Question

Deploying Sophos Anti-Virus for Mac

Forum|Forum|12 years ago
February 20, 2014
114 replies
456 views

jelockwood
Contributor

Sophos have gone from being one of the best Mac enterprise anti-virus solutions to (perhaps) the worst. Grrr.

Multi-platform organisations are likely to have a Windows server (or more than one) and can therefore run Sophos Enterprise Console to create and manage a Mac installer for Sophos Anti-Virus. I have done this in previous companies.

Previously Mac only organisations could use Sophos Update Manager to do much the same on a Mac server. Unfortunately SUM only supports SAV8 and does not support SAV9. SAV8 is being discontinued in April 2014 and does not officially support Mavericks. It is therefore urgent to move all Macs to SAV9 by April 2014.

If you have no Windows Server, and can no longer use SUM, this leaves two more possibilities, first you could use the standalone SAV9 installer. It is even possible to pre-configure the auto-update account details for this. Unfortunately Sophos have made this installer an application and not an installer package. As a result it cannot be deployed using Apple Remote Desktop, Casper, Munki, or any other Mac management tool. (The application needs to be run as an application on each client Mac to do the actual installation.) This stupid design is like the equally stupid approach taken by Adobe and Flash. However at least with Adobe Flash you can find if you look hard enough a standard package file to install Flash.

The final possibility and the one Sophos are pushing Mac only customers to, is to sign up for an extra cost subscription to Sophos Cloud. This does let you manage via the Cloud your Macs, it does let your Macs directly update from Sophos, but a) the website for Sophos Cloud is not 100% Safari friendly, and much more importantly b) the installer it produces is yet again an application and not an installer package!

The only approach that still gives you a proper installer package is via Sophos Enterprise Console running on a Windows server.

Other than Sophos Enterprise Console has anyone else found a solution to let you mass deploy SAV9?

Note: Yes if you install SAV9 manually on a Mac and then make a monolithic master disk image that would work, however I like many others now prefer to use a thin imaging approach (via InstaDMG or AutoDMG).

Show first post

Forum|pagination.label 5 / 5

+19

BrysonTyrrell
Valued Contributor
Forum|Forum|10 years ago
June 4, 2015

There is. The /tools/ directory contains the com.sophos.bootstrap.helper file that is launched when invoking '--install'.

+33

rich.trouton
Hall of Fame
Forum|Forum|10 years ago
June 4, 2015

OK. In other Sophos installers, there's another copy of the Sophos InstallationDeployer install application located inside of tools, and ../tools/InstallationDeployer is the one that can be used by an installer package.

lionelgruenberg
Contributor
Forum|Forum|10 years ago
June 4, 2015

@brysontyrrell what version of the Sophos Installer.app are you using in your custom pkg?

+19

BrysonTyrrell
Valued Contributor
Forum|Forum|10 years ago
June 4, 2015

I checked out the Home app and I see that. I'm guessing that the Enterprise version has that as well?~

Their Cloud installer doesn't seem to line up with the other two.

[upload](f03ae0088f184762b2e80cbaf60e5b85)

+19

BrysonTyrrell
Valued Contributor
Forum|Forum|10 years ago
June 4, 2015

@lionelgruenberg

The app's version is 9.3.1

lionelgruenberg
Contributor
Forum|Forum|10 years ago
June 4, 2015

@brysontyrrell Can you try installing from a different directory? I use the JAMF Waiting Room for Sophos Cloud.
This is in my postinstall script:

/Library/Application Support/JAMF/Waiting Room/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer --install

+11

corbinmharris
Valued Contributor
Forum|Forum|10 years ago
June 4, 2015

I just use the instructions provided by Sophos -

https://www.sophos.com/en-us/support/knowledgebase/33050.aspx

Launch Composer before I start the install and configuration. Must not be connected to network when setting up the update preferences. Quit Sophos and reconnect to network, then add to the Admin and then push out to a test MBP. The final package is almost 200mb, so take that in consideration.

Corbin

mkremic1
Contributor
Forum|Forum|10 years ago
June 4, 2015

@brysontyrrell I literally repackaged our Sophos installer 2 days ago...

+1 to @lionelgruenberg about using a different directory.

I started by trying to package the installer in /private/tmp so it would be cleared on a reboot and it would just sit for hours and hang.

Ended up repackaging so it was in /Users/Shared/Downloads with a postflight script:

sudo /Users/Shared/Downloads/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer --install

and it worked first go. Installed in a matter of minutes. Hope that helps! Our old package was a pre and post capture of a full install and it was a bit of a hit and miss on some of our Macs. This is much cleaner.

Cheers

+19

BrysonTyrrell
Valued Contributor
Forum|Forum|10 years ago
June 5, 2015

@lionelgruenberg @mkremic

Can someone save my sanity and explain to my why executing the Sophos silent install from /Users/Shared/ is different from /private/tmp/? This doesn't make any sense to me!

(yes, that worked moving it out of /private/tmp/)

lionelgruenberg
Contributor
Forum|Forum|10 years ago
June 6, 2015

@brysontyrrell Can't explain why but hopefully this saves your sanity... Here is a rough way to execute the silent install from /private/tmp

Create a custom Sophos Install package and include a script to kick off the silent install at /private/tmp/SophosInstall/install_sophos.sh:

#!/bin/bash
/private/tmp/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer --install

Execute the install_sophos.sh script from a postinstall script in your custom Sophos Install package:

#!/bin/bash
/private/tmp/SophosInstall/install_sophos.sh

+10

DanJ_LRSFC
Valued Contributor
Forum|Forum|9 years ago
June 8, 2016

I managed to create a Sophos package just fine, but what about changing the update server configuration on an already-installed copy of Sophos, is there a way to do that from a script? As installing the new package over the top of the old one does not have any effect.

+26

emily
Hall of Fame
Forum|Forum|9 years ago
June 8, 2016

It's built into a plist, so I would imagine you could deploy the plist to machines to update that info. Check out @rtrouton's post if you haven't already: https://derflounder.wordpress.com/2015/06/17/revisiting-sophos-enterprise-anti-virus-for-mac-9-2-x-deployment/

ekw | jamf @ jamf

+38

stevewood
Hall of Fame
Forum|Forum|9 years ago
June 8, 2016

@DanJ_LRSFC you may want to have a look at this Sophos article on how to create a pre-configured installer:

How to create a pre-configured installer containing updating and On-Access scanning options

That's the process I use to create the PKG for our install.

jelockwood
Author
Contributor
Forum|Forum|9 years ago
June 8, 2016

@DanJ_LRSFC As @stevewood mentions you can create a pre-configured stand-alone installer as per that Sophos article. As @emily mentions @rtrouton has done an excellent job of detailing how to deploy a pre-configured managed copy of the Sophos installer.

(Is this a record for the number of people referenced ;) )

What you can do when deploying a pre-configured stand-alone copy of the Sophos installer (via a package) is to have a pre-install script which uninstalls any existing copy first, this ensures the newly installed copy is not contaminated by old settings. This is how I do it.

Forum|pagination.label 5 / 5

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded