Upgrading to 5.5.2

Hello all,

not really a question but there is no other option in the Enterprise Console forum.

A few weeks ago I migrated the 5.5.1 installations on the 2008 R2s to 2016 servers. So why not upgrade while I still remember how to do a fresh install - just in case [;)]?

If you haven't already done so please read the Release Notes. If your database is still on a SQL 2008 instance (because you came all the way from 5.3.x, you used an existing SQL 2008 installation or instance) - bad luck.
Otherwise the process is pretty simple. Pre-reqs are installed if necessary, after the reboot the installer resumes as usual. The new versions of the components are installed, you reboot. Takes more than a couple of minutes so the CIDs aren't updated but remain available.

As expected the look and feel of the UI hasn't noticeably changed - except for yet another plug for Central: There's an additional How to manage Sophos in the cloud button that takes you to the Migrating To Sophos Central page (and the text Stop discovering computers is now displayed beside the button).

Reports are faster and look a little bit different as the Microsoft Report Viewer is used. There are fewer export formats - Excel, Word, and PDF, for tables also CSV.

The Endpoints view has the new Hide/Unhide actions and the associated Hidden computers view. As I've assumed a status message not only unhides a hidden computer but also undeletes a deleted one (as it used to do).

The new multi-factor authentication requires Sophos Mobile - another incentive to go into the cloud?

So much for today. While upgrading the first server took less than 20 minutes the second one,  installed around the same time, same set of software, more or less identical, played tricks. It's running now - of course.

Christian

Parents
  • I wasn't able to locate anything claiming that MFA requires Sophos Mobile.  The FAQ and enrollment process recommends Sophos Intercept X for Mobile but I don't think it's required.  That being said I tried to enroll with Google Authenticator and it failed about 10 times.  Attempting to enroll with Sophos Intercept X for Mobile failed about 15 times before it successfully enrolled/enabled once.

  • Hi  

    Sophos Intercept X for mobile is part of Managed Sophos Mobile for Enterprise but as you said it is not mandatory. Apart from that this particular feature needs an application that supports the SHA256 algorithm. You can refer to the document mentioned by Shweta above.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hello all,

    MFA
    I stand corrected. Must admit that my phone's just smart enough that I could take (eleven years ago) the avatar picture and that autocompletion sometimes produces cryptic words

    As promised more details:

    As usual the installer is all-in-one, runs and resumes until it has installed all pre-reqs and components (or encounters a terminal failure). Perhaps a little bit annoying is that you have to accept the T&Cs again when it resumes. More than a little bit that it checks the SQL version only after installing the pre-reqs. At least this does not break your existing installation.

    You'll notice some changed icons in the console and, as said, minor additions to the menus. What has not changed (if you haven't already given up wishing for it) is that the focus is (in-)frequently stolen when the Dashboard is expanded - most aggravating when you select computers or the find/Ctrl+F windows is open.

    While on the surface not much has changed it looks like development for SEC has regained momentum and 5.5.2 is just an "intermediate" release. Apart from the adaption to current OS and features versions and improved security I wonder what the hide/unhide feature is for. Note that it's not mentioned in the current console help (it's new for 5.5.2). Hidden computers are disregarded for calculating the Dashboard information (they are considered for reports though) and whether a computer is deleted or hidden doesn't make much difference at the moment - except that you can find and unhide the hidden ones in the console.

    Minor complaint: The latest documentation contains, at the end of each chapter under Related information, a summary of the reference links but unfortunately a lot simply referred to as knowledge base article nnnnnn without the descriptive text.

    Should you upgrade? If you are on 5.5.0 (or even an earlier version) definitely. Please note that 5.5.0 is due for retirement end of July. I might be wrong but I expect the next major upgrade (if there is one) mid-2021, when Patch and SCF are retired. Right now this isn't aligned with the retirement date for 5.5.1.

    BTW: There's an updated Deployment Packager 1.3.3

    Christian 

  • Hello all,

    I'm running DataBackupRestore.exe -Action=Backup with a daily scheduled task and just noticed that it didn't back up yesterday.
    So I ran the command from the command line and it immediately said 
    Password is needed to perform action on Credential Store....
    Huh? Ok, the How to use the DataBackupRestore.exe program ... explains this new parameter (together with the new CredentialStore datasourcetype). Makes sense that if you protect the credentials in the running system with an additional layer and the user running  has to be a member of the Sophos Console Power Users group to back them up that you also protect the backup with an additional layer.

    Ok, fine. After adding a password it does again. But now the password is in plain text in the task scheduler, kinda defeats its purpose. Or am I missing something.

    Again the reminder (especially for those who have never or not for a long time upgraded): The Core database name has changed. Tools that do not use the DatabaseConnectionMS registry value might need some change.

    Christian     

  • It looks like this is only required if you're backing up or restoring the data source type of CredentialStore which should not change at all unless service account passwords have changed.  If you set the scheduled task to only backup databases, it will not prompt for credentials.  I was not able to find a way to backup the database, registry, and securestore in one command however so multiple scheduled tasks may be required though I suspect the latter two would also be unchanged from day-to-day usage.

  • Hello all,

    time for an update. Status: Both servers are running without problems.

    Hide computers: I didn't find a use case for the new Hide computer feature - perhaps I'm not inventive enough. You could hide computers that for example won't be switched on for a longer period so no messages will be enqueued in the Envelopes folder that won't be sent anyway. Seems to work like this - at least I didn't see an enqueued message. Surprisingly and IMO misleadingly the console displays Awaiting policy transfer for the hidden computer. Thinking about it - actually this isn't new but owed to the fact that Awaiting doesn't indicate what one might assume. It indicates that the policy assigned to the computer is not the one whose reception the endpoint has acknowledged.
    As for potential use cases with live computers - why would you hide some computers when you can't be sure that they stay hidden?

    Console: Sort by column is broken in several places. First noticed in the Tamper protection tab's status (Tamper protection policy) column. It seems to be incorrect in other tabs/columns when you work on a subset (i.e. the View: drop-down is not All computers) of the endpoints is selected.

    This being a "minor" upgrade I didn't perform extensive tests. There might as well be some other flaws, old or new. Sadly there have been no SEC Betas since 5.1 - can't say why. Mind you, there are no major issues except perhaps the one in conjunction with the new Credential Store. A Beta might or might not have brought forward this problem.

    Christian
    hmmm ... they say it's quarantine time ... and they are not talking of files ...[Z]  

Reply
  • Hello all,

    time for an update. Status: Both servers are running without problems.

    Hide computers: I didn't find a use case for the new Hide computer feature - perhaps I'm not inventive enough. You could hide computers that for example won't be switched on for a longer period so no messages will be enqueued in the Envelopes folder that won't be sent anyway. Seems to work like this - at least I didn't see an enqueued message. Surprisingly and IMO misleadingly the console displays Awaiting policy transfer for the hidden computer. Thinking about it - actually this isn't new but owed to the fact that Awaiting doesn't indicate what one might assume. It indicates that the policy assigned to the computer is not the one whose reception the endpoint has acknowledged.
    As for potential use cases with live computers - why would you hide some computers when you can't be sure that they stay hidden?

    Console: Sort by column is broken in several places. First noticed in the Tamper protection tab's status (Tamper protection policy) column. It seems to be incorrect in other tabs/columns when you work on a subset (i.e. the View: drop-down is not All computers) of the endpoints is selected.

    This being a "minor" upgrade I didn't perform extensive tests. There might as well be some other flaws, old or new. Sadly there have been no SEC Betas since 5.1 - can't say why. Mind you, there are no major issues except perhaps the one in conjunction with the new Credential Store. A Beta might or might not have brought forward this problem.

    Christian
    hmmm ... they say it's quarantine time ... and they are not talking of files ...[Z]  

Children
No Data