
Redirecting/Reprotecting macOS Endpoints Post-SEC Migration

Hello,

We are looking to migrate our management SEC server from Windows Server 2008 R2 to Windows Server 2016 while maintaining the historical data (groups, policies, etc.). In the server-server migration documentation (https://docs.sophos.com/esg/enterprise-console/5-5/help/en-us/PDF/sec_55_mgeng.pdf) for SEC 5.5.1, step 14 calls to "Redirect endpoints to the new Enterprise Console". The method listed in the documentation is purely for Windows endpoints, involving a redirect script. The majority of our endpoints are macOS.

 

The best solution I can find is to reinstall Sophos AV on each individual endpoint using the installer that is generated on the SEC host post-migration (https://community.sophos.com/kb/en-us/119744 console managed installer section). This is essentially the same as "re-protecting" each machine as described in the alternate method in the server-server migration guide.

Is this really the only option for redirecting macOS endpoints to the new SEC server? 



  • Hello Holger,

    My remark about the same certificates comes from deduction. As you see, it isn't explicitly mentioned in the article. The ReInit script for Windows has to fiddle with the keys.

    The official way is a reinstall. I'm not a Mac expert, it looks like something similar to EMU could be written (but nobody has done it yet).
    Again just speculating what the basic steps could be:
    • stop (at least) the SophosManagementxxxxxxx daemons, perhaps also SophosServiceManager. (don't ask me how to do it)
    • replace cac.pem in \Library\Sophos Anti-Virus\RMS\
    • delete the three .config and the two .private files
    • run clientmrinit
    • start the daemons
    Guess this can be scripted - assuming it works. The ReInit.vbs created by the EMU sets a marker to avoid repeated execution, optionally the GroupPath, and checks if it's running on a Relay or SUM - doesn't apply to Macs anyway.  

    Heard there's a vacant pedestal in the Hall Of Fame ... or rather two small ones, for the script and the generator, or a tall one for the complete solution ;)

    Christian

  • Hi QC,

    I already have a scripted solution ready. It works this way:

    • download cac.pem and mrinit.conf from a webcid managed by the new server
    • replace both files in /Library/Sophos Anti-Virus/RMS
    • run /Library/Sophos Anti-Virus/RMS/clientmrinit -uninstall
    • run /Library/Sophos Anti-Virus/RMS/clientmrinit -install
    • restart SophosManagementAgent and SophosMessageRouter

    Unfortunately the script needs to be executed on the client. This can be a problem if the user ignores the admin.

    For this reason I'm wondering if there is another approach which doesn't require user cooperation. :-)

     

    Regards,

    Holger
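
The file-replacement and clientmrinit steps from the post above as a script, with one check added in front. This is an added example, not part of either poster's solution: it refuses to replace anything unless the downloaded cac.pem matches a SHA-256 the admin obtained from the new server out of band. The pinned hash, the `--apply` argument and the function names are assumptions of this example; the paths and clientmrinit switches are the ones given in the post.

```shell
#!/bin/sh
# Added example (not from the thread): verify, back up and replace the RMS files.
# RMS_DIR is the directory named in the post; override it for a dry run.
RMS_DIR="${RMS_DIR:-/Library/Sophos Anti-Virus/RMS}"

# Print the SHA-256 of a file (shasum on macOS, sha256sum elsewhere).
sha256_of() {
  if command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    sha256sum "$1" | awk '{print $1}'
  fi
}

# stage_rms_files SRC_DIR EXPECTED_CAC_SHA256
# Returns 0 on success, 1 if a file is missing or a copy fails,
# 2 if cac.pem does not match the pinned hash (nothing is replaced).
stage_rms_files() {
  src="$1"
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  for f in cac.pem mrinit.conf; do
    [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
  done
  got=$(sha256_of "$src/cac.pem")
  [ "$got" = "$want" ] || { echo "cac.pem hash mismatch: $got" >&2; return 2; }
  stamp=$(date +%Y%m%d%H%M%S)
  for f in cac.pem mrinit.conf; do
    # Keep the old file so the endpoint can be pointed back if needed.
    if [ -f "$RMS_DIR/$f" ]; then
      cp -p "$RMS_DIR/$f" "$RMS_DIR/$f.bak.$stamp" || return 1
    fi
    cp "$src/$f" "$RMS_DIR/$f" || return 1
  done
}

# The two clientmrinit calls listed in the post.
reregister() {
  "$RMS_DIR/clientmrinit" -uninstall && "$RMS_DIR/clientmrinit" -install
}

# Usage: sudo sh redirect.sh --apply /path/to/downloaded/files <sha256-of-cac.pem>
# Restarting SophosManagementAgent and SophosMessageRouter is left to the
# caller: the thread does not give the launchd labels for them.
if [ "${1:-}" = "--apply" ]; then
  stage_rms_files "$2" "$3" && reregister
fi
```

Setting `RMS_DIR` to a scratch directory lets the staging step be rehearsed without touching a live endpoint.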

  • Hello Holger,

    gr8! Didn't think of the -uninstall.

    "doesn't require user cooperation"
    Actually, on Windows the ReInit also has to be executed on the endpoint. Automatic execution of relies on the ability to (if necessary copy and) run the script remotely, i.e. you need administrative rights and some kind of remote access has to be enabled.

    Christian