
Enterprise Console 4.5 and Active Directory Synchronization

I recently upgraded from EC 4 to 4.5 and noticed that there is now an Active Directory Synchronization ability. This is nice as I had already set up Sophos to mirror our AD structure. I would just manually place workstations based on VLAN as this structure also pretty much matches our AD Structure. 

For a test I linked Sophos to the AD Container for IT and it pulled in all of the workstations. It seems to work great. So thumbs up on this new feature. However I have a couple questions about this.

1. As machines are added to the OU I can see how to set it up to automatically install Sophos should we want to. In our environment we have been deploying a managed Sophos Client to workstations but on laptops we have been using an unmanaged client. However currently our IT OU contains both the workstations and laptops. Is there a way to automatically push Sophos to the workstations but not the laptops? Would we have to split out the OU so that Workstations are held in a separate OU than Laptops so that we could prevent the managed client from being installed when they are brought on site, or is there a better way of ensuring laptops continue to get Sophos updates even though they may not be on our network for extended periods of time? I should add that we are not licensed for the Sophos NAC and have no plans for that in the near future.

2. As computers are removed from Active Directory, are they automatically removed from the Sophos Enterprise Console at the next refresh? We may devote the time to creating separate OUs for laptops and workstations to resolve question 1 above, but only if it buys us reduced administration overhead. Right now we have a lot of old retired machines left behind in AD, as I am sure a lot of organizations do. We have a project ongoing that is working at cleaning up AD, and this is being addressed. It would be great if this one project could also help us clean up Sophos. I would guess that we have about 500 machines that I could delete out of the console right now and be pretty safe. By pretty safe I mean that 20-30 may actually still be around but are not updating properly.

3. This next question may be better suited for another area on the forum, but I will toss it out there anyhow. We are in the process of deploying Microsoft SCCM. Is there a way that SCCM can be leveraged to do all the deployments of the managed or unmanaged clients? I really don't see why it can't be used. The only part I am not sure about is that when installing the managed client we have to enter a username and password into the installer to give it an account that has access to the share where the Sophos files are held. I am less concerned about the unmanaged client, as we have successfully developed an installer that runs with an answer file for all settings. I would imagine the same could be done for the managed client. Since SCCM can detect whether a device is a laptop or a desktop, it may also resolve the issue I am trying to find a solution for: how to get the right version onto the right device.

Thanks

Dave

  • Active Directory syncing has been there since Console 3.

    1.

    a) Is there a way to automatically push Sophos to the workstations but not the laptops?

    No.  The management console doesn't differentiate between laptops and desktops.  It does spot servers and doesn't protect that family of OSes because we don't want to give you the ability to accidentally install to a server.

    b) Would we have to split out the OU so that Workstations are held in a separate OU than Laptops so that we could prevent the managed client from being installed when they are brought on site, or is there a better way of ensuring laptops continue to get Sophos updates even though they may not be on our network for extended periods of time?

    Yes.  The only way (inside of the product) is to separate OUs.

    2. As computers are removed from Active Directory are they automatically removed from the Sophos Enterprise Console at the next refresh?

    Yes.

    3. Is there a way that SCCM can be leveraged to do all the deployments of the managed or unmanaged clients?

    The deployment of Sophos Anti-Virus has to use the SETUP.exe from the share (not the MSI files).  If you can "package" up the command you want from the following article (see link below) and get Sophos Anti-Virus to install with SCCM then there should not be a problem.

    NOTE:  SCCM is not a tested mechanism for deployment of Sophos Anti-Virus and is therefore unsupported - but that doesn't mean it won't work.

    http://www.sophos.com/support/knowledgebase/article/12570.html

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
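
The moderator's answers 1a and 3 together point at the workable route: the console cannot tell a laptop from a desktop, but the machine itself can, and the SETUP.exe command from the linked article can be wrapped in an SCCM program. The following PowerShell script is an added example for this thread, not code from the original post or from Sophos. Everything in it is an assumption: the share paths, the service account name, the unmanaged installer's switches, and the setup.exe switches themselves (-updp, -user, -pwd, -mng, -ni), which must be checked against KB article 12570 for your version before packaging.

```powershell
# Added example for this thread, not code from the original post or from Sophos.
# SCCM program wrapper: installs the managed Sophos client on desktops and the
# unmanaged client on laptops, so a single OU can hold both. Package it as
#   powershell.exe -ExecutionPolicy Bypass -File Install-SophosByChassis.ps1
# ASSUMPTIONS (placeholders, not values from the thread): every path and account
# name below, and the setup.exe switches (-updp, -user, -pwd, -mng, -ni), which
# must be checked against KB article 12570 for your version before packaging.
[CmdletBinding()]
param(
    [string]$ManagedSetup    = '\\sophos01\SophosUpdate\CIDs\S000\SAVSCFXP\setup.exe',
    [string]$UpdateShare     = '\\sophos01\SophosUpdate\CIDs\S000\SAVSCFXP',
    [string]$UnmanagedSetup  = '\\sophos01\Deploy\SophosUnmanaged\setup.exe',
    [string[]]$UnmanagedArgs = @('-ni'),   # assumed: whatever your answer-file installer takes
    [string]$UpdateUser      = 'CORP\svc-sophosread',
    [string]$UpdatePassword  = ''          # empty on purpose; see Install-Sophos
)

# SMBIOS chassis codes reported in Win32_SystemEnclosure.ChassisTypes that mean "mobile":
# 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable
$MobileChassis = 8, 9, 10, 14, 30, 31, 32

function Test-IsLaptop {
    $chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    $mobile  = @($chassis | Where-Object { $MobileChassis -contains $_ }).Count -gt 0
    # Second signal: a reported battery. Some docked laptops report a desktop chassis code.
    $battery = $null -ne (Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)
    return ($mobile -or $battery)
}

function Test-IsServer {
    # Win32_OperatingSystem.ProductType: 1 workstation, 2 domain controller, 3 server.
    # The console refuses to install on servers (answer 1a); the wrapper should too.
    return (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
}

function Install-Sophos {
    if (Test-IsServer) {
        Write-Warning 'Server OS detected; not installing the workstation client.'
        return 1
    }
    if (Test-IsLaptop) {
        Write-Host 'Laptop detected: installing the unmanaged client.'
        $exe       = $UnmanagedSetup
        $setupArgs = $UnmanagedArgs
    }
    else {
        Write-Host 'Desktop detected: installing the managed client.'
        $exe       = $ManagedSetup
        $setupArgs = @('-updp', $UpdateShare, '-mng', 'yes', '-ni')
        if ($UpdatePassword) {
            # Only when the share cannot be read by the machine's own computer account.
            # Anything on this command line can be read by local admins
            # (Win32_Process.CommandLine) and ends up in SCCM execution logs, so the
            # account must be read-only on the update share and have no other rights.
            $setupArgs += '-user', $UpdateUser, '-pwd', $UpdatePassword
        }
    }
    $proc = Start-Process -FilePath $exe -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

exit (Install-Sophos)
```

Two practical points. The SCCM client runs the program as LocalSystem, which reaches the share as the computer account; if Domain Computers has read access to the CID share, the install step needs no stored password at all. Whether the installed AutoUpdate component can keep updating without a stored credential depends on the share permissions and the Sophos version, so the KB article is the authority there. Where a password must be passed, treat it as public to every local administrator on every machine that received the package, and scope the account accordingly. The chassis check is also only as good as the firmware: test it on the docking stations and odd models you own before trusting it fleet-wide.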

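Answer 2 confirms that a computer deleted from the synced container drops out of the console at the next refresh, which makes the AD clean-up the right place to do the work. The script below is an added example for this thread, not code from the original post or from Sophos; it only reports stale computer objects so the handful that are still alive but not updating can be spotted before anything is deleted. The OU name, the 90-day threshold and the report path are placeholders, and nothing here talks to the Sophos console.

```powershell
# Added example for this thread, not code from the original post or from Sophos.
# Reports computer objects under the synced OUs that have not authenticated for
# $Days days, so they can be reviewed (and the 20-30 that are still alive found)
# before they are deleted from AD. ASSUMPTIONS: the OU names, the 90-day threshold
# and the report path are placeholders; nothing here talks to the Sophos console.
[CmdletBinding()]
param(
    [string[]]$SearchBase = @('OU=IT,DC=corp,DC=example'),
    [int]$Days = 90,
    [string]$Report = "$env:TEMP\stale-computers.csv"
)
Import-Module ActiveDirectory

# lastLogonTimestamp is only rewritten when the stored value is older than the
# msDS-LogonTimeSyncInterval (14 days by default), so it is accurate to about two
# weeks; keep $Days well above that or live machines will show up as stale.
$cutoff = (Get-Date).AddDays(-$Days)

# Enabled objects whose last domain logon is older than the cutoff.
$stale = foreach ($ou in $SearchBase) {
    Get-ADComputer -SearchBase $ou -SearchScope Subtree `
        -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } `
        -Properties LastLogonTimeStamp, OperatingSystem, whenCreated |
      Select-Object Name, OperatingSystem, DistinguishedName, whenCreated,
        @{ Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
}

# Objects that never logged on have no lastLogonTimestamp at all and are invisible
# to the -lt comparison above; catch them by creation date instead.
$never = foreach ($ou in $SearchBase) {
    Get-ADComputer -SearchBase $ou -SearchScope Subtree `
        -Filter { LastLogonTimeStamp -notlike '*' -and whenCreated -lt $cutoff } `
        -Properties whenCreated, OperatingSystem |
      Select-Object Name, OperatingSystem, DistinguishedName, whenCreated,
        @{ Name = 'LastLogon'; Expression = { $null } }
}

@($stale) + @($never) | Sort-Object LastLogon | Export-Csv -Path $Report -NoTypeInformation
Write-Host ('{0} stale and {1} never-logged-on computer objects written to {2}' -f
    @($stale).Count, @($never).Count, $Report)
```

Treat the CSV as a review list, not a deletion list: cross-check the names against the console's last contact time for each machine, since a machine that still reaches the update share but has fallen off the domain is exactly the case the original post worries about. Once an object is actually removed from AD, the next synchronization takes care of the console entry.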