
Update, Update Policy via Group Policy

Roughly 25% of our computers are not reporting back to the Sophos Enterprise Console. I strongly suspect that a previous mis-configuration has these computers looking to the wrong place to connect to the console.

I'm looking for a way to get this information updated on a couple hundred computers - Can I push out the Sophos 'Updating Policy' via Group Policy? If so, where is the Updating Policy stored, and/or the Primary Server Address and Credentials? Is there a better way?

I went so far as to delete our existing computers, and then re-discover them, set up synchronization and its ability to install Sophos automatically. This works brilliantly for a fresh build newly joined to the domain, but it does not work for an existing computer with a mis-configured updating policy.



  • There are 2 communication channels for a SEC managed client:

    1. Updating (Sophos AutoUpdate).
    2. Remote Management System (RMS).

    You can configure updating policy in 2 ways:

    1. RMS: the management server can send a policy via RMS to AutoUpdate.
    2. From the CID using exportconfig/configcid. https://community.sophos.com/kb//13111 and https://community.sophos.com/kb//13112

    Not reporting back to SEC is a different issue than being able to update.

    When you install SEC, it creates a file called mrinit.conf. This file exists in the distribution points, or CIDs as they were previously known.
    When you install the client software, this file (along with cac.pem) is copied to the client and the values are added to the registry by clientmrinit.exe as part of the RMS installer.

    In the first instance I would check:

    1. The ParentAddress values on the client in the registry (hklm\software\wow6432node\sophos\messaging system\router\) are pointing at the SEC server and the client can resolve at least one address listed to the management server.
    2. Ports 8192 and 8194 TCP are available to the clients.
    3. Can we see the last router log of a failing client (\programdata\sophos\remote management system\3\router\logs)?

    If you can regain management of the clients with RMS you can set the updating policy through SEC.

    This might also be worth a mention: re-init the clients as per https://community.sophos.com/kb/en-us/116737.

    Regards,

    Jak

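The three checks Jak lists above (ParentAddress in the router registry key, TCP 8192/8194 reachability, and the latest router log) can be run together on a failing client. The following is an added, read-only diagnostic written for this reply; it is not code from the original post or from Sophos. It assumes the ParentAddress value under the quoted 32-bit key is either a comma-separated REG_SZ or a REG_MULTI_SZ (both are handled), and that the router log folder is the one Jak names; the registry key and log path are taken from the reply, the port list from the reply as well.

```powershell
# Added example (not from the original post): read-only RMS connectivity checks
# for a SEC managed client. Run in an elevated PowerShell on the failing machine.
# Assumption: ParentAddress is a comma-separated REG_SZ or a REG_MULTI_SZ.

$routerKey = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Messaging System\Router'
$rmsPorts  = 8192, 8194                      # RMS ports quoted in the reply
$logDir    = Join-Path $env:ProgramData 'Sophos\Remote Management System\3\Router\Logs'

function Get-RmsParentAddresses {
    # Returns the parent (SEC server) addresses the client router will try.
    if (-not (Test-Path $routerKey)) {
        Write-Warning "Router key not found: $routerKey (RMS not installed, or 64-bit path differs)"
        return @()
    }
    $raw = (Get-ItemProperty -Path $routerKey -Name ParentAddress -ErrorAction SilentlyContinue).ParentAddress
    if (-not $raw) { return @() }
    # REG_MULTI_SZ arrives as string[]; a REG_SZ is split on commas (assumed format).
    @($raw) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-RmsParent {
    param([Parameter(Mandatory)][string]$Address)
    $result = [ordered]@{ Address = $Address; Resolves = $false; IPs = @() }
    try {
        # Check 1: can the client resolve this address at all?
        $result.IPs      = @([System.Net.Dns]::GetHostAddresses($Address) | ForEach-Object IPAddressToString)
        $result.Resolves = $result.IPs.Count -gt 0
    } catch {
        $result.Resolves = $false
    }
    foreach ($port in $rmsPorts) {
        # Check 2: plain TCP connect to each RMS port; no RMS traffic is sent.
        $tcp = Test-NetConnection -ComputerName $Address -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = [bool]$tcp.TcpTestSucceeded
    }
    [pscustomobject]$result
}

$parents = Get-RmsParentAddresses
if ($parents.Count -eq 0) {
    Write-Warning 'No ParentAddress configured; the client has nowhere to report to.'
} else {
    $parents | ForEach-Object { Test-RmsParent -Address $_ } | Format-Table -AutoSize
}

# Check 3: tail the most recent router log to see the error the router recorded.
$latest = Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    "--- $($latest.FullName) ---"
    Get-Content -Path $latest.FullName -Tail 40
} else {
    Write-Warning "No router logs found under $logDir"
}
```

A client whose ParentAddress entries all fail to resolve, or resolve but fail the TCP tests, matches the "looking to the wrong place" symptom described in the question and is a candidate for the re-init procedure Jak links; the script changes nothing on the machine.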