
Trying to deploy Sophos Endpoint as part of a Configuration using Imaging. With the changes to kernel extensions and the requirement to approve them, the current process is for the person running the Configuration to manually approve the kext when Sophos installs and the Mac prompts. I am deploying a "Configuration Profile" which works on existing machines but doesn't apply during the Configuration. Is there a way to force the Configuration Profile to apply during the Configuration before the Sophos install?

You could package up a kext whitelist configuration profile??



Have a look at this:
https://www.jamf.com/jamf-nation/discussions/23349/can-you-package-a-configuration-profile


We don't use imaging anymore, but Sophos has never worked well to deploy using imaging since it calls in to the Sophos server during installation (which it can't do during imaging), so it has to be installed post-imaging.
This is how we do it: the Sophos installation is based on a smart group which checks whether a pre-approved KEXT config is installed already (which contains the approved Sophos kext). If that exists, the Sophos installation happens.


I believe a kext whitelist config profile can only be applied via an MDM server, and only if the MDM profile has been user approved. You cannot install a config profile from the terminal, via a pkg, etc.


@allanp81



ummm.. MDM server....



This is Jamf Nation.. ie.. jamfpro??


@allanp81 is correct regarding user-approved MDM settings - the following might work without the profile being user approved because it's being placed by a package and set by a root user



BUT call me crazy, you can try this - off the cuff so don't hold me to it & please correct me where I'm wrong - not done coffee yet



Create a Policy. Policy will consist of a Package & Script.



Package - Create a package with the Sophos KEXT deployed to the correct directory, i.e. /System/Library/Extensions/SOPHOSKEXTHERE.kext



Script - Have a script run after package deployment modifying the KEXT.



pre 10.13 (I think)



#!/bin/bash
# Fix ownership and permissions on the staged kext, then load it
sudo chmod -R 755 /System/Library/Extensions/SOPHOSKEXTHERE.kext
sudo chown -R root:wheel /System/Library/Extensions/SOPHOSKEXTHERE.kext
sudo kextload /System/Library/Extensions/SOPHOSKEXTHERE.kext
# Remove the stale kext caches (full paths; the originals were relative and would not resolve)
sudo rm -R /System/Library/Extensions.kextcache
sudo rm -R /System/Library/Extensions.mkext
# Make Sure To Reboot Machine to Refresh Caches
# sudo shutdown -r now


Mac 10.13+



#!/bin/bash
# Fix ownership and permissions on the staged kext, then load it
sudo chmod -R 755 /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
sudo chown -R root:wheel /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
sudo kextload /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
# Rebuild the kext cache for the boot volume
sudo kextcache -i /
# Make Sure To Reboot Machine to Refresh Caches
# sudo shutdown -r now

A DEP-enrolled Mac (or user-approved MDM/user-initiated enrollment) is the base requirement for installing the kernel extension whitelist profiles. I would create the profile, and then use the new feature in Jamf 10.10 to have the config profile install during prestage so that it's in place before a user gets to the desktop (and Sophos is installed).



Check out this article: https://derflounder.wordpress.com/2018/04/12/whitelisting-third-party-kernel-extensions-using-profiles/



https://docs.jamf.com/10.10.0/jamf-pro/release-notes/What's_New.html
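As an added example that is not from this thread or from Jamf, here is a Jamf extension attribute script in the spirit of the smart-group approach above: it reports "Ready" only when the enrollment is DEP or user-approved MDM (as required for the kext whitelist profile) and the kext-approval profile is actually installed. The profile identifier com.example.kext-approval is an assumed placeholder; the checks parse the output of `profiles status -type enrollment` and `profiles -P`.

```shell
#!/bin/bash
# Added example, not from the thread. Extension attribute: is this Mac ready for the
# Sophos policy? Requires DEP / user-approved MDM and the kext-approval profile.
KEXT_PROFILE_ID="com.example.kext-approval"   # assumption: use your profile's identifier

# Returns 0 when `profiles status -type enrollment` output shows DEP or a
# user-approved MDM enrollment.
mdm_user_approved() {
    printf '%s\n' "$1" | grep -Eq 'Enrolled via DEP: Yes|MDM enrollment: Yes \(User Approved\)'
}

# Returns 0 when `profiles -P` output lists the given profile identifier
# (the identifier is the last field of a "profileIdentifier:" line).
profile_installed() {
    printf '%s\n' "$1" | awk -v id="$2" \
        '/profileIdentifier: / && $NF == id { found = 1 } END { exit !found }'
}

# Combine both checks into the value the extension attribute reports.
readiness() {
    if mdm_user_approved "$1" && profile_installed "$2" "$3"; then
        echo "Ready"
    else
        echo "NotReady"
    fi
}

# Only query the live system on a Mac; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ] && command -v profiles >/dev/null 2>&1; then
    enrollment="$(profiles status -type enrollment 2>/dev/null)"
    installed="$(profiles -P 2>/dev/null)"
    echo "<result>$(readiness "$enrollment" "$installed" "$KEXT_PROFILE_ID")</result>"
fi
```

A smart group keyed on this attribute equalling "Ready" can then scope the Sophos installation policy, so the package never runs before its kext can be approved.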


Would using JAMF 10.9 and a system running Mac OS 10.14 throw an error of "The profile's payload did not validate properly."? It was working prior to the Mac OS 10.14 update.


I haven't seen that error, but I would presume that if it's trying to apply a setting that isn't valid for 10.14 then it would throw up that error?

