
SSL VPN client ready for deployment with tools like SCCM?

It’s useless to deploy instructions to every user on how to log in to the User Portal (which we don’t want to use), and so on. So, how do we export all configurations, and so on, so we can create a package ready for SCCM deployment?

Also, this is bad because every time a new user joins the company we need to export the user certificate. But at least, how can we automate the initial process? Where can we export all user certs...

  • Due to how Sophos implements OpenVPN, you're going to be forced to either export out of, or import into, Sophos.

    • I'm not sure if Sophos requires all SSL VPN users to have Sophos user accounts, but if not, the latter step could be skipped and all that would be required to give the user are the four normal openvpn files: CA cert, user cert, user key, and client config (or a p12 and client config).  Since the CA cert and client config remain unchanged from user to user, the only custom files would be the client cert and key.

    • Provided one has the three openssl commands (csr, sign, p12 export) at the ready (a command or shell script could automate all three), from start to finish, each [import/export] takes the same amount of time (a few minutes).  The only way I could see the process being streamlined is if the option is ticked for same common name usage, which should be used extremely carefully and only in very specific environments due to the massive security risk it poses.   If a Sophos user account is required for anyone accessing OpenVPN, it would be less of a headache for you to simply provide them access to the user portal.
      • I personally dislike the lack of customization in the Sophos openssl.cnf (as well as the reliance on obsolete methods in OpenVPN, such as ns cert type and net30 usage), so I always generate my certs on my PC, then import the p12s into Sophos.  Generating the SSL certs off of Sophos provides the ability to specify SAN and EKU values, and if one does choose to generate certs off of Sophos, one must ensure under the SAN profile that user certs have email.1 listed first, and it must be the user's Sophos user email (this ensures RFC822 is specified under SAN, and without this, it will be impossible for the user to authenticate) and hosts must list their primary DNS name with DNS.1 being the first value (I've had issues with Sophos if this isn't specified as the first value under SAN, especially with the WebAdmin/host cert).  EKU can also be set for server and client auth, and if these are set, and one has a warranty, tech support must be consulted for permission to remove "remote-cert-tls server" from the default openvpn config, adding instead "remote-cert-ku f8" (For an explanation: https://www.v13.gr/blog/?p=386)

      Another option may be an ipsec/html5 vpn

      SilverStone DS380 | AsRock C2750D4I | Alienware 18 In Win Chopin | SuperMicro A1SRi-2758F
      2.4gHz 8C C2750 ; 32GB ECC | 2.5gHz 4C i7 4710MQ ; 32GB 2.4gHz 8C C2758 ; 32GB ECC
      Vantec 4C USB3 PCIe UGT-PCE430-4C | 8GB AMD SLI R9 M290x |
      SSD  | 850 EVO: 120GB | 1TB ; mSATA: 1TB (2) | 850 Pro: 128GB ; 850 EVO: 1TB
      HDD | Seagate: { ST4000VN000 (8) } Z2 ; { HGST HTS721010A (3) } Z2 |
      FreeNAS 11.2 | { PNY Turbo USB3 32GB (2) } Mirror | Win 10 Pro | ESXi 6.7: Sophos UTM 9.6

      Various Wikis, Scripts, & Configs | Prebuilt OpenSSL Config
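The three-step openssl flow described in the reply above (CSR, sign, p12 export), scripted so it can be run once per new user, as an added example that is not part of the original post or of any Sophos tooling. It builds a throw-away CA purely so the script runs stand-alone; in practice the signing step would use the existing VPN CA. The user name, e-mail address, CA subject, validity period and export password are constructed for illustration. The extension file puts the user's e-mail first in the SAN (the `email.1` requirement from the post) and sets EKU `clientAuth`; a `verify_user` check confirms the chain, the e-mail SAN and the EKU before the bundle is handed out.

```shell
#!/bin/sh
# Added example: per-user OpenVPN client certificate via openssl
# (csr -> sign -> p12), with SAN email first and EKU clientAuth.
# All names, subjects and passwords here are constructed assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Throw-away CA so the example runs offline. In real use, point -CA/-CAkey
# below at your existing VPN CA instead of calling this.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue one user cert: CSR, sign with the CA, export a PKCS#12 bundle.
#   $1 = user name (assumed to match the Sophos user name)
#   $2 = user e-mail (must equal the Sophos user e-mail; becomes email.1 in SAN)
#   $3 = password protecting the exported .p12
issue_user() {
    user="$1"; email="$2"; pass="$3"
    ext="$WORK/$user.ext"
    # Extensions applied at signing time. The e-mail SAN is the only SAN entry,
    # so it is necessarily first; EKU is restricted to client authentication.
    cat > "$ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=email:$email
EOF
    # 1) key + CSR
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$user/emailAddress=$email" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    # 2) sign with the CA, attaching the extensions above
    openssl x509 -req -in "$WORK/$user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$ext" \
        -out "$WORK/$user.crt" 2>/dev/null
    # 3) bundle key + cert + CA into a password-protected p12 for import
    openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
        -certfile "$WORK/ca.crt" -name "$user" -passout "pass:$pass" \
        -out "$WORK/$user.p12"
}

# Pre-hand-out check: cert chains to the CA, carries the e-mail SAN and the
# clientAuth EKU. Returns non-zero if any of the three is missing.
verify_user() {
    user="$1"; email="$2"
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$user.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$WORK/$user.crt" -noout -text)
    echo "$text" | grep -q "email:$email" || return 1
    echo "$text" | grep -q "TLS Web Client Authentication" || return 1
    return 0
}

# Usage (constructed values):
#   make_ca
#   issue_user alice alice@example.com 'changeme'
#   verify_user alice alice@example.com && echo "alice ready: $WORK/alice.p12"
```

Running `issue_user` in a loop over a list of new joiners produces one `.p12` per user; the CA cert and client config stay identical across users, so only the `.p12` (or the cert/key pair) is the per-user piece of an SCCM package.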
