Citrix App Layering recipe for Sophos Endpoint Protection

In this guide I discuss the steps involved for a successful deployment of Sophos Endpoint Protection in a Citrix App Layer.

There are two layers you need to work on to successfully layer Sophos. An Application Layer of course and also the OS Layer.

As you may or may not know, the SAM Database is only writeable in the OS Layer and any user or group created in Application Layers are not captured. To layer Sophos we need to create a local user and couple of local groups and for this reason the OS Layer is used for user/group creations and the Application Layer is used to store the Endpoint Protection software, all configurations and definition updates.

To begin, open a new version of your OS Layer and create the following local Groups:

  • SophosAdministrator
    • Add Domain Admins or other groups who should be Sophos administrators to this local group.
  • SophosOnAccess
  • SophosPowerUser
    • Add groups that should be designated as Sophos Power Users to this local group.
  • SophosUser
    • Add your Domain Users group here.

Next create a user account. Keep a secure note of the password and make sure the password is long. Check Password never expires and click Create.

Add this local account to the SophosUser group. Click OK. At this stage you should finalise the OS layer.

Create a new Application Layer for Sophos and install Endpoint Protection using your normal methods. Configure Sophos settings and any exclusions as desired. Next browse to %ProgramData%\Sophos\AutoUpdate\Config and open iconn.cfg in notepad.

Next to AllowLocalConfig = change the value from 0 to 1. Save and close the configuration file.

Open Sophos and browse to the Secondary location tab. Enter any value next to fields Address and User name. Click Change next to Password.

Enter the password value you used when creating the local Sophos user account in the OS Layer. Click OK.

Click OK.

A new file is created in the %ProgramData%\Sophos\AutoUpdate\Config directory named iconnlocal.cfg. Open this file in a text editor.

Copy the value beside UserPassword=

Open Sophos again, navigate to the Secondary location tab and remove any values in Address/User name/Password fields and click OK.

Open iconn.cfg again, this time changing the value of AllowLocalConfig back to 0. Save and close the file.

You should make sure to delete the iconnlocal.cfg file as it is no longer needed.

Open RegEdit and navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service. Now double click REG_SZ Download Password.

Replace the existing value with the value you copied from iconnlocal.cfg. Next click Download User and replace the existing value with the name of the local Sophos account you created in the OS Layer.

Open services.msc and manually stop the Sophos AgentSophos AutoUpdate Service and Sophos Message Router.

Navigate to %ProgramData\Sophos\AutoUpdate\data and delete machine_ID.txt.

Within RegEdit, navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\Messaging System\Router\Private and delete both pkc and pkp REG_BINARY objects.

Navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\Remote Management\ManagementAgent\Private and again delete both pkc and pkp REG_BINARY objects.

Finish off the layer by running preparation jobs such as NGEN.

Finally run Shutdown For Finalize. You are now ready to publish Sophos as a layer.


Leave a Reply