Posted on 05-08-2018 06:06 AM
I'm working on a policy that will automatically install the Sophos Endpoint Protection client on Macs that are missing it. It installs a kernel extension, which in High Sierra, end users get prompted to approve. I want it to silently install in the background without user involvement, so as I understand it I need to whitelist Sophos' Team ID to keep the kext prompt from appearing.
Here's what I have set up in Jamf:
Most of our Macs aren't in DEP so we're relying on user-initiated enrollment. When the machine enrolls, it gets the MDM profile, but until the user approves it, it can't approve the kext. The problem I'm running across is that Jamf seems to only attempt to push the approved kext once, when the MDM policy first applies -- before the user has a chance to approve it. (And once they do approve it, the machine falls within the scope of the Sophos installation policy, but the user gets the "System Extension Blocked" message.)
Am I doing something wrong here?
Posted on 05-08-2018 06:38 AM
You could Scope your kext Config profile to only push to a Smart Group that has MDM policy approved.
So basically make the opposite of your #3 (all machines NOT members of Computer Group Name <whatever #3 is>) , and in the scope of your kext configuration profile, only push it to those.
OR, go to Scope -> Exclusions, and EXCLUDE #3.
That way, the profile will wait until the user approves the MDM policy and THEN push, as opposed to pushing it and failing.
Would that work?
Posted on 05-08-2018 07:36 AM
Yeah, looks like I need to do some massaging of smart groups. I also seem to have to split the workflow. The first workflow is to get the kext approved on machines after the MDM policy has been approved -- so scoping the config profile to a smart group, like you suggested, is going to be the way to go.
The second workflow is to actually install Sophos. I've changed my "missing Sophos" smart group to include only machines that 1) don't have it installed, and 2) have the MDM policy approved. The only thing that worries me a bit is that having the "MDM policy approved = yes" status isn't positive confirmation that the kext was whitelisted -- if the timing was just right, a computer could possibly report a status of Yes before the kext config policy had a chance to apply. I think this is a bit of a corner case, though, as config policies seem to apply very quickly. I'll give this setup a go and see how it works out.