Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 1 subscriber
  • Views 5079 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Managing computers with SEC when Computers already have Sophos installed

Polaris

Hello,

My apologies if this has been covered before, as I haven't been able to find it if it has....

We have Sophos Endpoint Console 4.5.1.0, and while the majority of our computers are already being managed, we have just installed a large number of new computers where Sophos Endpoint Security & Control 9.7 was installed on them as part of the image.

Now I wish to manage those computers using SEC. I see them all as Unmanaged computers and I know I can "Protect" the computers when moving them into the appropriate group, but if I understand correctly, this process will reinstall Sophos on those computers when I tell SEC to "Protect" them. I am hoping there is a simpler process whereby I can just move them into their group and manage them, utilizing the existing installation to help minimize network traffic (of the management server pushing the app out again to reinstall it)

If this is possible, how do I do that?

Thanks!

:26685


This thread was automatically locked due to age.
  • 0

    HI,

    If the endpoints are already managed, just in the unassigned and protected you can just move them to any SEC group and they will be sent polices of the new group. Cancel any deployment wizard that appears as you don't need to run the protect wizard again.

    If at the client end you wish to redirect them to another group, I think you might find this post helpful:

    /search?q= 24835

    Essentially: create the key with the SEC group path and restart the Sophos Agent service.

    Regards,

    Jak

    :26687
  • 0

    Thanks jak,

    However, as I initially posted, the computers are all UN-managed (and Unassigned) and are currently listed in the Unmanaged category, but are all "grayed out" - (ie - NOT Protected by SEC),  - BUT all the new computers have Sophos installed on them, similar to a stand-alone installation.

    As to the link you provided, yes, I saw that post, but I don't believe that's what I need at the moment.

    Regards,

    :26689
  • 0

    I wrote a long reply but it took so long I think the session timed out so here goes again.....oh well hopefully this time it'll be more succinct. :)

    I understand what you have now, essentially a number of clients without RMS installed.

    Typically on an install, setup.exe copies the files: cac.pem and mrinit.conf to the client first.  They get copied to:

    "C:\Program Files[ (x86)]\Sophos\Remote Management System\"

    AutoUpdate is then installed and pulls down the various packages from the CID, e.g.:

    \\[server]\SophosUpdate\CIDs\S000\SAVSCFXP\
     

    Setup.exe was run with the switch "-mng yes", which is the default, I.e. to install the RMS component.

    http://www.sophos.com/en-us/support/knowledgebase/12570.aspx

    This causes the config file:

    "C:\ProgramData\Sophos\AutoUpdate\Config\iupd.cfg", or if on 2000/XP/2003:
    "C:\Program files[ (x86)]\Sophos\AutoUpdate\Config\iupd.cfg"

    to be configured to tell AutoUpdate to get RMS:

    ;RMS 2000/XP
    [iProductData.{390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92}]
    AllowLocalConfig = 1
    Action = 0x400107

    So AutoUpdate pulls down the RMS package, along with the other packages it is subscribed to (older packages subscribe to AutoUpdate using this method, the newer ones use the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\AutoUpdate\Products) and then installs them.  

    RMS is first (so the machine appears in SEC sooner as managed) and as part of this MSI install, a tool called ClientMrinit.exe is called, it expects to find cac.pem and mrinit.conf in the program files directory as mentioned above.  If it fails you will get a 1722 error as mentioned here: http://www.sophos.com/en-us/support/knowledgebase/26377.aspx.  This configures RMS on the client.

    So in theory you should be able to take a iupd.cfg file which is configured to download RMS (Take a template managed client).  Take a copy of cac.pem and mrinit.conf from the root of the CID.  Maybe then create a batch file which:

    1. Creates the Remote Management System directory, ensuring it's in the right location for 32/64 bit.

    2. Copies cac.pem and mrinit.conf into it.

    3. Replaces the iupd.cfg
     

    On the next update it should pull down and install RMS.  You could even introduce the other key to ensure the client goes into the right SEC group and receives policies.

    If I was doing it, I would probably create a VBS file to make it easier, the benefits being, you can determine if it's 32/64 bit in order to create the directory in the correct location easier,  You could check the install directory of AutoUpdate using hthe key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\DataPath in order to replace the iupd.cfg.  Then call UpdateNow at the end.  As the VBS code:

    Dim objALC
    Set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
    objALC.UpdateNow 1,1

    as mentioned here: http://www.sophos.com/en-us/support/knowledgebase/36262.aspx will do it.

    Hope this is useful.  This is all theory but I assume it will work, do let us know.

    To ensure that all the components are managed when adding RMS in this way, check that the registry keys under:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Adapters

    are populated as a standard managed client is.

    Regards,

    Jak
     

    :26695
  • 0

    Hi jak,

    Holy Moley! If this was the more succinct version.... I shudder to think of the original!   :smileylol:

    jak wrote:

    Setup.exe was run with the switch "-mng yes", which is the default, I.e. to install the RMS component.

    Actually, setup was more than likely just run by double clicking the file and default settings applied.

    As to the rest of your response, I'm going to have to try to get my hands on one of the new PCs to review the registry keys you mention and the file paths and determine where to go from there.

    I have my work cut out for me!!!

    Thanks again!

    :26697
  • 0

    Haha

    There are 2 setup.exe files and they are different.  The setup.exe of the standalone installer (which is what these clients have executed in the past) and the setup.exe that is placed into the CID.  

    Only the one in the CID can be passed variables as mentioned here: http://www.sophos.com/en-us/support/knowledgebase/12570.aspx.  In the example, I was referring to the setup.exe in the CID and what typically happens when you deploy either from SEC or by manually bootrapping the client from the CID.  The setup.exe of the standalone installer is off in another field somewhere in relation to the one in the CID :)

    Regards,

    Jak

    :26699
  • 0

    Hi again jak,

    jak wrote:

    Haha

    There are 2 setup.exe files and they are different.  The setup.exe of the standalone installer (which is what these clients have executed in the past) and the setup.exe that is placed into the CID.  

    Regards,

    Jak

    I am almost....no....make that certain.... that the one that was installed was the standalone version. Does that mean I need to use SEC to "Protect" the computers and basically reinstall the product, or can I use the methods you explained above?

    Regards,

    :26731
  • 0

    HI,

    It shouldn't matter, the above solution, well I hope it's solution, is just adding RMS to an unmanaged client.  How it became unmanaged doesn't has no bearing.

    Regards,

    Jak

    :26737
  • 0

    Thanks for all your help jak!

    As soon as I can get my hands on a couple of the PCs in question which are physically located at another branch, I can review the installation and the registry settings and devise a strategy, hopefully yours if successful, and then push it out to the rest of the PCs at the branch.  I don't want to interrupt the workers, and since we have some extra units there that are currently not in use/not physically installed anywhere/still in the box,  bringing a couple back to head office is no big deal.

    Regards,

    :26837