Sophos Endpoint Client Auto-Install to Synchronized Groups
Sophos Endpoint Console only installs the endpoint client to machines in synchronized groups under very specific circumstances.
Problem 1. Sophos Endpoint Console does not retry installing the endpoint client on a machine after the first failed attempt.
Problem 2. Sophos Endpoint Console only lets you set the synchronization schedule as an interval in minutes, not as specific times.
Our imaging task sequence adds the computer to the appropriate Active Directory OU at the beginning of the imaging process. In later portions of the task sequence, Microsoft SCCM (System Center Configuration Manager) installs additional software while still booted from Windows PE, then applies Windows updates and finally restarts multiple times before the target machine boots from its own operating system for the first time.
This process takes time, sometimes an hour or longer if there are a lot of updates. In most cases it was taking longer than the synchronization interval in Sophos (originally set to 60 minutes), or took long enough that a synchronization was likely to fall somewhere inside the imaging window.
The problem is further compounded by the fact that the group policies that configure the machine to allow remote client installation (firewall rules, etc.) do not apply until a user logs in and the machine restarts at least once.
So in our sequence, computers were being added to the OU before they were completely deployed, and Sophos detected and synchronized them before they even came online. At that point Sophos would attempt to install to a computer it could not find or reach, because the computer wasn’t even “on” or nobody had logged into it for the first time.
Increasing the interval significantly (in our case we selected 180 minutes) provides enough time for the computer to complete our imaging task sequence and gives our IT team enough time to log into the machine, which applies the group policy that lets the client installation complete.
As it stands now, it is still possible to have this issue if the user kicks off the imaging task sequence slightly before synchronization deadline... or fails to log into the machine after imaging completes and before the next synchronization deadline is reached.
Dragging out the interval decreases the likelihood this problem might occur, but it is still possible.
I’d like to make this an official feature request. If Sophos Endpoint Console would simply attempt to install (if not already installed) at every synchronization interval, this problem would not occur. It would also remove any timing issues with imaging and client deployment that may occur in a production environment. At the very least, being able to specify dedicated times would allow a deployment team to plan accordingly.
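As an added illustration of the timing race described above and of the requested retry-at-every-sync behaviour (this is not code from the post or from Sophos): a small Python model that assumes synchronization fires every `interval` minutes starting at t = 0, and that a machine is unreachable for `unreachable_for` minutes after imaging adds it to the OU; all durations are constructed assumptions.

```python
# Added illustration of the race between the imaging task sequence and the
# Sophos group synchronization; not Sophos code. Durations are constructed
# assumptions in minutes; syncs are assumed at t = 0, interval, 2*interval, ...
from fractions import Fraction


def first_sync_after(join_time, interval):
    """Time of the first synchronization at or after the machine joins the OU."""
    return -(-join_time // interval) * interval  # integer ceiling to a multiple


def install_succeeds(join_time, unreachable_for, interval, retry_every_sync):
    """Does the endpoint client end up installed on this machine?

    join_time        minute at which imaging adds the computer to the OU
    unreachable_for  minutes until imaging finishes and a first login has
                     applied the group policy that allows remote install
    interval         synchronization interval in minutes
    retry_every_sync False = current behaviour (one attempt, never retried)
                     True  = requested behaviour (retry at every sync)
    """
    sync = first_sync_after(join_time, interval)
    reachable_at = join_time + unreachable_for
    if sync >= reachable_at:
        return True            # first sync already finds a finished machine
    if retry_every_sync:
        return True            # a later sync will find it reachable and retry
    return False               # one failed attempt, never retried


def failure_fraction(unreachable_for, interval, retry_every_sync=False):
    """Fraction of join times (uniform over one sync period) that leave the
    machine without the client installed."""
    failures = sum(
        not install_succeeds(t, unreachable_for, interval, retry_every_sync)
        for t in range(interval)
    )
    return Fraction(failures, interval)


if __name__ == "__main__":
    for interval in (60, 180):
        print(f"{interval:>3} min interval, one attempt: "
              f"{failure_fraction(60, interval)} of machines miss the client")
    print("retry at every sync:", failure_fraction(60, 180, retry_every_sync=True))
```

With a 60-minute unreachable window, a 60-minute interval fails for every join time, a 180-minute interval still fails for one third of them, and retrying at every sync never fails.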