Reflexion will be End-of-life on March 31,2023. See Sophos Reflexion EoL FAQs to learn more.
"Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment."
This article describes how to create a PowerShell script to migrate your Sophos endpoint protection from the current Sophos Central to the new Sophos Central. This is a self-destructing script. After the execution, it will be deleted from the computer. The script disables the tamper protection of the Sophos endpoint protection automatically. The script will detect the operating system automatically and deploy it as per the detected platform.
Applies to the following Sophos products and versions.
Sophos Central Endpoint WindowsSophos Central Endpoint Windows Server
<# disableTP_migrate_clients.ps1 (c) 2019 Programmer This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. [the rest removed for clarity] .SYNOPSIS This script is used to migrate endpoints from central to central. It avoids the download of full intsaller in the endpoint. .DESCRIPTION The script first authenticates to the old Central using the API creds. Then collects the endpoints list and store it in file "endpointlist.json" Then the hostname of the endpoint is parsed to match from the endpointlist.json. If matched, it collects the tamper password and disables the TP in the endpoint. Then it authenticates to the new central using the APi from new central instance. Check the OS platform and downloads the installer according to the platform. A command line parameter is passed with the setup to register the client to the new central. .NOTES Please note that this script is a self destructive script. Make sure to place the script in the root of the drive C:\ and the name of the script is not changed. .AUTHOR Ismail Jaweed Ahmed MAKE SURE TO ADD THE CORRECT CLIENT ID AND CLIENT SECRET WHEREVER REQUIRED #> #Authentication for current central $curclient_id = " " $curclient_secret = " " try { $curtoken_resp = Invoke-RestMethod -Method post -ContentType "application/x-www-form-urlencoded" -Body "grant_type=client_credentials&client_id=$curclient_id&client_secret=$curclient_secret&scope=token" -Uri https://id.sophos.com/api/v2/oauth2/token '****** Authenticating OLD Central API Gateway ******' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 $curwhoami_resp = Invoke-RestMethod -Method Get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"} https://api.central.sophos.com/whoami/v1 '[+] -- Entering Gateway --' $curdataRegionApiUri = $curwhoami_resp.apiHosts.dataRegion '[+] -- Collecting data Region -- ' '[+] -- Authentication Successful --' } catch { '***************Authentication failed, Please Check Credentials***************' } #collecting endpoint list '****** Collecting Endpoints List from OLD Central ******' $global:PageKey = $null $cururi = $curdataRegionApiUri+"/endpoint/v1/endpoints?pageSize=500&pageTotal=true&pageFromKey="+$global:PageKey [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"; "X-Tenant-ID"=$curwhoami_resp.id} -ContentType "application/json" -Uri $cururi | ConvertTo-Json -compress -depth 7 > $env:TEMP\endpointlist.json $endpointdata = Get-Content $env:TEMP\endpointlist.json | ConvertFrom-Json $osplatform = $endpointdata.items.os.platform $hostnames = $endpointdata.items.hostname write-host " [+] -- Storing Endpoint IDs -- " $endpointID = $endpointdata.items.id $c = 0 foreach($OSP in $osplatform) { if($OSP -eq 'windows') { if($hostnames[$c] -eq $env:COMPUTERNAME) { write-host "[+] -- Computer Found in List --" $eidinvk = $endpointID[$c] [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 $response = Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"; "X-Tenant-ID"=$curwhoami_resp.id} -ContentType "application/json" ($curdataRegionApiUri+"/endpoint/v1/endpoints/"+$eidinvk+"/tamper-protection") | ConvertTo-Json -compress > $env:TEMP\endstore.json '[+] -- Acquiring Tamper Protection Password --' $endstore = (Get-Content $env:TEMP\endstore.json | ConvertFrom-Json) $password = $endstore.password write-output "$password" cd 'C:\Program Files\Sophos\Endpoint Defense' write-host "[+] -- Disabling Tamper Protection --" .\SEDcli.exe -OverrideTPoff $password write-host "[+] -- Tamper Protection disabled Successfully --" break } } else{} $c +=1 } ############################################################################################################################################################################## try { '****** Authenticating to new Central ******' #Authenticating new central $newclient_id = " " $newclient_secret = " " '****** Authenticating new Central API Gateway ******' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 $newtoken_resp = Invoke-RestMethod -Method post -ContentType "application/x-www-form-urlencoded" -Body "grant_type=client_credentials&client_id=$newclient_id&client_secret=$newclient_secret&scope=token" -Uri https://id.sophos.com/api/v2/oauth2/token $newwhoami_resp = Invoke-RestMethod -Method Get -Headers @{Authorization="Bearer $($newtoken_resp.access_token)"} https://api.central.sophos.com/whoami/v1 '[+] -- Entering New Central Gateway --' $newdataRegionApiUri = $newwhoami_resp.apiHosts.dataRegion '[+] -- Collecting new central data Region -- ' '[+] -- Authentication Successful to the new central --' } catch { '***************Authentication failed to new central, Please Check Credentials***************' } '****** Preapring Platform to download required files ******' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 $reqprod= "coreAgent, interceptX, endpointProtection, mtr" $platform="windows" $newuri = ($newdataRegionApiUri+"/endpoint/v1/downloads?requestedProducts="+$reqprod+"&platforms="+$platform+"") $invokereq = Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($newtoken_resp.access_token)"; "X-Tenant-ID"=$newwhoami_resp.id} -ContentType "application/json" -Uri $newuri $durlreq = $invokereq.installers | Select-Object -Property ProductName,type,downloadUrl | Where-Object -Property type -EQ -Value "computer" $downloadUrl= $durlreq.downloadUrl #checking Operating System Platform '[+] -- Check Operating System -- ' $getOS = Get-WmiObject win32_operatingsystem if ($getOS.caption -like "*server*") { Write-Output " *** Selecting Server Operating System *** " '[+] Downloading Server Installer' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 #Download Installer and save to temp New-Item -Path C:\SophosServerInstaller -ItemType directory -ErrorAction SilentlyContinue Invoke-RestMethod -Uri $downloadUrl -OutFile C:\SophosServerInstaller\SophosSetup.exe #uncomment if you want to take a look at the installer. #explorer.exe C:\SophosDesktopInstaller '[+] Initializing Registration to New Central' #Initiating registration to central Start-Process -WorkingDirectory C:\SophosServerInstaller\ -FilePath SophosSetup.exe -ArgumentList '--registeronly --quiet' '**************REGISTRATTION COMPLETE**************' } else { Write-Output " *** Selecting Desktop Operating System *** " '[+] Downloading Desktop Installer' #Download Installer and save to temp [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 New-Item -Path C:\SophosDesktopInstaller -ItemType directory -ErrorAction SilentlyContinue Invoke-RestMethod -Uri $downloadUrl -OutFile C:\SophosDesktopInstaller\SophosSetup.exe #uncomment if you want to take a look at the installer. #explorer.exe C:\SophosDesktopInstaller '[+] Initializing Registration to New Central' #Initiating registration to central Start-Process -WorkingDirectory C:\SophosDesktopInstaller\ -FilePath SophosSetup.exe -ArgumentList '--registeronly --quiet' '**************REGISTRATTION COMPLETE**************' } Write-Output " *** Cleaning up files *** " Remove-Item -LiteralPath "$env:TEMP\endpointlist.json" -Force -Recurse Remove-Item -LiteralPath "$env:TEMP\endstore.json" -Force -Recurse Remove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force -ErrorAction SilentlyContinue '[+] -- Cleanup Complete -- '
You can automate the migration by deploying this script in all windows machines using any deployment tools. Note: Sophos do not provide any kind of support with deployment tools
Why would you do it this way instead of using the new migration API's? Also, it doesn't seem wise/secure to be storing the client id and client secrets in a script that's being executed on the endpoint (even with the script being deleted after execution).