Using SCCM 2007 (SMS) to deploy Endpoint Security and Control (Sophos Anti-Virus)
This article is intended for use by network administrators who already use Microsoft Systems Management Server (SMS) or System Center Configuration Manager 2007 (SCCM) to manage, deploy, and update network components, and who now want to use SMS to deploy and manage Endpoint Security and Control or other Sophos products on their network.
More information about SMS and SCCM 2007 is available from the Microsoft SMS web pages.
The following procedures assume that the user is already familiar with the functionality, components and terminology of SMS.
What to do
Deploying Sophos products
- Creating a new package and program
Open the SMS Distribute Software Wizard and create a new package and program for a collection of computer systems. Give the package an appropriate name, for example, "Sophos Endpoint Security and Control".
- Defining a source directory
In 'Source Files' select 'Obtain files from a source directory'. In 'Source directory:' select 'Network path (UNC name)'. Enter the location of the update location or Central Installation Directory (CID) files. For example:
Enterprise Console 4:
\\servername\SophosUpdate\CIDs\Sxxx\package name
Enterprise Console 3.x:
\\servername\InterChk\ESXP
\\servername\InterChk\ESNT
\\servername\InterChk\ES9X
If you want groups of computers to update from different locations, these groups and locations can be specified after deployment. This is described more fully below. Click 'Next'.
- Selecting distribution points
Select appropriate distribution points for the package. Click 'Next' to display the Program Identification dialog box, and check that the 'Name' field displays the program name that you defined in step 1 above.
- Using the Command line
You will use the Command line to define two areas:
  - Where computers obtain updates. One of the following will apply:
    - You have groups of computers, and you need to define an update location for each group. You can define these locations either before or after deployment.
    - You want all computers to update from a single location. You can specify this location before deployment, by entering the primary server address in the command line.
  - The information required to identify the new program. This must include:
    - the setup.exe file from the source file specified above
    - the user name and password required to access the server from which you will get updates.
- Entering the Command line
Enter a command into the Command line field. According to whether you want to specify the primary server address before or after deployment of setup.exe to the computers, your text should resemble one of the following examples:
  - if you intend to specify the primary server address AFTER deployment:
  setup.exe -user <username> -pwd *****
  Where <username> is an account with read-access to the update location/CID.
  When you enter a command in this format, after the installation program is deployed to the computers, the primary server address in the AutoUpdate Configuration on the client computers defaults to the UNC path of the shared SMS package folder on the SMS server, for example \\[SMSservername]\SMSPKGC$\12300001\.
  The client computers will appear as managed and connected in the 'Unassigned' folder in Enterprise Console. However, as the primary server location is not pointing to a managed update location/CID, the computers will not get Sophos updates. You must specify this later.
  - if you intend to specify the primary server address BEFORE deployment:
  setup.exe -user <username> -pwd ***** -mng yes -updp \\servername\InterChk\ (Enterprise Console 3)
  Where <username> is an account with read-access to the update location/CID.
  \\servername\SophosUpdate\CIDs\Sxxx\[package name]
  When you enter a command in this format, the client computers will appear as managed and connected in the 'Unassigned' folder in Enterprise Console and will get Sophos updates. Click 'Next'.
- Running the program
In 'Program properties', choose to run the program, and select 'Whether or not a user is logged on' from the dropdown options.
Note: After running the program on Windows 95/98/Me platforms, the computer may require rebooting.
- Advertising the program
Advertise the program. Select appropriate advertisement targets.
- Assigning the program
Assign the program. Choose the option that makes installation mandatory on the computers.
- Completing the software distribution
Click 'Next', then 'Finish' to complete and exit the software distribution wizard. If necessary, you can now adjust the properties of the advertisement appropriately, such as making assignments mandatory over slow links.
- Ensure that the distribution points are updated regularly
To ensure that new computers install the most recent version of the Sophos software you deployed, make sure that the distribution points update from the update location/CID at least once a month. It is possible to configure the package to automatically refresh the distribution points.
Managing client computers after deployment
For computers to receive a
- If you did not specify the required primary server address in the command line of the SMS package, following deployment, the computers appear as connected and managed in the 'Unassigned' folder of Enterprise Console. However, they will not receive Sophos updates, because the primary server on the computers is not pointing to a managed update/CID location.
In Enterprise Console, you can move them to a configured group and make them comply with the group updating policy. This forces the AutoUpdate primary server address on the computers to point to the correct CID.
- If you specified the correct primary server address in the command line of the SMS package, following deployment, the client computers will appear as connected and managed in the 'Unassigned' folder of the Enterprise Console, and will get Sophos updates. You can move these computers to other groups on the console if required.
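An added example, not part of the original article and not Sophos or Microsoft code: a PowerShell lint for the SMS program command line that reports which of the two outcomes described above (updates available, or no updates until the computers are moved to a configured group) a command will produce, and masks the -pwd value in its output. The function name, state names and sample account, password and server names are assumptions; only the switches shown in this article are recognised.

```powershell
# Added example (not Sophos or Microsoft code). Lints an SMS program command
# line using only the switches this article shows: -user, -pwd, -mng, -updp.
function Test-SophosSetupCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Tokenise; a "quoted value" stays whole (quoting is an assumption here).
    $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') |
        ForEach-Object { $_.Value.Trim('"') })
    $switches = @{}
    for ($i = 1; $i -lt $tokens.Count - 1; $i++) {
        $name = $tokens[$i].ToLower()
        if ($name -in '-user', '-pwd', '-mng', '-updp') {
            $i++; $switches[$name] = $tokens[$i]   # each switch takes one value
        }
    }
    $findings = New-Object System.Collections.Generic.List[string]
    $state = 'UpdateLocationSet'
    $updp = $switches['-updp']
    if (-not $updp) {
        $state = 'NoUpdatesUntilGrouped'
        $findings.Add('No -updp: primary server defaults to the SMS package share.')
    } elseif ($updp -notmatch '^\\\\[^\\]+\\[^\\]+') {
        $state = 'Invalid'
        $findings.Add('-updp is not a UNC path (\\server\share\...).')
    } elseif ($updp -match '^\\\\[^\\]+\\SMSPKG') {
        $state = 'NoUpdatesUntilGrouped'
        $findings.Add('-updp is an SMS package share, not a managed update location/CID.')
    } elseif ($switches['-mng'] -ne 'yes') {
        $findings.Add("-updp is set without '-mng yes', unlike the article's example.")
    }
    if ($tokens.Count -eq 0 -or (Split-Path $tokens[0] -Leaf) -ne 'setup.exe') {
        $state = 'Invalid'; $findings.Add('Program is not setup.exe.')
    }
    foreach ($required in '-user', '-pwd') {
        if (-not $switches[$required]) { $state = 'Invalid'; $findings.Add("Missing value for $required.") }
    }
    [pscustomobject]@{
        State    = $state
        # Mask the password so the result can be logged or pasted into a ticket.
        Redacted = $CommandLine -replace '(?i)(-pwd\s+)("[^"]*"|\S+)', '${1}*****'
        Findings = $findings.ToArray()
    }
}

# Constructed samples: account, password and server names are placeholders.
$samples = 'setup.exe -user DOMAIN\SophosRead -pwd Example-Pw1',
    'setup.exe -user DOMAIN\SophosRead -pwd Example-Pw1 -mng yes -updp \\servername\InterChk\',
    'setup.exe -user DOMAIN\SophosRead -pwd Example-Pw1 -updp \\SMSservername\SMSPKGC$\12300001\'
$samples | ForEach-Object { Test-SophosSetupCommand $_ } | Format-List
```

The first and third samples report NoUpdatesUntilGrouped, the second reports UpdateLocationSet; the check reads only the command text and does not confirm that the share exists or that the account's access is limited to read.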
If you need more information or guidance, then please contact technical support.
- Article ID: 12457
- Created: 24 Jan 2005
- Last updated: 18 Nov 2009

