. Manufacturer to be your company name for example.

I hope it helps.

There maybe some more tweaking you'd like to do to the XML after reading the WiX documentation but this could be a starting point.

Regards,
Jak

4520.SophosExeWrapper.txt

many thanks for this.  Running the msi alone seems to work unlike my previous tries.  I'm just trying to get intune to play nicely with it now...

ok, it seems to install via intune but doesn't fully install.

The central admin console lists the computer, but no green tick.  Go in to the computer properties in the central admin console and endpoint advanced is under the assigned products, however, there is no status tab.  there is no Sophos icon in the taskbar, but I can see some of the components in the process list.

Can anybody point me in the right direction of what I need to check next?

The installer log for sophossetup. It is in \programdata\sophos\cloudinstaller\logs\. I think cloud installer is the right directory off the top of my head. Can you attach it?

arrgghhh, got in this morning and somebody had re-imaged the machine.  I'll try again and if the same thing happens I'll get the log attached.  

ok, so I think it's sorted now on the install side.  However, I now have the opposite problem.  When I go to programs and features and try to uninstall the sophos endpoint package, I press uninstall, get the UAC prompt, press ok, then nothing happens.  That means that I cannot now uninstall the client.

does anybody have any ideas where to look to troubleshoot this please?

Well the Programs and Features entry in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Agent\
UnintallString 

Should point to: "C:\Program Files\Sophos\Sophos Endpoint Agent\uninstallgui.exe"

I assume that file exists on disk and that component installed OK?

Regards,

Jak

yes, it all appears to be installed correctly, the sophos central is all good for that computer and the registry key is there.  However, clicking uninstall still does nothing, it doesn't even register in the application event log that I tried to uninstall it.  It's very odd.

If that file is there it is very odd.  The only think I can suggest at this point is to run it while running Process Monitor (docs.microsoft.com/.../procmon) to see what happens?  Maybe some of the events in a trace make it obvious.

Regards,
Jak