This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Auto install used to work but i dont think it does anymore?

Hey there. Firstly i can manually install the clients no problem using the console to push them.

 

It used to be, several years ago, that sophos would try every  ?hour? to install a sophos client on a freshly imaged PC.

I am pretty sure this is no longer occurring and cant recall if i disabled it. We dont use any batch files to do the install, so it would have been something configured in the console i believe. where is this configured from so i can check settings?

 

How does auto install work? the deploy guide has scripts that you can run, but i am sure i remember it "just working" perhaps based on the AD container that the computer was in.

 

Bottom line is how do i make sure that a newly imaged PC gets sophos client automatically, without having to run anything and without using logon scripts. Is there a way? im sure there was!



This thread was automatically locked due to age.
Parents
  • Hello givemecontrol,

    AD sync attempts to install if it detects a new endpoint (but it requires, obviously, AD and furthermore it sync the container OU structure which might or might not be what you want). It tries only once though, AFAIK the repeated attempts were only in the Beta or if in GA only for a short while.

    Why not include it in the image?

    Christian

  • Hmm yes i am recalling actually that it may work for brand new machines, but once a machine is reimaged, it does not re apply. I have all the ou's set up correctly i think in sophos console.

     

    "why not include in the image"

     

    Well i prefer to keep the images small but i could i suppose. Virus scanners have a way of screwing things up especially when they are out of date. but i can look into that maybe. Shame it cant just re try to install on workstations that dont have it, say, once a day.

  • Hello givemecontrol,

    once a machine is reimaged
    yes, automatic install is only attempted for "new" computers (dunno if it's sufficient to delete a computer to trigger an install when it's "found again" in AD - but anyway the timing would be crucial as the computer has to be "ready" when it's found) and only once. In the Beta SEC retried, but not least yours truly questioned this behaviour. The problem is that when the sync interval is shorter than the time needed for the endpoint to install and report success the install is rescheduled resulting in an endless protect loop. A similar reservation applies to install errors (including could not be started because the computer isn't on). You wouldn't be able to discern whether the endpoint is not protected because it was not yet online or because some other error prevented the creation of the started task.
    As said, I can't remember whether it was in GA for a short while but eventually it was set to one try once.
    say, once a day
    Dunno if it is reconsidered for a future version. Put yourself in place of the AD sync Protect automaton - how could you obtain the necessary information to reliably protect a computer and to reliably detect that protection is necessary for a re-imaged computer ?

    [AV has] a way of screwing things up
    won't rule it out, but if installed correctly the image should be good for half a year at least. What about Windows updates, IMO they are more problematic. I've seen endpoints that were on sabbatical leave (collecting dust in a corner or whatever, I'm talking about desktops) for more than a year and when online again updated without problems (and note they weren't clean images but in use for quite some time before).
    Not the recommended procedure but an alternative where the image contains just AutoUpdate (please note that the article hasn't been amended to incorporate the latest components).

    Christian 

  • "Dunno if it is reconsidered for a future version. Put yourself in place of the AD sync Protect automaton - how could you obtain the necessary information to reliably protect a computer and to reliably detect that protection is necessary for a re-imaged computer ?"

     

    well symantec could do it 5+ years ago. So could mcafee. Im sure sophos can figure it out.

     

    If antivirus is on and reporting, then dont install. If its not, then do. Thats pretty simple to me. Simply check if the sophos console can connect to the machine. If it cant, and its on the domain in a protected OU, then attempt to install the client with saved credentials. I believe wmi can tell you even if the product is installed with a simply wmic query. ( https://msdn.microsoft.com/en-us/library/aa394588(v=vs.85).aspx )

     

    I will probably not be messing with the image. Microsoft best practices FYI, is to not install ANY software into the image, and actually install using SCCM or as part of the imaging process. For me that takes too long, so we load office as well as some simple tools into the image. I could do this with sophos as well, but i think i will just make a calendar reminder to push the client every week manually. It is also a shame that you cannot schedule things like that in the console as well.

Reply
  • "Dunno if it is reconsidered for a future version. Put yourself in place of the AD sync Protect automaton - how could you obtain the necessary information to reliably protect a computer and to reliably detect that protection is necessary for a re-imaged computer ?"

     

    well symantec could do it 5+ years ago. So could mcafee. Im sure sophos can figure it out.

     

    If antivirus is on and reporting, then dont install. If its not, then do. Thats pretty simple to me. Simply check if the sophos console can connect to the machine. If it cant, and its on the domain in a protected OU, then attempt to install the client with saved credentials. I believe wmi can tell you even if the product is installed with a simply wmic query. ( https://msdn.microsoft.com/en-us/library/aa394588(v=vs.85).aspx )

     

    I will probably not be messing with the image. Microsoft best practices FYI, is to not install ANY software into the image, and actually install using SCCM or as part of the imaging process. For me that takes too long, so we load office as well as some simple tools into the image. I could do this with sophos as well, but i think i will just make a calendar reminder to push the client every week manually. It is also a shame that you cannot schedule things like that in the console as well.

Children
  • Hello givemecontrol,

    can do it
    the grass is always greener ... [:D].
    Seriously - If antivirus is on and reporting exactly this caused problems, as said, when the sync interval was too short. Simply check if the sophos console can connect it's not required that the return channel is available (ok, it should be in an AD environment). All in all (IMO, IMHO) there's a point of diminishing returns and you just exchange some deficiencies for others.

    As far as AD sync and automatic install is concerned it does work when provisioning new computers. You know that SEC attempts to schedule the task nn minutes after the computer has been joined to the domain and you can allow for this. The re-image case though generally only works if all the stakeholders can be and are informed that the previous incarnation is gone for good.
    If you work with bare images and let SCCM (or similar tools) do the rest then automatic install with AD sync isn't the right choice - instead the deployment tool should take care of triggering the install (at a proper point). If you - for whatever reason - decide to preload then you can either do it with just AutoUpdate or the full product.

    Christian

  • yes well one would think it would check the computer periodically to see if sophos got uninstalled (say by a virus, or a bad user who stupidly had admin privileges) and then remediate that, but im not going to argue endlessly about feature requests. Your product cant handle re-imaging, and thats that.

     

    Apparently part of the cloud system we are moving to means that i cannot deploy clients with the console anymore anyway, so it needs to be rolled into the image. No getting around it with cloud it seems. Or i could run the web installer every time i image a machine which i might do... still thinking about it.

     

    Also burning it into the image consumes a license. or 4 in my case, because i have 4 different images. Licenses, as i am sure you know, are not free. I work with non profits so every dollar counts. I probably will just install after imaging and just have to be mindful of that.

  • Hello givemecontrol,

    Your product
    you know that I'm not Sophos, as the majority of viewers/readers - so it's not mine or ours [:)].
    As you say Central doesn't even have Protect or automatic deployment though. As for licensing - do you refer to Sophos? 

    Christian