Copyright © 2024 Sophos Ltd

Getting Started with

Sophos Central Agent
Deployment

Sophos Central Endpoint Protection

Version: 5.0v1

[Additional Information]

Sophos Central Endpoint Protection

EP1505: Getting Started with Sophos Central Agent Deployment

April 2024
Version: 5.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Getting Started with Central Agent Deployment - 1

Copyright © 2024 Sophos Ltd

Getting Started with Sophos Central Agent Deployment

In this chapter you will learn how to install the RECOMMENDED KNOWLEDGE AND EXPERIENCE
Sophos Endpoint Agent on Windows and
macOS. ✓ How to access and navigate Sophos Central
✓ Experience using Windows and macOS devices

DURATION 6 minutes

In this chapter you will learn how to install the Sophos Central endpoint agent on Windows and
macOS.

Getting Started with Central Agent Deployment - 2

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Deployment Options

Download the Installer

Email a setup link

Bulk deployment using a script

Include the agent in an image

There are four ways to deploy the Sophos Central Endpoint agent, these are; Downloading the installer
directly from Sophos Central to the device, emailing the setup link to the device owner, using a script
to deploy the agent to multiple devices, and including the Sophos Central agent in an image.

[Additional Information]
For more information about software deployment methods, please see knowledge base article KB-
000034831. https://support.sophos.com/support/s/article/KB-000034831

Getting Started with Central Agent Deployment - 3

Copyright © 2024 Sophos Ltd

Download the Installer

Select Installers from the drop-down menu

To download the installer from Sophos Central, select Devices in the top menu and then select
Installers.

For Endpoint, Server, and Encryption products, the installer menu is also available when you select the
product from the My Products menu. When the installer is run, it detects what operating system it is
being installed on. The appropriate packages are then installed based on the device type, endpoint or
server.

Getting Started with Central Agent Deployment - 4

Copyright © 2024 Sophos Ltd

Agent Download

Only licensed components will be available

The installers page is divided into sections for each product. In the ‘Endpoint Protection’ section there
are options to either download the complete installer or to select the components you want to install
for both Windows and macOS devices. Please note that you will only be able to select the components
you are licensed for.

In the example shown here you can choose whether to install Intercept X Advanced with XDR, Device
Encryption, or both.

Getting Started with Central Agent Deployment - 5

Copyright © 2024 Sophos Ltd

Agent Email Setup Link

Optionally include a setup link to the self-

service portal

If your users have local administrator rights, they can install protection on their own devices using a
link emailed to them. To send an installation link, navigate to People > Manage Users & Groups. Select
the users you want to send the link to, then click Email Setup Link.

You can choose which setup links to send to a user. You can select to send an installation link for
deploying the Sophos agent, and a setup link for the self-service portal. The self-service portal allows
users to manage their devices, view their quarantined emails, read emails using an emergency inbox,
and retrieve recovery passwords for device encryption.

When emailing an installation link to users you cannot select individual components, all licensed
components will be included.

Getting Started with Central Agent Deployment - 6

Copyright © 2024 Sophos Ltd

Windows Installation Process

Installer performs pre- Installer registers with

installation checks and Sophos Central
SophosSetup.exe is launched
downloads and runs stage 2 The device will now appear in
installer Sophos Central

AutoUpdate is installed, and

Downloaded packages are AutoUpdate downloads the
installer retrieves updating
installed files and unpacks them
policy

Manual installation on Windows is very simple, but let’s consider what steps the installer is taking in
the background.

1. Installation starts when SophosSetup.exe is launched.

2. The installer performs pre-installation checks and downloads and runs a second stage installer.
3. The second stage installer takes over the installation process and registers with Sophos Central.
4. AutoUpdate is installed and the installer retrieves the updating policy, which includes the details
required to download.
5. AutoUpdate downloads the files and unpacks them.
6. The downloaded packages are installed.

Getting Started with Central Agent Deployment - 7

Copyright © 2024 Sophos Ltd

Simulation: Installation on Windows

In this simulation you will install the Sophos Endpoint

Agent on a Windows device.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/ce/simulation/WindowsInstall/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

Getting Started with Central Agent Deployment - 8

Copyright © 2024 Sophos Ltd

MacOS Installation Process

Installer is run. Installer downloads and

You may be prompted to allow it Software registers with
installs the Sophos endpoint
access to files in the ‘Downloads’ Sophos Central
folder
agent

Software prompts to enable Software downloads

extensions configuration

The macOS installer works in a very similar way to Windows but does things in a different order.

1. You start by running the installer. Here you may be prompted to allow the installer access to the
files in ‘Downloads’. This is required to proceed with the installation.
2. The installer downloads and installs the Sophos Endpoint agent.
3. The Endpoint agent registers with Sophos Central so it can be managed.
4. The Endpoint agent downloads the configuration.
5. At the end of the installation the software will prompt for you to enable the extensions required
for Sophos to provide protection. This is done in ‘System Preferences’.

Getting Started with Central Agent Deployment - 9

Copyright © 2024 Sophos Ltd

MacOS Installation Process

When prompted to enable extensions, open Security Preferences and select Privacy and Security.
Click Details… You will need to enter the password for the device to make any changes.

Ensure both extensions are enabled and click OK.

Getting Started with Central Agent Deployment - 10

Copyright © 2024 Sophos Ltd

Simulation: Installation on MacOS

In this simulation you will install the Sophos Central

Endpoint Agent on a macOS device.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/ce/simulation/MacInstall/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

Getting Started with Central Agent Deployment - 11

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Bulk Installation to Existing Devices
Windows macOS

▪ Active Directory Group Policy ▪ JAMF Pro

▪ Microsoft Endpoint Configuration ▪ Others…
Manager
▪ Microsoft Intune
▪ Others…

▪ Use the installer from the Central Admin Dashboard

▪ The same installer can be used for all Windows devices (endpoint/server)
▪ Use third party tools to run the installer on target devices with administrator rights

If you need to deploy the Sophos Endpoint agent to multiple devices, you can create a script that will
automatically deploy and install it. You can either use Active Directory scripts in your Group Policy, or
alternatively you can choose to use an RMM tool. For example, Microsoft Endpoint Configuration
Manager to distribute and install the Sophos Endpoint agent.

It is important to note that bulk deployments should NOT be created using an installer that has been
sent using the email setup link. If this installer is used, all devices will be associated with the Sophos
Central account that sent the email.

[Additional Information]
The steps required to force devices to re-register with Sophos Central can be found in knowledge base
article KB-000035040. https://support.sophos.com/support/s/article/KB-000035049

Getting Started with Central Agent Deployment - 12

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Including Sophos Central in a ‘Gold’ Image

▪ Device identity is set during install

▪ Multiple images of the same device will try to use the same identity

To resolve this…

Install using --goldimage to detect name change and Install then remove the identity causing it to register on next
register a new identity boot

WINDOWS WINDOWS macOS

For organizations using virtual machines, it is common to create a gold image and run multiple
instances of that image. During the installation of the Sophos Endpoint Agent the device identity is set,
this is used by Sophos Central to identify individual devices. If you run multiple images using the same
identity, all devices will report to Sophos Central as the same device. To prevent this issue, new images
created from the gold image must register for a new identity. There are a couple of ways this can be
done.

On Windows you can run the install with the --goldimage option. When the device name changes
when a new instance is created from the image, the Sophos Endpoint Agent will register for a new
identity. You can remove the identity, which causes the Sophos Endpoint agent to register for a new
identity when it next starts.

[Additional Information]
Removing identity from Windows to create a gold image KB-000035040:
https://support.sophos.com/support/s/article/KB-000035040

Getting Started with Central Agent Deployment - 13

Copyright © 2024 Sophos Ltd

Chapter Review

Sophos can be installed on devices by manually download and running the installer, this requires
administrator rights. Endpoint protections allows you to select which of your licensed components you
want to install.

You can send a setup link via email to the device owner to install if they have administrator rights. You
can include links for deploying the software and setting up access to the self-service portal.

The Sophos Endpoint agent can be deployed to multiple devices using a script, third-party RMM tools, or
included in a gold image.

Here are the three main things you learned in this chapter.

Sophos can be installed on devices by manually downloading and running the installer, this requires
administrator rights. Endpoint Protection allows you to select which of your licensed components you
want to install.

You can send a setup link via email to the device owner to install if they have administrator rights. You
can include links for deploying the software and setting up access to the self-service portal.

The Sophos Endpoint agent can be deployed to multiple devices using a script, third-party RMM tools,
or included in a gold image.

Getting Started with Central Agent Deployment - 17

Copyright © 2024 Sophos Ltd

Getting Started with Central Agent Deployment - 18

Copyright © 2024 Sophos Ltd

Getting Started with

Sophos Server
Protection for Linux

Sophos Central Endpoint Protection

Version: 5.0v1

[Additional Information]

Sophos Central Endpoint Protection

EP1512: Getting Started with Sophos Server Protection for Linux

April 2024
Version: 5.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Getting Started with Server Protection for Linux - 1

Copyright © 2024 Sophos Ltd

Getting Started with Sophos Server Protection for Linux

In this chapter you will learn what Sophos
Server Protection for Linux is and the features
it includes. You will learn what the system
requirements are and how to install Sophos
Server Protection for Linux.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How to access and navigate Sophos Central
✓ Experience managing Linux servers

DURATION 5 minutes

In this chapter you will learn what Sophos Server Protection for Linux is and the features it includes.
You will learn what the system requirements are and how to install Sophos Server Protection for Linux.

Getting Started with Server Protection for Linux - 2

Copyright © 2024 Sophos Ltd

What is Server Protection for Linux?

SPL provides detection and response for Linux servers and Linux workloads
and containers hosted in the Cloud

Minimize Time to Improve Security Get Performance

Detect and Respond Operations without Friction

▪ Visibility into server and

container workloads
• Investigate and respond to ▪ Identify Linux security incidents
▪ Identify malware, exploits, and threats as they happen
anomalous behaviours
• Single agent managed from ▪ Optimize application uptime
▪ Prioritized detections and Sophos Central with a single agent
connected security events for
faster response

Sophos Server Protection for Linux provides detection and response capabilities for Linux servers and
Linux workloads and containers hosted in the Cloud.

You can protect both physical and virtual Linux servers against threats and view those servers in one
place. This optimizes performance and integration with security and development operation
workflows.

Getting Started with Server Protection for Linux - 3

Copyright © 2024 Sophos Ltd

Agent and Sensor Features

SOPHOS SERVER PROTECTION FOR
FEATURES LINUX AGENT SOPHOS LINUX SENSOR
Deep learning malware detection ✓
Anti-malware File Scanning
✓
(on-access/on-demand/scheduled)
Live Protection ✓
Quarantine
(malware detections only, does not currently include ✓
machine learning detections)
Cloud Security Management ✓ Requires Advanced license
Runtime detections ✓ Requires XDR or MDR license ✓
Live Discover ✓ Requires XDR or MDR license
Live Response ✓ Requires XDR or MDR license
Cross product querying ✓ Requires XDR or MDR license

There are two types of deployment of Sophos Server Protection for Linux, agent or sensor. The type of
deployment you choose, and the license will determine the features available. The features included in
the agent and sensor are outlined in this table. Please note that some features of the agent require an
advanced, an XDR license, or an MDR license. The Sophos Server Protection for Linux Agent has three
licenses; Intercept X Essentials for Server, Intercept X Advanced for Server, and Intercept X Advanced
for Server with XDR.

Getting Started with Server Protection for Linux - 4

Copyright © 2024 Sophos Ltd

Agent Vs Sensor

AGENT SENSOR

For highly scalable microservice

For protecting typical server workloads mission critical environments that
on premises and in cloud require ultra high performance
environments

For the majority of administrators looking to provide protection for typical server workloads, either on
premises or in cloud environments, you want to deploy the Linux protection agent.

For highly scalable microservice environments that are mission critical and require ultra-high
performance the sensor may be more appropriate. Sensor deployments do not report detections back
to Sophos Central, 3rd party applications are used to collate, and action based on the detection data.

Getting Started with Server Protection for Linux - 5

Copyright © 2024 Sophos Ltd

Sophos Protection for Linux Agent Deployment Options

FULL MALWARE PROTECTION Protection, detection, investigation, and

AND LOCKDOWN response capabilities

SOPHOS SERVER PROTECTION

FOR LINUX AGENT

Detection, investigation, and response

XDR SENSOR
capabilities

Can be used alongside existing protection products

Not to be confused with the Sophos Linux Sensor

The Sophos Server Protection for Linux agent can be deployed in two ways: full malware protection
and lockdown, and XDR sensor. When installed for full malware protection and lockdown, a full set of
protection, detection, investigation, and response capabilities are included with the agent. When
installed as an XDR sensor, there are no protection capabilities; Detection, investigation, and response
capabilities from XDR are included that can be used alongside existing protection products that are
already deployed.

Please note that the XDR sensor is not to be confused with the Sophos Linux Sensor, which has
different capabilities as outlined in the previous slides.

Getting Started with Server Protection for Linux - 6

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Agent System Requirements and Licensing

SYSTEM REQUIREMENTS SUPPORTED PLATFORMS

▪ 2.5 GB free disk space ▪ Amazon Linux 2/2022

▪ 2 GB of memory ▪ CentOS 7/Minimal/Stream
▪ X64 system ▪ Debian 10/11
▪ Systemd supported and running ▪ Miracle Linux 8
▪ Kernel that supports glibc 2.17 or later ▪ Oracle 7/8
▪ Bash is installed ▪ RHEL 7/8/9
▪ Ubuntu 18.04 (LTS)/20.04 (LTS)/22.04
(LTS)/Minimal

RELEASE NOTES: https://docs.sophos.com/releasenotes/output/en-us/esg/linux_protection_rn.html

To use Sophos Server Protection for Linux agent, the device must meet the system requirements and
run a supported platform shown here. For the latest system requirements, please check the release
notes.

[Additional Information]
For more information regarding system requirements and supported platforms please see the current
release notes.
https://docs.sophos.com/releasenotes/output/en-us/esg/linux_protection_rn.html

Getting Started with Server Protection for Linux - 7

Copyright © 2024 Sophos Ltd

Sophos Linux Sensor System Requirements and Licensing

SYSTEM REQUIREMENTS SUPPORTED PLATFORMS

▪ 2.5 GB free disk space ▪ Amazon Linux 2/2022

▪ 2 GB of memory ▪ CentOS 7/Minimal/Stream
▪ X64 system and ARM64* system ▪ Debian 10/11
▪ Miracle Linux 8
▪ Oracle 7/8
▪ RHEL 7/8/9
▪ Ubuntu 18.04 (LTS)/20.04 (LTS)/22.04
(LTS)/Minimal

* We support ARM64 and AWS Graviton 2 and

Graviton 3 platforms for kernel versions 5.3 or
later

The system requirements for the sensor are very similar, but there are some differences, including a
lower disk space requirement and the addition of ARM support.

Getting Started with Server Protection for Linux - 8

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Installation

To install Sophos Protection for Linux, download the installer from your Sophos Central account. In
your Central account, navigate to Devices > Installers from the top menu bar. To download the agent,
in the Server Protection section, right-click on the link for the installer you want, either Download
Linux Server Installer or Download XDR Sensor Linux. Select Copy link.

To download the Sophos Linux Sensor installer, follow the instructions in the documentation. The URL
is included in the notes.

[Additional Information]
https://doc.sophos.com/esg/sls/help/en-
us/gettingStarted/installSensor/Installing_SLS_from_Sophos_Repo/index.html

Getting Started with Server Protection for Linux - 9

Copyright © 2024 Sophos Ltd

Installation
Use the wget command with the link address

labuser@SophosLab-867764:~$ wget https://dzr-api-amzn-eu-west-1-9af7.api-

upe.p.hmr.sophos.com/api/download/61a5a61e48e1da3eeed8f09fae3b80a0/SophosSetup.sh
--2023-02-21 11:51:24-- https://dzr-api-amzn-eu-west-1-9af7.api-
upe.p.hmr.sophos.com/api/download/61a5a61e48e1da3eeed8f09fae3b80a0/SophosSetup.sh
Resolving dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com (dzr-api-amzn-eu-west-1-9af7.api-
upe.p.hmr.sophos.com)... 34.247.1.39, 34.253.80.32, 54.220.163.136
Connecting to dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com (dzr-api-amzn-eu-west-1-9af7.api-
upe.p.hmr.sophos.com)|34.247.1.39|:443... connected.
HTTP request sent, awaiting response... 200
Length: unspecified [application/octet-stream]
Saving to: ‘SophosSetup.sh’

SophosSetup.sh [ <=> ] 7.86M 45.6MB/s in 0.2s

2023-02-21 11:51:25 (45.6 MB/s) - ‘SophosSetup.sh’ saved [8245846]

labuser@SophosLab-867764:~$

On your Linux server, at a command prompt or in a script, use the wget command with the link
address. You can paste the link address directly from your Sophos Central account. An example of this
is shown here.

Other commands can be used to download the installer, such as curl, or if you are using a graphical
desktop environment you can use a browser.

Getting Started with Server Protection for Linux - 10

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Installation
Change the file permissions to include execute

labuser@SophosLab-867764:~$ chmod +x SophosSetup.sh Run the installer

labuser@SophosLab-867764:~$ sudo ./SophosSetup.sh
This software is governed by the terms and conditions of a licence agreement with Sophos Limited
Installation process for Sophos Protection for Linux started
Attempting to connect to Sophos Central
Successfully verified connection to Sophos Central
Successfully registered with Sophos Central
Successfully installed product
labuser@SophosLab-867764:~$

You can change the permissions of the file to include the execute permission. To do this, run chmod
+x SophosSetup.sh.

Once this has been completed, run the installer. If you are not logged in as the root user, run the
installer with the sudo command.

[Additional Information]
Installation documentation can be found here:
https://docs.sophos.com/central/customer/help/en-
us/PeopleAndDevices/ProtectDevices/ServerProtection/index.html#download-and-run-the-linux-
server-installer

Use this command to apply the execute permission: chmod +x SophosSetep.sh

Use this command to run the installer: ./SophosSetup.sh
To run the installer when not logged in as the root: sudo ./SophosSetup.sh

Additional command line options for the installer can be found here:
https://docs.sophos.com/central/customer/help/en-
us/PeopleAndDevices/ProtectDevices/ServerProtection/SophosProtectionLinux/ServerProtectionAgen
tCommandLineOptions/index.html#products

Getting Started with Server Protection for Linux - 11

Copyright © 2024 Sophos Ltd

Installation Directory
Installation directory is
/opt/sophos-spl

labuser@SophosLab-867764:~$ sudo ls /opt/sophos-spl

base bin logs plugins shared tmp var
labuser@SophosLab-867764:~$

The Sophos Protection for Linux installation directory is /opt/sophos-spl.

Using the command ls you can view the directories included in the installation. Note that you need to
have root privileges to access this directory, so if you are not logged in as the root user, use the sudo
command.

Getting Started with Server Protection for Linux - 12

Copyright © 2024 Sophos Ltd

Video Demo: Installation on Linux

In this video demonstration Sophos Server Protection for

Linux is installed on a Linux server.

LAUNCH DEMONSTRATION CONTINUE

https://training.sophos.com/ce/demo/LinuxInstall/2/play.html

Please watch this video demonstration.

Click Launch Demonstration to start. Once you have finished, click Continue.

Getting Started with Server Protection for Linux - 13

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Bulk Installation to Existing Devices
Linux

▪ Puppet
▪ Others…

▪ Use the installer from the Central Admin Dashboard

▪ Use third party tools to run the installer on target devices with administrator rights

If you need to deploy the Sophos Endpoint agent to multiple devices, you can create a script that will
automatically deploy and install it. It is important to note that bulk deployments should NOT be
created using an installer that has been sent using the email setup link. If this installer is used, all
devices will be associated with the user the email setup link was sent to.

[Additional Information]
The steps required to force devices to re-register with Sophos Central can be found in knowledge base
article KB-000035040. https://support.sophos.com/support/s/article/KB-000035049

Getting Started with Server Protection for Linux - 14

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Including Sophos Central in a ‘Gold’ Image

▪ Device identity is set during install

▪ Multiple images of the same device will try to use the same identity

To resolve this…

Install then remove the identity causing it to register on next boot

For organizations using virtual machines, it is common to create a gold image and run multiple
instances of that image. During the installation of the Sophos Endpoint Agent the device identity is set,
this is used by Sophos Central to identify individual devices. If you run multiple images using the same
identity, all devices will report to Sophos Central as the same device. To prevent this issue, new images
created from the gold image must register for a new identity. You can remove the identity, which
causes the Sophos Endpoint agent to register for a new identity when it next starts.

[Additional Information]
Creating a Linux gold image: https://docs.sophos.com/central/customer/help/en-
us/PeopleAndDevices/ProtectDevices/ServerProtection/SophosProtectionLinux/LinuxGoldImage/inde
x.html

Getting Started with Server Protection for Linux - 15

Copyright © 2024 Sophos Ltd

Chapter Review

Sophos Server Protection for Linux is an anti-virus scanner that also provides runtime detections.

After downloading the installer, you need to assign it with executable permissions using the chmod
command.

Sophos Server Protection for Linux is installed to the /opt/sophos-spl directory. This directory requires
root permissions to access.

Here are the main things you learned in this chapter.

Sophos Server Protection for Linux is an anti-virus scanner that also provides runtime detections.

After downloading the installer, you need to assign it with executable permissions using the chmod
command.

Sophos Server Protection for Linux is installed to the /opt/sophos-spl directory. This directory requires
root permissions to access.

Getting Started with Server Protection for Linux - 21

Copyright © 2024 Sophos Ltd

Getting Started with Server Protection for Linux - 22