This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

migration to Sophos Central encryption?

Hi,

We have about 100+ endpoints deployed with Windows 10 and SafeGuard 8. We are now licensing the encryption module for Sophos Central and I'm wondering if there's any convenient way to migrate these users to the cloud managed product? We have endpoint suites managed by Central already deployed to these devices but I don't believe they have the encryption component included. Is this going to be a long, painful manual process or are there some shortcuts we can utilize? Any insight would be most appreciated.

kind regards,

Gary



This thread was automatically locked due to age.
Parents
  • Hi Gary

     

    Did you get an answer to your question? I'm looking for an remote method to remove the three SafeGuard components and install the complete Endpoint with Device Encryption.

     

    Thanks, Lee

  • So it turns out that if you're running SafeGuard 8.x you can uninstall the client after deploying an uninstall policy and moving an XML file in to the right location. Then when you install the Sophos Central client it will find that your drive is Bitlocker encrypted and take over management of its keys. If you are running SafeGuard 7.x, however, it won't let you uninstall without decrypting your entire volume. In that case, we've found it quicker to upgrade to 8.x first. Either way, it will require some reboots of the system so you'll definitely want to involve the end user if you're trying to do this remotely. We've found it easier to run them concurrently and whenever we get a SafeGuard system in for maintenance we'll also convert it to Sophos Central at the same time -- which is even easier if we're just re-imaging a machine since our new WIn10 image includes Sophos Central. It's also possible to use SafeGuard and Sophos Central concurrently and have policies in place for all users. You'll quickly see which systems are still using SafeGuard because they'll alert you that it can't run the device encryption service. Please let me know if I've left out any important details.

  • Thanks Gary. We are already using 8. Since my post I've been testing and what I've found is that I uninstall the SafeGuard programs using the MSI file and msiexec commands with /norestart, then install Endpoint with the Device Encryption component using -quiet command. All of our clients already have Sophos Central Endpoint (without the device encryption component), so before doing anything I turn off tamper protection in Sophos Central. I found the Bitlocker key was then regenerated and available in SC and the user wouldn't see anything or be prompted to take action. The Endpoint client still needs a restart, as does SafeGuard to complete the removal, but this can happen at any time. I didn't need to to do anything else so curious to know what the XML file is and the purpose of moving it.

     

    Lee

Reply
  • Thanks Gary. We are already using 8. Since my post I've been testing and what I've found is that I uninstall the SafeGuard programs using the MSI file and msiexec commands with /norestart, then install Endpoint with the Device Encryption component using -quiet command. All of our clients already have Sophos Central Endpoint (without the device encryption component), so before doing anything I turn off tamper protection in Sophos Central. I found the Bitlocker key was then regenerated and available in SC and the user wouldn't see anything or be prompted to take action. The Endpoint client still needs a restart, as does SafeGuard to complete the removal, but this can happen at any time. I didn't need to to do anything else so curious to know what the XML file is and the purpose of moving it.

     

    Lee

Children
No Data