
Hello

My company is planning to move away from Sophos to MS Defender. Are there any tools out there that lock a user out while the Sophos uninstall is happening, reboot, and then install Defender? I'm assuming I can do this via a policy, but I just don't want users to intervene while it's uninstalling.

Thanks! 

I have also already carried out a Sophos to Defender migration. However, a restart was not necessary under macOS.


Generally speaking, no. Jamf itself is just running a policy to remove Application A and install Application B. Jamf does not perform posture checking; it has similar functions, but they cannot really be leveraged in this manner.

I would suggest moving Sophos to monitor only and installing Defender before removing Sophos, assuming you must do this in one sweep rather than separating the two events. This way, if something goes wrong, you can flip a switch and put Sophos into high enforcement again, and you never lose visibility on the device. Jamf Helper could put up a full-screen notification that most users won't know how to dismiss until the workflow has completed.

Workflow:



  • Run Policy A that calls the script for Jamf Helper.
    • Device gets a full-screen notification.
    • Script calls Policy C from CLI to install Defender.
      • if statement to ensure Defender was installed.
        • If Defender failed to install, exit 1 and fail the policy.
        • If Defender succeeded in its install, continue.
    • Script calls Policy B from CLI to uninstall Sophos.
      • if statement to check to ensure Sophos was removed.
        • If Sophos failed to uninstall, exit 2 and fail the policy.
        • If Sophos uninstalled successfully, continue.
    • Script checks for success on the previous two steps.
      • Exit 0 and reboot if successful (or close the Jamf Helper dialog).
      • Exit 3 and notify the user to call support if something went wrong (should something else stupid happen that you are looking for).
  • Policy exits and reports status.
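The workflow above as a Jamf Pro script, written as an added example for this thread rather than code from the poster or from Jamf. It locks the screen with jamfHelper, fires the install and uninstall policies by custom trigger, checks the filesystem after each step, and returns the exit codes the post lists. The trigger names (`installDefender`, `uninstallSophos`), the Defender application path and the reboot command are assumptions to be changed to match your own policies; `/Library/Sophos Anti-Virus` is the directory named later in this thread. Execute it with `--run` as root; without that argument the file only defines its functions.

```bash
#!/bin/bash
# Added example: Sophos -> Defender migration wrapper for a Jamf policy.
# Trigger names and app paths below are assumptions; adjust to your tenant.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
JAMF_HELPER="${JAMF_HELPER:-/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper}"
DEFENDER_APP="${DEFENDER_APP:-/Applications/Microsoft Defender.app}"   # assumed install path
SOPHOS_DIR="${SOPHOS_DIR:-/Library/Sophos Anti-Virus}"                # directory named in the thread
INSTALL_TRIGGER="${INSTALL_TRIGGER:-installDefender}"                  # assumed custom trigger for "Policy C"
UNINSTALL_TRIGGER="${UNINSTALL_TRIGGER:-uninstallSophos}"              # assumed custom trigger for "Policy B"
REBOOT_CMD="${REBOOT_CMD:-/sbin/shutdown -r +1}"                       # assumed reboot command

# Exit codes follow the workflow in the post.
EXIT_OK=0
EXIT_DEFENDER_FAILED=1
EXIT_SOPHOS_FAILED=2
EXIT_UNEXPECTED=3

# Show a full-screen jamfHelper window with no buttons; print its PID so
# the caller can close it when the workflow finishes.
show_lock_screen() {
  "$JAMF_HELPER" -windowType fs \
    -heading "Security software update in progress" \
    -description "Do not power off. This Mac will restart when finished." >/dev/null 2>&1 &
  echo $!
}

# Fire a Jamf policy by custom trigger (Policy C / Policy B in the workflow).
run_trigger() {
  "$JAMF_BIN" policy -event "$1"
}

# Succeed if a path exists; used for the post-step checks.
path_present() {
  [ -e "$1" ]
}

# Install Defender, verify, uninstall Sophos, verify. Returns the workflow
# exit code instead of exiting so the caller decides what happens next.
migrate() {
  run_trigger "$INSTALL_TRIGGER" || return "$EXIT_DEFENDER_FAILED"
  path_present "$DEFENDER_APP"   || return "$EXIT_DEFENDER_FAILED"

  run_trigger "$UNINSTALL_TRIGGER" || return "$EXIT_SOPHOS_FAILED"
  if path_present "$SOPHOS_DIR"; then
    return "$EXIT_SOPHOS_FAILED"
  fi
  return "$EXIT_OK"
}

# Map a result code to the message shown to the user.
status_message() {
  case "$1" in
    "$EXIT_OK")              echo "Migration complete; restarting." ;;
    "$EXIT_DEFENDER_FAILED") echo "Defender did not install; Sophos left in place. Call support." ;;
    "$EXIT_SOPHOS_FAILED")   echo "Sophos removal failed. Call support." ;;
    *)                       echo "Unexpected error. Call support." ;;
  esac
}

main() {
  helper_pid=$(show_lock_screen)
  rc=0
  migrate || rc=$?
  kill "$helper_pid" 2>/dev/null
  if [ "$rc" -eq "$EXIT_OK" ]; then
    $REBOOT_CMD
    return "$EXIT_OK"
  fi
  case "$rc" in
    "$EXIT_DEFENDER_FAILED"|"$EXIT_SOPHOS_FAILED") ;;
    *) rc=$EXIT_UNEXPECTED ;;   # anything else maps to the post's exit 3
  esac
  "$JAMF_HELPER" -windowType utility -heading "Migration failed" \
    -description "$(status_message "$rc")" -button1 "OK" >/dev/null 2>&1
  return "$rc"
}

# Only act when explicitly asked; otherwise the file just defines functions.
# (Jamf fills $1-$3 with mount point, computer name and username, so a
# policy-deployed copy would test "$4" = "--run" instead.)
if [ "${1:-}" = "--run" ]; then
  main
  exit $?
fi
```

Because Defender is installed and verified before the Sophos uninstall policy is triggered, a failed install leaves Sophos in place, which is the "never lose visibility" property the post asks for; the filesystem checks after each trigger are what turn a silent policy failure into a non-zero exit that Jamf records.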


 


 


Just wanted to add a caveat to moving from Sophos to Defender. I have just been testing again for the first time in a year, as we are finally moving to Defender. Previously you could uninstall Sophos without turning off Tamper Protection in the Sophos Central portal. This was done by first deleting the file /Library/Sophos Anti-Virus/SophosSecure.keychain 


Then a scripted silent uninstall could take place.


With Sequoia this no longer works. You will now have to turn off Tamper Protection for any device you are moving to Defender. If you are in the process of migrating Windows devices to Defender you will already be following this process, so you just need to add your Mac fleet to the process. I guess Sophos finally became tamper proof just as some of us are moving away from it.