PowerShell script to migrate Sophos endpoint protection from current Sophos Central to new Sophos Central

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article describes how to create a PowerShell script to migrate your Sophos endpoint protection from the current Sophos Central to the new Sophos Central.  This is a self-destructing script. After the execution, it will be deleted from the computer. The script disables the tamper protection of the Sophos endpoint protection automatically. The script will detect the operating system automatically and deploy it as per the detected platform.

 

Applies to the following Sophos products and versions.

Sophos Central Endpoint Windows
Sophos Central Endpoint Windows Server

Code

<#
disableTP_migrate_clients.ps1
(c) 2019 Programmer

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.  [the rest removed for clarity]

.SYNOPSIS
This script is used to migrate endpoints from central to central.
It avoids the download of full intsaller in the endpoint.

.DESCRIPTION
The script first authenticates to the old Central using the API creds.
Then collects the endpoints list and store it in file "endpointlist.json"
Then the hostname of the endpoint is parsed to match from the endpointlist.json.
If matched, it collects the tamper password and disables the TP in the endpoint.
Then it authenticates to the new central using the APi from new central instance.
Check the OS platform and downloads the installer according to the platform.
A command line parameter is passed with the setup to register the client to the new central.

.NOTES
Please note that this script is a self destructive script.
Make sure to place the script in the root of the drive C:\ and the name of the script is not changed.

.AUTHOR
Ismail Jaweed Ahmed

MAKE SURE TO ADD THE CORRECT CLIENT ID AND CLIENT SECRET WHEREVER REQUIRED

#>


#Authentication for current central 
$curclient_id = " "
$curclient_secret = " "
try
{
$curtoken_resp = Invoke-RestMethod -Method post -ContentType "application/x-www-form-urlencoded" -Body "grant_type=client_credentials&client_id=$curclient_id&client_secret=$curclient_secret&scope=token" -Uri https://id.sophos.com/api/v2/oauth2/token
'****** Authenticating OLD Central API Gateway ******'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
$curwhoami_resp = Invoke-RestMethod -Method Get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"} https://api.central.sophos.com/whoami/v1
'[+] -- Entering Gateway --'
$curdataRegionApiUri = $curwhoami_resp.apiHosts.dataRegion
'[+] -- Collecting data Region -- '
'[+] -- Authentication Successful --'
}
catch
{
'***************Authentication failed, Please Check Credentials***************'
}
#collecting endpoint list
'****** Collecting Endpoints List from OLD Central ******'
$global:PageKey = $null
$cururi = $curdataRegionApiUri+"/endpoint/v1/endpoints?pageSize=500&pageTotal=true&pageFromKey="+$global:PageKey
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"; "X-Tenant-ID"=$curwhoami_resp.id} -ContentType "application/json" -Uri $cururi | ConvertTo-Json -compress -depth 7 > $env:TEMP\endpointlist.json
$endpointdata = Get-Content $env:TEMP\endpointlist.json | ConvertFrom-Json
$osplatform = $endpointdata.items.os.platform
$hostnames = $endpointdata.items.hostname
write-host " [+] -- Storing Endpoint IDs -- "
$endpointID = $endpointdata.items.id
$c = 0
foreach($OSP in $osplatform)
{ 
if($OSP -eq 'windows') 
{ 
if($hostnames[$c] -eq $env:COMPUTERNAME)
{
write-host "[+] -- Computer Found in List --"
$eidinvk = $endpointID[$c]
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
$response =  Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($curtoken_resp.access_token)"; "X-Tenant-ID"=$curwhoami_resp.id} -ContentType "application/json" ($curdataRegionApiUri+"/endpoint/v1/endpoints/"+$eidinvk+"/tamper-protection") | ConvertTo-Json -compress >  $env:TEMP\endstore.json
'[+] -- Acquiring Tamper Protection Password --'
$endstore = (Get-Content  $env:TEMP\endstore.json | ConvertFrom-Json)
$password = $endstore.password
write-output "$password"
cd 'C:\Program Files\Sophos\Endpoint Defense'
write-host "[+] -- Disabling Tamper Protection --"
.\SEDcli.exe -OverrideTPoff $password
write-host "[+] -- Tamper Protection disabled Successfully --"
break
}
}
else{}
$c +=1 
}    
##############################################################################################################################################################################
try
{
'****** Authenticating to new Central ******'
#Authenticating new central 
$newclient_id = " "
$newclient_secret = " "
'****** Authenticating new Central API Gateway ******'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
$newtoken_resp = Invoke-RestMethod -Method post -ContentType "application/x-www-form-urlencoded" -Body "grant_type=client_credentials&client_id=$newclient_id&client_secret=$newclient_secret&scope=token" -Uri https://id.sophos.com/api/v2/oauth2/token
$newwhoami_resp = Invoke-RestMethod -Method Get -Headers @{Authorization="Bearer $($newtoken_resp.access_token)"} https://api.central.sophos.com/whoami/v1
'[+] -- Entering New Central Gateway --'
$newdataRegionApiUri = $newwhoami_resp.apiHosts.dataRegion
'[+] -- Collecting new central data Region -- '
'[+] -- Authentication Successful to the new central --'
}
catch
{
'***************Authentication failed to new central, Please Check Credentials***************'
}
'****** Preapring Platform to download required files ******'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
$reqprod= "coreAgent, interceptX, endpointProtection, mtr"
$platform="windows"
$newuri = ($newdataRegionApiUri+"/endpoint/v1/downloads?requestedProducts="+$reqprod+"&platforms="+$platform+"")
$invokereq = Invoke-RestMethod -Method get -Headers @{Authorization="Bearer $($newtoken_resp.access_token)"; "X-Tenant-ID"=$newwhoami_resp.id} -ContentType "application/json" -Uri $newuri
$durlreq = $invokereq.installers | Select-Object -Property ProductName,type,downloadUrl | Where-Object -Property type -EQ -Value "computer"
$downloadUrl= $durlreq.downloadUrl
#checking Operating System Platform
'[+] -- Check Operating System -- '
$getOS = Get-WmiObject win32_operatingsystem 
if ($getOS.caption -like "*server*")
{
Write-Output " *** Selecting Server Operating System *** "


'[+] Downloading Server Installer'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
#Download Installer and save to temp
New-Item -Path C:\SophosServerInstaller -ItemType directory -ErrorAction SilentlyContinue
Invoke-RestMethod -Uri $downloadUrl -OutFile C:\SophosServerInstaller\SophosSetup.exe
#uncomment if you want to take a look at the installer.
#explorer.exe C:\SophosDesktopInstaller
'[+] Initializing Registration to New Central'
#Initiating registration to central 
Start-Process -WorkingDirectory C:\SophosServerInstaller\ -FilePath SophosSetup.exe  -ArgumentList '--registeronly --quiet'
'**************REGISTRATTION COMPLETE**************'
}
else
{
Write-Output " *** Selecting Desktop Operating System *** "
'[+] Downloading Desktop Installer'
#Download Installer and save to temp
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
New-Item -Path C:\SophosDesktopInstaller -ItemType directory -ErrorAction SilentlyContinue
Invoke-RestMethod -Uri $downloadUrl -OutFile C:\SophosDesktopInstaller\SophosSetup.exe
#uncomment if you want to take a look at the installer.
#explorer.exe C:\SophosDesktopInstaller
'[+] Initializing Registration to New Central'
#Initiating registration to central
Start-Process -WorkingDirectory C:\SophosDesktopInstaller\ -FilePath SophosSetup.exe  -ArgumentList '--registeronly --quiet'
'**************REGISTRATTION COMPLETE**************'
}
Write-Output " *** Cleaning up files *** "
Remove-Item -LiteralPath "$env:TEMP\endpointlist.json" -Force -Recurse
Remove-Item -LiteralPath "$env:TEMP\endstore.json" -Force -Recurse
Remove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force -ErrorAction SilentlyContinue
'[+] -- Cleanup Complete -- '

Instruction to prepare the script.

  1. Login to your current Sophos Central
  2. Follow the document below to create an API Credential with the “Service Principal Super Admin” role.
    URL: API Credential Management
  3. Make a note of the Client ID and Secret.
  4. Create a new text document anywhere.
  5. Copy the code above and paste it.
  6. In the code, under “Authentication for current central”, enter the client id and secret of your current Sophos Central in between the quotation marks.
  7. No login to your new Sophos Central
  8. Follow the instructions in steps 2 and 3.
  9. In the code, under “Authenticating new central”, enter the client id and secret of your new Sophos Central in between the quotation marks.
  10. Save the file with an extension “.ps1”.

Instructions to run the script.

  1. Log in to a windows endpoint/server that has Sophos central installed in it.
  2. Open command prompt as Administrator.
  3. Type command powershell and press enter.
  4. Navigate to a location where the script is saved.
  5. Run the script with it is name as seen in the screenshot below
  6. Wait for 2 to 5 minutes and then verify if the migrated machine is reporting in your new Sophos Central.

 

Automating the script

You can automate the migration by deploying this script in all windows machines using any deployment tools.
Note: Sophos do not provide any kind of support with deployment tools

Limitations:

  1. As this is a self-destructing script, it cannot be retrieved from the deployed machines by any means unless you have a copy of the script.
  2. The script does not display the result of the migration.


Updated disclaimer
[edited by: Qoosh at 8:05 PM (GMT -7) on 31 Mar 2023]