App Layering Basics - Packaging Sophos (cloud)

Nicholas Innes


Hi there,


I'm very new to App Layering and am currently trying to get a POC up for our local desktop support team.


We are a Citrix PVS environment (7.15 LTSR) running on VMware 6.5. ELM Version is


OS I'm working with is 2016


My question / immense frustration is around this KMS GPO script that is set up when you run the machine tools. The GPO startup script is in place as expected and is running as it should.


When I have been packaging Sophos (using Citrix provided recipe https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html ) I can't seem to reliably get the services to start up.


I have put debugging echo statements in the kmssetup.cmd script to allow me to follow the flow of the script during boot up. I'm happy to concede this may be the start of the "you're doing it wrong" phase. :)


The instructions for the recipe say I need to add the service startup batch code in the "Run after every boot" section, which I do. If I put debugging echo statements around this area, I notice that I never see the debugging output and that the script enters a different chunk of code (IF EXIST Setup_cleanup, line 378 ish) which has the goto END at the end of it, bypassing the RUN EVERY BOOT section.




	REM --------------------------------------------
	REM --------------------------------------------

	REM Here we will activate if this is a kms desktop every boot.  Note we always call the script but
	REM if non KMS the script will not contain activation commands
	REM To add commands that run on every boot add after the call runipkato
	@echo "Starting Sophos Services Section" >> c:\admin\kms-script.txt	
	@echo %time% >> c:\admin\kms-script.txt

	REM Change Sophos Service to Automatic - once

	If EXIST SophosSetup1.cmd (
	echo !date!-!time!-kmssetup.cmd:Call SophosSetup.cmd >> SophosSetuplog.txt
	Call SophosSetup.cmd >> SophosSetuplog.txt
	Copy SophosSetup.cmd SophosSetupCMD.txt >> SophosSetuplog.txt
	Del SophosSetup.cmd >> SophosSetuplog.txt
	) else ( @echo "Sophos Setup Script not found!" >> c:\admin\kms-script.txt )

If I manually run the kmssetup script, it will execute as expected and start up the Sophos services using the above code.


I am at the point of just moving on and worrying about it later as I just don't seem to be able to get it to behave.


I'm almost ready to just chuck the service-starting code in at the top of the script before it does anything else! :)


I'm happy to answer any questions if I've left out any important information.


10 answers to this question

25 minutes ago, Rob Zylowski1709158051 said:

You should be able to create the script in the Sophos layer and just add it as a layer script. Then kmssetup will call it every boot without you having to edit the kmssetup script.

Ahh, that's a great idea. Why didn't I think of that :). As an FYI - Sophos is installed as an OS layer (installer creates local computer groups/accounts).


As an aside - the kmssetup.cmd script - is this the sort of script that you don't mess around with outside of adding what you need for your application requirements? i.e. adding debugging code seemed like I was spoiling the script.


Thank you

17 minutes ago, Rob Zylowski1709158051 said:

You can modify it but it's overly complicated. We really should take a shot at simplifying it; the complexity was from Unidesk 2.x.

Yes, I find this script very complicated... Looks like there's a flag file Setup_complete that is lingering after I seal the layer preventing the script from executing properly...question is, is it meant to be there or not ? :)

3 hours ago, Rob Zylowski1709158051 said:

You should be able to create the script in the Sophos layer and just add it as a layer script. Then kmssetup will call it every boot without you having to edit the kmssetup script.

Sorry - silly question time, when you provide the script for the app layer - is this location relative to the image or are you just feeding it a file from your own workstation and it buries it in the layer as it is built? i.e. if I say D:\work\restartSophos.cmd, does this need to be that location in the image or does it not matter? I haven't found detail about this.

49 minutes ago, Rob Zylowski1709158051 said:

Yes, it needs to be there, so for your issue you can just create an app layer. Put the script in, say, windows\setup\scripts and then in the script path enter the path. Then add that layer to your image template.

Yes! Thank you so much, that did the trick.


Thankfully, Office 2019 has worked out of the gates :)


If you have Sophos Cloud, you should be able to download and deploy the virtual appliance that is able to install the version of Sophos made for VMs. We made the mistake of trying to install the regular server client on our server VMs and ran into all kinds of weird issues. The VM version runs perfectly, and it offloads the heavy lifting of scanning to the appliance. Works for desktop OSes as well that are virtualized too. No crazy activation and client duplication to worry about. You can run multiple VAs for redundancy -- they actually host the scanning engine + updates so you're not constantly re-downloading updates to your VMs. In your cloud console, you will see your VAs connected, and it reports how many clients are connected to each VA.


The VA is pretty lightweight on resources and one VA can handle dozens of clients without any problems.
