Posted  by  admin

Enterprise Deployment Of Sophos 9.2.2 For Mac

Nov 27, 2018 - macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update. (64 bit), Windows 7 and later (32 bit), and Red Hat Enterprise Linux (64 bit), 5 Dec 2016. TvOS 9.2.2, Apple TV (4th generation), 18 Jul 2016. Deployment of SAV for Mac v9.1.x will still work on Mac OS X 10.9.5 and 10.10 if the installer is transferred to the target endpoint(s) using a method that will not trigger Gatekeeper. Gatekeeper is not currently triggered if the installer is transferred to the endpoint.

Sophos have gone from being one of the best Mac enterprise anti-virus solutions to (perhaps) the worst. Multi-platform organisations are likely to have a Windows server (or more than one) and can therefore run Sophos Enterprise Console to create and manage a Mac installer for Sophos Anti-Virus. I have done this in previous companies. Previously Mac only organisations could use Sophos Update Manager to do much the same on a Mac server. Unfortunately SUM only supports SAV8 and does not support SAV9. SAV8 is being discontinued in April 2014 and does not officially support Mavericks. It is therefore urgent to move all Macs to SAV9 by April 2014.

If you have no Windows Server, and can no longer use SUM, this leaves two more possibilities, first you could use the standalone SAV9 installer. It is even possible to pre-configure the auto-update account details for this.

Enterprise Deployment Of Sophos 9.2.2 For Mac

Unfortunately Sophos have made this installer an application and not an installer package. As a result it cannot be deployed using Apple Remote Desktop, Casper, Munki, or any other Mac management tool.

(The application needs to be run as an application on each client Mac to do the actual installation.) This stupid design is like the equally stupid approach taken by Adobe and Flash. However at least with Adobe Flash you can find if you look hard enough a standard package file to install Flash.

The final possibility and the one Sophos are pushing Mac only customers to, is to sign up for an extra cost subscription to Sophos Cloud. This does let you manage via the Cloud your Macs, it does let your Macs directly update from Sophos, but a) the website for Sophos Cloud is not 100% Safari friendly, and much more importantly b) the installer it produces is yet again an application and not an installer package! The only approach that still gives you a proper installer package is via Sophos Enterprise Console running on a Windows server. Other than Sophos Enterprise Console has anyone else found a solution to let you mass deploy SAV9? Note: Yes if you install SAV9 manually on a Mac and then make a monolithic master disk image that would work, however I like many others now prefer to use a thin imaging approach (via InstaDMG or AutoDMG). Just noticed the same thing.

My findings so far:. The standalone 'Sophos Installer.app' creates 'Sophos Anti-Virus.mpkg' in /Library/Caches/com.sophos.sau/CID which can apparently be copied from there and used to install (might have to remove the CodeSignature).

Inside the standalone 'Sophos Installer.app', there is an 'InstallationDeployer' binary. Running ``` /path/to/Sophos Installer.app/Contents/MacOS/InstallationDeployer -install ``` also seems to install it properly. One could drop the Sophos Installer.app into /var/tmp and run the command with a postinstall script however, i haven't done any QA testing for both methods yet, so i might be totally wrong. Good spot, it does get us closer but that mpkg does not contain the pre-configured auto-update settings. Therefore if you use it on a fresh Mac or one on which you have cleaned out the previous installs preferences it does not know how to auto-update. It will help with a different problem we have (which is not Sophos' fault) which is for some Macs never connected to the Internet.

I can just periodically copy this.mpkg to them or have a tool like ARD push it to them (on this disconnected network). It is worth looking at further though as in the past with SAV8 it was possible to have some settings files outside the mpkg itself but in the same folder. Ok, I did a bit more testing, as mentioned the mpkg you found does not include the needed auto-update preferences.

I have found that if you do the following in the following order the desired results seem to be achieved. Uninstall SAV8. While it is possible to install SAV9 over the top of SAV8, SAV8 currently has auto-update settings pointing to SUM, we need to clear those settings and have SAV9 directly update from Sophos. Bit messier than I thought it was going to be, the following looks like being the 'official' way to do it. Note: Sophos support don't know how to do this, but I got pointed in the right direction by a manager. As per build a pre-configured installer Application.

Copy the Application to the client Mac either as is, or you could build a customer pkg containing it. As a post copy step, run a shell script and do the following command path/to/Sophos Install Application/Contents/MacOS/InstallationDeployer -install Contrary to what the built-in 'help' for the InstallationDeployer says, I did not need to specific a product name, in fact I could not find a valid product name to use - hence not using one. If the InstallationDeployer command is executed from root it will run without a GUI session and without needing additional authentication. So for ARD you could copy the Sophos standalone installer to a Mac, then remotely execute the InstallationDeployer command.

I plan however to build an Apple PackageMaker pkg to copy the Sophos standalone installer and have a post 'install' shell script then run the InstallationDeployer command. Either approach should remove SAV8 automatically before installing SAV9, and as I have pre-configured it to download directly from Sophos it should also then auto-update directly instead of via SUM which does not support SAV9. After much troubleshooting I managed to get around this issue by doing the following (we're using Sophos Cloud) 1) Use a test VM to install 'Sophos Installer.app' (4Mb Cloud Installer which downloads a full version). Captured the changes using Composer 2) Took a copy of the Installer.app which shows up in the list of captured files.

(Can't remember exact path but if you browse through the folders it should be under a folder called 'saas'. Put it somewhere temporary like Desktop. 3) Made a.pkg of the plists left in /Library/Preferences (excluding the apple plist) 4) Made a new Composer dmg including these 2 packages in the folder /private/tmp 5) Ran a script after installing the dmg (which dumps the 2.pkg's into /private/tmp), which then calls the installer in the app and then applies the preferences for the cloud app: #!/bin/bash /private/tmp/Installer.app/Contents/MacOS/InstallationDeployer -install installer -pkg /private/tmp/sophospreferences.pkg -target / After rebooting the Mac and checking our cloud server the computer is showing in the control panel. Tested on a couple of separate clients and they're showing up as unique machines in the cloud control panel!:D. This doesn't help if you use a av relay server like we do.

The idea for us being an end user says they want to vpn in to the corporate network to work from home and we insist on av. The user then installs SAV home but then never carries out any scans or looks further at the setup!

With an av relay server your users home machines show up in your SEC console and get policies from there. At the moment the v9 deployer is still in development and im told they don't see it as a priority at the moment. Speak to Sophos and you will probably be asked to fill out a feature request like i was, then speak to your Sophos account manager! Also go on Sophos talk and view your opinion on there! I had the same problem too, until I found a workaround this week.

This is what I did. Created sophos installer dmg and added it to my imaging workflow. When the machine finishes imaging the sophos installer is place on the root of the drive. (subject to change var is better location) I also added the below script to the imaging workflow to run once the machine reboots after the image process completes. #!/bin/bash sudo /Sophos Installer.app/Contents/MacOS/Sophos Installer -install exit 0 When you login into a freshly imaged machine the script will install sophos dmg which has been placed on the root of the drive. This has worked for me.

Looking at this quickly. We are deploying sophos via a script - as I couldn't be bothered to repackage every month or so when the app was updated. mount sophos share - copy entire directory for mac installer and supporting files for update config/console to /tmp - umount share - install from tmp - clean up /tmp The macs are bound to AD, and the sophos console applies policies based on the AD OU. This means you have to make sure that macs will be in the correct location in AD when binding. The console takes care of the updates/config changes. That won't work because the sav installer is a mpkg (other installer inside it) I copy it to some where like /private/tmp/ I then drag all of /private/tmp to composer Once tmp is in composer, delete the other stuff to on the sav mpkg is in there.

Then make a post flight script to install it via the command line like sudo installer -pkg (path to the mpkg) -target / Give you package a name in composer and build it as a non flat pkg. You can then upload your pkg to Casper Admin and start looking at smart groups and push it out via a policy. Hope that makes sense and helps:). Here's our procedure for installing our managed Sophos client using Casper. We're using v9.0.8 currently of the Mac client.

We have a Windows 2003 Server (I know, time for an upgrade) running the Sophos Enteprise Console. It creates a.pkg file for Mac clients which can be downloaded.

Download the Sophos installer from our Sophos server. In our case I connect using smb to the share and locate the installer in /Sophos Update/CIDs/S000/ESCOSX/Sophos Anti-Virus.mpkg. Add the Sophos Anti-Virus package to Casper Admin. Make sure you set the option to 'Install on boot drive after imaging' in the Options tab when you 'Get Info' of the Sophos package in Casper Admin. Image a machine and hey presto it'll show up in the Sophos Enteprise Console on your Sophos server. If it's a brand new machine that's never had Sophos on it then you will probably need to assign it to a policy group in the Sophos Enteprise Console.

If it's already been imaged then in my experience the SEP is already aware of the machine and it just reconnected auto-magically. As per Richard Trouton's earlier post in this thread and my own, it is possible to take the standalone Sophos installer and convert it in to a pkg. As per my earlier reply one can do this with the Sophos update credentials saved in to it as well.

If your using Sophos Enterprise Library then you can in theory use the installer package it maintains, if you don't have Sophos Enterprise Library (which requires a Windows server) then you need to use Richard's and my instructions. Richard's original instructions are here they are based actually on the free Sophos Home Edition installer which is very similar to the paid for Standalone installer but not identical. I therefore took Richard's script and modified it to also work with the paid for standalone installer and my own instructions and version of script are available here To summarise if your not using Sophos Enterprise Console but want to make a package to deploy the paid for Sophos Anti-Virus 9 for Mac you do the following Download the standalone Sophos SAV9 installer, Run the command line tool to embed the Sophos Update Credentials, Use my modified script as per Richard's original instructions (instead of Richard's script) You can then deploy the resulting package via ARD or locally run it. It will uninstall any previous versions of Sophos and replace with SAV9 and will also set the update credentials you defined as above.

I was using Sophos Update Manager (SUM) which ran on a Mac server but only supported SAV8, I have used the package I built as per this post to upgrade all our Macs to SAV9 and get them now to update directly from Sophos' servers since there is unfortunately no Mac replacement for SUM. So we're looking to move from our old SEC to Sophos Cloud and SAV 9.x. I've been following Rich and jelockwood's instructions to build a native.pkg installer for SAV 9.x but have hit a snag. When I download the 'Sophos Installer.app' from our demo Sophos Cloud environment and build a package out of it, the postflight script fails to install the software. This is because, I think, the v9.1.4 installer I'm downloading doesn't appear to have the InstallationDeployer binary tool in it anymore. The post flight script calls for this tool but it's nonexistent so the script fails. Is there somewhere else to obtain the Sophos Installer.app?

Ah ha, I figured it out. At some point between 9.0.3 and the current 9.1.4, Sophos decided to rename the binary tool that's embedded in their.app installer. It's now called 'Sophos Installer' and not 'InstallationDeployer'. Yes, some software engineer wizard decided to put a space in the name of their new Unix binary. So you just have to modify Rich or John's postflight script to reflect this new binary name.

Just replace every instance of 'InstallationDeployer' with 'Sophos Installer' and be sure to enclose in quotes so the space(s) are ignored. Its been a while since I run Sophos Enterprise for Mac clients, but as I remember you set up a CID for the Mac version of Sophos and get SEC to download and populate it from Sophos' servers. You also use SEC to configure the CID with settings for the Macs including the auto-update settings. Normally you would have the primary server as the credentials to access the CID on your file server, and the secondary server would be set to download directly from Sophos in case your file server is not accessible.

If you set up a new SEC and presumably also a new CID then I would do the same thing, i.e. Setup the new CID, populate it and configure it. Then in answer to your question I would then copy the contents of the new CID in to the old CID directory. I would make sure the old SEC is turned off so it does not alter the new contents. You will need to keep the old file server running for a while so that the Mac clients can 'update' from the old CID and get the new auto-update details it contains which will then thereafter direct the Mac clients to the new CID.

For those let familiar with Sophos terminology, CID stands for 'Central Installaiton Directory' and is the shared folder on a file server containing the Sophos Anti-Virus installer, settings and updates. You have a CID per version you are using e.g. Mac, Windows, Linux. It is now only possible to deploy a Sophos Anti-Virus.mpkg if you have a Windows Server and are running Sophos Enterprise Console as this is the only method to get a genuine Sophos produced installer package (or mpkg).

This issue is what started this whole thread off in the first place. The Sophos standalone installer, the Sophos cloud installer, and the free home edition installer are all custom applications and not installer packages. The solution Richard Trouton and myself came up with was wrapping the Sophos installer application in an installer package along with a script to deploy i.e. Run the application.

This installer package can of course then be put in a disk image if needed. Yes, making an installer by using Compuser to take a snapshot would be an approach but a cleaner more genuine installer is as per Richard's and my solution. Note: There is a command-line tool inside the Sophos installer app (right click and open package) which lets you pre-configure the auto-update credentials. If you do this before putting it in an installer package the installer package will keep those settings since the script is running the same Sophos installer application and the settings are stored inside the application you are including in the installer package. As a reminder on how to pre-configure the Sophos application see It works great once we found how to do this.

I can deploy the resulting package via DeployStudio, Apple Remote Desktop, Munki, etc. Or even run it manually and clients properly remove any old version of Sophos if there is one, install the new version and get the auto-update credentials automatically. It works on all supported OS X versions which for Sophos SAV 9 means 10.6 to 10.9 at the moment.

At my previous shop i had a nightmare with version 9 and Sophos end technical support getting me to download a Home edition standalone version! It was a relitively small environment at the time and it meant there was too much problem with installing the original mpkg installer on the clients and waiting for the policies to be applied to the machines. In a larger environment, it isn't feasible to wait for the policies to apply.

I have managed to follow all the Instructions and found Johns the clearest Richs blog here I changed the script around to allow for an uninstall of all SAV versions This worked, but unfortunately this isn't any use to me because the end result is that the client machine has no RMS and will not talk to the Sophos Enterprise Console. Hi guys It seem it is possible to create a Sophos Installer with the autoupdate settings. I first need to clarify the OLD method used to be so that this makes sense. In version 8 and below an administrator used to be able to get the Sophos Anit-Virus.mpkg off the network share of your Sophos Enterprise Console server eg smb://yourserver/SophosUpdate/CIDs/S000/ESCOSX/Sophos Anit-Virus.mpkg 2.Edit the mrinit inside the mpkg.

On a test machine install Sophos Anti-Virus.mpkg and configure the sophos updating manually and the usernames and passwords get written to a plist but they are obfuscated. copy the file /Library/Preferences/com.sophos.sau.plist and put it in the location here Sophos Anti-Virus.mpkg Contents Packages SophosAU.mpkg Contents Resources com.sophos.sau.plist. Change the mrinit.conf in Sophos Anti-Virus.mpkg/Contents/Packages/SophosRMS.mpkg/Contents/Resources/ appropriately Now thats all well and good but the problem in version 9 and above is that the SoposAU.mkg doesn't exist any more in the Sophos Anti-Virus.mpkg Instead for version 9+ the credentials are not stored in the /Library/Preferences/com.sophos.sau.plist but in a keychain. /Library/Sophos Anti-Virus/Sophos.keychain So what you need to differently is at step 4 by packaging up the Sophos.keychain, make sure the com.sophos.sau.plist just includes the PrimaryServerURL (not the obfuscated credentials) and include those in your deployment workflow:). I found this to be super easy. Assuming that you realy don't care about enterprise console distro.

1) As per build a pre-configured installer Application as mentioned above. 2) After you've created the custom pkg with your associated accounts info and update schedule.

Run composer and then install. Create a.dmg out of that and presto, you're A-OK. This method works beautifully for me and makes future 'un-installs' trivial (not that it was that complicated in the first place).

Enterprise Deployment Of Sophos 9.2.2 For Mac Free

Our office just did a Sophos Cloud deploy. We found the only way to how the Sophos Installer install correctly with unique device names is to create a DMG in Composer. The trick is to do the following steps: Open Casper Composer (New & Modified Snapshot). Take the Before Snapshot Once the Before Snapshot is complete, run the Sophos Installer provided from the Sophos Cloud website. The critical step to getting the snapshot correct is to: Open Keychain Access, located in /Applications/Utilities. Select the Sophos Keychain and choose the Category All Items Delete the two Sophos Keychain entries: Primary Server Sophos Cloud Credentials Open Activity Monitor, also located in /Applications/Utilities. Highlight the process SophosMcsAgentD Choose the icon to Kill the process.

Finally take the After Snapshot. To un-install Sophos 9.1 before installing Sophos Cloud, Mark Posey wrote this script to run BEFORE the Sophos Cloud install. # Purpose: To remove Sophos local distriubtion and install cloud distribution # Configuration # Uninstall Sophos 9.1.X (Local distribution) /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer -remove if! = '0' ; then echo 'ERROR: Failed to uninstall' exit 1 fi '$?' = '0' && echo 'NOTICE: Removal of Sophos local distribution is successful'.

As per you can pre-configure the Sophos installer to contain update credentials typically to update directly from Sophos' servers. Whereas with SAV 9.0.x and 9.1.x these details where stored in a plist inside the Sophos installer application with SAV 9.2.x they are now in a plist in a folder outside the application. You need SAV 9.2.2 for Yosemite compatibility. Since Sophos Update Manager is discontinued the only ways to distribute updates to Mac clients are -. Configure each Mac to get updates directly from Sophos. Setup a Windows server running Sophos Enterprise Console. Once a month reinstall the latest SAV9 application, typically Sophos issue a new version once a month, this later choice of course means you don't get the benefit of updates every hour If you have installed say 9.1.4 and it was configured to get updates directly from Sophos then it should should update itself to 9.2.2.

If you are merely installing the newer version once a month then pushing the newer version will update it and it is not necessary to remove the older version. Obviously it is best to pre-configure it to get automatic hourly updates and not to just manually update it each month. Hopefully everything mentioned above falls into deploying the mpkg from the bootstrap location on the Enterprise Console.

The problem I have is knowing which version to trust. So is it actually 9.1.4 or is it 9.1.8? (9.1.8 is the version available in the bootstrap location on our Enterprise Console.) I understand how to deploy AV to the machines, I just don't know if I should trust if it updates itself correctly or if I need to re-distribute the application on a regular basis via policy in the JSS with the mpkg from the bootstrap location. If you deploy from the Sophos Enterprise Console CID location then when it installs it includes settings to get updates from the CID. If you use the standalone version you need to pre-configure the installer app to add update credentials which usually will be set to update directly from Sophos. It is annoying that the plist within the main Sophos application does not match the headline version number but Sophos do provide the correct version number at /Library/Sophos Anti-Virus/product-info.plist and have made it clear this is the correct place to check it. Note: It is also the correct place to check which type you have installed - Sophos Home Edition Sophos Standalone Edition Sophos Managed Edition (i.e.

Sophos Enterprise Console) Sophos Cloud Edition By checking the type you can see if people are running the wrong one and not confuse those in any license counts. Defaults read /Library/Sophos Anti-Virus/product-info Product gives you a number that indicates the product type. 1B897C99-EBD6-430D-AA97-EF71E7AC6C15 = home edition C7CC7924-277E-431D-88E7-F6C956AD24D9 = standalone edition F9A0034E-6549-41ED-BD37-88CF2AA4CC8A = managed edition F268E38B-F647-4E06-AA73-3F3C2850E6F5 = sophos cloud edition Clearly people should not be running the home edition on work computers. Wow this is a big thread. I seem to only have to deal with getting a working Sophos package every couple of years. Most of the time it all gets updated via the SEC. Read this thread to refresh my knowledge of deploying Sophos.

So much of information here. That is an amazing script for removing any version of Sophos.

It works for me but when I run it I do see an error that says 'line 15: : /Library/Application Support/Sophos: binary operator expected' That line reads 'elif -d /Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg ; then' But it does seem to work. I used to install Sophos and then package with Composer but thanks to the tips in this thread I'm now using the.mpkg that is on the SEC in /Sophos Update/CIDs/S000/ESCOSX/ The problem I had at first was that Casper would give me this error that it couldn't verify the package or something to do with the integrity. I had a feeling that it was something to do with it being an.mpkg as it would install perfectly on a workstation on its own. So I went back to searching JAMFnation on mpkg and and found a tip from where he said to 1. Add the pkg to the policy, then under the action pop up select 'Cache' 2. Then under the maintenance section check the box that says x Install cached packages. So my policy first runs the script to clear out any former install of Sophos.

Then it pushes out the.mpkg file to the machine and caches it. Then installs any cached packages. Other than that one error it all works great. A little digging around JAMFNation and I'm all set. This is an amazing community. @rtoughton Quite some time ago I adapted Richard's original script to allow deploying the paid for but standalone version of SAV9.0.x, more recently I have updated my modified script to allow deploying SAV 9.2.2 see my article here and follow the pastebin link to get a copy of the script. The process is basically the same as Richard's original one - using Packages to build an installer package containing the Sophos installer application along with the now externally stored update settings, and then running (my version of) a post-install script.

9.2.2

This works fine to deploy the standalone version on versions of OS X from 10.6 all the way up to and including 10.10.1. I did mention it on my webpage and earlier in this thread. For the Sophos standalone version you pre-configure the Sophos installer application as per their instructions here You then package up the Sophos installer application and these settings (using Packages) and run the post-install script to install both. The Sophos installer app will look for the settings that should be included with it.

The settings used to be inside the Sophos installer application but are now in a folder outside the application - this folder is called 'Sophos Installer Components' and contains a file called 'updateconfig.xml'. So the installer package needs to deliver both 'Sophos Installer.app' and 'Sophos Installer Components' (at the same level) I did this by putting both into a folder and delivering the parent folder. As I don't have a Windows server I am using the standalone version of Sophos as mentioned. If Sophos Enterprise Console now stores the settings outside of the Sophos Installler.app and if it now uses the Sophos Installer.app rather than a package then a similar approach should be possible. I have had Sophos 9.1.7 working fine in our environment, has the update server name, and auto update as it should. I repackaged the provided mpkg with a pkg, doing a snapshot in Composer. Has been working (does require a reboot) Now I have an updated 9.1.8 mpkg, and the Sophos admins, want to include a GroupPath, grouppath.list, in the mpkg.

Did that, but this just doesn't install correctly / work anymore. Is there an ultimate destination that this grouppath.list (or information contained thereof) is located PostInstall, that way, I can just include that with Composer. Any experiences / feedback greatly appreciated. @rtoughton As you are hopefully aware you need Sophos Anti-Virus 9.2.2 for full Yosemite compatibility, I think the latest version is now 9.2.3. I deploy the standalone (paid for) version of 9.2.2 using a tweaked version of Richard Troughton's original solution as documented here with my tweaked version here I pre-configure the Sophos installer application to include the download credentials to get updates direct from Sophos.

As a reminder I don't have a Windows server to run Sophos Enterprise Console and hence cannot distribute updates internally. I realise some people here need to deploy the Enterprise Console managed version and when I did last use this in a previous job where I had a Windows server to run it on it used to be the case that when a migration from one major version of SAV to another was taking place you could chose which to subscribe to to get updates to host on your server. Either you would replace your soon to be obsolete one and only have the new one, or you would create an additional separate folder - aka.

I would presume a similar process still occurs so you might want to look at whether a 9.2.2 based option is now available. Greetings all. We've always had issues with our Mac Sophos clients, and our install base was an inconsistent and rather unprotected mess. When we set up a new Sophos server, we decided to use this as an opportunity to remove the messed up installations on our Macs and have our clients all configured consistently and talking to the new Enterprise Console. I was having issues getting Sophos 9.1.8 deployed; the installer would run as a policy from Casper but the autoupdate settings would not be properly populated in a consistent manner. I was referred to the guide already referenced here: I modified that approach for our environment and it has been working great so far.

A couple notes on our environment:. Most of our Macs already have Sophos 9.x installed. The few that have no Sophos installed or still have Sophos 8 installed are excluded from our policy and will be remediated separately. We've been using Iceberg to make our packages, so some options and what-not may be a little different OK, so first we created an installer with our Enterprise Console with the appropriate settings we want. We then took a clean machine and manually ran this installer so that everything was configured properly. We then grabbed the following files to distribute later:. /Library/Preferences/com.sophos.sau.plist.

/Library/Sophos Anti-Virus/Sophos.keychain We then created a new project in Iceberg on an admin machine. We configured it to copy our Enterprise installer and the two files we harvested into a non-obvious local folder on the drive. For argument sake we'll call it /Library/MrFluffyKins. I had the same thought as and decided to script it. That was working great with the pkg installer from the previous version. I just had to update our script to work with the app installer. Here it is in case someone else finds it useful.

We aren't hardcoding the update settings; instead, we're using the grouppath.plist to specify a group in which to enroll in the Enterprise Console. That group's settings determine primary and secondary update servers, definition update frequency, etc. #!/bin/sh # InstallSophos.sh # Mount Sophos share echo 'Mounting SOPHOSAV.' Jamf mount -server 'sophos.mydomain.com' -share 'SophosUpdate' -type 'smb' -username 'username' -password 'password' # Copy package to machine echo 'Copying package to local directory.' Cp -R '/Volumes/SophosUpdate/CIDs/S000/ESCOSX/Sophos Installer.app' /tmp/ cp -R '/Volumes/SophosUpdate/CIDs/S000/ESCOSX/Sophos Installer Components' /tmp/ # Unmount Sophos share echo 'Unmounting SOPHOSAV.'

Jamf unmountServer -mountPoint /Volumes/SophosUpdate # Add install data for Mac group in Enterprise Console echo 'Setting group path info.' GroupPath='/tmp/Sophos Installer Components/RMS/grouppath.plist' echo ' $groupPath echo '

Sleep 15 /usr/bin/sophosupdate # Remove tmp files rm -rf '/tmp/Sophos Installer.app' rm -rf '/tmp/Sophos Installer Components' exit 0 I find that sometimes that initial Auto Update doesn't work because it takes time for the Enterprise Console's group settings to apply to the client. Usually a reboot seems to fix this. If any one knows of a way to expedite this process, please share!

My method is known to work with the Sophos Home Edition and the Sophos Standalone Edition, it might in theory also work with the Sophos Cloud Edition. It has not however been tested with the Enterprise Console Managed version. I have not had access to Sophos Enterprise Console for quite some time which is why I had to find a way of creating a standard Apple installer package approach for deployment. My approach is based on a script originally written by you could try my modified version as the basis for a solution. The address for it is listed earlier in this discussion. Yeah, what said. I did my proof of concept for Sophos AV/SEC on the former package and just when I was waiting for my purchase order to go through (February, I believe) the 'recommended' version changed to the app installer.

It was with a bit of trepidation that I tried Rich's method (I, of limited scripting ability - and ugh, have to learn another 3rd party tool). It was more simple than I imagined (Rich did all of the heavy lifting for us) and the resulting installer worked great for my entire deployment via policy.

I'm trying to do a simple pkg that wraps the Sophos Cloud install app and there has to be something I am completely missing. It I take the app and support plist from the zip file and run the terminal install command everything is fine. It downloads and installs silently in the background without issue. Once I take that line and put it into the postinstall of my new package it no longer works. The last thing to show up in the install.log is: Sophos Bootstrap382: SMESophosBootstrapAppDelegate.m:1329 System Verified After that nothing happens. The content is supposed to be downloaded at this point but the process will hang indefinitely (the only other log entry that would show up after this is the notification that the install is complete). Can anyone help me out with what might be going on here?

I feel like I'm missing something obvious. I literally repackaged our Sophos installer 2 days ago. +1 to about using a different directory. I started by trying to package the installer in /private/tmp so it would be cleared on a reboot and it would just sit for hours and hang.

Ended up repackaging so it was in /Users/Shared/Downloads with a postflight script: sudo /Users/Shared/Downloads/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer -install and it worked first go. Installed in a matter of minutes. Hope that helps! Our old package was a pre and post capture of a full install and it was a bit of a hit and miss on some of our Macs. This is much cleaner.

Can't explain why but hopefully this saves your sanity. Here is a rough way to execute the silent install from /private/tmp Create a custom Sophos Install package and include a script to kick off the silent install at /private/tmp/SophosInstall/ installsophos.sh: #!/bin/bash /private/tmp/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer -install Execute the installsophos.sh script from a postinstall script in your custom Sophos Install package: #!/bin/bash /private/tmp/SophosInstall/installsophos.sh. Wallpaper weekends: morning dew for mac free. As mentions you can create a pre-configured stand-alone installer as per that Sophos article. As mentions has done an excellent job of detailing how to deploy a pre-configured managed copy of the Sophos installer. (Is this a record for the number of people referenced;) ) What you can do when deploying a pre-configured stand-alone copy of the Sophos installer (via a package) is to have a pre-install script which uninstalls any existing copy first, this ensures the newly installed copy is not contaminated by old settings.

This is how I do it.

I used Home Edition in this example because it was free and I could test it easily. I would not recommed using Home Edition at a business because that’s not what it’s meant for.

It appears that the governing EULA here is Sophos’ End User License Agreement for Consumers: The relevant section is this one: ——- 3. RIGHTS AND RESTRICTIONS 3.1 LICENSE TERM.

This End-User License Agreement starts when you download the Licensed Product and shall continue until terminated as provided in Clause 9 below. Your obligations under this End-User License Agreement in respect of the intellectual property and confidential information of Sophos shall survive any expiry or termination of this End-User License Agreement.