Citrix App Layering recipe for Sophos Endpoint Protection

In this guide I discuss the steps involved for a successful deployment of Sophos Endpoint Protection in a Citrix App Layer.

There are two layers you need to work on to successfully layer Sophos. An Application Layer of course and also the OS Layer.

As you may or may not know, the SAM Database is only writeable in the OS Layer and any user or group created in Application Layers are not captured. To layer Sophos we need to create a local user and couple of local groups and for this reason the OS Layer is used for user/group creations and the Application Layer is used to store the Endpoint Protection software, all configurations and definition updates.

To begin, open a new version of your OS Layer and create the following local Groups:

  • SophosAdministrator
    • Add Domain Admins or other groups who should be Sophos administrators to this local group.
  • SophosOnAccess
  • SophosPowerUser
    • Add groups that should be designated as Sophos Power Users to this local group.
  • SophosUser
    • Add your Domain Users group here.

Next create a user account. Keep a secure note of the password and make sure the password is long. Check Password never expires and click Create.

Add this local account to the SophosUser group. Click OK. At this stage you should finalise the OS layer.

Create a new Application Layer for Sophos and install Endpoint Protection using your normal methods. Configure Sophos settings and any exclusions as desired. Next browse to %ProgramData%\Sophos\AutoUpdate\Config and open iconn.cfg in notepad.

Next to AllowLocalConfig = for PPI.WebConfig_Secondary change the value from 0 to 1. Save and close the configuration file.

Open Sophos and browse to the Secondary location tab under Configure Updating. Enter any value next to fields Address and User name. Click Change next to Password.

Enter the password value you used when creating the local Sophos user account in the OS Layer. Click OK.

Click OK.

A new file is created in the %ProgramData%\Sophos\AutoUpdate\Config directory named iconnlocal.cfg. Open this file in a text editor.

Copy the value beside UserPassword=

Open Sophos again, navigate to the Secondary location tab and remove any values in Address/User name/Password fields and click OK.

Open iconn.cfg again, this time changing the value of AllowLocalConfig back to 0. Save and close the file.

You should make sure to delete the iconnlocal.cfg file as it is no longer needed.

Open RegEdit and navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service. Now double click REG_SZ Download Password.

Replace the existing value with the value you copied from iconnlocal.cfg. Next click Download User and replace the existing value with the name of the local Sophos account you created in the OS Layer.

Open services.msc and manually stop the Sophos AgentSophos AutoUpdate Service and Sophos Message Router.

Navigate to %ProgramData\Sophos\AutoUpdate\data and delete machine_ID.txt.

Within RegEdit, navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\Messaging System\Router\Private and delete both pkc and pkp REG_BINARY objects.

Navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\Remote Management\ManagementAgent\Private and again delete both pkc and pkp REG_BINARY objects.

Finish off the layer by running the App Layering Preparation Script: https://jgspiers.com/citrix-app-layering-preparation-script/

Finally run Shutdown For Finalize. You are now ready to publish Sophos as a layer.


15 Comments

  • RICHARD HUGHES-CHEN

    July 31, 2017

    Will try this as had found installing in the OS layer worked but means any future changes to Sophos meant making changes in the OS layer

    Reply
  • sharif

    August 14, 2017

    Most OS layer’s are created on a system that is not a domain joined machine, that is part of the sysprep process when machines are created. So how would you add a domain account to the local Sophos Groups on a OS Layer machine??

    Reply
    • George Spiers

      August 14, 2017

      You temporarily join the OS Layer to the domain, add the groups, remove machine from domain and then finalise the image.

      Reply
      • Calvin

        April 13, 2021

        hi George, not sure if you will see this. But we’re just implementing Sophos SEP now and having trouble, and I’ve been working with an escalation engineer from Sophos on the issue. Issue are failing components, permission denies, window\temp denies, and many more. We’ve been following the recipe from Citrix and Sophos KB but they aren’t getting us anywhere. Then I came across your blog here, which involves both the OS and App layer… My question to you is… Is this recipe still viable? Are you still using Sophos? We’re on 1912 LTSR CU2, with PVS, and latest App Layering.. Windows 10 v1909.

        Reply
  • Sharif

    August 14, 2017

    Gotcha! I will give that a go.

    Reply
  • dalip

    August 23, 2017

    HI
    SophosupdateACC is missing in the application layer.
    Also the secondary address location is greyed out

    Reply
    • George Spiers

      August 23, 2017

      The secondary address location will be greyed out by default until you edit file iconn.cfg and change AllowLocalConfig = from 0 to 1. You also create the SophosUpdateAcc account in the OS Layer, so complete this step first before creating a Sophos layer.

      Reply
      • dalip

        August 23, 2017

        HI George

        I had picked wrong OS layer.
        I have been able to install Sophos. However when I publish I am getting error could not contact the server.
        All the services are up
        error there was a problem establishing connection to the server windows API call returned error 1326

        Reply
  • George Spiers

    August 23, 2017

    Hi Dalip. Not seen that error before but it is best you recreate the Sophos layer and follow the steps carefully. Also review the OS Layer version and make sure the correct groups/user is created and membership is correct.

    Reply
  • Matt G

    November 14, 2017

    Hi George,

    I know this is a few months old, but just wondering if this has been tested on Sophos Cloud AV?

    Thanks

    Matt

    Reply
    • George Spiers

      November 14, 2017

      Sophos Cloud is just moving management to cloud? If you are still deploying Sophos Endpoint Protection on the VDA then I cannot see any issues with using this method.

      Reply
  • KSyed

    November 13, 2019

    Hi Gorge,

    Whats the procedure to update Sophos Layer with new updates?

    Thanks,
    K

    Reply
    • George Spiers

      December 3, 2019

      You can apply updates within the Sophos Application layer.

      Reply
      • Ksyed

        March 16, 2020

        Hi George,

        I am still not able to figure out how to install updates in Sophos Application Layer? Can you please point me in right direction?

        Reply
        • George Spiers

          May 19, 2020

          What is preventing it? What is the update log saying? Have you tried including a Platform layer for Packaging?

          Reply

Leave a Reply to George Spiers Cancel reply