
Redirecting/Reprotecting MacOS Endpoints Post-SEC Migration

Hello,

We are looking to migrate our management SEC server from Win 2008 R2 to Win 2016 while maintaining the historical data (groups, policies, etc.). In the server-to-server migration documentation (https://docs.sophos.com/esg/enterprise-console/5-5/help/en-us/PDF/sec_55_mgeng.pdf) for SEC 5.5.1, step 14 calls to "Redirect endpoints to the new Enterprise Console". The method listed in the documentation is purely for Windows endpoints, involving a redirect script. The majority of our endpoints are macOS.

The best solution I can find is to reinstall Sophos AV on each individual endpoint using the installer that is generated on the SEC host post-migration (https://community.sophos.com/kb/en-us/119744 console managed installer section). This is essentially the same as "re-protecting" each machine as described in the alternate method in the server-server migration guide.

Is this really the only option for redirecting macOS endpoints to the new SEC server? 



  • Hello David D1,

    you can use mrinit.custom to redirect the Macs - provided you use the same certificates on the new server.

    Christian

  • QC,

    If I'm understanding the documentation correctly, I'll need to configure the custom mrinit.custom file to point to the new management SEC before the actual migration? That way the endpoints can receive the redirect and then, after the migration is complete, they should begin checking in/reporting to the new console? Thanks for your help.

    Regards,

    DD

  • Hello DD,

    with the mrinit.custom pointing to the new SEC the Macs will immediately try to contact it (and no longer the old). They'll appear disconnected in old. Once new is there you'd see these Macs and can make them comply with the appropriate updating policy.

    You can also do it the other way round. From old assign an updating policy pointing to new. Put the mrinit.custom in the new CIDs.

    Christian

  • Hello QC,

    is there a way to redirect macOS endpoints to a new server if the certificates of the old and new server differ?

    Regards,

    Holger

  • Hello Holger,

    my remark about the same certificates comes from deduction. As you see it isn't explicitly mentioned in the article. The ReInit script for Windows has to fiddle with the keys.

    The official way is a reinstall. I'm not a Mac expert, it looks like something similar to EMU could be written (but nobody has done it yet).
    Again just speculating what the basic steps could be:
    • stop (at least) the SophosManagementxxxxxxx daemons, perhaps also SophosServiceManager. (don't ask me how to do it)
    • replace cac.pem in \Library\Sophos Anti-Virus\RMS\
    • delete the three .config and the two .private files
    • run clientmrinit
    • start the daemons
    Guess this can be scripted - assuming it works. The ReInit.vbs created by the EMU sets a marker to avoid repeated execution, optionally the GroupPath, and checks if it's running on a Relay or SUM - doesn't apply to Macs anyway.  

    Heard there's a vacant pedestal in the Hall Of Fame ... or rather two small ones, for the script and the generator, or a tall one for the complete solution [;)]

    Christian

  • Hi QC,

    I already have a scripted solution ready. It works this way:

    • download cac.pem and mrinit.conf from a webcid managed by the new server
    • replace both files in /Library/Sophos Anti-Virus/RMS
    • run /Library/Sophos Anti-Virus/RMS/clientmrinit -uninstall
    • run /Library/Sophos Anti-Virus/RMS/clientmrinit -install
    • restart SophosManagementAgent and SophosMessageRouter

    Unfortunately the script needs to be executed on the client. This can be a problem if the user ignores the admin.

    For this reason I'm wondering if there is another approach which doesn't require user cooperation. :-)

    Regards,

    Holger
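    Holger's five steps above written out as a shell script. This is an added example, not Holger's own script or anything from Sophos. The web CID URL and the launchd labels of the two daemons are assumptions (placeholders); the `clientmrinit -uninstall`/`-install` options and the RMS path are the ones named in the post. The script adds what Christian's certificate remark suggests a practitioner should want: it checks that the downloaded cac.pem actually contains a certificate and that mrinit.conf names the new server, and it keeps a backup copy of the old files, so a bad download does not leave the Mac unmanaged.

```shell
#!/bin/sh
# Added example: redirect a Mac RMS client to a new SEC server.
# Assumptions (not from the thread): CID_URL, the launchd labels in DAEMONS,
# and the use of "launchctl kickstart" to restart the daemons.
set -eu

RMS_DIR="/Library/Sophos Anti-Virus/RMS"
CID_URL="${CID_URL:-https://new-sec.example.internal/cid/rms}"        # placeholder
# Placeholder labels; confirm with: sudo launchctl list | grep -i sophos
DAEMONS="${DAEMONS:-com.sophos.managementagent com.sophos.messagerouter}"

# A usable cac.pem must contain at least one PEM certificate block.
pem_has_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Loose sanity check: the new mrinit.conf should mention the new server.
mrinit_points_to() {   # $1 = mrinit.conf, $2 = new SEC hostname
    grep -qi -- "$2" "$1"
}

fetch_from_cid() {     # $1 = working directory
    curl -fsS -o "$1/cac.pem"     "$CID_URL/cac.pem"
    curl -fsS -o "$1/mrinit.conf" "$CID_URL/mrinit.conf"
}

redirect_to_new_sec() {  # $1 = new SEC hostname (used only for the check)
    work="$(mktemp -d)"
    fetch_from_cid "$work"
    pem_has_cert "$work/cac.pem" || { echo "cac.pem: no certificate" >&2; return 1; }
    mrinit_points_to "$work/mrinit.conf" "$1" || { echo "mrinit.conf: $1 missing" >&2; return 1; }
    backup="$RMS_DIR/backup-$(date +%Y%m%d%H%M%S)"          # rollback copy
    mkdir -p "$backup"
    cp "$RMS_DIR/cac.pem" "$RMS_DIR/mrinit.conf" "$backup/"
    cp "$work/cac.pem" "$work/mrinit.conf" "$RMS_DIR/"
    "$RMS_DIR/clientmrinit" -uninstall                        # steps 3 and 4 of the post
    "$RMS_DIR/clientmrinit" -install
    for d in $DAEMONS; do
        launchctl kickstart -k "system/$d"                    # restart (label names assumed)
    done
}

# Only perform the redirect when explicitly asked, e.g.:
#   sudo SOPHOS_REDIRECT_RUN=1 ./redirect.sh new-sec.example.internal
if [ "${SOPHOS_REDIRECT_RUN:-0}" = "1" ]; then
    redirect_to_new_sec "${1:?new SEC hostname}"
fi
```

Run it as root via whatever remote-management channel you already have for the Macs; the sanity checks only catch a wrong or empty download, they do not validate the certificate chain.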

  • Hello Holger,

    gr8! Didn't think of the -uninstall.

    "doesn't require user cooperation"
    actually on Windows the ReInit also has to be executed on the endpoint. Automatic execution relies on the ability to (if necessary copy and) run the script remotely, i.e. you need administrative rights and some kind of remote access has to be enabled.

    Christian