So we're looking to move from our old SEC to Sophos Cloud and SAV 9.x. I've been following Rich and jelockwood's instructions to build a native .pkg installer for SAV 9.x but have hit a snag.
When I download the "Sophos Installer.app" from our demo Sophos Cloud environment and build a package out of it, the postflight script fails to install the software. This is because, I think, the v9.1.4 installer I'm downloading doesn't appear to have the InstallationDeployer binary tool in it anymore. The post flight script calls for this tool but it's nonexistent so the script fails.
Any ideas? Is there somewhere else to obtain the Sophos Installer.app?
https://www.dropbox.com/s/bch3vsweijqt4hw/sophos9_grrr.png
Ah ha, I figured it out. At some point between 9.0.3 and the current 9.1.4, Sophos decided to rename the binary tool that's embedded in their .app installer. It's now called "Sophos Installer" and not "InstallationDeployer". Yes, some software engineer wizard decided to put a space in the name of their new Unix binary...
So you just have to modify Rich or John's postflight script to reflect this new binary name. Just replace every instance of "InstallationDeployer" with "Sophos Installer" and be sure to enclose in quotes so the space(s) are ignored.
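A postflight can look for the embedded tool under either name, so one package works with both the 9.0.x and the 9.1.4 installer apps. This is an added sketch, not Rich's or John's script: the helper name `find_sophos_tool` is hypothetical, and because the thread does not give the tool's exact location inside the bundle, it searches everything under Contents/MacOS.

```shell
#!/bin/sh
# Added example: locate the Sophos deployment tool inside an installer app
# bundle, whichever of the two names from this thread it carries.
# find_sophos_tool is a hypothetical helper, not part of any Sophos tooling.
# Usage in a postflight: tool=$(find_sophos_tool "/path/to/Sophos Installer.app")
# then run "$tool" with the arguments the existing postflight already passes.

find_sophos_tool() {
    app="$1"
    if [ ! -d "$app/Contents/MacOS" ]; then
        echo "ERROR: $app has no Contents/MacOS directory" >&2
        return 2
    fi
    # Older name first, then the renamed binary. The second name contains a
    # space, so every expansion below stays inside double quotes.
    for name in "InstallationDeployer" "Sophos Installer"; do
        # sort makes the choice deterministic if the name occurs more than once.
        tool=$(find "$app/Contents/MacOS" -type f -name "$name" | sort | head -n 1)
        if [ -n "$tool" ] && [ -x "$tool" ]; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    echo "ERROR: neither InstallationDeployer nor \"Sophos Installer\" found in $app" >&2
    return 1
}
```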
@damienbarrett
Glad you sorted it. I just downloaded the current official versions of the free Sophos Home Edition installer, which is 9.0.8, and the Sophos Stand-alone installer, which is 9.0.10; both still use a binary named InstallationDeployer. The release notes suggest 9.1.4 is not yet an official release, i.e. it is a preview version. I don't appear to have access to the preview versions.
If you could tell me the exact file name for the cloud installer version I will modify my script to support it as well.
You can see it in my screenshot in my Dropbox above. They appear to have changed the name from "InstallationDeployer" to "Sophos Installer"
I simply modified your script to call the new binary and it worked beautifully.
Still can't believe their software engineer called the binary "Sophos Installer", complete with a space.
@damienbarrett
I meant the name of the Sophos application it is in e.g. "Sophos Installer.app" or "Sophos Anti-Virus Home Edition.app" and not the name of the enclosed binary which you quite rightly point out is in your screenshot.
Ah, it's called "Sophos Installer.app". It's version 9.1.4.
After it updates from the Cloud, it becomes 9.1.5. Perhaps they'll eventually re-jigger the Sophos Cloud to offer a 9.1.5 installer...
We recently moved our SEC to a new server and need to shut down the old one.
I tried using Composer to do a snapshot then entered the new AutoUpdate path and then created a dmg. Didn't work on a test Mac.
What is the best method to update the AutoUpdate Address to our new SEC server? All other settings are the same.
Thanks!
Corbin
@corbin3ci
It's been a while since I ran Sophos Enterprise for Mac clients, but as I remember you set up a CID for the Mac version of Sophos and get SEC to download and populate it from Sophos' servers. You also use SEC to configure the CID with settings for the Macs including the auto-update settings.
Normally you would have the primary server as the credentials to access the CID on your file server, and the secondary server would be set to download directly from Sophos in case your file server is not accessible.
If you set up a new SEC and presumably also a new CID then I would do the same thing, i.e. setup the new CID, populate it and configure it. Then in answer to your question I would then copy the contents of the new CID in to the old CID directory. I would make sure the old SEC is turned off so it does not alter the new contents. You will need to keep the old file server running for a while so that the Mac clients can 'update' from the old CID and get the new auto-update details it contains which will then thereafter direct the Mac clients to the new CID.
For those less familiar with Sophos terminology, CID stands for "Central Installation Directory" and is the shared folder on a file server containing the Sophos Anti-Virus installer, settings and updates. You have a CID per version you are using e.g. Mac, Windows, Linux.
Sorry this doesn't help OP, but for anyone else looking for helpful SEC info, in v9 you can finally have the installer point clients to the right message relay.
http://www.sophos.com/en-us/support/knowledgebase/119791.aspx
After reading everyone's posts and external links, I found that the best method is to deploy the Sophos Anti-Virus.mpkg followed by a .dmg file created in Composer.
Installing it on a clean Mac, I did the initial Sophos install, then fired up Composer to take a snapshot, then populated the auto-update preferences, quit Sophos then finish running Composer.
Need to test a few more Macs before pushing it out to the general audience.
Corbin
@corbin3ci
It is now only possible to deploy a Sophos Anti-Virus.mpkg if you have a Windows Server and are running Sophos Enterprise Console as this is the only method to get a genuine Sophos produced installer package (or mpkg). This issue is what started this whole thread off in the first place.
The Sophos standalone installer, the Sophos cloud installer, and the free home edition installer are all custom applications and not installer packages.
The solution Richard Trouton and myself came up with was wrapping the Sophos installer application in an installer package along with a script to deploy i.e. run the application. This installer package can of course then be put in a disk image if needed.
Yes, making an installer by using Composer to take a snapshot would be an approach, but a cleaner, more genuine installer is as per Richard's and my solution.
Note: There is a command-line tool inside the Sophos installer app (right click and open package) which lets you pre-configure the auto-update credentials. If you do this before putting it in an installer package the installer package will keep those settings since the script is running the same Sophos installer application and the settings are stored inside the application you are including in the installer package.
As a reminder on how to pre-configure the Sophos application see http://www.sophos.com/en-us/support/knowledgebase/119744.aspx
It works great once we found how to do this. I can deploy the resulting package via DeployStudio, Apple Remote Desktop, Munki, etc. or even run it manually and clients properly remove any old version of Sophos if there is one, install the new version and get the auto-update credentials automatically. It works on all supported OS X versions which for Sophos SAV 9 means 10.6 to 10.9 at the moment.
All great suggestions but I still ended up using Composer to package the latest version of 9. Even after creating the pre-configured package as stated above. Really, for the following two reasons
1) The pre-configured package still requests the user to click through even when called using the script mentioned (which needed slight corrections) via Self-Service.
2) I prefer Self-Services un-install process over the Sophos uninstaller.
At my previous shop I had a nightmare with version 9 and Sophos end technical support getting me to download a Home edition standalone version!
It was a relatively small environment at the time and it meant there was too much problem with installing the original mpkg installer on the clients and waiting for the policies to be applied to the machines.
In a larger environment, it isn't feasible to wait for the policies to apply.
I have managed to follow all the instructions and found John's the clearest
http://jelockwood.blogspot.co.uk/2014/03/deploying-sophos-anti-virus-on-mac.html
Rich's blog here http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/
I changed the script around to allow for an uninstall of all SAV versions
http://pastebin.com/L7ZceVpW
This worked, but unfortunately this isn't any use to me because the end result is that the client machine has no RMS and will not talk to the Sophos Enterprise Console.
@CasperSally Thanks for link.
Looks like for SEC this is the only thing we can do in the Enterprise where we are still reliant on the clients communicating with SEC.
I'm not sure how this is going to work if there are lots of different groups the clients need to be assigned to in SEC!
It's a shame Sophos are not listening because this has been an outstanding problem for a long time.
If your company uses Active Directory, the SEC can scope to computer groups. Or, you can set up manual groups in the SEC and apply different scanning policies to them. It's actually not too bad (depending on how large your environment is, anyway). I just set up an SEC and deployed our clients from the SEC's mpkg and could probably answer some basic questions about it if you want, @tkimpton.
Hi For Mac Sophos deployment you can Create MacOSX client AV package
Go to c:\programdata\sophos\update manager\update manager\CIDs\S000\ESCOSX
Zip “Sophos Anti-Virus.mpkg” folder
do not use RAR format, it does not work well on the Mac afterwards for some reason…
You can launch this mpkg on any Mac by double clicking on it! :) Or using Policy to deploy it to the managed machines.
@emilykausalik thanks, that's what I think is the only way as well.
@thuluyang Yes thanks we know that ;)
Hi guys
It seems it is possible to create a Sophos Installer with the autoupdate settings. I first need to clarify what the OLD method used to be so that this makes sense.
- In version 8 and below an administrator used to be able to get the Sophos Anti-Virus.mpkg off the network share of your Sophos Enterprise Console server
e.g.
smb://yourserver/SophosUpdate/CIDs/S000/ESCOSX/Sophos Anti-Virus.mpkg
2. Edit the mrinit inside the mpkg
On a test machine install Sophos Anti-Virus.mpkg and configure the sophos updating manually and the usernames and passwords get written to a plist but they are obfuscated.
copy the file /Library/Preferences/com.sophos.sau.plist and put it in the location here
Sophos Anti-Virus.mpkg/Contents/Packages/SophosAU.mpkg/Contents/Resources/com.sophos.sau.plist
- Change the mrinit.conf in Sophos Anti-Virus.mpkg/Contents/Packages/SophosRMS.mpkg/Contents/Resources/ appropriately
Now that's all well and good but the problem in version 9 and above is that the SophosAU.mpkg doesn't exist any more in the Sophos Anti-Virus.mpkg
Instead for version 9+ the credentials are not stored in the /Library/Preferences/com.sophos.sau.plist but in a keychain.
/Library/Sophos Anti-Virus/Sophos.keychain
So what you need to do differently is at step 4 by packaging up the Sophos.keychain, make sure the com.sophos.sau.plist just includes the PrimaryServerURL (not the obfuscated credentials) and include those in your deployment workflow :)
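A pre-packaging check for the version 9 workflow described above, as an added example that is not part of the original post: it fails if the com.sophos.sau.plist staged for the package contains any key other than PrimaryServerURL. The helper name `check_sau_plist` is hypothetical, and the file is assumed to be in XML form.

```shell
#!/bin/sh
# Added example (not from the thread): gate the version 9 packaging step on the
# staged com.sophos.sau.plist holding PrimaryServerURL and nothing else.
# Assumes an XML plist; on OS X a binary one can be converted first with
#   plutil -convert xml1 -o staged.plist /Library/Preferences/com.sophos.sau.plist
# check_sau_plist is a hypothetical helper name.

check_sau_plist() {
    plist="$1"
    if [ ! -r "$plist" ]; then
        echo "ERROR: cannot read $plist" >&2
        return 2
    fi
    # Every <key> name anywhere in the file, one per line, de-duplicated.
    keys=$(grep -o '<key>[^<]*</key>' "$plist" | sed 's/<key>//; s/<\/key>//' | sort -u)
    if ! printf '%s\n' "$keys" | grep -q -x 'PrimaryServerURL'; then
        echo "ERROR: PrimaryServerURL is missing from $plist" >&2
        return 1
    fi
    # Anything besides the allowed key is treated as a leftover setting,
    # such as the obfuscated credentials older versions wrote to this file.
    extra=$(printf '%s\n' "$keys" | grep -v -x 'PrimaryServerURL' || true)
    if [ -n "$extra" ]; then
        echo "ERROR: unexpected keys in $plist:" $extra >&2
        return 1
    fi
    return 0
}
```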
I found this to be super easy... assuming that you really don't care about enterprise console distro.
1) As per http://www.sophos.com/en-us/support/knowledgebase/119744.aspx build a pre-configured installer Application as mentioned above.
2) After you've created the custom pkg with your associated accounts info and update schedule. Run composer and then install. Create a .dmg out of that and presto, you're A-OK.
This method works beautifully for me and makes future "un-installs" trivial (not that it was that complicated in the first place).
@Chris_Hafner yes, that's correct for a STANDALONE, but as already stated, for those of us reliant on the Windows SEC this is not going to work because the standalone installer doesn't have RMS (will not communicate to your Sophos Enterprise Console)
@tkimpton
Heh, yea, sorry. I lost track of the thread and kind of replied without re-reading where everyone was in the post. Sorry about that ;-)
Using @tkimpton's info about the Sophos.keychain file, I was able to build a Sophos enterprise installer that works for both AD-bound and unbound Macs in my shop. I have a post with the details available here:
http://derflounder.wordpress.com/2014/09/02/deploying-sophos-enterprise-anti-virus-for-mac-os-x-9-x/
@rtrouton awesome, thanks rich :)
Our office just did a Sophos Cloud deploy. We found the only way to have the Sophos Installer install correctly with unique device names is to create a DMG in Composer. The trick is to do the following steps:
Open Casper Composer (New & Modified Snapshot).
Take the Before Snapshot
Once the Before Snapshot is complete, run the Sophos Installer provided from the Sophos Cloud website.
The critical step to getting the snapshot correct is to:
Open Keychain Access, located in /Applications/Utilities.
Select the Sophos Keychain and choose the Category All Items
Delete the two Sophos Keychain entries:
Primary Server
Sophos Cloud Credentials
Open Activity Monitor, also located in /Applications/Utilities.
Highlight the process SophosMcsAgentD
Choose the icon to Kill the process.
Finally take the After Snapshot.
To un-install Sophos 9.1 before installing Sophos Cloud, Mark Posey wrote this script to run BEFORE the Sophos Cloud install.
#!/bin/bash
# Purpose: To remove Sophos local distribution and install cloud distribution
# Configuration
# The path contains a space ("Application Support"), so it is kept in a quoted variable
DEPLOYER="/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer"
# Uninstall Sophos 9.1.X (Local distribution)
if ! "$DEPLOYER" --remove; then
  echo "ERROR: Failed to uninstall"
  exit 1
fi
echo "NOTICE: Removal of Sophos local distribution is successful"