I am in the process of installing Sophos using a policy. Sophos has several PPPCs, and Kernels that need to be put in place. These are being pushed by a configuration profile.
I do not want the install of sophos to happen before the configuration policy is on the system, yet I do not see any option when creating a smart computer group to determine if the configuration policy has been applied. How do I verify the policy is in place before the install?
Thanks in advance for your help!
Solved! Go to Solution.
Another way you can implement this is by using a two step policy method that caches the installer on the machine, then subsequently does the install.
The basic steps are:
1. Create a smart group based on the Sophos installer package being cached on the system. Create another smart group based on the Sophos application being on the system.
2. Set the scope of the Sophos related config profile(s) to BOTH of the new smart groups.
3. Create an on-going policy that caches the Sophos package on the system and scope it all machines (or a small subset for testing) and exclude the new cached smart group. Make sure the policy runs a recon (via file & processes per this DerFlounder blog post )
4. Create an on-going policy that installs the Sophos package on the system and scope it to the cached smart group and excludes the installed smart group. Make sure the policy runs a recon (via file & processes)
The first policy will cache the installer to the machines and should ensure the configuration profiles get installed as well. During the next check-in cycle the machine will perform the installation with the config profiles in place. If the user unintentionally or purposely removes the Sophos application the two policies together will direct the machine to reinstall it depending on how often your machines typically run a recon.