Just noticed the same thing.
My findings so far:
- The standalone "Sophos Installer.app" creates "Sophos Anti-Virus.mpkg" in /Library/Caches/com.sophos.sau/CID which can apparently be copied from there and used to install (might have to remove the _CodeSignature)
- Inside the standalone "Sophos Installer.app", there is an "InstallationDeployer" binary.
Running
```
"/path/to/Sophos Installer.app/Contents/MacOS/InstallationDeployer" --install
```
also seems to install it properly.
One could drop the Sophos Installer.app into /var/tmp and run the command with a postinstall script.
However, I haven't done any QA testing for both methods yet, so I might be totally wrong.
Good spot, it does get us closer but that mpkg does not contain the pre-configured auto-update settings. Therefore if you use it on a fresh Mac or one on which you have cleaned out the previous install's preferences it does not know how to auto-update.
It will help with a different problem we have (which is not Sophos' fault) which is for some Macs never connected to the Internet. I can just periodically copy this .mpkg to them or have a tool like ARD push it to them (on this disconnected network).
It is worth looking at further though as in the past with SAV8 it was possible to have some settings files outside the mpkg itself but in the same folder...
Ok, I did a bit more testing, as mentioned the mpkg you found does not include the needed auto-update preferences. I have found that if you do the following in the following order the desired results seem to be achieved.
1) Uninstall SAV8. While it is possible to install SAV9 over the top of SAV8, SAV8 currently has auto-update settings pointing to SUM; we need to clear those settings and have SAV9 directly update from Sophos.
2) Copy pre-configured plist files from a previously manually set up SAV9 Mac; these will contain the auto-update settings we need. While probably just com.sophos.sau.plist is needed, the others I copied were com.sophos.ac.plist, com.sophos.dc.plist and com.sophos.sav.plist. These are all from /Library/Preferences and should be copied to a Mac after step 1. Note the uninstall tool Sophos provided does not remove the old preferences, so either overwrite them or delete them before copying the new SAV9 ones into their place.
3) Now run the Sophos Anti-Virus.mpkg installer. It should install, keep the preference files from step 2 above, and then you end up with a SAV9 with the auto-update settings.
I still need to test this on a second Mac just in case those preference files are hard coded to a single Mac via a GUID.
Ugh!
Bit messier than I thought it was going to be, the following looks like being the 'official' way to do it.
Note: Sophos support don't know how to do this, but I got pointed in the right direction by a manager.
As per http://www.sophos.com/en-us/support/knowledgebase/119744.aspx build a pre-configured installer Application
Copy the Application to the client Mac either as is, or you could build a custom pkg containing it
As a post copy step, run a shell script and do the following command
```
"path/to/Sophos Install Application/Contents/MacOS/InstallationDeployer" --install
```
Contrary to what the built-in 'help' for the InstallationDeployer says, I did not need to specify a product name, in fact I could not find a valid product name to use - hence not using one.
If the InstallationDeployer command is executed from root it will run without a GUI session and without needing additional authentication.
So for ARD you could copy the Sophos standalone installer to a Mac, then remotely execute the InstallationDeployer command. I plan however to build an Apple PackageMaker pkg to copy the Sophos standalone installer and have a post 'install' shell script then run the InstallationDeployer command.
Either approach should remove SAV8 automatically before installing SAV9, and as I have pre-configured it to download directly from Sophos it should also then auto-update directly instead of via SUM which does not support SAV9.
I was able to build an installer package that uninstalls Sophos and installs a new copy of Sophos 9.x using the install application. I've posted the details here:
http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/
After much troubleshooting I managed to get around this issue by doing the following (we're using Sophos Cloud)
1) Use a test VM to install "Sophos Installer.app" (~4Mb Cloud Installer which downloads a full version). Captured the changes using Composer
2) Took a copy of the Installer.app which shows up in the list of captured files. (Can't remember exact path but if you browse through the folders it should be under a folder called "saas".) Put it somewhere temporary like Desktop.
3) Made a .pkg of the plists left in /Library/Preferences (excluding the apple plist)
4) Made a new Composer dmg including these 2 packages in the folder /private/tmp
5) Ran a script after installing the dmg (which dumps the 2 .pkg's into /private/tmp), which then calls the installer in the app and then applies the preferences for the cloud app:
```
#!/bin/bash
/private/tmp/Installer.app/Contents/MacOS/InstallationDeployer --install
installer -pkg /private/tmp/sophospreferences.pkg -target /
```
After rebooting the Mac and checking our cloud server the computer is showing in the control panel. Tested on a couple of separate clients and they're showing up as unique machines in the cloud control panel! :D
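Added example, not part of any post in this thread and not Sophos' own script: a postinstall wrapper for the InstallationDeployer step described above. Because /private/tmp and /var/tmp are world-writable, it refuses to run the staged binary as root unless the bundle is root-owned with no group- or world-writable entries; the `STAGED_APP` default and the function names are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not Sophos' or any poster's script.
# STAGED_APP default is an assumption: the /private/tmp location used above.
STAGED_APP="${STAGED_APP:-/private/tmp/Installer.app}"

# Succeed only if the bundle holds an executable InstallationDeployer and
# every entry is owned by $2 (default root) with no group/world write bit.
check_staged_bundle() {
    local app="$1" owner="${2:-root}"
    local deployer="$app/Contents/MacOS/InstallationDeployer"
    if [ -L "$app" ] || [ ! -d "$app" ]; then
        echo "not a real directory: $app" >&2
        return 1
    fi
    if [ ! -f "$deployer" ] || [ ! -x "$deployer" ]; then
        echo "missing or non-executable: $deployer" >&2
        return 1
    fi
    # Symlinks are skipped in the mode test: a link's own mode bits do not
    # control access to its target.
    local bad
    bad="$(find "$app" \( ! -user "$owner" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print 2>/dev/null | head -n 1)"
    if [ -n "$bad" ]; then
        echo "wrong owner or writable by others: $bad" >&2
        return 1
    fi
    return 0
}

# Run the deployer as root, keep its exit status, remove the staged copy on success.
run_deployer() {
    local app="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        return 1
    fi
    check_staged_bundle "$app" root || return 1
    "$app/Contents/MacOS/InstallationDeployer" --install || return $?
    rm -rf "$app"
}

# The installer passes package path, target location and target volume as $1-$3;
# only act when invoked that way, so sourcing the file defines functions only.
if [ "$#" -ge 3 ]; then
    run_deployer "$STAGED_APP"
    exit $?
fi
```

Every path is quoted, so a bundle named "Sophos Installer.app" works unchanged when `STAGED_APP` is set to it.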
This doesn't help if you use an av relay server like we do.
The idea for us being an end user says they want to vpn in to the corporate network to work from home and we insist on av.
The user then installs SAV home but then never carries out any scans or looks further at the setup!
With an av relay server your users home machines show up in your SEC console and get policies from there.
At the moment the v9 deployer is still in development and I'm told they don't see it as a priority at the moment.
Speak to Sophos and you will probably be asked to fill out a feature request like I was, then speak to your Sophos account manager!
Also go on Sophos talk and voice your opinion on there!
I had the same problem too, until I found a workaround this week.
This is what I did.
Created sophos installer dmg and added it to my imaging workflow.
When the machine finishes imaging the sophos installer is placed on the root of the drive. (subject to change, var is a better location)
I also added the below script to the imaging workflow to run once the machine reboots after the image process completes.
```
#!/bin/bash
# Quote the path: both the bundle name and the binary name contain a space.
sudo "/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
exit 0
```
When you log in to a freshly imaged machine the script will install sophos dmg which has been placed on the root of the drive.
This has worked for me.
Does anyone have a recipe for packaging SAV in the JAMF Composer tool?
I've attempted this by snapshotting a drag of the preconfigured 'Sophos Installer.app' into /Applications then adding a postinstall script similar to the ones suggested above but that doesn't work - I have to run the Installer manually to get it going.
@ianmb, we deploy the PKG from the Sophos Enterprise Console.
This contains our auto-update settings.
@bentoms How have you been deploying the PKGs from the Sophos Enterprise Console? When we try it fails every time. Is it possible to run that package with Composer on a blank/test machine, enter the credentials, and package with Composer to deploy? I haven't found a way to get the ./CreateUpdatePreconfig command to work with the PKG I grabbed from our Enterprise Console. (http://www.sophos.com/en-us/support/knowledgebase/119744.aspx)
@emilykausalik, I needed to prod the Sophos Admin guy but.. once we had applied a Mac policy to an OU in SEC & THEN created the pkg from that.. all we needed to do was install the PKG using casper.. the PKG contained all the rest.
Looking at this quickly..
We are deploying sophos via a script - as I couldn't be bothered to repackage every month or so when the app was updated.
- mount sophos share
- copy entire directory for mac installer and supporting files for update config/console to /tmp
- umount share
- install from tmp
- clean up /tmp
The macs are bound to AD, and the sophos console applies policies based on the AD OU. This means you have to make sure that macs will be in the correct location in AD when binding.
The console takes care of the updates/config changes.
@bentoms Any tips on how you created a pkg from within the SEC? Or did you just go to the bootstrap location and snag it from there?
@tkimpton for some reason I can't take the Sophos Anti-Virus.mpkg from the SEC bootstrap location and get it into anything that will deploy. When I put it in Composer, composer fails out. I must be missing something here.
@emilykausalik that won't work because the sav installer is an mpkg (other installer inside it)
I copy it to somewhere like /private/tmp/
I then drag all of /private/tmp to composer
Once tmp is in composer, delete the other stuff so only the sav mpkg is in there.
Then make a post flight script to install it via the command line like sudo installer -pkg (path to the mpkg) -target /
Give your package a name in composer and build it as a non flat pkg.
You can then upload your pkg to Casper Admin and start looking at smart groups and push it out via a policy.
Hope that makes sense and helps :)
@tkimpton I think I'm still too green to know how to do what you're referring to. I'll be reaching out to Sophos support to see if they can help.
Here's our procedure for installing our managed Sophos client using Casper. We're using v9.0.8 currently of the Mac client. We have a Windows 2003 Server (I know, time for an upgrade) running the Sophos Enterprise Console. It creates a .pkg file for Mac clients which can be downloaded.
Download the Sophos installer from our Sophos server. In our case I connect using smb to the share and locate the installer in /Sophos Update/CIDs/S000/ESCOSX/Sophos Anti-Virus.mpkg
Add the Sophos Anti-Virus package to Casper Admin
Make sure you set the option to "Install on boot drive after imaging" in the Options tab when you 'Get Info' of the Sophos package in Casper Admin.
Image a machine and hey presto it'll show up in the Sophos Enterprise Console on your Sophos server. If it's a brand new machine that's never had Sophos on it then you will probably need to assign it to a policy group in the Sophos Enterprise Console. If it's already been imaged then in my experience the SEP is already aware of the machine and it just reconnected auto-magically.
@pbenham yeah that's simpler, I forgot to mention I do it that way because I have different sav installers for workstations and laptops with different mrinit configs in them to point workstations to the main sec and laptops to a relay server.
Sorry for replying late.
I'd second what @pbenham has mentioned.
Just deploy the pkg from SEC, no composer needed.
So thanks to posts here I can deploy Sophos from Casper, but does anyone have a recipe for packaging it for systems not managed by Casper?
I have a requirement to get Sophos installed on standalone Macs (managed by users) so it'd be great to send them a pkg file with the relevant update servers preconfigured. All Sophos can tell me is that I need to include the ESCOSX directory that's in the same directory as the mpkg file?! I have this, but not really sure how to proceed.
@ianmb, if you are just deploying the PKG... That should work via ARD too.
Yes, but will that contain the references to my local update servers?
I wasn't clear whether I need to repackage the mpkg and include the ESCOSX directory (if so where does that need to be placed on the client?) or do I just take the mpkg from that directory and distribute it (see my initial question).
I have always just deployed the MPKG from the ESCOSX directory on my Sophos server. I've never had to re-package it or include any other directories. That MPKG includes the address of your management server. So as long as the computers can get back to that address, you should be fine.
As per Richard Trouton's earlier post in this thread and my own, it is possible to take the standalone Sophos installer and convert it in to a pkg. As per my earlier reply one can do this with the Sophos update credentials saved in to it as well.
If you're using Sophos Enterprise Library then you can in theory use the installer package it maintains; if you don't have Sophos Enterprise Library (which requires a Windows server) then you need to use Richard's and my instructions.
Richard's original instructions are here http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/ and they are actually based on the free Sophos Home Edition installer, which is very similar to the paid for Standalone installer but not identical. I therefore took Richard's script and modified it to also work with the paid for standalone installer, and my own instructions and version of the script are available here http://jelockwood.blogspot.co.uk/2014/03/deploying-sophos-anti-virus-on-mac.html
To summarise, if you're not using Sophos Enterprise Console but want to make a package to deploy the paid for Sophos Anti-Virus 9 for Mac you do the following
Download the standalone Sophos SAV9 installer,
Run the command line tool to embed the Sophos Update Credentials,
Use my modified script as per Richard's original instructions (instead of Richard's script)
You can then deploy the resulting package via ARD or locally run it. It will uninstall any previous versions of Sophos and replace with SAV9 and will also set the update credentials you defined as above.
I was using Sophos Update Manager (SUM) which ran on a Mac server but only supported SAV8, I have used the package I built as per this post to upgrade all our Macs to SAV9 and get them now to update directly from Sophos' servers since there is unfortunately no Mac replacement for SUM.