Create gold images and clone new devices
You can create gold images from Sophos protection software. This process is supported on Windows computers and servers, if you're using the thin installer and up-to-date versions of the core agents. You need the following versions:
- Windows 10 or later
- Windows Server 2016 or later
- Thin Installer 1.14 or later
- Sophos Core Agent 2022.1.0.78 or later
- Sophos Server Core Agent 2022.1.0.78 or later
When using virtual machines in a Virtual Desktop Infrastructure (VDI), you can create new virtual machines from a gold image. The gold image acts as a template for your virtual machines. You must ensure that each new virtual machine has a different identity from the device being used as the gold image.
You can create gold images from Endpoint Protection or Server Protection to create new virtual machines. Follow these instructions to install Endpoint Protection or Server Protection on a gold image so that every instance of a virtual machine that runs from that single gold image gets its own unique identity. We register these virtual machines as devices in Sophos Central Admin. You can then manage them in Sophos Central Admin.
Restriction
You can't create a gold image for a server running Server Lockdown or Update Cache.
For help with installing Endpoint Protection see Endpoint Protection.
For help with installing Server Protection see Server Protection.
For help with setting up your firewall or proxy to communicate between Sophos Central Admin and your managed endpoints, see Domains and ports to allow.
Prepare your image
Update the device you want to use for your image so that the operating system and your apps are how you want them.
Set up your image
You can create a new installation on a new device. To do this, do as follows:
- Install Endpoint Protection or Server Protection using the gold image option and any other applicable options.
- Run one of the following commands:
  - SophosSetup.exe --goldimage: Run this command to install using the timeout mode.
  - SophosSetup.exe --goldimage --notificationmode: Run this command to install using the notification mode. For more information on gold image notification mode, see Gold image notification mode.
This indicates that the device is a gold image and installs all your licensed options.
Note
You only need to run this command once to configure the software to treat this device as a gold image. If you have an existing gold image device that doesn't use this process, run this command on the device so that it starts using it.
Make sure that Tamper Protection is turned off on the device hosting the gold image.
For more information about Tamper Protection, see the following pages:
You can use some of the Sophos installation command-line options when you create your gold image. You could use the following options:
- Install selected products on your gold image using the --products option. Example: SophosSetup.exe --goldimage --products=antivirus creates a gold image with only the antivirus products installed.
- Assign your cloned devices to a group using the --devicegroup option. Example: SophosSetup.exe --goldimage --devicegroup=Virtual creates a gold image with all your licensed products installed. We add any devices cloned from it to a group called "Virtual" in Sophos Central Admin.
See Installer command-line options for Windows.
When the installation is complete, you can turn off the gold image device.
You can now create your virtual machines or clones. If you want to update the gold image, restart the device.
How Sophos determines whether the virtual machine is a clone
When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. If a name change has occurred, the existing Sophos configuration is cleaned and we register a new device in Sophos Central Admin. We treat this clone as a unique device.
If no change to the device name occurs, we assume you're starting the gold image device.
By default, we wait two minutes after you start the gold image device before communication with Sophos Central happens. This avoids creating duplicate devices if changing the identity of a new clone takes longer than expected.
If the change of identity is taking longer than the default two minutes, use the --goldimagetimeout option to change the default.
Example
To set the timeout to 4 minutes, add the following option to your installation command: --goldimagetimeout=240
After this two-minute period, regular communication with Sophos Central starts again for the gold image device. You can then update the operating system, apps, and Endpoint or Server Protection.
We check the identity each time you restart the gold image device.
Note
This process only works if all clones are created from the gold image, not from other clones. If any clones aren't created from the gold image, use the manual or scripted process for creating new clones. See Avoid duplicate identities when installing on a gold image.
Gold image notification mode
After you install and create a gold image using the notification mode, it'll register with Sophos Central and allow communication until restart. When restarted, communication will be disabled until you do one of the following actions:
- Run GoldImageCli.exe activate.
- From the Sophos Endpoint Agent, click About and then click Activate and Update.
The following behaviors occur:
- GoldImageCli.exe won't allow a machine to become a clone if the device name hasn't changed. The gold image process will also block this if it's attempted manually.
- GoldImageCli.exe won't allow a machine to activate if the device name has changed.
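As an added illustration (not Sophos code), the following Python models the identity rules described in this section and the previous one: the device-name check and --goldimagetimeout hold at startup, and the clone/activate rules of GoldImageCli.exe. The device names are constructed, and the case-insensitive name comparison is an assumption.

```python
# Added example, not Sophos code: a small model of the identity checks the
# two sections above describe (device-name change at startup, the
# --goldimagetimeout hold, and the GoldImageCli.exe clone/activate rules).
from dataclasses import dataclass

DEFAULT_GOLDIMAGE_TIMEOUT = 120  # seconds; the documented default of two minutes


@dataclass
class GoldImage:
    registered_name: str        # device name recorded when the image was prepared
    mode: str = "timeout"       # "timeout" (default) or "notification" (--notificationmode)
    timeout: int = DEFAULT_GOLDIMAGE_TIMEOUT  # --goldimagetimeout=<seconds>


def name_changed(image: GoldImage, current_name: str) -> bool:
    # Assumption: Windows computer names compare case-insensitively.
    return image.registered_name.lower() != current_name.lower()


def on_startup(image: GoldImage, current_name: str, seconds_since_boot: int) -> str:
    """Action taken when a device built from the image boots."""
    if image.mode == "notification":
        # Notification mode: no communication until GoldImageCli.exe activate
        # (or the clone command from a post-synchronization script).
        return "communication disabled until activate"
    if name_changed(image, current_name):
        # A different name means a new clone: the old configuration is cleaned
        # and a new device is registered in Sophos Central Admin.
        return "clean config and register new device"
    if seconds_since_boot < image.timeout:
        # Same name: assume this is the gold image itself and hold communication
        # for the timeout, so a slow identity change does not create a duplicate.
        return "hold communication"
    return "resume gold image communication"


def goldimagecli(image: GoldImage, current_name: str, command: str) -> str:
    """Model of GoldImageCli.exe clone / activate in notification mode."""
    changed = name_changed(image, current_name)
    if command == "clone":
        return "ok: registered as new clone" if changed else "blocked: device name has not changed"
    if command == "activate":
        return "blocked: device name has changed" if changed else "ok: gold image activated"
    raise ValueError(f"unknown command: {command}")


if __name__ == "__main__":
    gold = GoldImage("GOLD-WIN10")              # constructed sample names
    print(on_startup(gold, "VDI-0042", 10))     # a new clone
    print(on_startup(gold, "gold-win10", 60))   # gold image, still inside the hold
```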
Run a post-synchronization script
When you create a pool of instant clones in VMware Horizon, you can run a post-synchronization script. This script runs at the end of the cloning process on the final machines that are produced.
To run a post-synchronization script, do as follows:
- In Post-Synchronization Script Name, enter the path to the GoldImageCli.exe installer. Example: C:\Program Files\Sophos\AutoUpdate\GoldImageCli.exe
- In Post-Synchronization Script Parameters, enter the command clone.
When the process is complete, there will be a pool of machines ready for access, all registered with Sophos Central and containing the correct endpoint details.