
Sophos Deployment Packager for creating Windows installers

The 1.2 deployment packager has the following shortcomings:

  • The GUI version does not provide a GUI during install
  • There is no automatic update option after install

How have other users worked around these issues?

What other issues have users experienced with this tool?

Thanks,

Doug



  • Hi,

    The manual option would be to zip up the distribution point (previously known as the CID) and then run setup.exe with the switches required.

    Setup switches: https://www.sophos.com/en-us/support/knowledgebase/12570.aspx

    This article might provide most of what you need:
    https://www.sophos.com/en-us/support/knowledgebase/121318.aspx

    It details how you can zip up a "resource", in this case a CID/Distribution point rather than a warehouse and run an exe with switches.

    You can extend the VBS if you need to call "update now", given the code in: https://www.sophos.com/support/knowledgebase/36262.aspx. I.e. you just need the 2 lines:

    dim objALC : set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
    objALC.UpdateNow 1,1

    Hope it helps.

    Regards

    Jak
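
The manual approach from the post above as a wrapper script, added here as an example (not Sophos code and not part of the original posts): it runs setup.exe from the extracted distribution point with whatever switches are passed in, then requests an update using the two quoted lines. The script name install-wrapper.vbs, the retry values, and treating a non-zero exit code as failure are assumptions.

```vbscript
Option Explicit
' Added example, not Sophos code. Run from the extracted distribution point:
'   cscript //nologo install-wrapper.vbs <setup.exe switches>
Const RETRIES = 20      ' assumption: attempts to reach the AutoUpdate COM object
Const WAIT_MS = 15000   ' assumption: pause between attempts, in milliseconds

Dim shell, fso, setupPath, cmd, i, a, rc
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
setupPath = fso.BuildPath(fso.GetParentFolderName(WScript.ScriptFullName), "setup.exe")
If Not fso.FileExists(setupPath) Then
    WScript.Echo "setup.exe not found: " & setupPath
    WScript.Quit 2
End If

' Pass this script's arguments through to setup.exe, quoting only those with spaces.
cmd = """" & setupPath & """"
For i = 0 To WScript.Arguments.Count - 1
    a = WScript.Arguments(i)
    If InStr(a, " ") > 0 Then a = """" & a & """"
    cmd = cmd & " " & a
Next

rc = shell.Run(cmd, 1, True)   ' True = wait for setup.exe to exit
If rc <> 0 Then                ' assumption: non-zero exit code means failure
    WScript.Echo "setup.exe exited with code " & rc
    WScript.Quit rc
End If

If RequestUpdate() Then
    WScript.Echo "Update requested."
Else
    WScript.Echo "AutoUpdate could not be reached; no update was requested."
    WScript.Quit 3
End If

' Retry until the AutoUpdate COM object can be created, then call UpdateNow.
Function RequestUpdate()
    Dim attempt, objALC, ok
    ok = False
    For attempt = 1 To RETRIES
        On Error Resume Next
        Err.Clear
        Set objALC = CreateObject("ActiveLinkClient.ClientUpdate.1")
        If Err.Number = 0 Then objALC.UpdateNow 1, 1
        If Err.Number = 0 Then ok = True
        On Error GoTo 0
        If ok Then Exit For
        WScript.Sleep WAIT_MS
    Next
    RequestUpdate = ok
End Function
```

"Update requested" only means the call was accepted; it does not show that the update has finished.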

  • Hello Doug,

    the DP is for building no-configuration-required packages thus there is no pre-install GUI.

    no automatic update option after install
    I'm not sure what you think is missing. Do you mean that there is no update location configured? What's on the endpoint immediately after running the package depends on the options selected when building it. How do you intend to use the packages as there's a number of possible combinations (from a minimal less than 10MB "bootstrapper" to a full package)?

    Christian

  • The manual process covered by Jak has been my solution over the past 9 years with Sophos. That solution is completely custom by me. It provides:

    • Checks to make sure the Sophos product installs correctly
    • An updater at the end of the install to pull down the latest version from our servers
    • Notice a reboot is needed after install to set the changes
    • Options for GUI or silent install
    • The installer is 140MB in size

    Management want to move away from my custom solution and use the SDP option. 

    1. When an installer from SDP is used there is no easy way to tell the install completes. This means the tech using the installer will not know when to restart the computer.
    2. It does not provide an update option at the end so full install to save network bandwidth does not easily complete the process.
    3. The "with GUI" option does not really provide a GUI

    The options of install autoupdate with group path for the console seems to be the only choice I have that would address the failed update or notice of completeness at the end of the install. 

    Yet that would not be a good solution for installs that take place off campus.

    I hope to learn how you and others work with this Sophos solution to meet the following:

    • Off site full install of Sophos
    • on site install of Sophos

    Thanks,
    Doug

  • Hi Doug,

    I think  covered this pretty well, and just to add to that and address your specific points.

    See my answers below

    VCU said:
    • When an installer from SDP is used there is no easy way to tell the install completes. This means the tech using the installer will not know when to restart the computer.
      • The tech using the installer can tell when it completed successfully in a number of ways actually: bootstrapper logs (%temp% folder), msi logs (Windows temp directory), Windows Event Viewer, there is also a visual Windows/Toast notification when installation is complete. The reboot might be required upon successful updates, this can also be verified locally on the client in the Sophos Endpoint Security and Control -> Updating -> View Updating log. If a restart is required, you will see a warning in there advising on this.
    • It does not provide an update option at the end so full install to save network bandwidth does not easily complete the process.
      • SDP DOES provide the option to include the full package or get them via AU. It also provides ways to configure updating using RMS or manually to specify the Update locations.
    • The with GUI option does not really provide a GUI
      • If you mean here the Installation type, the options actually provide the following: 
        • silent - no GUI, silent install
        • non-interactive - GUI showing progress with no Cancel option
        • interactive - GUI showing progress with Cancel option

        There are no other configurable options since the design of the tool is to provide "no-configuration-required packages". You could use the standalone installer if you are looking for this.

    VCU said:
    • Off site full install of Sophos
    • on site install of Sophos

    As explained, SDP should allow you to configure full packages for both of these scenarios.

    Here is a detailed KB on SDP: https://www.sophos.com/en-us/support/knowledgebase/67504.aspx

    and here is one on setting up remote/home users: https://www.sophos.com/es-es/support/knowledgebase/63182.aspx 

    Please let us know if you had any additional questions.

    Good day

    V

  • Hello Doug and V,

    V said: It also provides ways to configure updating using RMS or manually
    [^o)] IMO this has to be taken with a little bit more than a grain of salt (I might be wrong).

    Let me first recap how an install is performed:
    setup.exe notes the location it is running from. It prepares the information necessary for the install (like which components should be installed) then runs the AutoUpdate installer from the subdirectory named \sau. setup.exe does not install any of the other components, this is done by AutoUpdate (therefore you can't really tell when the "installation" is complete). To do its work AutoUpdate needs the update location - by default setup sets it to its own location. Note that once AutoUpdate is active it runs asynchronously.

    SDP offers a number of options, I'll mention only those applicable here: include in the package or download, with or w/o RMS, and specification of the update location(s). Not all combinations give consistent and expected results though.
    Include: In order for include to work AutoUpdate (AU from now on) must perform the first update (actually the install of the components) from the temporary directory extracted from the package. This works but doesn't set the actual update location. If you specify one or two locations with SDP they are set by the install script - 45 seconds after completion of the AU installation the locations are set. The result is that AU attempts to install from the remote location instead of the package_temp. In case there's no network, SAV (and other components) are not installed. Thus you can't perform a full install from the package and then set the location for updates (though with some additional logic in the install script - which you can't modify - it should be possible).
    RMS: If RMS is installed it is assumed that it fetches the appropriate updating policy. The product won't update though before the endpoint has successfully registered (and additionally received a policy, i.e. it is in a group other than Unassigned) - thus an RMS connection must be possible for off-site endpoints. I assume that AU "freezes" the update locations for the duration of a cycle thus the initial install would always be from the package.

    @Doug: Management should be aware that an SDP package would need an additional wrapper to provide the functions of your custom solution. SDP is a convenient way to build no-questions-asked packages. For on-site I'd just Configure AU to download components. For bandwidth-friendly full packages please see above.

    HTH

    Christian

  • Hi Christian and V,

    I had hoped the Sophos installer design had improved since 2006. It appears the Sophos installer design has not changed since 2006. I had the challenge of manually packing all the files together and providing a GUI installer for the managed Sophos antivirus solution since 2006. I was tasked in supporting over 30,000 end users, many with no computer technical skills. Now we have moved to a different design which places me into a position of providing Sophos to computer technical staff for installing without the complex installer design I have been using in the past.

    Below is what I have learned from your responses. Let me know if this is correct.

    1. The Sophos Deployment Packager tool "SDPT" is the only automated solution Sophos provides for creating a Sophos for Windows installer.
    2. The SDPT provides two options: 1, full install with no policy or update, which relies on post-install policy from the console, or 2, install only the update component, which pulls the 140MB-plus software over the network.
    3. The SDPT provides no installer GUI, provides no easy way to automatically tell if the installation is complete, and does not do an automatic update on completion.
    4. The option to manually put together all the Sophos files and extracted policies to create a custom installer is completely left to the customer to make. 
    5. The manual process requires creating two separate folders, for example "ESXP" with 17 subfolders and 122 files and "SXML" with 130 subfolders and 1,163 files, that need to be copied together and provided into an installer with a batch file or script to run the commands for the install.

    What batch file or VB script solutions have others used to install Sophos for Windows?

    Thanks,
    Doug

  • Hello Doug,

    my previous response was somehow exaggerated. The perceived shortcomings are by design, the design is not arbitrary though. It's based on AutoUpdate (AU) being responsible for installing and updating all components. There are (mostly undocumented) interfaces which provide the information you see on the local GUI. Providing an installation script using these interfaces would disclose them - apparently Sophos doesn't want to do this for whatever reasons.

    As to your points:

    1. Correct AFAIK
    2. If full means including RMS then you can't configure the update policy (one might think that sauconf.xml could be used but it is applied when AU is initially installed thus the remaining components would be downloaded). IMO setting the locations from the package's script (as with a non-managed install) should be safe (in the worst case your endpoint would be non-compliant) but I might have missed an important point here.
    3. Several points here [:)]. Which functionality should the GUI provide, component selection? Clearly not the updating location and credentials. The installation is complete when AU has successfully completed its first updating cycle. As said this information is only available via undocumented interfaces or the icon hover message and the local SESC GUI.
      The installation does update (a downloaded installation is of course up-to-date), for a managed install only after RMS has received a policy though. This requires not only an RMS connection but also use of the -g GroupPath parameter.
    4. and
    5. I have to be careful here. Even in time of Gigabit connections, omnipresent streaming, and social (multi)media bandwidth seems to be an issue even for companies. A one-time 100-200MB shouldn't be an issue on a decent LAN but obviously it is. The basic procedure is running setup.exe from the CID or a local copy. The challenge is to specify the location for subsequent updates which has to be done after AU has completed the installation. Assuming mainly managed installs RMS should take care of this. For (larger) existing customers deploying AV is often part of the provisioning process, usually on the LAN, minimal exposure, and a shutdown (thus a reboot) before the computer is delivered. There's a number of deployment methods and a sophisticated installer might not suit anyway.

    I've already mentioned what we use, if you want more info (there isn't much) or discuss some undocumented things (me? I don't know any) feel free to PM me.

    Christian