Auto install used to work but i dont think it does anymore?

Hello givemecontrol,

AD sync attempts to install if it detects a new endpoint (but it requires, obviously, AD and furthermore it sync the container OU structure which might or might not be what you want). It tries only once though, AFAIK the repeated attempts were only in the Beta or if in GA only for a short while.

Why not include it in the image?

Christian

Hmm yes i am recalling actually that it may work for brand new machines, but once a machine is reimaged, it does not re apply. I have all the ou's set up correctly i think in sophos console.

"why not include in the image"

Well i prefer to keep the images small but i could i suppose. Virus scanners have a way of screwing things up especially when they are out of date. but i can look into that maybe. Shame it cant just re try to install on workstations that dont have it, say, once a day.

Hello givemecontrol,

once a machine is reimaged
yes, automatic install is only attempted for "new" computers (dunno if it's sufficient to delete a computer to trigger an install when it's "found again" in AD - but anyway the timing would be crucial as the computer has to be "ready" when it's found) and only once. In the Beta SEC retried, but not least yours truly questioned this behaviour. The problem is that when the sync interval is shorter than the time needed for the endpoint to install and report success the install is rescheduled resulting in an endless protect loop. A similar reservation applies to install errors (including could not be started because the computer isn't on). You wouldn't be able to discern whether the endpoint is not protected because it was not yet online or because some other error prevented the creation of the started task.
As said, I can't remember whether it was in GA for a short while but eventually it was set to one try once.
say, once a day
Dunno if it is reconsidered for a future version. Put yourself in place of the AD sync Protect automaton - how could you obtain the necessary information to reliably protect a computer and to reliably detect that protection is necessary for a re-imaged computer ?

[AV has] a way of screwing things up
won't rule it out, but if installed correctly the image should be good for half a year at least. What about Windows updates, IMO they are more problematic. I've seen endpoints that were on sabbatical leave (collecting dust in a corner or whatever, I'm talking about desktops) for more than a year and when online again updated without problems (and note they weren't clean images but in use for quite some time before).
Not the recommended procedure but an alternative where the image contains just AutoUpdate (please note that the article hasn't been amended to incorporate the latest components).

Christian 

"Dunno if it is reconsidered for a future version. Put yourself in place of the AD sync Protect automaton - how could you obtain the necessary information to reliably protect a computer and to reliably detect that protection is necessary for a re-imaged computer ?"

well symantec could do it 5+ years ago. So could mcafee. Im sure sophos can figure it out.

If antivirus is on and reporting, then dont install. If its not, then do. Thats pretty simple to me. Simply check if the sophos console can connect to the machine. If it cant, and its on the domain in a protected OU, then attempt to install the client with saved credentials. I believe wmi can tell you even if the product is installed with a simply wmic query. ( https://msdn.microsoft.com/en-us/library/aa394588(v=vs.85).aspx )

I will probably not be messing with the image. Microsoft best practices FYI, is to not install ANY software into the image, and actually install using SCCM or as part of the imaging process. For me that takes too long, so we load office as well as some simple tools into the image. I could do this with sophos as well, but i think i will just make a calendar reminder to push the client every week manually. It is also a shame that you cannot schedule things like that in the console as well.

Hello givemecontrol,

can do it
the grass is always greener ... [:D].
Seriously - If antivirus is on and reporting exactly this caused problems, as said, when the sync interval was too short. Simply check if the sophos console can connect it's not required that the return channel is available (ok, it should be in an AD environment). All in all (IMO, IMHO) there's a point of diminishing returns and you just exchange some deficiencies for others.

As far as AD sync and automatic install is concerned it does work when provisioning new computers. You know that SEC attempts to schedule the task nn minutes after the computer has been joined to the domain and you can allow for this. The re-image case though generally only works if all the stakeholders can be and are informed that the previous incarnation is gone for good.
If you work with bare images and let SCCM (or similar tools) do the rest then automatic install with AD sync isn't the right choice - instead the deployment tool should take care of triggering the install (at a proper point). If you - for whatever reason - decide to preload then you can either do it with just AutoUpdate or the full product.

Christian

yes well one would think it would check the computer periodically to see if sophos got uninstalled (say by a virus, or a bad user who stupidly had admin privileges) and then remediate that, but im not going to argue endlessly about feature requests. Your product cant handle re-imaging, and thats that.

Apparently part of the cloud system we are moving to means that i cannot deploy clients with the console anymore anyway, so it needs to be rolled into the image. No getting around it with cloud it seems. Or i could run the web installer every time i image a machine which i might do... still thinking about it.

Also burning it into the image consumes a license. or 4 in my case, because i have 4 different images. Licenses, as i am sure you know, are not free. I work with non profits so every dollar counts. I probably will just install after imaging and just have to be mindful of that.

Hello givemecontrol,

Your product
you know that I'm not Sophos, as the majority of viewers/readers - so it's not mine or ours [:)].
As you say Central doesn't even have Protect or automatic deployment though. As for licensing - do you refer to Sophos? 

Christian

Hello givemecontrol,

Your product
you know that I'm not Sophos, as the majority of viewers/readers - so it's not mine or ours [:)].
As you say Central doesn't even have Protect or automatic deployment though. As for licensing - do you refer to Sophos? 

Christian