Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview
This article describes how to create a PowerShell script to migrate your Sophos endpoint protection from the current Sophos Central to the new Sophos Central. This is a self-destructing script. After the execution, it will be deleted from the computer. The script disables the tamper protection of the Sophos endpoint protection automatically. The script will detect the operating system automatically and deploy it as per the detected platform.
Applies to the following Sophos products and versions.
Sophos Central Endpoint Windows
Sophos Central Endpoint Windows Server
Code
<# disableTP_migrate_clients.ps1 (c) 2019 Programmer This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. [the rest removed for clarity] .SYNOPSIS This script is used to migrate endpoints from central to central. It avoids the download of full intsaller in the endpoint. .DESCRIPTION The script first authenticates to the old Central using the API creds. Then collects the endpoints list and store it in file "endpointlist.json" Then the hostname of the endpoint is parsed to match from the endpointlist.json. If matched, it collects the tamper password and disables the TP in the endpoint. Then it authenticates to the new central using the APi from new central instance. Check the OS platform and downloads the installer according to the platform. A command line parameter is passed with the setup to register the client to the new central. .NOTES Please note that this script is a self destructive script. Make sure to place the script in the root of the drive C:\ and the name of the script is not changed. .AUTHOR Ismail Jaweed Ahmed MAKE SURE TO ADD THE CORRECT CLIENT ID AND CLIENT SECRET WHEREVER REQUIRED #> #Authentication for current central $curclient_id = " " $curclient_secret = " " try { $curtoken_resp = Invoke-RestMethod -Method post -ContentType "application/x-www-form-urlencoded" -Body "grant_type=client_credentials&client_id=$curclient_id&client_secret=$curclient_secret&scope=token" -Uri https://id.sophos.com/api/v2/oauth2/token '****** Authenticating OLD Central API Gateway ******' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 $curwhoami_resp = Invoke-RestMethod -Method Get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"} https://api.central.sophos.com/whoami/v1 '[+] -- Entering Gateway --' $curdataRegionApiUri = $curwhoami_resp.apiHosts.dataRegion '[+] -- Collecting data Region -- ' '[+] -- Authentication Successful --' } catch { '***************Authentication failed, Please Check Credentials***************' } #collecting endpoint list '****** Collecting Endpoints List from OLD Central ******' $global:PageKey = $null $cururi = $curdataRegionApiUri+"/endpoint/v1/endpoints?pageSize=500&pageTotal=true&pageFromKey="+$global:PageKey [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"; "X-Tenant-ID"=$curwhoami_resp.id} -ContentType "application/json" -Uri $cururi | ConvertTo-Json -compress -depth 7 > $env:TEMP\endpointlist.json $endpointdata = Get-Content $env:TEMP\endpointlist.json | ConvertFrom-Json $osplatform = $endpointdata.items.os.platform $hostnames = $endpointdata.items.hostname write-host " [+] -- Storing Endpoint IDs -- " $endpointID = $endpointdata.items.id $c = 0 foreach($OSP in $osplatform) { if($OSP -eq 'windows') { if($hostnames[$c] -eq $env:COMPUTERNAME) { write-host "[+] -- Computer Found in List --" $eidinvk = $endpointID[$c] [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 $response = Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"; "X-Tenant-ID"=$curwhoami_resp.id} -ContentType "application/json" ($curdataRegionApiUri+"/endpoint/v1/endpoints/"+$eidinvk+"/tamper-protection") | ConvertTo-Json -compress > $env:TEMP\endstore.json '[+] -- Acquiring Tamper Protection Password --' $endstore = (Get-Content $env:TEMP\endstore.json | ConvertFrom-Json) $password = $endstore.password write-output "$password" cd 'C:\Program Files\Sophos\Endpoint Defense' write-host "[+] -- Disabling Tamper Protection --" .\SEDcli.exe -OverrideTPoff $password write-host "[+] -- Tamper Protection disabled Successfully --" break } } else{} $c +=1 } ############################################################################################################################################################################## try { '****** Authenticating to new Central ******' #Authenticating new central $newclient_id = " " $newclient_secret = " " '****** Authenticating new Central API Gateway ******' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 $newtoken_resp = Invoke-RestMethod -Method post -ContentType "application/x-www-form-urlencoded" -Body "grant_type=client_credentials&client_id=$newclient_id&client_secret=$newclient_secret&scope=token" -Uri https://id.sophos.com/api/v2/oauth2/token $newwhoami_resp = Invoke-RestMethod -Method Get -Headers @{Authorization="Bearer $($newtoken_resp.access_token)"} https://api.central.sophos.com/whoami/v1 '[+] -- Entering New Central Gateway --' $newdataRegionApiUri = $newwhoami_resp.apiHosts.dataRegion '[+] -- Collecting new central data Region -- ' '[+] -- Authentication Successful to the new central --' } catch { '***************Authentication failed to new central, Please Check Credentials***************' } '****** Preapring Platform to download required files ******' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 $reqprod= "coreAgent, interceptX, endpointProtection, mtr" $platform="windows" $newuri = ($newdataRegionApiUri+"/endpoint/v1/downloads?requestedProducts="+$reqprod+"&platforms="+$platform+"") $invokereq = Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($newtoken_resp.access_token)"; "X-Tenant-ID"=$newwhoami_resp.id} -ContentType "application/json" -Uri $newuri $durlreq = $invokereq.installers | Select-Object -Property ProductName,type,downloadUrl | Where-Object -Property type -EQ -Value "computer" $downloadUrl= $durlreq.downloadUrl #checking Operating System Platform '[+] -- Check Operating System -- ' $getOS = Get-WmiObject win32_operatingsystem if ($getOS.caption -like "*server*") { Write-Output " *** Selecting Server Operating System *** " '[+] Downloading Server Installer' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 #Download Installer and save to temp New-Item -Path C:\SophosServerInstaller -ItemType directory -ErrorAction SilentlyContinue Invoke-RestMethod -Uri $downloadUrl -OutFile C:\SophosServerInstaller\SophosSetup.exe #uncomment if you want to take a look at the installer. #explorer.exe C:\SophosDesktopInstaller '[+] Initializing Registration to New Central' #Initiating registration to central Start-Process -WorkingDirectory C:\SophosServerInstaller\ -FilePath SophosSetup.exe -ArgumentList '--registeronly --quiet' '**************REGISTRATTION COMPLETE**************' } else { Write-Output " *** Selecting Desktop Operating System *** " '[+] Downloading Desktop Installer' #Download Installer and save to temp [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 New-Item -Path C:\SophosDesktopInstaller -ItemType directory -ErrorAction SilentlyContinue Invoke-RestMethod -Uri $downloadUrl -OutFile C:\SophosDesktopInstaller\SophosSetup.exe #uncomment if you want to take a look at the installer. #explorer.exe C:\SophosDesktopInstaller '[+] Initializing Registration to New Central' #Initiating registration to central Start-Process -WorkingDirectory C:\SophosDesktopInstaller\ -FilePath SophosSetup.exe -ArgumentList '--registeronly --quiet' '**************REGISTRATTION COMPLETE**************' } Write-Output " *** Cleaning up files *** " Remove-Item -LiteralPath "$env:TEMP\endpointlist.json" -Force -Recurse Remove-Item -LiteralPath "$env:TEMP\endstore.json" -Force -Recurse Remove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force -ErrorAction SilentlyContinue '[+] -- Cleanup Complete -- '
Instruction to prepare the script.
- Login to your current Sophos Central
- Follow the document below to create an API Credential with the “Service Principal Super Admin” role.
URL: API Credential Management - Make a note of the Client ID and Secret.
- Create a new text document anywhere.
- Copy the code above and paste it.
- In the code, under “Authentication for current central”, enter the client id and secret of your current Sophos Central in between the quotation marks.
- No login to your new Sophos Central
- Follow the instructions in steps 2 and 3.
- In the code, under “Authenticating new central”, enter the client id and secret of your new Sophos Central in between the quotation marks.
- Save the file with an extension “.ps1”.
Instructions to run the script.
- Log in to a windows endpoint/server that has Sophos central installed in it.
- Open command prompt as Administrator.
- Type command powershell and press enter.
- Navigate to a location where the script is saved.
- Run the script with it is name as seen in the screenshot below
- Wait for 2 to 5 minutes and then verify if the migrated machine is reporting in your new Sophos Central.
Automating the script
You can automate the migration by deploying this script in all windows machines using any deployment tools.
Note: Sophos do not provide any kind of support with deployment tools
Limitations:
- As this is a self-destructing script, it cannot be retrieved from the deployed machines by any means unless you have a copy of the script.
- The script does not display the result of the migration.
Updated disclaimer
[edited by: Qoosh at 8:05 PM (GMT -7) on 31 Mar 2023]