
Managing computers with SEC when Computers already have Sophos installed

Hello,

My apologies if this has been covered before, as I haven't been able to find it if it has....

We have Sophos Endpoint Console 4.5.1.0, and while the majority of our computers are already being managed, we have just installed a large number of new computers where Sophos Endpoint Security & Control 9.7 was installed on them as part of the image.

Now I wish to manage those computers using SEC. I see them all as Unmanaged computers and I know I can "Protect" the computers when moving them into the appropriate group, but if I understand correctly, this process will reinstall Sophos on those computers when I tell SEC to "Protect" them. I am hoping there is a simpler process whereby I can just move them into their group and manage them, utilizing the existing installation to help minimize network traffic (of the management server pushing the app out again to reinstall it).

If this is possible, how do I do that?

Thanks!

  • I wrote a long reply but it took so long I think the session timed out so here goes again.....oh well hopefully this time it'll be more succinct. :)

    I understand what you have now, essentially a number of clients without RMS installed.

    Typically on an install, setup.exe copies the files: cac.pem and mrinit.conf to the client first.  They get copied to:

    "C:\Program Files[ (x86)]\Sophos\Remote Management System\"

    AutoUpdate is then installed and pulls down the various packages from the CID, e.g.:

    \\[server]\SophosUpdate\CIDs\S000\SAVSCFXP\
     

    Setup.exe was run with the switch "-mng yes", which is the default, i.e. to install the RMS component.

    http://www.sophos.com/en-us/support/knowledgebase/12570.aspx

    This causes the config file:

    "C:\ProgramData\Sophos\AutoUpdate\Config\iupd.cfg", or if on 2000/XP/2003:
    "C:\Program files[ (x86)]\Sophos\AutoUpdate\Config\iupd.cfg"

    to be configured to tell AutoUpdate to get RMS:

    ;RMS 2000/XP
    [iProductData.{390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92}]
    AllowLocalConfig = 1
    Action = 0x400107

    So AutoUpdate pulls down the RMS package, along with the other packages it is subscribed to (older packages subscribe to AutoUpdate using this method, the newer ones use the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\AutoUpdate\Products) and then installs them.  

    RMS is first (so the machine appears in SEC sooner as managed) and as part of this MSI install, a tool called ClientMrinit.exe is called; it expects to find cac.pem and mrinit.conf in the program files directory as mentioned above.  If it fails you will get a 1722 error as mentioned here: http://www.sophos.com/en-us/support/knowledgebase/26377.aspx.  This configures RMS on the client.

    So in theory you should be able to take an iupd.cfg file which is configured to download RMS (take a template managed client).  Take a copy of cac.pem and mrinit.conf from the root of the CID.  Maybe then create a batch file which:

    1. Creates the Remote Management System directory, ensuring it's in the right location for 32/64 bit.

    2. Copies cac.pem and mrinit.conf into it.

    3. Replaces the iupd.cfg
     

    On the next update it should pull down and install RMS.  You could even introduce the other key to ensure the client goes into the right SEC group and receives policies.

    If I was doing it, I would probably create a VBS file to make it easier, the benefits being that you can determine if it's 32/64 bit in order to create the directory in the correct location more easily.  You could check the install directory of AutoUpdate using the key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\DataPath in order to replace the iupd.cfg.  Then call UpdateNow at the end.  As the VBS code:

    Dim objALC
    Set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
    objALC.UpdateNow 1,1

    as mentioned here: http://www.sophos.com/en-us/support/knowledgebase/36262.aspx will do it.

    Hope this is useful.  This is all theory but I assume it will work, do let us know.

    To ensure that all the components are managed when adding RMS in this way, check that the registry keys under:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Adapters

    are populated as a standard managed client is.

    Regards,

    Jak
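
The staging procedure outlined in the reply above, sketched in PowerShell as an added example (not part of the original post and not Sophos code). `$CidRoot`, `$TemplateCfg` and `-VerifyOnly` are hypothetical parameter names; the file locations, RMS section name, ProgID and Adapters key are the ones quoted in the post, while the hash comparison and the `.bak` backup are additions.

```powershell
# Added example: stage RMS on a client that has Sophos but no RMS. Run elevated.
param(
    [string] $CidRoot,      # assumed: CID root holding cac.pem and mrinit.conf
    [string] $TemplateCfg,  # assumed: iupd.cfg taken from a managed template client
    [switch] $VerifyOnly    # only list the RMS adapter subkeys (run after the update)
)
$ErrorActionPreference = 'Stop'
# The post's paths use "Program Files (x86)" on 64-bit and "Program Files" on 32-bit.
$pf32 = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }

if ($VerifyOnly) {
    # Adapters key from the post, with and without Wow6432Node; compare with a managed client.
    $keys = 'HKLM:\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Adapters',
            'HKLM:\SOFTWARE\Sophos\Remote Management System\ManagementAgent\Adapters'
    $keys | Where-Object { Test-Path $_ } | Get-ChildItem | Select-Object -ExpandProperty PSChildName
    return
}

# Refuse a template that does not carry the RMS section quoted in the post.
$rmsSection = '[iProductData.{390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92}]'
if (-not (Select-String -LiteralPath $TemplateCfg -Pattern $rmsSection -SimpleMatch -Quiet)) {
    throw "Template iupd.cfg has no RMS section: $TemplateCfg"
}

# Step 1: create the Remote Management System directory.
$rmsDir = Join-Path $pf32 'Sophos\Remote Management System'
New-Item -ItemType Directory -Path $rmsDir -Force | Out-Null

# Step 2: copy cac.pem and mrinit.conf, and confirm each copy matches the CID original.
foreach ($name in 'cac.pem', 'mrinit.conf') {
    $src = Join-Path $CidRoot $name
    $dst = Join-Path $rmsDir $name
    Copy-Item -LiteralPath $src -Destination $dst -Force
    if ((Get-FileHash -LiteralPath $src).Hash -ne (Get-FileHash -LiteralPath $dst).Hash) {
        throw "$name differs from the CID copy"
    }
}

# Step 3: replace iupd.cfg at whichever location from the post exists, keeping a backup.
$cfg = @("$env:ProgramData\Sophos\AutoUpdate\Config\iupd.cfg",
         "$pf32\Sophos\AutoUpdate\Config\iupd.cfg") |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $cfg) { throw 'iupd.cfg not found; is AutoUpdate installed?' }
Copy-Item -LiteralPath $cfg -Destination "$cfg.bak" -Force
Copy-Item -LiteralPath $TemplateCfg -Destination $cfg -Force

# Trigger an update with the COM call quoted in the post.
# Assumption: the ProgID is creatable from this host; if not, retry from 32-bit PowerShell.
$alc = New-Object -ComObject 'ActiveLinkClient.ClientUpdate.1'
$alc.UpdateNow(1, 1)
```

`Get-FileHash` needs PowerShell 4.0 or later; rerun with `-VerifyOnly` once the update has finished to list the adapter subkeys.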
     
