Policy Behavior for clients in Unassigned group?

I guess I want to know what settings a client will use if it is installed by manually running setup.exe from the CID folder.  I assume they will just use whatever the default settings are for a standalone installation (?)

I'm trying to wrap my mind around what happens when I install Sophos on linux clients.  They don't appear to be able to update themselves.

I know for Windows machines, when manually running setup I can specify a Group for the Client machine to add itself to.  I don't immediately see that option for Linux clients -- does anyone know if it exists?

To make things 'worse' for my testing, I have found that if I delete a computer from the Enterprise Console, if I then reinstall the client on a computer it re-appears in the Enterprise Console under the same group I deleted it from (instead of the "Unassigned" group as I would expect)?   So I'm not sure what settings are preserved when a computer is "deleted" from the Enterprise Console.   

It appears that a Windows client will continue to try and update itself  from the setup install location if it is "installed" into the "Unassigned" group in the Enterprise Console (by running the setup.exe program directly from the CID share).

A linux client appears to "forget" its configured update location once it finds itself in the "Unassigned" group and therefore stops updating until the linux client is moved to another Group in the Enterprise Console.    (even though the customized savinstpkg.tgz file has the "--update-source-path" parameter defined in the 'sophos-av/sav-linux/installOptions' file. )

So it would seem to appear that for linux clients, I need to either:

1.  Figure out if there is a command line parameter I can pass to the installer that will put the client into a specified Group that has a Update policy defined.

2.  Make sure to immediately move any installed linux clients out of the "Unassigned" group.  (need to coordinate with my linux admins).

Does the above analysis seem sound?

Hello Lestat,

The clients don't "find" themselves in a console group (although they can - at least on Windows - "request" to be put into a specific one). If a computer is deleted from SEC the client is not notified. Basically delete just sets a flag in SEC to make it "invisible" and both client and SEC keep their information. So if the "same" (there are some slightly complex rules) client later contacts SEC it "reappears".

OTOH - if you uninstall SAV on the client it is not deleted from SEC.   

A linux client appears to "forget" its configured update location

Right - just checked (not that I did doubt your words). Time for a support request I'd say (and as you have found it I leave it to you :smileywink:)

Christian

Support ticket #2316127 opened for this linux issue.

Hi Letstat

I can't comment on the Linux part of the query but with regards to your Windows machines, if left in the unassigned folder (after manual installation), they will assume the default policy, ie. as Sophos ships. so the policies as they exist upon your initial install of the SEC, will apply to the unassigned folder. Since the policies the SEC "ships" with isn't, imo, the most secure, it is highly advisable that you move your endpoints to the correct groups to apply the policies you have implemented.

Hi QC

As far as I know, if you delete a machine from SEC, it will only stay "invisible" until an update or policy change is applied. Once that has occurred, the RMS will send a message to the console and it will pop back into view. Test it, it's true ;-)

---

Lestat wrote:

Support ticket #2316127 opened for this linux issue.

---

Heard back from support regarding the linux question I had:

"Regarding the feature of being able to assign a Linux client to a particular group in Enterprise Console via the installation command/script, there is currently no way to do this, however, an official suggestion for this functionality to be added to Linux and OS X clients already exists. "