Sophos agent no longer auto installs

HI,

Can you manually protect one of these computer from the Console?  This would prove that all the deployment requirements are met

https://www.sophos.com/support/knowledgebase/111180.aspx

https://www.sophos.com/deployment

The other thing that comes to mind is the EnableTaskScheduler2 registry key as mentioned here:

https://www.sophos.com/support/knowledgebase/118354.aspx

You may have more success with that.

With push becoming more difficult as the OS versions increase, rather than replying on a push, maybe a startup script would be more reliable to pull the install:

https://www.sophos.com/en-us/support/knowledgebase/13090.aspx

Regards,

Jak

Yes I can manually install the endpoints that show up on the Dashboard without any issue which is my current workaround. After researching, I'm noticing that my old install script was pointing to the old Sophos server. I've manually updated the script but now when I deploy it via SCCM, the endpoint tries to update directly from the Primary server and not from the associated secondary server that its attached to. Is there a redirection file or switch in the install software?

Hi Robert,

In your SCCM deployment are you installing this from a package included in SCCM, or by launching the setup.exe from the network share CID of the SUM server?

You said you could modify the script, so it sounds as you are doing the latter. In this case the clients will obey your settings specified in the Updating Policy. 

You mentioned you already contacted support, could you please provide me in private with your ticket number and I can have a look?

Thanks,

Voicu.

Actually after further investigation, Sophos is actually not being managed by my SCCM server. The original administrator of the system stated this has always been managed by our Primary Sophos server and he thinks there is an authentication issue between the endpoints and the server. I attempted to re-authenticate the username and password on all the servers but the PCs continue not to recognize the auto install. I've only been exposed to Sophos for a couple of months after many years as a McAfee admin so this system is quite different than what I'm used to.

Hi Robert,

In this case I think you may be using AD sync. Can you confirm if this is the case? In SEC you should see AD sync enabled folders as a green icon. 

Any PCs, with an OS that supports auto deployment (that is Windows Workstations, so no Windows servers, Mac or Linux), that you add to the synced OU in DC should appear in the corresponding SEC folder. - You can confirm if you get this far, if you see the PCs in SEC in the AD sync'ed folder?

Next, in order to get software installed, those PCs should be prepared for installation (certain ports must be opened in their local Firewall, some services need to be on, etc. Link provided by jak above:  https://www.sophos.com/support/knowledgebase/111180.aspx ). 

If you get this far, the next step would be to check if Auto deployment is actually enabled on this Sync group. You can see this in the Synchronization Properties of the Group. Check if the "Install Sophos security software automatically" is checked and if the username and password are correct. These credentials must have local admin rights on the endpoint and access the the shared CID in order to be able to start the installation. 

At this point you should get the PCs protected via auto-deployment. More details in this pdf: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sec_521_heng.pdf under AD sync chapter.

Let us know how this goes.

Good day,

Voicu.