Sophos Central Windows Endpoint: Deploying using Microsoft Intune

Overview

This knowledge base article provides a high-level overview on how to use Microsoft Intune to deploy the Sophos Central Windows endpoint software.

The following information could also be used as a guide when deploying the Sophos Enterprise Console (SEC) managed client.

The steps below are provided with the assumption that Intune has already been used to deploy packages to Windows endpoints and you are already familiar with the general workflows described.

The following sections are covered:

Applies to the following Sophos product(s) and version(s)
Central Windows Endpoint
Sophos Endpoint Security and Control


 What to do 

 Create the .intunewin file from the Sophos Central installer file

  1. Create the following folders using a Command Prompt with admin privilege:

    1. md C:\Temp
    2. md C:\Temp\IntunePackageSource
    3. md C:\Temp\IntunePackageOutput
    4. md C:\Temp\Intune-Win32-App-Packaging-Tool-master
  2. From your Sophos Central account, download SophosSetup.exe and save it at C:TempIntunePackageSource.
  3. From Github, download the Microsoft Win32 app packaging tool (IntuneWinAppUtil.exe) and save it at C:\Temp\Intune-Win32-App-Packaging-Tool-master.
  4. Using a Command Prompt, run the packaging tool from the specified folder.
  5. When prompted, specify the following:

    • Source folder: C:\Temp\IntunePackageSource
    • Setup file: SophosSetup.exe
    • Output folder: C:\Temp\IntunePackageOutput
    • Catalog folder: N

The message INFO File 'C:\Temp\IntunePackageOutput\SophosSetup.intunewin' has been generated successfully will be displayed. 

 Create the Win32 app within Intune

  1. Log in to your Azure AD tenant with an account that has the required access to manage Intune.
  2. Search for and click Intune.
  3. In the left navigation column, click Client apps.
  4. Under the Manage section click Apps.
  5. Click on the Add button.
  6. Click the drop-down for app type then select Windows app (Win32).
  7. Select SopphosSetup.intunewin file from C:\Temp\IntunePackageOutput then click OK.
  8. The app information can then be configured as follows:

  9. Enter the install and uninstall commands then click OK.

  10. Enter the OS architectures you wish to deploy to then click OK.
  11. Enter the detection rule then click the succeeding OK buttons.

    • Rule type: File
    • Path: %ProgramFiles%\Sophos\Sophos UI
    • File or folder: Sophos UI.exe
    • Detection method: File or folder exists.
    Note: There are potentially several markers that indicate Sophos Cloud endpoint is already installed. The example above is a component that is only installed as part of the Sophos Central product compared to the on-premise solution. Therefore, this would allow for migrations to Sophos Central. You may wish to add additional rules for other Sophos Central components such as the files of the Sophos Management Communication System (MCS) to harden the detection method.


  12. Leave the return codes and scope (tags) as default then click Add.
  13. Once your app is ready, click on Assignments.
  14. Click Add Group then assign the application to your required group.

Related information

Sign up to the Sophos Support Notification Service to get the latest product release information and critical issues.



edited links 2
[edited by: Marlon Deza at 4:23 AM (GMT -8) on 10 Mar 2021]

Top Replies