Sophos Central Windows Endpoint: Deploying using Microsoft Intune

FormerMember

Disclaimer: This information is provided as-is for the community's benefit. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article provides a high-level overview of using Microsoft Intune to deploy the Sophos Central Endpoint Agent on Windows devices.

The steps below are provided assuming that you have already used Intune to deploy packages to Windows devices and are familiar with the general workflows described.

Note: It is recommended to deploy using Autopilot from Windows enrollment.

 

Product and Environment

  • Microsoft Intune
  • Sophos Central Endpoint
  • Windows

Creating the .intunewin file from the Sophos Central installer file

  1. Create the following folders using a Command Prompt with admin privilege:

    1. md C:\Temp
    2. md C:\Temp\IntunePackageSource
    3. md C:\Temp\IntunePackageOutput
    4. md C:\Temp\Intune-Win32-App-Packaging-Tool-master
  2. Download the Sophos Central installer SophosSetup.exe from your Sophos Central Admin dashboard and save it at C:\Temp\IntunePackageSource.
  3. Go to GitHub, download the Microsoft Win32 app packaging tool (IntuneWinAppUtil.exe), and save it at C:\Temp\Intune-Win32-App-Packaging-Tool-master.
  4. Using a Command Prompt, run the packaging tool from the specified folder above.
  5. When prompted, specify the following:

    • Source folder: C:\Temp\IntunePackageSource
    • Setup file: SophosSetup.exe
    • Output folder: C:\Temp\IntunePackageOutput
    • Catalog folder: N

The message INFO File 'C:\Temp\IntunePackageOutput\SophosSetup.intunewin' has been generated successfully will be displayed. 
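
The packaging steps above can also be run non-interactively, with a check that the installer is intact before it is wrapped and pushed to every enrolled device. This is an added example, not part of the original Sophos article; it assumes the folder layout from step 1, that both downloads are already in place, and that SophosSetup.exe carries an Authenticode signature, and it uses the packaging tool's `-c`, `-s`, `-o` and `-q` switches.

```powershell
# Added example: scripted version of steps 1-5 with integrity checks.
# Paths are the ones used in this article.
$root   = 'C:\Temp'
$source = Join-Path $root 'IntunePackageSource'
$output = Join-Path $root 'IntunePackageOutput'
$tool   = Join-Path $root 'Intune-Win32-App-Packaging-Tool-master\IntuneWinAppUtil.exe'
$setup  = Join-Path $source 'SophosSetup.exe'

# Step 1: create the working folders (no error if they already exist).
foreach ($dir in $source, $output, (Split-Path $tool)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# Steps 2-3 are manual downloads; stop if either file is missing.
foreach ($file in $setup, $tool) {
    if (-not (Test-Path $file)) { throw "Missing $file (see steps 2 and 3)" }
}

# Refuse to package an installer whose signature does not validate.
# Assumption: the installer is Authenticode-signed; review the printed signer.
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid') { throw "Signature on $setup is $($sig.Status)" }
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# The tool packages the whole source folder, so it must hold only the installer.
$extra = Get-ChildItem -Path $source -Force | Where-Object Name -ne 'SophosSetup.exe'
if ($extra) { throw "Unexpected files in ${source}: $($extra.Name -join ', ')" }

# Steps 4-5: -c source folder, -s setup file, -o output folder, -q quiet mode.
& $tool -c $source -s 'SophosSetup.exe' -o $output -q

# Confirm the package exists and record its hash for the change record.
$package = Join-Path $output 'SophosSetup.intunewin'
if (-not (Test-Path $package)) { throw "Package was not created: $package" }
Get-FileHash -Path $package -Algorithm SHA256 | Format-List Path, Hash
```

The installer downloaded from Sophos Central is tied to your account, so keep the source and output folders readable by administrators only.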

Creating the Win32 app within Intune

  1. Sign in to your Azure AD tenant with an account that can manage Intune.
  2. Search for and click Intune.
  3. In the Microsoft Intune admin center, click Apps.



  4. Click All Apps > Add



  5. Select Windows app (Win32) for the App type, then click Select



  6. In App information, click Select app package file.

  7. Select the SophosSetup.intunewin file from C:\Temp\IntunePackageOutput, then click OK



  8. The app information can then be configured as follows:

  9. In the Program tab, enter the install and uninstall commands, then click Next.

  10. In the Requirements tab, select the OS architecture and the Minimum OS you want to deploy, then click Next



  11. In the Detection rules tab, select Manually Configure detection rules from the Rules format drop-down menu. Enter the following for the detection rule:

    • Rule type: File
    • Path: %ProgramFiles%\Sophos\Sophos UI
    • File or folder: Sophos UI.exe
    • Detection method: File or folder exists. 

      Click OK followed by Next.   



  12. Click Next on the Dependencies and Supersedence tabs.
  13. In the Assignments tab > Required, click Add group, select the group to which you want to assign the app, and then click Next.
    Note: The app will be automatically installed on enrolled devices.



  14. In the Review + create tab, check the details of your app and click Create

The new app will now show in the Apps section of your Microsoft Intune admin center. 

Endpoint deployment

Once your devices are configured and enrolled with Windows Autopilot, the Sophos Endpoint Agent will automatically deploy. You may see the following notifications on your devices.



You will also see the Sophos Endpoint Agent icon in the system tray.


Related information

Sign up for the Sophos Support Notification Service to receive proactive SMS alerts for Sophos products and Sophos Central services.



updated Sept 26, 2024 KBT-10114
[edited by: Raymond at 5:05 AM (GMT -7) on 26 Sep 2024]
  • Would creating this PS script work for deploying? 

    https://github.com/q2srw77/Generic-Installer/blob/master/Windows/Sophos%20Central%20Windows%20Installer%20API%20Script.ps1

    # -----------------------------------------------------------------------------------------------
    # Component: Sophos Central Installer
    # Author: Stephen Weber
    # Purpose: Using the new Sophos Thin installer,
    # perform default install of Sophos Central using the defined variables
    # Version 1.2
    # -----------------------------------------------------------------------------------------------
    #Setup Customer Variables
    #CustomerToken - Example - "Customer Token Here"
    #Products - Example - "antivirus,intercept"
    $Global:CustomerToken
    $Global:Products
    # Define Functions
    function Get-SophosInstalled {
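    # Look for the agent's display name under the standard Uninstall registry key
    $Global:installed = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*').DisplayName -contains "Sophos Endpoint Agent"
    $Global:mcsclient = Get-Service -name "Sophos MCS Client" -ea SilentlyContinue
    $Global:mcsagent = Get-Service -name "Sophos MCS Agent" -ea SilentlyContinue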
    }
    # Sophos Central Installation
    Start-Transcript c:\temp\SophosCentralInstallLog.txt
    Write-Host "Starting the Sophos Central Installation based on the variables defined in the site"
    Write-Host ""
    Write-Host "Checking to see if Sophos is Already Installed"
    Get-SophosInstalled
    if ($installed -eq "True") {
    Write-Host "--Sophos Central Endpoint Agent Installed"
    if ($mcsclient.Status -eq "Running"){
    Write-Host "--Sophos MCS Client is Running"
    Exit 0
    }
    }
    else {
    Write-Host "--Sophos Central is Not Installed"
    Write-Host "Sophos MCS Client is Not Running"
    }
    # Check for the Site Variables
    Write-Host ""
    Write-Host "Checking the Variables"
    if ($CustomerToken -eq $null)
    {Write-Host "--Customer Token Not Set or Missing"
    Stop-Transcript
    Exit 1}
    else
    {Write-Host "--CustomerToken = "$CustomerToken""}
    if ($Products -eq $null)
    {Write-Host "--Sophos Products Not Set or Missing"
    Stop-Transcript
    Exit 1}
    else
    {Write-Host "--Products = "$Products""}
    # Sophos parameters are defined from the site specific variables
    $arguments = "--products=""" + $Products
    $arguments = $arguments + """ --quiet"
    # Check to see if a previous SophosSetup Process is running
    Write-Host ""
    Write-Host "Checking to see if SophosSetup.exe is already running"
    if ((get-process "sophossetup" -ea SilentlyContinue) -eq $Null){
    Write-Host "--SophosSetup Not Running"
    }
    else {
    Write-Host "Sophos Currently Running, Will Kill the Process before Continuing"
    Stop-Process -processname "sophossetup"
    }
    #Force PowerShell to use TLS 1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # Download of the Central Customer Installer
    Write-Host ""
    Write-Host "Downloading Sophos Central Installer"
    Invoke-WebRequest -Uri "central.sophos.com/.../$CustomerToken/SophosSetup.exe" -OutFile SophosSetup.exe
    if ((Test-Path SophosSetup.exe) -eq "True"){
    Write-Host "--Sophos Setup Installer Downloaded Successfully"
    }
    else {
    Write-Host "--Sophos Central Installer Did Not Download - Please check Firewall or Web Filter"
    Stop-Transcript
    Exit 1
    }
    # This Section starts the installer using the arguments defined above
    Write-Host ""
    Write-Host "Installing Sophos Central Endpoint:"
    Write-Host ""
    Write-Host "SophosSetup.exe "$arguments""
    Write-Host ""
    start-process SophosSetup.exe $arguments
    # Wait up to 30 minutes for the MCS Client service to appear
    $timeout = new-timespan -Minutes 30
    $install = [diagnostics.stopwatch]::StartNew()
    while ($install.elapsed -lt $timeout){
    if ((Get-Service "Sophos MCS Client" -ea SilentlyContinue)){
    Write-Host "Sophos MCS Client Found - Breaking the Loop"
    Break
    }
    start-sleep -seconds 60
    }
    Write-Host ""
    Write-Host "Sophos Setup Completed"
    # Verify that Sophos Central Endpoint Agent Installed
    Write-Host ""
    Write-Host "Verifying that Sophos Central Endpoint installed and is Running"
    Get-SophosInstalled
    if ($installed -eq "True") {
    Write-Host "--Sophos Central Endpoint Agent Installed Successfully"
    if ($mcsclient.Status -eq "Running"){
    Write-Host "--Sophos MCS Client is Running"
    if ($mcsagent.Status -eq "Running"){
    Write-Host "--Sophos MCS Agent is Running"
    Write-Host "Log Location - <system>\programdata\Sophos\Cloudinstaller\Logs\"
    Stop-Transcript
    Exit 0
    }
    }
    }
    else {
    Write-Host "--Sophos Central Install Failed"
    Write-Host ""
    Write-Host "Please check the Sophos Central Install Logs for more details"
    Write-Host ""
    Write-Host "Log Location - <system>\programdata\Sophos\Cloudinstaller\Logs\"
    Stop-Transcript
    Exit 1
    }