Sophos Central Windows Endpoint: Deploying using Microsoft Intune

FormerMember over 2 years ago

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This knowledge base article provides a high-level overview on how to use Microsoft Intune to deploy the Sophos Central Windows endpoint software.

The steps below are provided with the assumption that Intune has already been used to deploy packages to Windows endpoints and you are already familiar with the general workflows described.

The following sections are covered:

Table of Contents

Applies to the following Sophos product(s) and version(s)
Central Windows Endpoint
Sophos Endpoint Security and Control

What to do

Create the .intunewin file from the Sophos Central installer file

Note: It is recommended to deploy using AutoPilot from Windows enrollment

Create the following folders using a Command Prompt with admin privilege:
1. md C:\Temp
2. md C:\Temp\IntunePackageSource
3. md C:\Temp\IntunePackageOutput
4. md C:\Temp\Intune-Win32-App-Packaging-Tool-master
From your Sophos Central account, download SophosSetup.exe and save it at C:\Temp\IntunePackageSource.
From Github, download the Microsoft Win32 app packaging tool (IntuneWinAppUtil.exe) and save it at C:\Temp\Intune-Win32-App-Packaging-Tool-master.
Using a Command Prompt, run the packaging tool from the specified folder.
When prompted, specify the following:
- Source folder: C:\Temp\IntunePackageSource
- Setup file: SophosSetup.exe
- Output folder: C:\Temp\IntunePackageOutput
- Catalog folder: N

The message INFO File 'C:\Temp\IntunePackageOutput\SophosSetup.intunewin' has been generated successfully will be displayed.

Create the Win32 app within Intune

Log in to your Azure AD tenant with an account with the required access to manage Intune.
Search for and click Intune.
In the left navigation column, click Apps.
In the opened Apps section click All Apps.
Click on the Add button.
Click the drop-down for app type then select Windows app (Win32) followed by select.
From the App information tab select SophosSetup.intunewin file from C:\Temp\IntunePackageOutput then click OK.
The app information can then be configured as follows:
- Name: Sophos Central
- Description: Advanced endpoint protection coupled with a simple, intuitive user experience
- Publisher: Sophos Ltd
- Information URL: www.sophos.com/.../sophos-central.aspx
- Privacy URL: www.sophos.com/.../product-privacy-info.aspx
Enter the install and uninstall commands in the Program tab, then click Next.
- Install command: SophosSetup.exe --quiet
  
  Note: For more information on the available command-line options, please see: Sophos Central Endpoint: Installer command line options for Windows and Mac.
- Uninstall command: %ProgramFiles%\Sophos\Sophos Endpoint Agent\uninstallcli.exe
- Leave the return codes and scope (tags) as default
Enter the OS architectures you wish to deploy from the Requirements tab, then click Next.
Enter the detection rule in the Detections Rule by selecting Manually configure detection rules from the Rules format drop-down menu
and enter the following parameters, then click the Ok button followed by the Next button.
- Rule type: File
- Path: %ProgramFiles%\Sophos\Sophos UI
- File or folder: Sophos UI.exe
- Detection method: File or folder exists.
Once your app is ready and you are on the Assignments tab, assign it to a ‘Required’ group by clicking on Add Group to assign the
application to your group, then click Next.
Note: This will be installed automatically on enrolled devices.
Review the details of your app and click on create.
From Apps section you will now see the newly created application.

Endpoint deployment

Once your endpoint is configured and enrolled with Windows Autopilot the software will automatically deploy to your device. The end-user may see the following notifications if these were configured in the above application creation.

The end-user will also see the Sophos endpoint Agent icon in the system tray:

Related information

Updated disclaimer
[edited by: Qoosh at 9:32 PM (GMT -7) on 31 Mar 2023]

Top Replies

Kyle Curtis over 1 year ago +7

Where can I find the Mac equivalent instruction of this for the .intunemac package? A co-worker and I have tried to create custom scripted packages since the installer, as it comes, is an .app not a pgk…

BossSayBootz over 2 years ago

Nice Article. Alas,,, what about removing Windows Defender; Is it not as important, to not be running two endpoint protection applications at the same time?

My understanding is that Defender will automatically enter into a passive state when it detects another AV product installed... However is that true and for Microsoft Servers as well?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
FormerMember over 2 years ago in reply to BossSayBootz

Hi BossSayBootz,

Sorry for the late response, the information you are looking for can be found here in Microsoft's documentation.

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide

Thanks!
Cancel
Vote Up +2 Vote Down

Sign in to reply

Cancel
Kyle Curtis over 1 year ago

Where can I find the Mac equivalent instruction of this for the .intunemac package? A co-worker and I have tried to create custom scripted packages since the installer, as it comes, is an .app not a pgk file. Our best result so far gets rejected by intune because the MacOSLobChildApp (aka the sophos client installer) has an null or empty BuildNumber.
Cancel
Vote Up +7 Vote Down

Sign in to reply

Cancel
Meir Weiss over 1 year ago

Thank you for the clear how to. It saved us hours.

Recently (over the past month) the installation stopped working on all new computers/ clients. I opened a ticket with Sophos but they weren't able to help me out. Anyone have any ideas? Did this happen to you?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Bryce Miller 10 months ago in reply to Meir Weiss

Meir,

We had the same issue. What fixed it for me was to download the latest version of sophos and build the intune package by uploading a new .intunewin file. Best of luck!
Cancel
Vote Up +3 Vote Down

Sign in to reply

Cancel
Sophos User5849 1 month ago

Hi,

This article works great on our Windows 11 enterprise deployments (azure joined) Dell XPS hardware, but we can't get it working on Windows 11 enterprise azure joined hosted by parallels on Apple MacBooks with M1/M2 chip.

Even with the latest installer, when sophos is pushed out by Intune, we keep getting the error that there is no ARM64 support in the logs. If we try the installer directly on the parallels image, it has no problem.
Anyone have this error too?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Charles Cresswell 23 days ago in reply to Bryce Miller

so does the installation not auto-update once installed via InTune or is it stuck at the deployed version?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Meir Weiss 23 days ago

Would creating this PS script work for deploying?

https://github.com/q2srw77/Generic-Installer/blob/master/Windows/Sophos%20Central%20Windows%20Installer%20API%20Script.ps1

# -----------------------------------------------------------------------------------------------
	# Component: Sophos Central Installer
	# Author: Stephen Weber
	# Purpose: Using the new Sophos Thin installer,
	# perform default install of Sophos Central using the defined variables
	# Version 1.2
	# -----------------------------------------------------------------------------------------------

	#Setup Customer Variables
	#CustomerToken - Example - "Customer Token Here"
	#Products - Example - "antivirus,intercept"
	$Global:CustomerToken
	$Global:Products

	# Define Functions

	function Get-SophosInstalled {

	$Global:installed *).DisplayName -contains "Sophos Endpoint Agent"
	$Global:mcsclient Get-Service -name "Sophos MCS Client" -ea SilentlyContinue
	$Global:mcsagent Get-Service -name "Sophos MCS Agent" -ea SilentlyContinue
	}

	# Sophos Central Installation
	Start-Transcript c:\temp\SophosCentralInstallLog.txt
	Write-Host "Starting the Sophos Central Installation based on the variables defined in the site"
	Write-Host ""
	Write-Host "Checking to see if Sophos is Already Installed"

	Get-SophosInstalled
	if ($installed -eq "True") {
	Write-Host "--Sophos Central Endpoint Agent Installed"
	if ($mcsclient.Status -eq "Running"){
	Write-Host "--Sophos MCS Client is Running"
	Exit 0
	}
	}
	else {
	Write-Host "--Sophos Central is Not Installed"
	Write-Host "Sophos MCS Client is Not Running"
	}

	# Check for the Site Variables
	Write-Host ""
	Write-Host "Checking the Variables"

	if ($CustomerToken -eq $null)
	{Write-Host "--Customer Token Not Set or Missing"
	Stop-Transcript
	Exit 1}
	else
	{Write-Host "--CustomerToken = "$CustomerToken""}

	if ($Products -eq $null)
	{Write-Host "--Sophos Products Not Set or Missing"
	Stop-Transcript
	Exit 1}
	else
	{Write-Host "--Products = "$Products""}

	# Sophos parameters are defined from the site specific variables
	$arguments "--products=""" + $Products
	$arguments $arguments + """ --quiet"

	# Check to see if a previous SophosSetup Process is running
	Write-Host ""
	Write-Host "Checking to see if SophosSetup.exe is already running"
	if ((get-process "sophossetup" -ea SilentlyContinue) -eq $Null){
	Write-Host "--SophosSetup Not Running"
	}
	else {
	Write-Host "Sophos Currently Running, Will Kill the Process before Continuing"
	Stop-Process -processname "sophossetup"
	}

	#Force PowerShell to use TLS 1.2
	[Net.ServicePointManager]::SecurityProtocol Net.SecurityProtocolType]::Tls12

	# Download of the Central Customer Installer
	Write-Host ""
	Write-Host "Downloading Sophos Central Installer"
	Invoke-WebRequest -Uri "central.sophos.com/.../$CustomerToken/SophosSetup.exe" -OutFile SophosSetup.exe
	if ((Test-Path SophosSetup.exe) -eq "True"){
	Write-Host "--Sophos Setup Installer Downloaded Successfully"
	}
	else {
	Write-Host "--Sophos Central Installer Did Not Download - Please check Firewall or Web Filter"
	Stop-Transcript
	Exit 1
	}

	# This Section starts the installer using the arguments defined above
	Write-Host ""
	Write-Host "Installing Sophos Central Endpoint:"
	Write-Host ""
	Write-Host "SophosSetup.exe "$arguments""
	Write-Host ""

	start-process SophosSetup.exe $arguments

	$timeout new-timespan -Minutes 30
	$install diagnostics.stopwatch]::StartNew()
	while ($install.elapsed -lt $timeout){
	if ((Get-Service "Sophos MCS Client" -ea SilentlyContinue)){
	Write-Host "Sophos MCS Client Found - Breaking the Loop"
	Break
	}
	start-sleep -seconds 60
	}
	Write-Host ""
	Write-Host "Sophos Setup Completed"

	# Verify that Sophos Central Endpoint Agent Installed
	Write-Host ""
	Write-Host "Verifying that Sophos Central Endpoint installed and is Running"

	Get-SophosInstalled
	if ($installed -eq "True") {
	Write-Host "--Sophos Central Endpoint Agent Installed Successfully"
	if ($mcsclient.Status -eq "Running"){
	Write-Host "--Sophos MCS Client is Running"
	if ($mcsagent.Status -eq "Running"){
	Write-Host "--Sophos MCS Agent is Running"
	Write-Host "Log Location - <system>\programdata\Sophos\Cloudinstaller\Logs\"
	Stop-Transcript
	Exit 0
	}
	}
	}
	else {
	Write-Host "--Sophos Central Install Failed"
	Write-Host ""
	Write-Host "Please check the Sophos Central Install Logs for more details"
	Write-Host ""
	Write-Host "Log Location - <system>\programdata\Sophos\Cloudinstaller\Logs\"
	Stop-Transcript
	Exit 1
	}