This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

MSI Installer for EndPoint Protection or Intune compatible deployment method

Hello

 

Is there any possibility of an MSI for deploying Endpoint Protection?

 

We are an MSP with a Managed Devices offering that is underpinned by Microsoft Intune.

We have been using Sophos Endpoint Protection as part of the solution and are very happy with its functionality.

Unfortunately the Endpoint Protection deployment method is proving a major barrier to wider adoption and larger deployments.

Currently we are having to install manually as part of the enrolment.

Intune only supports deploying MSI installers so we either need an MSI or an 'Intune compatible' method.

With the advent of Microsoft Autopilot, if we cannot better automate the Sophos deployments we will have to consider using Windows Defender as our protection.

 

Regards

Sam



This thread was automatically locked due to age.
  • It's not possible.  The only way you could deploy the install as an MSI would be to author an MSI to call SophosSetup.exe.  Would that even help?

    Regards,

    Jak

  • Hello,

    Not possible or not available?

    I don't see what installer could possibly doing that couldn't now be done with an MSI.

     

    I tried out the re-authoring of an MSI that wraps the SophosSetup.exe and it did work but it was unnecessarily complicated and slightly messy.

     

    Regards

    Sam

  • The Sophos endpoint has a number of components depending on license, some are MSI based some are not.

    When you run the Central Installer, SophosSetup.exe, it pulls down a stage2 installer which registers with Central, gets policy information such as update cache locations, and is able to pull down a warehouse of files, before decoding them to the individual components under:

    C:\ProgramData\Sophos\CloudInstaller\AutoUpdatePreparation\Cache\decoded\

    At this point you have a sub directory for each product to install. 

    From the Cloud installer log you can see the install order of the potential 17 components:

    Install sequence for components is: uninstaller64 sed64 mcsep sse64 sfs64 clean64 esh64 ui64 shs sdu efw64 savxp enc sme64 ntp64 hmpa64 sau 

    As mentioned some of these are MSI based some are not but each of them has a setup plugin (setup.dll) which helps the component performing the installation (the stage 2 Central Installer for a fresh install or Sophos AutoUpdate for future updates) call the installer as needed depending on scenario, i.e. pass properties to the MSIs, perform pre-checks, actions before and actions after install. 

    AutoUpdate or the stage 2 installer doesn't know about products it manages, it relies on the components setup plugin to provide the logic to help it install the software.  This is why the install logs either have a separate setup log and MSI or install log or they are merged into a single log which has lines from the setup plugin and MSI together.  SAV install log has the setup logging and MSI log in the same file for example.  AutoUpdate has a separate setup log and MSI log.

    If you were going to provide a single MSI to use to deploy the endpoint, I guess you would be essentially installing something like the Cloud installer which was able to orchestrate the download and install but then relinquish this management to AutoUpdate post initial install.  I don't ever see there being one MSI to install all 17 components so it would have to just be a downloaded.

    Regards,
    Jak

  • Thank you Jak for the detailed explanation.

     

    When I was testing wrapping the EXE with an MSI I did exactly as you mentioned; wrapped the Cloud Installer in an MSI.

    It worked and it would be great if Sophos could provide the same thing. It would vastly improve our usability of Sophos.

  • Hi Sam Smith1,

    We currently do not have any option for MSI installers. I see that you have already got a feature request raised for the same.

    Other's who would like to vote for this feature request, vote here.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hi Sam

     

    Not sure if you will see this, but wondering if you could please give me some pointers on this.  I've tried wrapping the sophossetup.exe in to an msi, but when it distributes through intune it starts the install, I can see the programdata folder fill up, then the folder in the program files x86 starts with the stage 2 setup, then it just craps out and doesn't install.

     

    Did you do anything special with wrapping the .exe to the msi?

  • Hello

    So I only did some quick testing but I wrapped it using a trial of Advanced Installer and it deployed fine.
    Wrapping it so that it worked was a feature of their Enterprise SKU.

    The biggest problems for me were:

    • You have the stub of an application from the wrapper and Sophos with Add/Remove programs but I guess technically it did work
    • Is it supported?
    • We have to pay for another application to carry on using/deploying Sophos

    Regards
    Sam

  • I'll keep at it then and try advanced installer, thanks for taking the time to reply :)

     

    I do agree though, having a cloud based application to surely attract cloud based systems yet not supporting one of the main MDM systems via an msi installer is crazy.

  • No worries.

    It does seem crazy.

  • I would suggest downloading and install WiX.  You can create a MSI with just a couple of commands and some XML.  For example.

    1. Download WiX - http://wixtoolset.org/releases/ and install it.

    2. Add the installation path of WiX to your PATH.  E.g. Add the following to your PATH variable:
    C:\Program Files (x86)\WiX Toolset v3.11\bin

    3. Save the attached file as SophosExeWrapper.wxs to say C:\sophosmsi\.  You could use the .txt but it should be .wxs.

    4. Download the correctly configured Cloud installer SophosSetup.exe from Central and save it to C:\sophosmsi\

    5. In an admin prompt, CD to \sophosmsi

    6. Run:
    candle SophosExeWrapper.wxs

    7. Run
    light SophosExeWrapper.wixobj

    You should then have a MSI file.

    Things to change in the XML (Product section at the top) first:
    1. UpgradeCode, go to: https://www.guidgenerator.com/online-guid-generator.aspx and generate a new GUID.
    2. Name if you wish for the package to appear differently.
    3. Manufacturer to be your company name for example.

    I hope it helps.

    There maybe some more tweaking you'd like to do to the XML after reading the WiX documentation but this could be a starting point.

    Regards,
    Jak

    4520.SophosExeWrapper.txt