
I've seen a number of postings regarding installing Sophos Central (including https://www.jamf.com/jamf-nation/discussions/12348/script-to-launch-sophos-cloud-installer which ultimately points to a derflounder post) but I'm not having any luck at all with getting things to work...



Can someone help me out a bit? Have things changed since the referenced post?

@calvins how did you generate the download link from the web console?



I'm having issues installing on fresh images of 10.126 and 10.13.1 -- installer will automatically fail. Anyone else seeing this?


Log into the "cloud.sophos.com" console > Protect Devices in the left-side navigator > Send Link to Users > Picked myself > took the Mac download link out of the email it sent me.



I've heard you can use the Sophos API to generate a user-less download link, but I've never found any supporting info on that. It does have the downside of attaching all machines that get it via that link to my Sophos user, but we don't use that for any purpose so we ignored that bit.



I had problems installing it on machines that had a conflicting AV or Sophos Home, but those were far between so I didn't account for them in the installer. It also seems to fail on Macs that were imaged via a clone, but those are also far between.


As of Friday I now have 5 machines that will not install Sophos Endpoint Client.



It works across the board except these 5 machines, and they all produce the same errors in the logs:



default 11:39:36.874008 -0500   com.sophos.bootstrap.helper [SMEDownloadController.m:574] failed to secure folders. Error Domain=com.sophos.installer Code=1 "Error: programming error. Nil passed as SecureLocation" UserInfo={NSLocalizedDescription=Error: programming error. Nil passed as SecureLocation, Call History=SMEInstallerFileManager.m:806}
default 11:39:36.874149 -0500 com.sophos.bootstrap.helper [SMEDownloadController.m:601] Failed to launch InstallationDeployer. Error Domain=com.sophos.installer Code=1 "Error: programming error. Nil passed as SecureLocation" UserInfo={NSLocalizedDescription=Error: programming error. Nil passed as SecureLocation, Call History=SMEInstallerFileManager.m:806}
default 11:39:37.075824 -0500 Sophos Installer [SMESophosBootstrapAppDelegate.m:1225] Received failure notification: (1)
default 11:39:40.994218 -0500 kernel [Sophos Installer pid 97785 mux-aware] exiting, non-mux-aware app count 0, runtime: 0:00:49.832


/ and /Library have correct permissions and the previous Security Software (SEP 12) was removed prior to attempted install. The error occurs during the verify step both when installed by JAMF Pro or Locally.



Totally at a loss here. All 5 of these machines are developers so I am almost certain this is a matter of them FUBARing folder permissions on something the installer is trying to access, but I don't know where to even start.



Ideas?


Anyone had any luck lately with installing the Sophos cloud client? I tried the scripts from dmarcnw. It didn't install and doesn't give any errors. Not sure what to try next.


I resolved my issue:



Sophos tells you to verify the permissions of /, /Library and /Library/Application Support but it goes deeper than that.



You also need to check permissions of the contents of /Library and verify they are set to the default. Lots of stuff in there is not SIP protected so users with sudo can mess stuff up.



Specifically in my case users had changed the ownership of /Library/Caches and /Library/Developer. Once I set those back to default it installed without issue.


@hkabik What did you change the ownership and permissions to?


The default ownership for those: root:admin.


I resolved my issue. I'm now able to install Sophos. For some reason when imaging via Deploystudio, it changes the permissions/group of /Library to root:admin



https://www.jamf.com/jamf-nation/discussions/27249/deploystudio-imaging-library-permission-group-changed


Doesn't seem to matter what I try. It's not working. I do have an open ticket with Sophos. They had me run their diagnostic tool. More to come...


…as soon as I posted that, I tried one more thing with running their installer. They must have a ton of perm dependencies that are just wacky. I got it to work now (wouldn't you know it), but I'm not confident that it'll work consistently on any given machine. - well, I got the basic installer to work (by downloading the installer bits), still failed the installation.


Am also trying to install 9.7.4.
I have managed to silent install Sophos using Terminal - after using a permission changing command.
But if I use the same commands within a .pkg file the install/quit screen appears.
I cannot get it to install silent - Sophos closed my ticket because it now works via Terminal ...boooo


@steve1127 can you elaborate on what permission change you did, and when in your workflow you are running it?


We had the issue where the manual install would fail straight away.
After sending logs off to Sophos they found that a file didn't have the correct permissions (see below)



com.sophos.bootstrap.helper using com.sophos.macendpoint.Installer.HelperTool. Error Domain=com.sophos.installer
Code=1 "Error: supplied secure destination is not secure. path: /Library/Application Support/Sophos/temp_2052



Sophos' solution was to disable SIP and run a command.... not happening



So @gazlee found that the command sudo chmod 0755 "/Library/Application Support/" can be run without disabling SIP and corrects the permission(s)



This was added to a .pkg file (post script) with the path to the file which runs the manual install + sorts the permissions



In Terminal, if this permissions command is run and you then use the silent installer one provided by Sophos ..it works.
sudo "/private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install



My problem is now if these are combined into Composer the Sophos install/quit screen opens so is not silent - this is where Sophos did a runner..


I haven't had much experience with postinstall scripts, but can confirm this works great as a separate script to run after caching the installer files.



# Make the installer binary and its helper tool executable
sudo chmod a+x "/pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer"
sudo chmod a+x "/pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
# Run the silent install, then remove the cached installer files
sudo "/pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
sudo rm -rf /pathtoinstaller/SophosInstall/


https://community.sophos.com/kb/en-us/120570


@steve1127 when you added the sudo chmod 0755 "/Library/Application Support/" command to a .pkg, was that just an empty package containing the command or did it include the Sophos installer files as well?



I ask cuz I just ran that command manually, then tried to install Sophos manually, and it still failed.


Above is the full script I have within Composer.
Place installer files within /tmp
Create post install (shell script)
Permission command and then installer


Unfortunately, I was wrong and it is not working properly after remaking the package... Not sure why it worked fine on the few I tested it on. Back to the drawing board...


So it looks like this ONLY works if SIP is disabled... Anyone find a way to do it with it enabled?


I was able to use @calvins' awesome script to install Sophos 9.7.6 but I received the message System Extension Blocked. Once I went into the security settings and allowed it... Sophos appears to be running and says my computer is protected. Is there any way to automate approving the System extension? Thanks, Ray




@rgerman , you need to also do a Configuration Profile that whitelists the Sophos Kernel Extension's TeamID. At a high level in general, we whitelist a ton of Kernel Extensions in a single profile scoped to all machines that have User Approved MDM enabled, including Sophos.



See this screenshot for what you need


@calvins Will whitelisting the Team ID do the trick or do we need to list all the bundle IDs?


Thanks Calvin! I'll give it a try. BTW - Your script was great... I actually think it's a great template for many installs. Very smart!


Whitelisting a Team ID blesses everything that uses that same ID. So Sophos installs something like 4 kernel extensions, but you can get away with just doing the Team ID they all share. That single entry in my screenshot is the only Sophos thing we have to whitelist for Endpoint to work.



There's a good script in this other thread about finding these extensions and all the ID's associated with them. By @franton, here.
We run a simplified version of that on all our Macs 1x as a policy, then we just have to skim policy logs on a machine if someone needs one added to our global whitelist. We have 22 total Team IDs in there right now, but only Sophos and HP complained about needing it approved; the rest were pre-emptive.
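The Team ID whitelisting described in the posts above, as an added example that is not part of the original thread or anyone's production script: a shell function that validates Team IDs and prints the kernel-extension policy payload dict a profile carries. The function names and the sample IDs in the comments are hypothetical, and the enclosing profile (identifiers, UUIDs) is left to Jamf or whichever tool builds it.

```shell
#!/bin/bash
# Added example: build the "approved kernel extensions" payload from Team IDs.
# Function names are hypothetical; real Team IDs come from your own inventory.

# Apple Team IDs are 10 characters, uppercase letters and digits.
valid_team_id() {
    local LC_ALL=C            # keep A-Z from matching lowercase in some locales
    case $1 in
        ''|*[!A-Z0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 10 ]
}

# kext_policy_payload ID... -> prints the payload dict, returns 1 on a bad ID.
kext_policy_payload() {
    local id seen=" " items=""
    for id in "$@"; do
        if ! valid_team_id "$id"; then
            echo "invalid Team ID: $id" >&2
            return 1
        fi
        case $seen in *" $id "*) continue ;; esac   # drop duplicates
        seen="$seen$id "
        items="$items        <string>$id</string>
"
    done
    if [ -z "$items" ]; then
        echo "no Team IDs given" >&2
        return 1
    fi
    # Listing a Team ID approves every kext signed by that team, so no
    # per-bundle-ID entries are needed for a vendor that ships several kexts.
    cat <<EOF
<dict>
    <key>PayloadType</key>
    <string>com.apple.syspolicy.kernel-extension-policy</string>
    <key>AllowUserOverrides</key>
    <true/>
    <key>AllowedTeamIdentifiers</key>
    <array>
${items}    </array>
</dict>
EOF
}
```

Call it as `kext_policy_payload ABCDE12345 ZYXWV98765`, where both IDs are constructed placeholders.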


Also, I just edited my OP script with the one we are currently using. We had a couple cases come up where some Macs were cloned with bad permissions on /, /Library, and /Library/Application Support, and it turns out the Sophos installer doesn't like that at all. So, I added some cursory logging and checking for that.
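A report-only pre-flight check for the permission problems described in this thread (/, /Library, /Library/Application Support, and the /Library/Caches and /Library/Developer ownership issue), as an added example that is not the script from the original post. The root:admin ownership for Caches and Developer and mode 755 for Application Support come from the thread; the remaining expected values are assumed stock macOS defaults, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: audit ownership/mode of the directories named in the thread.
# Nothing is changed; mismatches are only reported.
# root:wheel 755 for / and /Library, and root:admin for Application Support,
# are ASSUMED stock defaults: compare with a clean install of your OS version.
# Format: path|owner:group|mode   ("-" means the mode is not checked)
EXPECTED='/|root:wheel|755
/Library|root:wheel|755
/Library/Application Support|root:admin|755
/Library/Caches|root:admin|-
/Library/Developer|root:admin|-'

# Print "owner:group mode" (GNU stat syntax first, then BSD/macOS syntax).
owner_mode() {
    stat -c '%U:%G %a' "$1" 2>/dev/null || stat -f '%Su:%Sg %Lp' "$1" 2>/dev/null
}

# check_path PATH OWNER:GROUP MODE -> 0 match, 1 mismatch, 2 path not present
check_path() {
    local path=$1 want_owner=$2 want_mode=$3 got got_owner got_mode
    if [ ! -d "$path" ]; then echo "SKIP  $path (not present)"; return 2; fi
    got=$(owner_mode "$path") || { echo "FAIL  $path (cannot stat)"; return 1; }
    got_owner=${got% *}       # everything before the last space
    got_mode=${got##* }       # everything after the last space
    if [ "$got_owner" != "$want_owner" ]; then
        echo "FAIL  $path owner $got_owner, expected $want_owner"; return 1
    fi
    if [ "$want_mode" != "-" ] && [ "$got_mode" != "$want_mode" ]; then
        echo "FAIL  $path mode $got_mode, expected $want_mode"; return 1
    fi
    echo "OK    $path $got_owner $got_mode"
}

# audit [ROOT] -> prints one line per path, returns the number of mismatches.
# ROOT lets the same check run against a mounted, freshly imaged volume.
audit() {
    local root=${1:-} bad=0 rc path owner mode
    while IFS='|' read -r path owner mode; do
        rc=0
        check_path "${root}${path}" "$owner" "$mode" || rc=$?
        if [ "$rc" -eq 1 ]; then bad=$((bad + 1)); fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}
```

Run `audit` on the live system before the installer policy, or `audit "/Volumes/<volume name>"` against an image. A non-zero return is the count of paths to fix first.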


I am new to Sophos Endpoint Protection and have to say it is proving a bit more challenging than I ever expected.



Using @calvins' script, I was able to automate the installation. I was also able to make a configuration profile whitelist and thought I was home free. I have one last issue which I was curious how others were handling.



After successfully installing Sophos on my test bed Macs (which are local accounts not bound to AD) and another user's computer that is bound to AD, I logged into Sophos Central and noticed all of the devices were showing up under my User account under the people tab. Not a good thing, as this would not allow me to assign policies to groups. Are you guys using the AD Sync tool with Sophos... and if you are, will the installer match up the user automatically?

