Sophos Central: Methods for automating the deployment of software to Windows computers

  • Article ID: 120611
  • Updated: 14 Aug 2017
  • 14 people found this helpful

Overview

This article provides information on deploying the Sophos Central installer to multiple Window computers. It provides a couple of examples to cover common deployment methods.

Before installation, removal of the following software packages is required:

  • Sophos Patch
  • Sophos Client Firewall
  • Sophos Anti-Virus, if the following components have been enabled on the computer:
    • Web control
    • Data control
    • Application control

If a device control policy has been sent to a computer, uninstall of Sophos Anti-Virus requires a restart of the computer in order to unload and re-install the kernel driver sdcfilter.sys.

The following sections are covered:

Applies to the following Sophos product(s) and version(s)
Sophos Cloud

What To Do

  1. Download SophosInstall.exe. From Sophos Central Admin, Download Complete Windows Installer from Protect Devices.
    Note: Do not use a user specific SophosInstall.exe as received via the Email Deployment workflow for the deployment methods. If you do, all devices will be associated to the Sophos Central user that sent the email.
  2. Choose the options below that meets your needs in order to deploy SophosInstall.exe to your computers:

Active Directory (AD) start-up script

SophosInstall.exe is required to run as administrator on the computer. If using logon scripts, the log on user will need to be an administrator on the local computer for the installation to succeed. If your users are not local administrators, then AD start-up scripts should be used.

Create SophosCloudEndpointInstall.bat

  1. Copy the file SophosInstall.exe to a shared location which is accessible by the computers you wish to install to.
  2. In a text editor such as Notepad, paste the following text:
    @echo off
    SET MCS_ENDPOINT=Sophos\Management Communications System\Endpoint\McsClient.exe
    IF "%PROCESSOR_ARCHITECTURE%" == "x86" GOTO X86_PROG
    IF NOT EXIST "%ProgramFiles(x86)%\%MCS_ENDPOINT%" GOTO INSTALL
    exit /b 0

    :X86_PROG
    IF NOT EXIST "%ProgramFiles%\%MCS_ENDPOINT%" GOTO INSTALL
    exit /b 0

    :INSTALL
    pushd \\servername\share
    SophosInstall.exe -q
    Popd
  3. Amend the line pushd \\servername\share with the location of the installer package on your network. SophosInstall.exe command line switches describes more information regarding command line switches.
  4. Save the file as SophosCloudEndpointInstall.bat.

Deploy SophosCloudEndpointInstall.bat

To deploy the script via Active Directory you can either create a new group policy or you can edit an existing one to incorporate the commands given here:

  1. Open the Group Policy Management Console
    • On Microsoft Server 2008 do either of the following:
      • Press the Windows logo key + R to open the RUN dialog box. Type gpmc.msc in the text box, and then click OK or press ENTER.
      • Click Start, click All Programs, click Accessories, and then click Run. Type gpmc.msc in the text box, and then click OK or press ENTER.
    • On Microsoft Server 2012 do the following:
      • On the Start screen, click the Apps arrow. On the Apps screen, type gpmc.msc, and then click OK or press ENTER.
  2. In the GPMC console tree, right-click Group Policy Objects in the forest and domain in which you want to create a GPO and select New.
  3. In the New GPO dialog box, specify a name for the new GPO, and then click OK.
    Example: GPO to deploy Sophos endpoint software via script.
  4. Select the new GPO and click Edit. The Group Policy Object Editor window will open.
  5. In the Group Policy Object Editor in the left pane, browse to Computer Configuration > Windows Settings > Scripts.
  6. On the right-hand side, double-click Startup.
  7. In the Startup Properties dialog box, click Show Files.
  8. Either copy the SophosCloudEndpointInstall.bat into the Startup folder or create a new batch file in the startup folder and copy and paste the script text you have created in step 2 into the newly created file and save it. Then go back to the Startup Properties box to click Add.
  9. In the Add a Script dialog box, click Browse.
  10. Select the script you have created (location you put the script to in Step i.) and click open.
  11. Click OK > Apply > OK.

If required, use Creating and using a login script as general guidance on how to deploy a Logon script via Active Directory, substituting the batch file.

SCCM deployment

  1. Copy the file SophosInstall.exe to a shared location which is accessible by the computers you wish to install to.
  2. Launch SCCM and navigate to Software Library, select Application Management and choose Packages.
  3. Right-click on Packages and select Create Package.
  4. On the Package page of the Create Package and Program Wizard, specify the following information as required:
    • Name: Sophos Central Managed Endpoint
    • Description
    • Manufacturer
  5. Check This package contains source files. Click Browse to open the Set Source Folder dialog box where you can specify the location of the installer file SophosInstall.exe which was setup in Step 3.
  6. Click next for Standard program type and enter the following information:
    • Name: SophosInstall.exe
    • Command Line: SophosInstall.exe
      Note: An example command line might be: SophosInstall.exe -q -tps remove
      For more details on the available command line options see SophosInstall.exe command line switches.
    • Program can run: Only when a user is logged on
    • Run mode: Run with administrative rights
    • Drive mode: Runs with UNC name
    • Run and Start-up fields are optional
  7. On the Requirements section, create a requirement rule that the package runs only on supported Windows platforms.
  8. Run another program first, Estimated disk space and Maximum allowed run time (minutes) are optional.
  9. Complete the wizard to finish creating the package.
  10. The package is now ready to be deployed to your computers.

Related information

Feedback and contact

If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Article appears in the following topics

Did this article provide the information you were looking for?

Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.

Sophos Footer