This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to automate uninstall "Endpoint Protection" in a managed (SEC 5.5.1) environment for all clients? (German/English)

Hello, I'm new in the Sophos world and have a question,

I would like to switch from on-premise to Central, but no migration should be carried out!
The old product "Sophos Endpoint Protection" which is managed via "Sophos Enterprise Console 5.5.1" should be
cleanly removed from all PCs.
(In a further step, the Sophos Central (Intercept X) installer should then be distributed.)

I was able to find out that the tamper protection has to be removed first.
That could be regulated by a policy, right?

The second step will be to carry out the uninstallation for all clients, but how? This doesn't seem to work via SEC, and I'm afraid I'll have to write a kind of batch file or so? Unfortunately, I can't find anything right for the on-premise solution.

Can someone help me here or has this done before?


Hallo ich bin relativ frisch in der Sophos Welt und habe eine Frage an die Fachleute hier in der Community.

Ich möchte von on-Premise auf Central umstellen, es soll aber keine Migration vollzogen werden!
Es soll das alte Produkt "Sophos Endpoint Protection" welches über "Sophos Enterprise Console 5.5.1" verwaltet wird, auf allen PC's sauber entfernt werden.
(In einem weiteren Schritt soll dann der Sophos Central (Intercept X) Installer verteilt werden.)

Ich konnte nun in Erfahrung bringen, dass das erst mal der Manipulationsschutz (Tamper Protection) entfernt werden muss.
Die könnte man über eine Richtlinie regeln oder?

Als zweiten Schritt frage ich mich jedoch, wie ich nun zentralisiert die Deinstallation vornehmen kann? Über SEC scheint dies nicht zu gehen und ich befürchte, ich muss eine art batch-datei schreiben und irgendwie ausrollen. Ich finde leider nicht richtig etwas für die on-premise Lösung.
Kann mir hier jemand helfen oder hat dies schon mal gemacht?



This thread was automatically locked due to age.
Parents
  • Hello Robert Müller,

    German, English, egal? Ich nehme einmal Englisch

    First of all, may I ask why you do it in two steps?

    SEC provides no way to uninstall. I assume it's because the uninstaller would not be able report success. Well, in theory you could write a dissolvable agent but, frankly, this is an overkill.
    How did you install, Computer schützen? If so you have the necessary credentials and rights to schedule a task on the endpoints to run a simple batch file to uninstall all components.

    Christian

  • First of all, may I ask why you do it in two steps?

    You mean Step 1) uninstall the old Endpoint Protection an Step 2) install the new intercept X?
    I thought it would be a clean solution to go one step after another? Would you suggest another plan?

    How did you install, Computer schützen?

    I did not! The environment is from a customer, but you are right, all necessary credentials and rights are available.
    The link you posted looks good, I tested the Sample batch file and on my "test machine" it looks good. 
    A "uninstalleverysophostoolonthismachine.msi" would be too good to be true Rofl

  • Hello Robert Müller,

    I did not (yet?) migrate so I don't have any first-hand experience but I think the Migration Tool is preferable in most setups - except in very complex installations or if you really want to start from scratch with Central/Intercept X. It's not an afterthought but has been enhanced in parallel with Central and does its job.
    As it relies on SEC's management it will migrate all "healthy" endpoints the next time they are online and the process is synchronised - it executes in place of an update.
    Last but not least, if you have doubts or specials requirements will be happy to discuss them - won't you, Richard?

    Christian

  • FormerMember
    0 FormerMember in reply to QC

    Of course.

    You can just coarse grain migrate by doing an GPO install script to run the central installer - this will overwrite the onprem one and connect it to your Central account. (This will not work for the SEC or any  MRs or Update caches - these will have to be done manually)

    This will also just dump all the endpoints into the one Central bin - no group sorting or anything.

    So, if you need a specific organization of the endpoints - it would take a bit more planning but it can still be done.

  • The customer opted out of migration because the system is complex and he would like to start from scratch. Otherwise, the migration assistant would have been a good idea.

  • his will overwrite the onprem one and connect it to your Central account.

    This is a good info, I never tried it this way, this would be one step less in the process if its running smooth.

    This will also just dump all the endpoints into the one Central bin - no group sorting or anything.

    I wanted to take over the structure with the AD-Sync tool. Can I still do that?
    Should I use the AD-Sync first or should I use it at the end? Is there a best practice way?

  • I see no issues with taking over using the AD Sync tool in Sophos Central.

    I would advise running AD Sync before installing on endpoints as you can configure the policies and apply them to the users/groups you desire before the endpoints are on Sophos Central.  Running AD Sync after won't cause any issues.

  • FormerMember
    0 FormerMember in reply to MEric

    yes, you can run in either order. However, I agree with MEric. Configure things first then install. 

Reply Children
No Data