Methods for automating the deployment of Sophos Central software to Windows computers

  • Article ID: 120611
  • Updated: 14 Apr 2016
  • 3 people found this helpful

This article provides information on deploying the Windows Sophos Central installer to multiple computers.  It provides a couple of examples to cover common deployment methods.

Important: Before installation to computers, removal of the following software packages is required:

  • Sophos Compliance Agent.
  • Sophos Patch.
  • Sophos Client Firewall.
  • Sophos Encryption as managed by Enterprise Console.
  • Sophos Anti-Virus, if the following components have been enabled on the computer:
    • Web control.
    • Data control.
    • Application control.

Important: If a device control policy has been sent to the computers, on uninstall of Sophos Anti-Virus the computer may need to be restarted in order to unload and therefore be able re-install the kernel driver sdcfilter.sys. 

Applies to the following Sophos product(s) and version(s)
Sophos Cloud

What To Do

  1. Download 'SophosInstall.exe' from Sophos Central Admin:
    1. In Sophos Central Admin, click on the 'Protect Devices' link.
    2. Download the Windows installer by clicking 'Download Windows Protection Agent'

      Notes      :
      • The workstation and server Windows installer is the same file.  The installer determines the platform at install to influence the downloaded software.  
      • There is no MSI file available, only the SophosInstall.exe is available.
      • Do not use a user specific 'SophosInstall.exe' as received via the 'Email Deployment' workflow for the below deployment methods.  If you do, all devices will be associated to the Sophos Central user sent the email.

  2. Choose the options below that best meets your needs in order to deploy 'SophosInstall.exe' to your computers:

Note: If bandwidth is a concern for the initial deployment, the following articles may prove helpful as part of either a scripted or manual installation:

Active Directory (AD) start-up/log-on script

Important: 'SophosInstall.exe' is required to run as an administrator on the computer. If using 'logon' scripts, the logging on user will need to be an administrator on the local computer for the installation to succeed.  If your users are not local administrators then AD start-up scripts should be used.

  1. Copy the file 'SophosInstall.exe' to a shared location which is accessible by the computers you wish to install to.

  2. In a text editor such as Notepad, paste the following text:

    @echo off
    SET MCS_ENDPOINT=Sophos\Management Communications System\Endpoint\McsClient.exe
    IF "%PROCESSOR_ARCHITECTURE%" == "x86" GOTO X86_PROG
    IF NOT EXIST "%ProgramFiles(x86)%\%MCS_ENDPOINT%" GOTO INSTALL
    exit /b 0

    :X86_PROG
    IF NOT EXIST "%ProgramFiles%\%MCS_ENDPOINT%" GOTO INSTALL
    exit /b 0

    :INSTALL
    pushd \\servername\share
    SophosInstall.exe -q
    Popd

  3. Amend the line: 
    pushd \\servername\share
    with the location of the installer package on your network.

    Note: For more information on the command line switches available see article 120613.

  4. Save the file as 'SophosCloudEndpointInstall.bat'.

  5. If required, follow the below articles as general guidance on how to deploy scripts via Active Directory, substituting the batch file created in this article:

    The following Microsoft documentation may also provide assistance: 'Assign computer startup scripts'.

SCCM deployment

  1. Copy the file 'SophosInstall.exe' to a shared location which is accessible by the computers you wish to install to.
  2. Launch SCCM and navigate to 'Software Library', select 'Application Management' and choose 'Packages'.
  3. Right-click on 'Packages' and select 'Create Package'.
  4. On the 'Package' page of the 'Create Package and Program Wizard', specify the following information as required:
    • Name: 'Sophos Central Managed Endpoint'.
    • Description.
    • Manufacturer.
  5. Check 'This package contains source files'. Click 'Browse' to open the 'Set Source Folder' dialog box where you can specify the location of the installer file 'SophosInstall.exe' which was setup in Step 3.
  6. Click next for 'Standard program' type and enter the following information:
    • Name: SophosInstall.exe
    • Command Line : SophosInstall.exe

      Note: An example command line might be:
      SophosInstall.exe -q -tps remove
      For more details on the available command line options see article 120613.

    • Program can run: Only when a user is logged on.
    • Run mode: Run with administrative rights.
    • Drive mode: Runs with UNC name.
    • Run and Start-up fields are optional.
  7. On the 'Requirements' section, create a requirement rule that the package runs only on the the supported Windows platforms.
  8. "Run another program first", Estimated disk space and Maximum allowed run time (minutes) are optional.
  9. Complete the wizard to finish creating the package.
  10. The package is now ready to be deployed to your computers.

Related information

Article appears in the following topics

Did this article provide the information you were looking for?

Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.