Question

Deploying Sophos Anti-Virus for Mac

  • February 20, 2014
  • 114 replies
  • 456 views



  • New Contributor
  • February 13, 2015

Greetings all. We've always had issues with our Mac Sophos clients, and our install base was an inconsistent and rather unprotected mess. When we set up a new Sophos server, we decided to use this as an opportunity to remove the messed up installations on our Macs and have our clients all configured consistently and talking to the new Enterprise Console. I was having issues getting Sophos 9.1.8 deployed; the installer would run as a policy from Casper but the autoupdate settings would not be properly populated in a consistent manner. I was referred to the guide already referenced here:

https://derflounder.wordpress.com/2014/09/02/deploying-sophos-enterprise-anti-virus-for-mac-os-x-9-x/

I modified that approach for our environment and it has been working great so far.

A couple notes on our environment:

  • Most of our Macs already have Sophos 9.x installed. The few that have no Sophos installed or still have Sophos 8 installed are excluded from our policy and will be remediated separately.
  • We've been using Iceberg to make our packages, so some options and what-not may be a little different.

OK, so first we created an installer with our Enterprise Console with the appropriate settings we want. We then took a clean machine and manually ran this installer so that everything was configured properly. We then grabbed the following files to distribute later:

  • /Library/Preferences/com.sophos.sau.plist
  • /Library/Sophos Anti-Virus/Sophos.keychain

We then created a new project in Iceberg on an admin machine. We configured it to copy our Enterprise installer and the two files we harvested into a non-obvious local folder on the drive. For argument's sake we'll call it /Library/MrFluffyKins. We then added the following preflight script which invokes the existing Sophos removal tool on clients and then deletes old files that had been used by Sophos:

#!/bin/sh

# ** REMOVE SOPHOS ANTI-VIRUS ***
# 2015-01-28 cforte

# Remove Current Install (path quoted because "Application Support" contains a space)
"/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove

# Timer to delay next steps until the removal process completes
sleep 30

# Delete Sophos Files (paths with spaces quoted so each rm targets one directory, not two)
rm -fr "/Library/Sophos Anti-Virus"
rm -fr "/Library/Application Support/Sophos"
rm -fr "/Library/Application Support/Sophos Anti-Virus"
rm -f /Library/Preferences/com.sophos.*

exit 0

We then added the following postflight script which runs the installer we dumped on the local drive, copies the update files we had grabbed earlier, and relaunches Sophos:

#!/bin/sh
# Reinstall Sophos Anti-Virus
# 2015-02-11 cforte
# Postflight script for a package that copies the installer to the /Library/MrFluffyKins folder and invokes the appropriate flags to install Sophos properly and copies settings files to appropriate locations

# Install cached package
installer -pkg '/Library/MrFluffyKins/Sophos Anti-Virus.mpkg' -target /

# Timer to give time for installation processes to complete before moving on
sleep 45

# Remove incorrect update files (path with a space quoted)
rm -f "/Library/Sophos Anti-Virus/Sophos.keychain"
rm -f /Library/Preferences/com.sophos.sau.plist

# Move update settings files to their appropriate locations
mv -f /Library/MrFluffyKins/Sophos.keychain "/Library/Sophos Anti-Virus/"
mv -f /Library/MrFluffyKins/com.sophos.sau.plist /Library/Preferences/

# Relaunch Sophos to load new settings
/bin/launchctl unload /Library/LaunchDaemons/com.sophos.configuration.plist
/bin/launchctl load /Library/LaunchDaemons/com.sophos.configuration.plist

exit 0

When building the package, I had to make sure that it was set to run with elevated privileges. To be safe, I also set permissions on the installer and settings files dumped in the MrFluffyKins folder so that everyone had read/execute rights. After building that and deploying it as a policy in Casper, it has been working on machines from OS X 10.6 - 10.10.
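Both scripts above wait with a fixed sleep and spell several paths that contain spaces. The following is an added example, not code from the post, showing two small helpers a preflight/postflight pair can use instead: a polling wait with a timeout, and a removal that checks each path exists and keeps it as a single quoted argument. The Sophos paths and the /Library/MrFluffyKins cache folder are the ones named in the post; the function names, and the use of the com.sophos.configuration LaunchDaemon plist appearing as the "install finished" marker, are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the post above: helpers for the preflight/
# postflight pattern. Sophos paths and the /Library/MrFluffyKins folder follow
# the post; function names and the wait condition are this example's own.

# wait_for_condition MAX_SECONDS COMMAND [ARGS...]
# Polls COMMAND once a second until it succeeds or MAX_SECONDS pass.
# Returns 0 when the condition held, 1 on timeout. Used in place of a fixed
# "sleep 30"/"sleep 45": fast Macs move on sooner, slow ones are not cut off.
wait_for_condition() {
    max_wait="$1"; shift
    elapsed=0
    while [ "$elapsed" -lt "$max_wait" ]; do
        if "$@" 2>/dev/null; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    "$@" 2>/dev/null   # final check, so a condition met on the last tick counts
}

# remove_paths PATH...
# Removes each path that exists. Every argument stays quoted, so
# "/Library/Sophos Anti-Virus" is one target and not "/Library/Sophos" plus
# "Anti-Virus" in the current directory. Prints how many paths were removed.
remove_paths() {
    removed=0
    for p in "$@"; do
        if [ -e "$p" ] || [ -L "$p" ]; then
            rm -rf "$p"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Postflight as the post describes it, with the fixed sleep replaced. The post
# loads /Library/LaunchDaemons/com.sophos.configuration.plist after the install,
# so that file appearing is taken here as the sign the installer has finished.
sophos_postflight() {
    installer -pkg '/Library/MrFluffyKins/Sophos Anti-Virus.mpkg' -target / || return 1
    wait_for_condition 180 test -f /Library/LaunchDaemons/com.sophos.configuration.plist || return 1
    remove_paths "/Library/Sophos Anti-Virus/Sophos.keychain" /Library/Preferences/com.sophos.sau.plist >/dev/null
    mv -f /Library/MrFluffyKins/Sophos.keychain "/Library/Sophos Anti-Virus/"
    mv -f /Library/MrFluffyKins/com.sophos.sau.plist /Library/Preferences/
    /bin/launchctl unload /Library/LaunchDaemons/com.sophos.configuration.plist
    /bin/launchctl load /Library/LaunchDaemons/com.sophos.configuration.plist
}

# Only touch the system when explicitly asked, so sourcing this file for its
# helpers changes nothing on the machine.
if [ "${SOPHOS_RUN_POSTFLIGHT:-0}" = "1" ]; then
    sophos_postflight
fi
```

Run it as the package postflight with `SOPHOS_RUN_POSTFLIGHT=1`; the preflight can use the same helpers with `test ! -e` on whatever the removal tool leaves behind last on your version.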


  • Contributor
  • March 11, 2015

I had the same thought as @lisacherie and decided to script it. That was working great with the pkg installer from the previous version. I just had to update our script to work with the app installer. Here it is in case someone else finds it useful. We aren't hardcoding the update settings; instead, we're using the grouppath.plist to specify a group in which to enroll in the Enterprise Console. That group's settings determine primary and secondary update servers, definition update frequency, etc.

#!/bin/sh

# InstallSophos.sh

# Mount Sophos share
echo "Mounting SOPHOSAV..."
jamf mount -server "sophos.mydomain.com" -share "SophosUpdate" -type "smb" -username "username" -password "password"

# Copy package to machine
echo "Copying package to local directory..."
cp -R "/Volumes/SophosUpdate/CIDs/S000/ESCOSX/Sophos Installer.app" /tmp/
cp -R "/Volumes/SophosUpdate/CIDs/S000/ESCOSX/Sophos Installer Components" /tmp/


# Unmount Sophos share
echo "Unmounting SOPHOSAV..."
jamf unmountServer -mountPoint /Volumes/SophosUpdate

# Add install data for Mac group in Enterprise Console
# ($groupPath contains spaces, so it is quoted at every use)
echo "Setting group path info..."
groupPath="/tmp/Sophos Installer Components/RMS/grouppath.plist"
echo '<?xml version="1.0" encoding="UTF-8"?>' > "$groupPath"
echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> "$groupPath"
echo '<plist version="1.0">' >> "$groupPath"
echo '<dict>' >> "$groupPath"
echo '<key>GroupPath</key>' >> "$groupPath"
echo '<string>SOPHOSMac</string>' >> "$groupPath"
echo '</dict>' >> "$groupPath"
echo '</plist>' >> "$groupPath"

# Install package
echo "Installing Sophos app..."
"/tmp/Sophos Installer.app/Contents/MacOS/tools/InstallationDeployer" --install

# Trigger initial auto update
echo "Performing initial auto update..."
sleep 15
/usr/bin/sophosupdate

# Remove tmp files
rm -rf "/tmp/Sophos Installer.app"
rm -rf "/tmp/Sophos Installer Components"

exit 0

I find that sometimes that initial Auto Update doesn't work because it takes time for the Enterprise Console's group settings to apply to the client. Usually a reboot seems to fix this. If anyone knows of a way to expedite this process, please share!
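The eight echo lines above build grouppath.plist by hand, and whether the redirection to an unquoted path with spaces works depends on the shell (bash run as bash reports an ambiguous redirect). As an added example, not code from the post, here is the same file produced by one function that takes the group path as an argument, escapes XML-special characters so a group name like "Labs & Classrooms" cannot corrupt the plist, and reads the value back so the script can confirm it before InstallationDeployer --install runs. The plist layout is the one in the post; xml_escape, write_grouppath_plist and read_grouppath are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the post above: writes the RMS grouppath.plist
# from a group-path argument and reads it back for a sanity check. The plist
# layout (a single GroupPath key) is taken from the post; the function names
# are this example's own.

# xml_escape STRING
# Escapes the five XML special characters so the group path cannot break the
# plist or be misread by the installer's parser.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_grouppath_plist FILE GROUP_PATH
# Creates FILE's directory if needed and writes the plist via a heredoc, so the
# target path is quoted once and the document is visible as one block.
write_grouppath_plist() {
    file="$1"
    group="$(xml_escape "$2")"
    mkdir -p "$(dirname "$file")"
    cat > "$file" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>GroupPath</key>
  <string>${group}</string>
</dict>
</plist>
EOF
}

# read_grouppath FILE
# Prints the GroupPath value with XML escapes undone, so a caller can compare
# it with the intended group before triggering the install.
read_grouppath() {
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$1" \
      | sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' \
            -e "s/&apos;/'/g" -e 's/&amp;/\&/g'
}

# Usage matching the post's script; only runs when asked, so the file can be
# sourced for its helpers without writing anything.
if [ "${SOPHOS_WRITE_GROUPPATH:-0}" = "1" ]; then
    groupPath="/tmp/Sophos Installer Components/RMS/grouppath.plist"
    write_grouppath_plist "$groupPath" "SOPHOSMac"
    [ "$(read_grouppath "$groupPath")" = "SOPHOSMac" ] || { echo "grouppath.plist check failed" >&2; exit 1; }
fi
```

Group paths in Enterprise Console use backslashes as separators; those pass through untouched, since only the XML metacharacters are rewritten.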


  • Contributor
  • March 19, 2015

@jagress how did you handle existing installations of Sophos Clients? Was this only for machines that didn't have it?


  • Contributor
  • March 19, 2015

@wmateo I first run an uninstall script.

I think there are some examples in this thread. Though I had some issues with the Sophos uninstaller not working 100% over the summer, so I ended up scripting my own.


  • Contributor
  • March 26, 2015

@jelockwood I might try your method. However, what about the Sophos Installer Components? Do you still need them with the .mpkg? I didn't see mention of that.


  • Author
  • Contributor
  • March 26, 2015

@wmateo My method is known to work with the Sophos Home Edition and the Sophos Standalone Edition; it might in theory also work with the Sophos Cloud Edition. It has not, however, been tested with the Enterprise Console Managed version.

I have not had access to Sophos Enterprise Console for quite some time, which is why I had to find a way of creating a standard Apple installer package approach for deployment. My approach is based on a script originally written by @rtrouton; you could try my modified version as the basis for a solution. The address for it is listed earlier in this discussion.


bentoms
  • Hall of Fame
  • March 26, 2015

@wmateo You'll need the installer components directory to be in the same enclosing folder as the folder the Sophos Enterprise Console's installer is in.

For ease, I'd copy the ESCOSX folder (or whatever it's called).

To test, move the installer components folder to another location & try the install via the GUI.


  • Contributor
  • March 26, 2015

@bentoms Thank you for that. I tried to install the .app with the components folder elsewhere and it failed, so I have to package everything into one folder, then deploy to clients, and run a post install to copy over the preferences and keychain as referenced in @rtrouton's blog. Plus I have to use a removal script that uninstalls 8.x and 9.1.x versions as well. I thank Sophos for keeping me employed! There is a positive in this!!! lol

Thanks @jelockwood I will def take pieces from your removal script.


bentoms
  • Hall of Fame
  • March 26, 2015

@wmateo FWIW, I didn't need to copy over the plist or keychain.

But I'm not doing an upgrade.


  • Contributor
  • March 26, 2015

@bentoms hmm. I will check that out and perform some more testing. I did read somewhere that if you are copying it from the ESCOX or whatever folder, it's supposed to have those AutoUpdate folder settings pointing to my Enterprise Console.


  • Hall of Fame
  • March 26, 2015

I have a post on how I'm deploying Sophos 9.2.x for Enterprise available from here:

https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/


  • Contributor
  • March 26, 2015

@rtrouton thanks!!


  • Contributor
  • March 26, 2015

@rtrouton just tried your method and it worked pretty good. Thank You for posting that.


  • Valued Contributor
  • May 6, 2015

Where is this mpkg on SEC that people are referring to? CIDs/S000/ESCOSX has Sophos Installer.app, not an mpkg. Is it somewhere else?


  • Hall of Fame
  • May 6, 2015

@tuinte,

Sophos recently changed the Enterprise installer so that it's no longer an installer package. I have a post on how I'm repackaging the install.app and deploying Sophos 9.2.x for Enterprise available from here:

https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/


  • Contributor
  • May 6, 2015

@tuinte Yeah, what @rtrouton said. I did my proof of concept for Sophos AV/SEC on the former package and just when I was waiting for my purchase order to go through (February, I believe) the "recommended" version changed to the app installer. It was with a bit of trepidation that I tried Rich's method (I, of limited scripting ability - and ugh, have to learn another 3rd party tool). It was more simple than I imagined (Rich did all of the heavy lifting for us) and the resulting installer worked great for my entire deployment via policy.


  • Honored Contributor
  • May 7, 2015

With our renewal it comes with hours for a service engagement. I requested help building a Sophos installer pkg and have something scheduled for early June. I'm curious what they come up with or suggest. I know I have Rich's method to fall back on.


  • Valued Contributor
  • May 7, 2015

Thanks all for the info. I built a package using Rich's method, and got it working, though I then stumbled across this Sophos article that gives the automatable command-line method of installing the Sophos Installer app. And this article details how to pre-configure the installer so it has all the server connection info included and enables On-Access scanning (which we require). I got this working, and, to me, it's simpler.


  • Contributor
  • May 9, 2015

Awesome post. This helped me with configuring my Deploy Studio imaging software.

I'm noticing it takes about 15-20 minutes for the machines to show up in Sophos Enterprise Console. Is there a command that'll force it to check in with the SEC as soon as it installs?


  • New Contributor
  • May 10, 2015

Rich writes: "Sophos recently changed the Enterprise installer so that it's no longer an installer package."

I have a hard time understanding how something that's not an install package can be considered (or called) an "Enterprise installer" #idonotthinkthatmeanswhatyouthinkitmeans

Keep complaining and filing issues with Sophos.


  • Hall of Fame
  • May 10, 2015

To clarify, I called it the Enterprise installer to associate it with the Sophos Enterprise product. Likewise, Sophos also has a Home installer and a Cloud installer.


BrysonTyrrell
  • Valued Contributor
  • June 4, 2015

I'm trying to do a simple pkg that wraps the Sophos Cloud install app and there has to be something I am completely missing.

If I take the app and support plist from the zip file and run the terminal install command, everything is fine. It downloads and installs silently in the background without issue.

Once I take that line and put it into the postinstall of my new package it no longer works. The last thing to show up in the install.log is:

Sophos Bootstrap[382]: [SMESophosBootstrapAppDelegate.m:1329] System Verified

After that nothing happens. The content is supposed to be downloaded at this point but the process will hang indefinitely (the only other log entry that would show up after this is the notification that the install is complete). Can anyone help me out with what might be going on here? I feel like I'm missing something obvious.


  • Hall of Fame
  • June 4, 2015

@brysontyrrell Can you post a sanitized postinstall somewhere that folks can take a look at it?


BrysonTyrrell
  • Valued Contributor
  • June 4, 2015

@rtrouton

I have pared it down to just this without success:

#!/bin/bash

policy="SophosCloud"
loggertag="jamfsw-it-logs"

# IT logging
log() {
echo "$1"
/usr/bin/logger -t "$loggertag: $policy" "$1"
}

# TRAP statement and cleanup items upon EXIT
cleanup() {
log "Starting cleanup"
log "Removing temp files"
/bin/rm -r /private/tmp/SophosInstall
}

trap cleanup EXIT
log "Installing Sophos Cloud"
# Path quoted: "Sophos Installer.app" and "Sophos Installer" both contain a space
"/private/tmp/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install

log "Running Recon"
/usr/sbin/jamf recon || log "jamf error code $?: There was an error running Recon"

exit 0

  • Hall of Fame
  • June 4, 2015

Just out of curiosity, is there also a tools directory located in /path/to/Sophos Installer.app/Contents/MacOS/ ?

The reason I'm asking is that running the install application from /path/to/Sophos Installer.app/Contents/MacOS/ on Sophos 9.1.x and later will cause the Sophos install application to launch in the dock and interfere with a normal installation via installer package.