In this guide I discuss the steps involved for a successful deployment of Sophos Endpoint Protection in a Citrix App Layer.
There are two layers you need to work on to successfully layer Sophos. An Application Layer of course and also the OS Layer.
As you may or may not know, the SAM database is only writeable in the OS Layer, so any user or group created in an Application Layer is not captured. To layer Sophos we need to create a local user and a couple of local groups. For this reason the OS Layer is used for user/group creation, and the Application Layer is used to store the Endpoint Protection software, all configuration and definition updates.
To begin, open a new version of your OS Layer and create the following local Groups:
- SophosAdministrator
  - Add Domain Admins or other groups who should be Sophos administrators to this local group.
- SophosOnAccess
- SophosPowerUser
  - Add groups that should be designated as Sophos Power Users to this local group.
- SophosUser
  - Add your Domain Users group here.
Next create a local user account for Sophos AutoUpdate to use. Record the password in a secure location and make sure it is long. Check Password never expires and click Create.
Add this local account to the SophosUser group. Click OK. At this stage you should finalise the OS layer.
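The OS Layer steps above can be scripted with the built-in Microsoft.PowerShell.LocalAccounts cmdlets. The block below is an added example, not code from the original post: run it in an elevated PowerShell inside the new OS Layer version while the machine is temporarily domain-joined (as the comments describe). The domain name, the Power Users group name and the account name (taken from the comments, where it is called SophosUpdateAcc) are assumptions; change them to match your environment.

```powershell
# Added example (not from the original post): creates the local groups and the
# update account described in the OS Layer steps. Run elevated, inside the new
# OS Layer version, while it is temporarily domain-joined.
# ASSUMPTIONS: domain NetBIOS name, the Power Users group name and the account name.

$Domain     = 'CONTOSO'           # assumed domain NetBIOS name
$UpdateUser = 'SophosUpdateAcc'   # account name used in the post's comments

# Local group -> domain members to add. SophosOnAccess gets no members.
$GroupMembers = @{
    'SophosAdministrator' = @("$Domain\Domain Admins")
    'SophosOnAccess'      = @()
    'SophosPowerUser'     = @("$Domain\Sophos Power Users")   # assumed group name
    'SophosUser'          = @("$Domain\Domain Users")
}

foreach ($group in $GroupMembers.Keys) {
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group -Description 'Created for the Sophos App Layer' | Out-Null
    }
    foreach ($member in $GroupMembers[$group]) {
        # Add-LocalGroupMember errors if the member is already present; that is fine here
        Add-LocalGroupMember -Group $group -Member $member -ErrorAction SilentlyContinue
    }
}

# Long, non-expiring password, entered once and held only as a SecureString
$password = Read-Host -Prompt "Password for $UpdateUser (record it in your password vault)" -AsSecureString
if ($password.Length -lt 20) { throw 'Use a long password (20+ characters) for the update account.' }

if (-not (Get-LocalUser -Name $UpdateUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UpdateUser -Password $password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Sophos AutoUpdate secondary location account' | Out-Null
}
Add-LocalGroupMember -Group 'SophosUser' -Member $UpdateUser -ErrorAction SilentlyContinue

# Show the resulting membership so it can be checked before finalising the OS Layer
foreach ($group in $GroupMembers.Keys) {
    $names = (Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name) -join ', '
    "{0}: {1}" -f $group, $names
}
```

The final loop is the check worth keeping: group membership is exactly what a later Sophos layer cannot repair, so confirm it here before the OS Layer is finalised.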
Create a new Application Layer for Sophos and install Endpoint Protection using your normal methods. Configure Sophos settings and any exclusions as desired. Next browse to %ProgramData%\Sophos\AutoUpdate\Config and open iconn.cfg in Notepad.
In the PPI.WebConfig_Secondary section, change the value of AllowLocalConfig = from 0 to 1. Save and close the configuration file.
Open Sophos and browse to the Secondary location tab under Configure Updating. Enter any value next to fields Address and User name. Click Change next to Password.
Enter the password you used when creating the local Sophos user account in the OS Layer. Click OK, then click OK again to close the dialog.
A new file is created in the %ProgramData%\Sophos\AutoUpdate\Config directory named iconnlocal.cfg. Open this file in a text editor.
Copy the value beside UserPassword=. This is the encoded form of the password that the AutoUpdate service expects, which is why it is generated through the Sophos UI rather than typed into the registry directly.
Open Sophos again, navigate to the Secondary location tab and remove any values in Address/User name/Password fields and click OK.
Open iconn.cfg again, this time changing the value of AllowLocalConfig back to 0. Save and close the file.
Delete the iconnlocal.cfg file, as it is no longer needed and contains the encoded password.
Open RegEdit and navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service. Double-click the REG_SZ value named Download Password.
Replace the existing value with the value you copied from iconnlocal.cfg. Next double-click Download User and replace the existing value with the name of the local Sophos account you created in the OS Layer.
Open services.msc and manually stop the Sophos Agent, Sophos AutoUpdate Service and Sophos Message Router.
Navigate to %ProgramData%\Sophos\AutoUpdate\data and delete machine_ID.txt.
Within RegEdit, navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\Messaging System\Router\Private and delete both pkc and pkp REG_BINARY objects.
Navigate to HKLM\SOFTWARE\WOW6432Node\Sophos\Remote Management\ManagementAgent\Private and again delete both pkc and pkp REG_BINARY objects.
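The file, registry and service steps of the Application Layer procedure above can be scripted as well. The block below is an added example, not code from the original post or from Sophos: the GUI round-trip that produces the encoded password in iconnlocal.cfg is not scripted, so the copied UserPassword= value is passed in at run time (it is a credential; do not hard-code it in a script kept in source control). It assumes iconn.cfg is INI-style with a [PPI.WebConfig_Secondary] section header and a 64-bit OS (hence the WOW6432Node paths from the post).

```powershell
# Added example (not from the original post): scripts the iconn.cfg toggle,
# the registry credential, the service stop and the per-machine identity cleanup.
# ASSUMPTIONS: INI-style iconn.cfg with a [PPI.WebConfig_Secondary] section;
# 64-bit Windows (WOW6432Node paths as given in the post).

$ConfigDir = Join-Path $env:ProgramData 'Sophos\AutoUpdate\Config'
$IconnCfg  = Join-Path $ConfigDir 'iconn.cfg'
$AuService = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service'

function Set-SophosAllowLocalConfig {
    # Flips AllowLocalConfig only inside the PPI.WebConfig_Secondary section,
    # leaving any same-named key in other sections untouched
    param([Parameter(Mandatory)][ValidateSet('0','1')][string]$Value)
    $inSection = $false
    $out = foreach ($line in (Get-Content -Path $IconnCfg)) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'PPI.WebConfig_Secondary') }
        if ($inSection -and $line -match '^\s*AllowLocalConfig\s*=') { "AllowLocalConfig = $Value" } else { $line }
    }
    Set-Content -Path $IconnCfg -Value $out
}

function Complete-SophosLayerPrep {
    param(
        [Parameter(Mandatory)][string]$DownloadUser,     # local account created in the OS Layer
        [Parameter(Mandatory)][string]$EncodedPassword   # UserPassword= value copied from iconnlocal.cfg
    )
    # Credentials the AutoUpdate service reads from the registry
    Set-ItemProperty -Path $AuService -Name 'Download Password' -Value $EncodedPassword
    Set-ItemProperty -Path $AuService -Name 'Download User'     -Value $DownloadUser

    # Stop the three services by display name before touching their state
    foreach ($name in 'Sophos Agent', 'Sophos AutoUpdate Service', 'Sophos Message Router') {
        Get-Service -DisplayName $name -ErrorAction SilentlyContinue | Stop-Service -Force
    }

    # Remove the machine identity and key material so each VDA booted from the
    # layer generates its own; also remove the leftover iconnlocal.cfg
    Remove-Item -Path (Join-Path $env:ProgramData 'Sophos\AutoUpdate\data\machine_ID.txt') -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $ConfigDir 'iconnlocal.cfg') -ErrorAction SilentlyContinue
    foreach ($key in 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Messaging System\Router\Private',
                     'HKLM:\SOFTWARE\WOW6432Node\Sophos\Remote Management\ManagementAgent\Private') {
        Remove-ItemProperty -Path $key -Name 'pkc', 'pkp' -ErrorAction SilentlyContinue
    }

    # Show the user now configured, as a last check before the preparation script runs
    Get-ItemProperty -Path $AuService | Select-Object 'Download User'
}

# Usage, in the order of the post:
# Set-SophosAllowLocalConfig -Value 1     # then fill in the Secondary location tab in the Sophos UI
# (copy UserPassword= from iconnlocal.cfg, clear the Secondary location fields again)
# Set-SophosAllowLocalConfig -Value 0
# Complete-SophosLayerPrep -DownloadUser 'SophosUpdateAcc' -EncodedPassword '<value copied from iconnlocal.cfg>'
```

Splitting the work into two functions keeps the manual UI step explicit: the first call only unlocks the Secondary location tab, and the second applies the copied credential and strips the machine-specific identity once the UI work is done.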
Finish off the layer by running the App Layering Preparation Script: https://jgspiers.com/citrix-app-layering-preparation-script/
Finally run Shutdown For Finalize. You are now ready to publish Sophos as a layer.
RICHARD HUGHES-CHEN
July 31, 2017
Will try this, as I had found installing in the OS layer worked but meant any future changes to Sophos required changes in the OS layer.
sharif
August 14, 2017
Most OS layers are created on a system that is not a domain-joined machine; that is part of the sysprep process when machines are created. So how would you add a domain account to the local Sophos groups on an OS Layer machine?
George Spiers
August 14, 2017
You temporarily join the OS Layer to the domain, add the groups, remove the machine from the domain and then finalise the image.
Calvin
April 13, 2021
Hi George, not sure if you will see this. But we're just implementing Sophos SEP now and having trouble, and I've been working with an escalation engineer from Sophos on the issue. Issues are failing components, permission denies, window\temp denies, and many more. We've been following the recipe from Citrix and the Sophos KB but they aren't getting us anywhere. Then I came across your blog here, which involves both the OS and App layer. My question to you is: is this recipe still viable? Are you still using Sophos? We're on 1912 LTSR CU2, with PVS, and the latest App Layering, on Windows 10 v1909.
Sharif
August 14, 2017
Gotcha! I will give that a go.
dalip
August 23, 2017
Hi,
SophosUpdateAcc is missing in the application layer.
Also the secondary address location is greyed out.
George Spiers
August 23, 2017
The secondary address location will be greyed out by default until you edit the file iconn.cfg and change AllowLocalConfig = from 0 to 1. You also create the SophosUpdateAcc account in the OS Layer, so complete this step first before creating a Sophos layer.
dalip
August 23, 2017
Hi George,
I had picked the wrong OS layer.
I have been able to install Sophos. However, when I publish I am getting the error "could not contact the server".
All the services are up.
Error: there was a problem establishing connection to the server windows API call returned error 1326
George Spiers
August 23, 2017
Hi Dalip. Not seen that error before, but it is best you recreate the Sophos layer and follow the steps carefully. Also review the OS Layer version and make sure the correct groups/user are created and membership is correct.
Matt G
November 14, 2017
Hi George,
I know this is a few months old, but just wondering if this has been tested on Sophos Cloud AV?
Thanks,
Matt
George Spiers
November 14, 2017
Sophos Cloud is just moving management to the cloud? If you are still deploying Sophos Endpoint Protection on the VDA then I cannot see any issues with using this method.
KSyed
November 13, 2019
Hi George,
What's the procedure to update the Sophos Layer with new updates?
Thanks,
K
George Spiers
December 3, 2019
You can apply updates within the Sophos Application layer.
Ksyed
March 16, 2020
Hi George,
I am still not able to figure out how to install updates in the Sophos Application Layer. Can you please point me in the right direction?
George Spiers
May 19, 2020
What is preventing it? What is the update log saying? Have you tried including a Platform layer for packaging?