This article explains how to create a standalone or custom installer package, or off-site installer, that will install endpoint software, without needing an active connection to the updating server or Sophos.
Known to apply to the following Sophos product(s) and version(s)
Sophos Enterprise Manager 4.7.0
Enterprise Console 5.2.0
Enterprise Console 5.1.0
Enterprise Console 5.0.0
Enterprise Console 4.7.0
Enterprise Console 4.5.0
What To Do
Choose one of the following two packager methods
The tool will allow you to do the following:
- Create both managed and unmanaged packages.
- Set a primary and secondary update location, which can include a secondary location of Sophos.
- Include exported preconfigured policies.
- Builds a compressed self-extracting and installing package executable.
- The updating policy (sauconf.xml) cannot be used in conjunction with this tool.
- The Sophos Endpoint package must be version 9.7.6 VDL 4.71G or greater.
The method will allow you to do the following:
- Configure older Sophos packages before 9.7.6 VDL4.71G.
- Use all preconfigured policy types.
Note: If you intend to log on with a user name made up of double-byte characters, please refer to the known issue described below.*
Before you begin - Including preconfigured policies (Optional)
If you wish to create a package that includes one or more preconfigured policies, you will need to export each policy (using ExportConfig.exe) into a distribution point. These XML files must then be applied to the distribution point (Using ConfigCID.exe).
Refer to: Using ExportConfig.exe to create XML configuration files and Using ConfigCID.exe to implement configuration file changes for further details.
Note: The updating policy (sauconf.xml) cannot be used in conjunction with this tool.
- Download the Sophos Deployment Packager utility.
- Follow the instructions supplied in the Deployment Packager guide to create the package. This guide assumes you have already exported and applied any required policy configuration files (Using ExportConfig.exe and ConfigCID.exe).
- Uses a command line tool called ExportConfig.exe to export your existing policies. For more information about this tool, and how to use it, refer to: Using ExportConfig.exe to create XML configuration files.
- Use the command line tool ConfigCID.exe to implement your exported policies into the package. For more information about this tool, and how to use it, refer to: Using ConfigCID.exe to implement XML configuration file changes.
- Assumes that you are using the default installation locations for Enterprise Console/ Manager and your update locations. Please substitute your folder names and paths, if appropriate.
Prepare the installer
- Create a folder on the desktop called savinst.
- Browse to
\\server\SophosUpdate\CIDs\S000\ and copy the SAVSCFXP folder to the folder you created on desktop. Type
"%userprofile%\Desktop\savinst\SAVSCFXP" if using a command prompt.
- Create a copy of the SAVSCFXP folder and rename the copy to SAVSCFXPXML. You should now have two folders inside the 'savinst' folder on the desktop - one called SAVSCFXP and the other SAVSCFXPXML, both with the same contents.
- Using ExportConfig.exe export from the Console the policies you wish to apply to the endpoint. An example for Enterprise Console 4.x is shown below.
"%programfiles%\Sophos\Enterprise Console\exportconfig.exe" -type AU -policy [PolicyName] -output "%userprofile%\Desktop\savinst\SAVSCFXPXML\sau\sauconf.xml"
- Ensure all output files, for each policy exported, are saved to the associated SAVXPSCFXML subfolder. Example: For the updating policy place the sauconf.xml file in:
- Integrate the XML files created in step 4 into the package with the ConfigCID.exe tool. An example for Enterprise Console 4.x is shown below.
"%programfiles%\Sophos\Enterprise Console\SUM\configcid.exe" "%userprofile%\Desktop\savinst\SAVSCFXPXML"
- To save space, you can now delete the following files and folders, if they exist:
- From the savinst\SAVSCFXP folder on the desktop: all of the NAC, RMS, SAVXP and SCF subfolders
- From the savinst\SAVSCFXPXML folder: crt instmsiw.exe setup*.*
- You can also delete any component that will not be installed (e.g. nac, scf) from the SAVSCFXPXML folder.
Create a self-extracting archive that executes setup.exe with the appropriate parameters
See also Command line parameters used by Setup.exe if you would like to customize the setup parameters.
For the purpose of this article WinRAR will be used, but any other tool that accomplishes the same job is acceptable.
- Inside the savinst folder, select both SAVSCFXP and SAVSCFXPXML, then right-click and choose “Add to archive…”
- Under Archiving options, select “Create SFX archive” and select “Create solid archive”
- In the Advanced tab, click the “SFX options…” button
- Specify in the “Path to extract” text field:%SystemRoot%\Temp\savinst
- Do one of the following:
- Managed (client will report to the console):- specify in the “Run after extraction” text field:SAVSCFXP\setup.exe -mng yes -ni -s -crt R -updp %SystemRoot%\Temp\savinst\SAVSCFXPXML
If the client has to report across a WAN network please see: Using Sophos message relays in a public WAN.
- Unmanaged (the client will not report to the console):- specify in the "Run after extraction" text field:SAVSCFXP\setup.exe -mng no -ni -s -crt R -updp %SystemRoot%\Temp\savinst\SAVSCFXPXML
- In the Modes tab, select “Hide all”
- In the Update tab select “Overwrite all files”
- Click OK to accept the options
- Click OK to generate the self-extracting installer
Run the self-extracting installer on all machines where SESC is to be deployed.
* Known issue
If you attempt to install SAV via a ready made installer created by Sophos Deployment Packager and the logged on user name is made up of double-byte characters (e.g. Japanese, Chinese) then the install does not continue.
No errors are generated but nothing seems to happen. The files do get extracted to the %temp%/cid_packager_temp directory but the install never occurs. There is no sign of SAU and nothing is logged to the event logs.