Skip to main content
Solved

Sophos to Defender

  • June 16, 2024
  • 3 replies
  • 38 views
C
Forum|alt.badge.img+2

Hello

My company is planning to move away from Sophos to MS Defender. Is there any tools out there that locks a user out while the uninstall Sophos is happening, reboots and then installs Defender? Assuming I can do this via a policy but I just don't want users to intervene while it's uninstalling

Thanks! 

Best answer by AJPinto

Generally speaking, no. Jamf itself is just running a policy to remove Application A and install Application B. Jamf does not perform posture checking, it has similar functions, but they cannot really be leveraged in this manner.

 

I would suggest moving Sophos to monitor only and installing Defender before removing Sophos assuming you must do this in one sweep rather than separating the two events. This way if something goes wrong, you can flip a switch and put Sophos into high enforcement again and you never lose visibility on the device. Jamf Helper could put a full screen notification up until the workflow has completed that most users won't know how to dismiss.

 

Workflow:

  • Run Policy A that calls the script for Jamf Helper.
    • Device gets a full screen notification.
    • Script calls Policy C from CLI to install Defender.
      • if statement to ensure Defender was installed.
        • If defender failed to install, exit 1 and fail the policy.
        • If defender succussed its install, continue. 
    • Script calls Policy B from CLI to uninstall Sophos.
      • if statement to check to ensure Sophos was removed.
        • If Sophos failed to uninstall, exit 2 and fail the policy.
        • If Sophos uninstalled successfully, continue.
    • Script checks for success on the previous two steps.
      • Exit 0 and reboots if successful (or close Jamf Helper dialog)
      • Exit 3 Notify user to call support if something went wrong. (should something else stupid happen that you are looking for)
  • Policy exits and reports status.

 

 

    3 replies

    mickl089
    Forum|alt.badge.img+11
    • mickl089
    • Valued Contributor
    • June 17, 2024

    I have also already carried out a Sophos to Defender migration. However, a restart was not necessary under macOS.

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • Answer
    • June 17, 2024

    Generally speaking, no. Jamf itself is just running a policy to remove Application A and install Application B. Jamf does not perform posture checking, it has similar functions, but they cannot really be leveraged in this manner.

     

    I would suggest moving Sophos to monitor only and installing Defender before removing Sophos assuming you must do this in one sweep rather than separating the two events. This way if something goes wrong, you can flip a switch and put Sophos into high enforcement again and you never lose visibility on the device. Jamf Helper could put a full screen notification up until the workflow has completed that most users won't know how to dismiss.

     

    Workflow:

    • Run Policy A that calls the script for Jamf Helper.
      • Device gets a full screen notification.
      • Script calls Policy C from CLI to install Defender.
        • if statement to ensure Defender was installed.
          • If defender failed to install, exit 1 and fail the policy.
          • If defender succussed its install, continue. 
      • Script calls Policy B from CLI to uninstall Sophos.
        • if statement to check to ensure Sophos was removed.
          • If Sophos failed to uninstall, exit 2 and fail the policy.
          • If Sophos uninstalled successfully, continue.
      • Script checks for success on the previous two steps.
        • Exit 0 and reboots if successful (or close Jamf Helper dialog)
        • Exit 3 Notify user to call support if something went wrong. (should something else stupid happen that you are looking for)
    • Policy exits and reports status.

     

     

    geoff_widdowson
    Forum|alt.badge.img+8

    Just wanted to add a caveat to moving from Sophos to Defender. I have just been testing again for the first time in a year, as we are finally moving to Defender. Previously you could uninstall Sophos without turning off Tamper Protection in the Sophos Central portal. This was done by first deleting the file /Library/Sophos Anti-Virus/SophosSecure.keychain 

    Then a scripted silent uninstall could take place.

    With Sequoia this no longer works. You will now have to turn off Tamper protection for any device your are moving to Defender. If you are in the process of migrating Windows devices to Defender you will already be following this process, so you just need to add your mac fleet to the process. I guess Sophos finally became tamper proof just as some of us are moving away from it.

     

    Terms & ConditionsCookie settingsAccessibility statement