This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How do I deploy Sophos Endpoint with SCCM 2012

Hi Guys,

 

I need to create an SCCM package for Sophos Endpoint for use with Desktops and Servers - can someone please point me in the direction of a guide as i understand there is no .msi for Sophos?

 

Thanks



This thread was automatically locked due to age.
Parents
  • I spent a lot of time getting this process to work right, especially when it came to installing the Outlook Add-in. I'm hoping this post helps others.

    What I found that works best for me is to create a script Application and have it run the installer using the required variables. As for the Sophos Outlook Add-in, I created a batch file that I run as the install program. If you're on CB you can use either the Application or Package method as the installer - if you're on an older version, I'd stick with a Package. 

    To create the Sophos Endpoint Application/Package...

    1. Copy the original installer files from: \\YourServer\SophosUpdate\CIDs\S000\SAVSCFXP\
    2. Put these files in a folder in your preferred software share
    3. Create the Application as a script installer and  use the following as the "Installation Program" (This is all on one line):
      setup.exe -mng yes -crt R -updp \\YourServer\share\Sophos\10.7\SAVSCFXP -ouser YourObfuscatedUsername -opwd YourObfuscatedPassword -s -mngcfg \\YourSCCMServer\ConfigFiles\Folder\
      (Command line parameters used by setup.exe: https://community.sophos.com/kb/en-us/12570)
      (Obfuscating the username and password: https://community.sophos.com/kb/en-us/13094)
    4. As a Detection Method, I used a registry check from a PC that had it installed manually to look up the Product Version and make sure it was "equal":
      HLM\SOFTWARE\WOW6432Node\Sophos\AutoUpdate

     

    To create the Sophos Outlook Add-in Application/Package...

    As I mentioned above, I created a batch file to call up everything I needed. One particularly irritating problem that I ran into is that the MSI for the add-in does not include the required Visual Studio Tools for Office Runtime (VSTO) the add-in needs. It is included in the exe but there is no way to run it silently because it's installer forces the user to read the EULA in order to proceed. I tried extracting the exe with 7zip but I didn't find VSTO so I just downloaded it directly from Microsoft (https://www.microsoft.com/en-us/download/details.aspx?id=48217). I have the batch file installing it first then the Sophos Outlook Add-in MSI will install correctly. Using my Googlefoo, I found a command switch to install VSTO silently because Microsoft doesn't publish it! We also wanted to make some changes to the way the add-in behaves in Outlook. I found that the easiest way to get this accomplished was to do it through a reg file containing the changes we needed (these are well documented by Sophos in the Deployment Guide http://esa.sophos.com/docs/esa/pdf/OutlookAddIn.pdf). I used a great little program called Registry Converter (http://www.sordum.org/8478/reg-converter-v1-0/)  to change the reg files into .vbs files that I could kick off from the batch. 

    I copied all of the files I mentioned above to my SCCM software share. I then created the batch file in that same folder and named it "install.bat". Then I created a script installer in SCCM that uses install.bat as the installation program. Obviously, you can customize the batch file to your needs, just be sure that you don't alter the first line. That string makes the sequence run from the directory that SCCM client caches that contains all the required files.

    Install.bat file:

    PUSHD %~dp0

    REM Install Required Runtime - /afterreboot is undocumented and forces it to skip the EULA
    "vstor_redist.exe" /afterreboot /q

    REM Install Sophos Outlook
    msiexec /i "SophosOutlookAddInSetup.msi" /q

    REM Uninstall command if you need it: msiexec /x {34C40A8A-6D85-4519-9F89-FB14B1D1EB03} /q

    REM Run registry settings script
    "SophosRegSettings.vbs"

  • Great info above. 

     

    In SCCM I would use the above to install the latest on all your devices if their already deployed. If your installing from a task sequence during a new build, in theory if you had update points around your network to assist with locations with slow network bandwidth, I would use the above script. 

     

    If your a smaller company with only one update point, I would create a custom installer using the Deployment Packager. Then in SCCM create "Package" with the EXE it created and run in your task sequence. I do this and the smaller deltas, I let the clients update on their own and larger changes I update the EXE and refresh the package. 

    Also to note in the task sequence, will set the reboot flag, so you either need to reboot or clear that flag.

Reply
  • Great info above. 

     

    In SCCM I would use the above to install the latest on all your devices if their already deployed. If your installing from a task sequence during a new build, in theory if you had update points around your network to assist with locations with slow network bandwidth, I would use the above script. 

     

    If your a smaller company with only one update point, I would create a custom installer using the Deployment Packager. Then in SCCM create "Package" with the EXE it created and run in your task sequence. I do this and the smaller deltas, I let the clients update on their own and larger changes I update the EXE and refresh the package. 

    Also to note in the task sequence, will set the reboot flag, so you either need to reboot or clear that flag.

Children
No Data