
Large Download Notification for April

In regards to:

Advisory: Sophos Endpoint Security and Control version 10.3.7

http://www.sophos.com/en-us/support/knowledgebase/120492.aspx

Will (for example) the AntiVirus 59MB download mean 59MB synced to each endpoint? Other than throttling on the Sophos update policy side of things, is there a way to schedule the rollout so that I don't kill my WAN?

Or any heads up we may need about the traffic, install, etc? I am just trying to get a heads up on what I should be expecting if there are any known caveats others know to look out for, etc.

:48146


  • Hi Jonathan,

    The download will go first to SUM and then to every CID with a subscription to this particular product version, and then as the endpoints update they will all download the changed elements depending on what they have installed. All will get SAV, SAU and the CRT, but only those with patch and firewall will get those updates.

    In terms of a "heads up", that's what the KBA was intended to do. This is a major upgrade for the product, hence the forewarning of a large download. If you have a license that gives you access to multiple subscriptions, we would advise that you try out version 10.3.7 (currently in the Preview subscription), and then, if you need to control its rollout due to WAN bandwidth constraints etc., switch small groups of computers at a time to the Preview subscription and then switch them all back to Recommended before the end of April to avoid the next Preview Upgrade.

    The switch back to Recommended will not result in any changes as the same product will exist in both subscriptions.

    Hope this helps!

    Darren.

    :48176
  • Darren's advice is better than that supplied in the KB - http://www.sophos.com/en-us/support/knowledgebase/120492.aspx

    I stupidly followed this bit of advice...

    • Change the 'Recommended' package to the 'Previous Recommended' package before April.
    • Before May revert this change to upgrade to 10.3.7.  The 'Previous Recommended' package will also be upgraded to 10.3.7 in May.

    Then ended up with 2000 PCs not complying with policy because the Recommended subscription is using VDL 4.8 whereas Previous Recommended is using VDL 4.7.  I reverted back to Recommended and 48 hours later I'm thankfully down to ~120 not complying, but SAV has reinstalled twice on all those PCs.  So much for reducing WAN usage!

    Going down the Preview route now, which is usually the route I follow, but I keep having to clear out the servers as we end up with loads of CID Sxxx folders with old subscriptions.

    :48178
  • Thank you! 

    So if I make a test group with test update policy, etc. and put 1 computer in this group, then set update manager for that policy to Preview... The preview will only download to that group and not affect all the other groups that have separate Recommended policy? You guys are great, I appreciate your assistance/advice!

    :48190
  • Hello Jonathan_IT,

    it's adding a new subscription first, selecting the Preview package, subscribing in the SUM configuration and then you can use this subscription to configure an additional update policy. Of course you can "reuse" an existing test policy - in this case you simply select the Preview package (instead of the one already there) in the test subscription.

    Christian

    :48192
  • Hi,

    Here is some info, that might help someone.

    The number of Sxxx entries is related to the number of subscriptions you have.  In addition to that, the DWORD entry:

    HKLM\SOFTWARE\Sophos\EE\Management Tools\SubscriptionShortTagCounter

    keeps track of the Sxxx numbers.  So it is possible to predict the Sxxx number created by adding a new subscription.

    If you add and then delete a subscription, the number will not be re-used, it is for this reason there may be gaps in the numbering. S001, S004, etc...

    When changing an existing subscription, even though the update location remains the same for the endpoints, for the updating policies that reference that subscription, the RevID of the updating policy changes, causing the updating policy to be re-sent.

    Obviously for computers that are online, the clients are notified of the policy change and come and fetch the message instantly.  So the state goes to "Awaiting policy transfer" and then shortly after the status message goes back from the client for that RevID to the policy, e.g. Res="Same" can be seen in the agent log.

    For computers that are offline when this happens, the computers will switch to and stay in the state of "Awaiting policy transfer".  The outstanding set-configuration message will stay on the server (in the envelopes directory) until the client comes back online and checks in for outstanding messages.  If the client does not come back online within 4 days of the policy being created then the message on the server will be deleted by the server router (the TTL will expire the message) and the client will stay in "Awaiting policy transfer" to remind the admin to perform a manual comply with policy.

    If you wish to change that 4 days TTL you can as per: http://www.sophos.com/en-us/support/knowledgebase/113417.aspx

    Regards,

    Jak

    :48230
  • So back to DarrenTeagle's suggestion...

    If I'm connected to AD then I should be able to setup new Update group with preview subscription then go into each OU within Sophos and 'View/Edit Group Policy Details...' then change 'Updating:' dropdown to new Updating Group correct? Then after April 5 change them all back to current Updating group which is set to Recommended?

    Also, does everyone agree on timing that I will not break things by slowly doing preview over the next few nights then after April 15 switch back to Recommended?

    :48778
  • Hello Jonathan_IT,

    please let's stick to the "official" terms, otherwise it could be confusing. Allow me to add a few comments to make sure I understand you correctly.

    If I'm connected to AD

    AD shouldn't come into play here unless you use active sync and the existing group structure is not appropriate for a staged deployment. But then it's unlikely that you can move the computer objects around in AD at will.

    setup new Update group with preview subscription

    Unless you really need to and can set up groups in AD all necessary steps are done working with the Console:

    1. In the Update Managers view in the Software Subscriptions pane Add a subscription and select the Preview package
    2. Select the update manager in the Update managers pane, View/Edit Configuration, tab Subscriptions move the new subscription from Available: to Subscribed to:, click OK
    3. In the Endpoints view, pane Policies, add or duplicate an updating policy and give it suitable name
    4. View/Edit this policy, tab Subscription select the newly added subscription in the subscription dropdown. Please note that the name of the subscription has nothing to do with its contents (it is good practice to use a name which gives at least an idea what's in it - but you could also set Recommended to whatever package is available)
    5. Now you can start assigning the new subscription to the desired groups: change 'Updating:' dropdown to new Updating Group  policy

    Then after April 15 change them all back to current Updating group which is set to Recommended?

    Again, it's the policy you are likely referring to. It is not necessary to reassign policies though. But before I go on, a word about April 15: The roll-out is staged and not on the exact date for all customers. Thus you should make sure that 10.3.7 is actually already available in Recommended for you. Either in View/Edit Subscription click the Details ... button or from the menu-bar View select Bootstrap Locations ....

    Depending on the number of groups reassigning the updating policy can be rather tedious. Instead you can just edit your new updating policy and set the subscription back to Recommended (good practice would be to also rename it to reflect the change - don't worry, all assignments are done by internal IDs). If you do not intend to make use of Preview in the near future you can unsubscribe the update manager (the reverse of step 2) to avoid downloading a package you don't use.

    You might want to use the same procedure when the next larger update is due. IMO the easiest way is to use two updating policies (other than Default as you can't rename it) exchanging the "roles" of the policies.

    HTH

    Christian   

    :48794