
Sophos agent no longer auto installs

Hello All,

I am dealing with an issue in which new PCs introduced to our domain are no longer receiving the Sophos agent and auto-installing. This used to work for years prior to us moving to a new Server 2012 R2. I've reached out to support and have gotten pretty much a repetitive answer that is not solving the issue. All my folders are green and synchronized and they appear on the Sophos dashboard. Is there anywhere else we need to check to verify the auto-install feature? Thanks.



  • Hi,

    Can you manually protect one of these computers from the Console? This would prove that all the deployment requirements are met.

    https://www.sophos.com/support/knowledgebase/111180.aspx

    https://www.sophos.com/deployment

    The other thing that comes to mind is the EnableTaskScheduler2 registry key as mentioned here:

    https://www.sophos.com/support/knowledgebase/118354.aspx

    You may have more success with that.

    With push becoming more difficult as the OS versions increase, rather than relying on a push, maybe a startup script would be more reliable to pull the install:

    https://www.sophos.com/en-us/support/knowledgebase/13090.aspx

    Regards,

    Jak

  • Yes I can manually install the endpoints that show up on the Dashboard without any issue which is my current workaround. After researching, I'm noticing that my old install script was pointing to the old Sophos server. I've manually updated the script but now when I deploy it via SCCM, the endpoint tries to update directly from the Primary server and not from the associated secondary server that it's attached to. Is there a redirection file or switch in the install software?

  • Hi Robert,

    In your SCCM deployment are you installing this from a package included in SCCM, or by launching the setup.exe from the network share CID of the SUM server?

    You said you could modify the script, so it sounds as if you are doing the latter. In this case the clients will obey your settings specified in the Updating Policy.

    You mentioned you already contacted support, could you please provide me in private with your ticket number and I can have a look?

    Thanks,

    Voicu.

  • Actually after further investigation, Sophos is actually not being managed by my SCCM server. The original administrator of the system stated this has always been managed by our Primary Sophos server and he thinks there is an authentication issue between the endpoints and the server. I attempted to re-authenticate the username and password on all the servers but the PCs continue not to recognize the auto install. I've only been exposed to Sophos for a couple of months after many years as a McAfee admin so this system is quite different than what I'm used to.

  • Hi Robert,

    In this case I think you may be using AD sync. Can you confirm if this is the case? In SEC you should see AD sync enabled folders as a green icon. 

    Any PCs, with an OS that supports auto deployment (that is Windows Workstations, so no Windows servers, Mac or Linux), that you add to the synced OU in DC should appear in the corresponding SEC folder. - You can confirm if you get this far, if you see the PCs in SEC in the AD sync'ed folder?

    Next, in order to get software installed, those PCs should be prepared for installation (certain ports must be opened in their local Firewall, some services need to be on, etc. Link provided by  above:  https://www.sophos.com/support/knowledgebase/111180.aspx ). 

    If you get this far, the next step would be to check if Auto deployment is actually enabled on this Sync group. You can see this in the Synchronization Properties of the Group. Check if the "Install Sophos security software automatically" is checked and if the username and password are correct. These credentials must have local admin rights on the endpoint and access to the shared CID in order to be able to start the installation.

    At this point you should get the PCs protected via auto-deployment. More details in this pdf: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sec_521_heng.pdf under AD sync chapter.

    Let us know how this goes.

    Good day,

    Voicu.
