Sophos Protection for Windows: Automate deployment using Ansible

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article provides a high-level overview of deploying Sophos Endpoint Agent to a Windows environment using Ansible. It also includes an example YML playbook to install Sophos. The steps below are provided with the assumption that the following infrastructure is present in the environment.

  • Ansible master server

 

Deployment preparation:

To start deployment, we’ll need to enter the target IPs by editing the host file:

 

 

vi    / etc / ansible  / hosts

# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#" character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups

# Ex 1: Ungrouped hosts, specify before any group headers.

[windows]
192.168.21.x

[windows:wars]
ansible_user=ansible
ansible_password=<password>
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore

[Linux]
192.168.31.130

-- INSERT --

 

Note: [windows] and [linux] are the host groups, under that, we can put our target IPs. We’ll also need to make our inventory functional for which we need to change the config file:

vi /etc/ansible/ansible.cfg

Uncomment the below lines:

inventory=/etc/ansible/hosts sudo-user=root

 

Host Requirements

For Ansible to communicate to a Windows host and use Windows modules, the following requirements must meet on the Windows host:

  1. Ansible requires PowerShell 3.0 or later and at least .NET 4.0 to be installed on the Windows host. Ansible can generally manage Windows versions under current and extended support from Microsoft. Ansible can manage desktop OSs including Windows

8.1, and 10, and server OSs including Windows Server 2012, 2012 R2, 2016, 2019, and 2022.

  1. A WinRM listener must be created and activated. Ansible connects to Windows machines and runs PowerShell scripts by using Windows Remote Management (WinRM) (as an alternative to SSH for Linux/UNIX machines), a WinRM listener must be created and activated.

Setting Up WinRM: 

There’s a Configure Remoting for Ansible script you can run on the remote Windows device (in a PowerShell console as an Admin) to turn on WinRM. To set up an HTTPS listener, build a self-signed cert and run PowerShell commands, just run the script like in the example below.

Script to download:  Configure Remoting for Ansible  

Move the script to the current directory, and run it via Powershell

Powershell.exe -ExecutionPolicy ByPass -File '.\Configure Remoting for Ansible.ps1'

WinRM Listener:

The WinRM services listen for requests on one or more ports. Each of these ports must have a listener created and configured.

To view the current listeners that are running on the WinRM service, run the following command on the windows host device: winrm enumerate winrm/config/Listener

 

Output:

 

 

Now to test the connection we must ping the windows host from our ansible node.

To achieve that run the below command: ansible

windows -m win_ping

Output:

 

Now we are all set, windows machine is now communicating to ansible node. 

Next is to write a playbook for installing Sophos, written in YAML code.

 

Deploying Sophos Agent:

To begin deploying the Sophos Agent, we’ll be creating an Ansible playbook that has an extension. yml.

vi windows.yml (you can give any file name)

You can write your own playbook now.

Playbook for Sophos installation:

--- #sophos Install
- hosts: windows
  user: ansible
  become: false
  connection: winrm
  tasks:
        - name: Download  Sophos
          win_get_url:
             url: "Sophos endpoint Download link"
             dest: C:\Windows\Temp\SophosSetup.exe

       - name: Install Sophos
         win_package:
             path: C:\Windows\Temp\SophosSetup.exe
             product_id: 'Sophos'
             arguments: --quiet
             state: present

 

To run the playbook, need to run the below command:

Ansible-playbook windows.yml

Output:

 

Sophos Endpoint Agent Deployment is now complete.

 



Updated the article content
[edited by: Gladys at 7:31 AM (GMT -7) on 12 Sep 2022]