
Is it possible to configure CIDs to deploy policies?

Hi,

I was just wondering whether it's possible to have clients get their policies from a CID?  Based on what I've initially read, CIDs only house installation files and updates, thus the question.

Thanks!

  • Hi,

    You can configure most components from the CID.  You would typically define a policy in SEC, then use ExportConfig to export that policy to an XML file.  You place that in the CID and then run ConfigCID.exe to update the checksum file.  On the next update the clients pull down the config and apply it.

    ExportConfig info is here, that's a good place to start:

    http://www.sophos.com/support/knowledgebase/article/13111.html

    Then take a look at ConfigCID.exe.

    Sauconf.xml and savconf.xml would be the files for configuring AutoUpdate and SAV respectively.  There are others.

    Regards,

    Jak

  • Allow me a remark: setting policies by means of configuration files in the CID is one-time, meaning the policy is applied only when the .xml file is downloaded (this normally happens whenever it is changed or the cache is cleared on the client). If the setting is changed on the client, the policy does not revert to the specified settings on an update, but will do so if one of the aforementioned conditions is met. If the client is managed it will usually fetch the policies from the console.

    It's also a good idea to "refresh" the .xml whenever new features are added to a component.

    Christian

  • Thanks for the inputs.

    Please let me know if I understand this properly.

    Based on the KB article provided, it seems that the purpose of using ExportConfig.exe is basically to let unmanaged nodes get policy updates from a CID, right?  I guess this isn't what I was intending to do; please do accept my apologies if I failed to make myself clear.

    What I was trying to find out is whether a CID could deploy policies for managed nodes.  This is to somehow prevent nodes from going back to the console every time they check for the latest policy, as we are running on limited bandwidth.

    Thanks!

  • Hi,

    You can still use that method with managed clients to deploy policies, but it's not a substitute for policies being sent through the Remote Management System (RMS).  In terms of RMS and policies, however, this exchange takes place under the following circumstances:

    1. Any edit to a policy that is linked to a group that contains a machine.
    2. Moving a machine or machines to a new group; those policies will be sent.
    3. When a client is freshly installed, the client will send in a policy status of "no-ref" for all policies, i.e. no cached policy.  The management server recognizes this message and will send the policies.
    4. For a given machine or machines, issuing a "comply with policy" at SEC.

    These will generate a set-configuration message for the policy type edited or required to be sent.  If the server message router can connect to port 8194 of the client, it will immediately tell the client there is an outstanding message waiting for it and that it should check.  The client router then checks and retrieves the policy.   If the server cannot reach the client on 8194, i.e. the client has a firewall blocking incoming traffic, but the client's router can still contact the server, the client will eventually pick up the message, as by default it polls for messages every 15 minutes.  So message delivery would be delayed by up to 15 minutes.

    The following registry value controls this poll by the router (time in seconds):

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\
    DWORD: GetterInterval

    Typically they aren't very big, although some policy types can vary more than others in size.  SCF has the potential to be up to 2MB, especially if you have a primary and secondary policy configured. The others are typically under 50K.

    So essentially, once you've configured the policy and the client has it, there is no auto-comply going on, and a new policy would only be sent under the conditions you mention.

    Regards,

    Jak

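As an added example (not Sophos code and not part of the thread above), the following PowerShell reads the GetterInterval value Jak describes and reports the effective router poll interval on a host, so an administrator can confirm how long a policy message may sit waiting when the server cannot reach the client on port 8194. It assumes the key path given in the post, checks both the native and the Wow6432Node locations (the post brackets [Wow6432Node]), and assumes the post's stated default of 15 minutes applies when the value is not set; the function name is hypothetical.

```powershell
# Added example, not Sophos code. Reports the RMS router message-poll interval
# from the registry value named in the post above.
# Assumptions: both the native and Wow6432Node paths are checked; when the key
# exists but GetterInterval is absent, the post's stated default (15 minutes,
# i.e. 900 seconds) is assumed to be in effect.

function Get-SophosRouterPollInterval {
    $paths = @(
        'HKLM:\SOFTWARE\Sophos\Messaging System\Router',
        'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $item = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.GetterInterval) {
            $seconds = [int]$item.GetterInterval
            return [pscustomobject]@{
                Path            = $path
                IntervalSeconds = $seconds
                IntervalMinutes = [math]::Round($seconds / 60, 2)
                Source          = 'Registry (GetterInterval)'
            }
        }

        # Key present but value not set: assume the default poll from the post.
        return [pscustomobject]@{
            Path            = $path
            IntervalSeconds = 900
            IntervalMinutes = 15
            Source          = 'Default (GetterInterval not set; assumed 15 min)'
        }
    }
    return $null   # No Router key: the RMS router does not appear to be installed here.
}

$result = Get-SophosRouterPollInterval
if ($null -eq $result) {
    Write-Output 'Sophos Messaging System Router key not found; RMS router does not appear to be installed.'
} else {
    $result | Format-List
    if ($result.IntervalSeconds -gt 900) {
        Write-Output ("Poll interval exceeds the 15-minute default; policy delivery to a " +
                      "firewalled client could be delayed by up to {0} minutes." -f $result.IntervalMinutes)
    }
}
```

Run it in an elevated PowerShell session on the endpoint. The trailing check is there because the interval bounds the worst-case delivery delay Jak describes: a value well above the default means a client that cannot be reached inbound on 8194 will apply a new policy later than expected, which is worth confirming when policy changes do not seem to arrive.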