Integrate Sophos via Scripted Actions


Using Scripted Actions, it is possible to integrate Sophos Central endpoint protection into Nerdio Manager, allowing Nerdio Manager to manage the installation/removal of endpoint protection for your session hosts.

The default Nerdio-provided Windows scripted action, Install Sophos Server Endpoint Protection Agent, can be used to install the Sophos endpoint. Before you use it, you must define secure variables in Nerdio Manager that are specific to your Sophos environment. The following steps guide you through obtaining the necessary secrets from your Sophos environment and entering them into Nerdio Manager.

Determine your Sophos Central Environment Setup

Sophos environments fall under the following types: Partner, Organization, and Tenant. See this article for details.

For the purposes of Nerdio Manager, we need to know which type you have. You can quickly determine your type by looking at the word shown in the Sophos Central menu at the top left.

  • Admin = Tenant Portal

  • Enterprise = Organization Portal

  • Partner = Partner Portal

If you are in the Partner Portal or Organization Portal, you need to perform the following steps to get the Tenant ID and APIHost. Otherwise, you can skip to Retrieve the Client ID and Client Secret.

Get the Tenant ID (Partners and Organizations Only)

  1. Visit the documentation page corresponding to your portal: Partner or Organization.

  2. Follow the first steps in the appropriate guide to get your Client ID and Client Secret.

  3. On your local computer, open PowerShell ISE.

  4. Copy the following script.

    $ClientId = ''
    $ClientSecret = ''

    # OAuth2 client-credentials request body
    $AuthBody = @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "token"
    }

    Write-Output "INFO: Retrieving Auth Info using Client Secrets"
    $AuthResponse = (Invoke-RestMethod -Method 'post' -Uri '' -Body $AuthBody)
    $AuthToken = $AuthResponse.access_token
    $AuthHeaders = @{Authorization = "Bearer $AuthToken"}

    # Find out whether these credentials belong to a partner or an organization
    $WhoAmIResponse = (Invoke-RestMethod -Method 'get' -Headers $AuthHeaders -Uri '')
    $ID = $WhoAmIResponse.Id

    if ($WhoAmIResponse.idType -eq 'partner') {
        $PartnerHeaders = @{
            Authorization  = "Bearer $AuthToken"
            'X-Partner-ID' = $ID
        }
        $response = Invoke-RestMethod -Method 'get' -Headers $PartnerHeaders -Uri ''
        # Output the first page of results
        $response
        $TotalPages = $
        if ($TotalPages -gt 1) {
            # Walk the remaining pages and output each one
            do {
                $newpage = $response.pages.current + 1
                $response = Invoke-RestMethod -Method 'get' -Headers $PartnerHeaders -Uri "$newpage"
                $response
            }
            while ($newpage -lt $TotalPages)
        }
    }
    else {
        $OrgHeaders = @{
            Authorization       = "Bearer $AuthToken"
            'X-Organization-ID' = $ID
        }
        Invoke-RestMethod -Method 'get' -Headers $OrgHeaders -Uri ''
    }

  5. Replace the $ClientID and $ClientSecret variables and run the script.

    You should receive a list of tenants detailing Names and IDs. Each tenant looks something like this. The Tenant ID is the top "id" for each returned result.

Retrieve the Client ID and Client Secret

Follow this guide to retrieve the Client ID and Client Secret.

Note: Be sure to note the Client Secret and Client ID provided. In addition, be careful where these are stored.

Configure and Use the Installation Script in Nerdio Manager

  1. In Nerdio Manager, you must create the following Account-level Secure Variables for the Sophos Server Endpoint Protection Agent installation and removal scripts:

    Note: See Scripted Actions - Account-Level Variables for details about creating account-level secure variables.

    • Client ID: sophosclientid

    • Client Secret: sophosclientsecret

    • Tenant ID: sophostenantid (for Partner or Organization installs only)

      Note: Once you create the variables, the installation and removal scripts are ready to use. It is recommended that you test on a validation/development session host before deployment.

  2. At the Account level, navigate to AVD > Host Pools.

  3. Locate the host pool you wish to install the Sophos Server Endpoint Protection Agent on.

  4. From the action menu, select Properties > VM Deployment.

  5. Toggle on Run Scripted actions when host VM is CREATED.

  6. From the drop-down list, select the installation script.

  7. Toggle on Run Scripted actions when host VM is REMOVED.

  8. From the drop-down list, select the removal script.

  9. Select Save & close.

    The scripted actions automatically install/remove the Sophos Server Endpoint Protection Agent on session host VMs in the host pool.
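
A pre-flight check for the secure variables created in step 1, useful when testing on a validation session host. This is an added example, not part of the Nerdio-provided scripts: the function name `Test-SophosSecureVars` is hypothetical, and it assumes that secure variables reach a scripted action as properties of `$SecureVars` and that the Tenant ID is a GUID. The sample values are constructed.

```powershell
# Added example (not Nerdio's script). Checks that the Sophos secure variables
# exist and are well-formed, and reports problems by variable NAME only.
function Test-SophosSecureVars {
    param(
        [Parameter(Mandatory)] $Vars,   # $SecureVars in a scripted action (assumption), or a hashtable for a dry run
        [switch] $RequireTenantId       # set for Partner / Organization installs
    )
    $problems = @()
    foreach ($name in 'sophosclientid', 'sophosclientsecret') {
        $value = [string]$Vars.$name
        if ([string]::IsNullOrWhiteSpace($value)) {
            $problems += "$name is missing or empty"
        }
        elseif ($value -ne $value.Trim()) {
            # A stray space or newline from copy/paste makes the token request fail
            $problems += "$name has leading or trailing whitespace"
        }
    }
    $tenant = [string]$Vars.sophostenantid
    if ([string]::IsNullOrWhiteSpace($tenant)) {
        if ($RequireTenantId) { $problems += 'sophostenantid is missing or empty' }
    }
    else {
        $parsed = [guid]::Empty
        # Assumption: the Tenant ID is the GUID-format "id" returned for the tenant
        if (-not [guid]::TryParse($tenant, [ref]$parsed)) {
            $problems += 'sophostenantid is not a GUID'
        }
    }
    # Never include the values themselves: scripted action output ends up in logs
    return ,$problems
}

# Dry run outside Nerdio Manager with constructed sample values
$sample = @{
    sophosclientid     = '00000000-0000-0000-0000-000000000000'
    sophosclientsecret = 'constructed-secret '   # trailing space on purpose
    sophostenantid     = 'not-a-guid'
}
$found = Test-SophosSecureVars -Vars $sample -RequireTenantId
if ($found.Count -gt 0) {
    Write-Output ("Sophos secure variables need attention: " + ($found -join '; '))
}
```

In a scripted action, pass `$SecureVars` instead of `$sample` and use `throw` in place of `Write-Output` so that the action fails before any installation is attempted.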
