How to Deploy Sophos Endpoint Protection Agent using SCCM

This post shows the steps to deploy Sophos endpoint protection agent using SCCM. For a big organization protecting computers is the major task. While there are lot of anti-virus solutions out there, Sophos is also in the top list of AV’s. Sophos also allows security admins to manage all Sophos products from a single, cloud-based console. Sophos provides different methods for automating the deployment of software to Windows computers. SCCM makes it easier to deploy Sophos central installer to multiple window computers. If you have access to Sophos central and looking to deploy agents across your organization, this post should help you.

Sophos Endpoint Protection Command line switches

Sophos provides few command line switches to install endpoint protection agent. The below switches applies to Sophos Cloud Managed Endpoint, Central Endpoint Standard and Endpoint Advanced. Sophos cloud installer switches include:-

SwitchWhat it does
-qInstalls Sophos agent with no user interface.
-tps detect/ignore/removedetect – Stops the installation if Sophos finds another security software.

ignore – Ignore the existing security software and install Sophos protection software.

remove – removes existing security software and then installs Sophos agent.

Deploy Sophos Endpoint Protection Agent using SCCM

Let’s look at steps to deploy Sophos endpoint protection agent using SCCM. Login to Sophos Central console and click on Protected Devices. Under Endpoint Protection, click Download Complete Windows Installer. Save the installer and copy it to sources drive or any shared path. This path should be accessible by configuration manager.

Deploy Sophos Endpoint Protection Agent using SCCMOpen Configuration Manager console, click Application Management. Right click Applications and create a new application. Click Manually specify the application information.

Deploy Sophos Endpoint Protection Agent using SCCMAdd information about the application and click Next.

Deploy Sophos Endpoint Protection Agent using SCCMAdd a new deployment type and select Manually specify the deployment type information. Click Next.

Deploy Sophos Endpoint Protection Agent using SCCMSpecify Content location (path where content is located). In the next step specify install and uninstall commands as shown below. The sophos installer batch file contains the code to install Sophos cloud endpoint. The code is available here. Copy the code into notepad, you need to replace line pushd \\servername\share with the location of the installer package on your network. Save it as a batch file and use it as installation program.

Installation program - "Sophosinstaller.bat"

Uninstall program - "C:\\Program Files\\Sophos\\Sophos Endpoint Agent\\uninstallcli.exe"

Deploy Sophos Endpoint Protection Agent using SCCMLet’s add detection method to detect the presence of this application. We will define 2 detection methods here. Click Add Clause and configure the following.

Setting Type  - File System

Type - File

Path - %ProgramFiles(x86)%\Sophos\Management Communications System\Endpoint

File or folder name - McsClient.exe

Select The file system must satisfy the following rule to indicate the presence of this application.

Property - Version

Operator - Greater than or equal to

Value - 4.6.0.0

Deploy Sophos Endpoint Protection Agent using SCCM

For second detection rule add the following.

Setting Type - File System

Type - File

Path - %ProgramFiles(x86)%\Sophos\Management Communications System\Endpoint

File or folder name - McsClient.exe

Property - Version

Operator - Greater than or equal to 

Value - 4.6.0.0

Deploy Sophos Endpoint Protection Agent using SCCMUnder connector specify Or and click Next.

Specify the app the install for system. Set logon requirement to Whether or not a user is logged on. Specify installation program visibility to hidden. Click Next.

Finally on completion page click Close.

The next steps are simple to perform. Distribute the app to distribution points and deploy this app to device collection. The client computers will need internet connectivity to complete the installation of Sophos endpoint protection agent.

Related Posts
guest
14 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Pan

Hello all,

We are using the Task Sequence for new machines to deploy an OS.
We have specified what programs we would like to be installed during the OSD including Sophos (one package and different programs as we have multiple offices in many countries).

My question is:

Is there any chance to specify in the MDT Custom Settings.ini file a parameter that will check if the machine that we are pushing the OSD is laptop or not? If laptop to send programA and if not to send programB.

Thank you in advance

Paul

Hi,

This looks great. What are the benefits of using the batch file over using the command line switches for the Sophos installer?

and will this same method work for the window server installer?

Paul

and in addition, how can a quiet install and remove tps be invoked, when using the bath file, rather than command line switches? I’m unsure which method is best to use and I see guides on your site for both, either of which would presumably do the trick nicely. I just don’t know which to go for.

Paul

I’ve tried the command line version and it doesn’t seem to work due to the new Sophos thin installer. SophosSetup.exe runs and extracts Sophos.exe, leaving both exe files running in task manager, but neither finishes and the deployment fails. I imagine this will happen with the batch file method, too. Do you have any advice? thanks 🙂

Phil

How did you determine the software version for Endpoint?

The Boss

How do you force sophos to apply the policy or run an update after restart on client?

Brandon

Hi, on your second detection rule, you repeated the “%ProgramFiles(x86)%” text, when your screenshot shows “%ProgramFiles%”

John Sanchez

did you ever find the correct screen shot for the 2nd detection method?

Richard

Hello, Love the website and thank you for the guide – it really helped. I do have a question though that I was wondering if you could help with? We are going to be rolling out Sophos Endpoint Protection in my organisation in the next couple of weeks and on the POC we are currently doing testing out Sophos we have encounted an issue. After Installing Sophos, SCEP is removed but once the PC restarts it comes back on again. I have tried multiple things on SCCM like custom Client Settings and custom anti-malware policies but it just keeps on… Read more »

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More