Deploying Sophos Anti-Virus for Mac

jelockwood
Contributor

Sophos have gone from being one of the best Mac enterprise anti-virus solutions to (perhaps) the worst. Grrr.

Multi-platform organisations are likely to have a Windows server (or more than one) and can therefore run Sophos Enterprise Console to create and manage a Mac installer for Sophos Anti-Virus. I have done this in previous companies.

Previously Mac only organisations could use Sophos Update Manager to do much the same on a Mac server. Unfortunately SUM only supports SAV8 and does not support SAV9. SAV8 is being discontinued in April 2014 and does not officially support Mavericks. It is therefore urgent to move all Macs to SAV9 by April 2014.

If you have no Windows Server, and can no longer use SUM, this leaves two more possibilities. First, you could use the standalone SAV9 installer. It is even possible to pre-configure the auto-update account details for this. Unfortunately Sophos have made this installer an application and not an installer package. As a result it cannot be deployed using Apple Remote Desktop, Casper, Munki, or any other Mac management tool. (The application needs to be run as an application on each client Mac to do the actual installation.) This stupid design is like the equally stupid approach taken by Adobe and Flash. However, at least with Adobe Flash you can, if you look hard enough, find a standard package file to install Flash.

The final possibility, and the one Sophos are pushing Mac-only customers to, is to sign up for an extra-cost subscription to Sophos Cloud. This does let you manage your Macs via the Cloud, and it does let your Macs update directly from Sophos, but a) the website for Sophos Cloud is not 100% Safari friendly, and much more importantly b) the installer it produces is yet again an application and not an installer package!

The only approach that still gives you a proper installer package is via Sophos Enterprise Console running on a Windows server.

Other than Sophos Enterprise Console has anyone else found a solution to let you mass deploy SAV9?

Note: Yes if you install SAV9 manually on a Mac and then make a monolithic master disk image that would work, however I like many others now prefer to use a thin imaging approach (via InstaDMG or AutoDMG).


wmateo
Contributor

@jelockwood I might try your method. However, what about the Sophos Installer Components? Do you still need them with the .mpkg? I didn't see mention of that.

jelockwood
Contributor

@wmateo My method is known to work with the Sophos Home Edition and the Sophos Standalone Edition, it might in theory also work with the Sophos Cloud Edition. It has not however been tested with the Enterprise Console Managed version.

I have not had access to Sophos Enterprise Console for quite some time which is why I had to find a way of creating a standard Apple installer package approach for deployment. My approach is based on a script originally written by @rtrouton you could try my modified version as the basis for a solution. The address for it is listed earlier in this discussion.

bentoms
Release Candidate Programs Tester

@wmateo You'll need the installed components directory to be in the same enclosing folder as the folder the Sophos Enterprise Console's installer is in.

For ease, I'd copy the ESCOSX folder (or whatever it's called).

To test, move the installed components folder to another location & try the install via the GUI.

wmateo
Contributor

@bentoms Thank you for that. I tried to install the .app with the components folder elsewhere and it failed, so I have to package everything into one folder, then deploy to clients, and run a post install to copy over the preferences and keychain as referenced in @rtrouton's blog. Plus I have to use a removal script that uninstalls 8.x and 9.1.x versions as well. I thank Sophos for keeping me employed! There is a positive in this!!! lol

Thanks @jelockwood I will def take pieces from your removal script.

bentoms
Release Candidate Programs Tester

@wmateo FWIW, I didn't need to copy over the plist or keychain.

But I'm not doing an upgrade.

wmateo
Contributor

@bentoms hmm. I will check that out and perform some more testing. I did read somewhere that if you are copying it from the ESCOSX (or whatever) folder, it's supposed to have those AutoUpdate folder settings for my Enterprise Console.

rtrouton
Release Candidate Programs Tester

I have a post on how I'm deploying Sophos 9.2.x for Enterprise available from here:

https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/

wmateo
Contributor

@rtrouton thanks!!

wmateo
Contributor

@rtrouton just tried your method and it worked pretty well. Thank you for posting that.

tuinte
Contributor III

Where is this mpkg on SEC that people are referring to? CIDs/S000/ESCOSX has Sophos Installer.app not a mpkg. Is it somewhere else?

rtrouton
Release Candidate Programs Tester

@tuinte,

Sophos recently changed the Enterprise installer so that it's no longer an installer package. I have a post on how I'm repackaging the install.app and deploying Sophos 9.2.x for Enterprise available from here:

https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/

casper100
New Contributor II

@tuinte Yeah, what @rtrouton said. I did my proof of concept for Sophos AV/SEC on the former package and just when I was waiting for my purchase order to go through (February, I believe) the "recommended" version changed to the app installer. It was with a bit of trepidation that I tried Rich's method (I, of limited scripting ability - and ugh, have to learn another 3rd party tool). It was more simple than I imagined (Rich did all of the heavy lifting for us) and the resulting installer worked great for my entire deployment via policy.

CasperSally
Valued Contributor II

With our renewal it comes with hours for a service engagement. I requested help building a Sophos installer pkg and have something scheduled for early June. I'm curious what they come up with or suggest. I know I have Rich's method to fall back on.

tuinte
Contributor III

Thanks all for the info. I built a package using Rich's method, and got it working, though I then stumbled across this Sophos article that gives the automatable command-line method of installing the Sophos Installer app. And this article details how to pre-configure the installer so it has all the server connection info included and enables On-Access scanning (which we require). I got this working, and, to me, it's simpler.

bbot
Contributor

Awesome post. This helped me with configuring my Deploy Studio imaging software.

I'm noticing it takes about 15-20 minutes for the machines to show up in Sophos Enterprise Console. Is there a command that'll force it to check in with the SEC as soon as it installs?

gregneagle
Valued Contributor

Rich writes: "Sophos recently changed the Enterprise installer so that it's no longer an installer package."

I have a hard time understanding how something that's not an install package can be considered (or called) an "Enterprise installer" #idonotthinkthatmeanswhatyouthinkitmeans

Keep complaining and filing issues with Sophos.

rtrouton
Release Candidate Programs Tester

To clarify, I called it the Enterprise installer to associate it with the Sophos Enterprise product. Likewise, Sophos also has a Home installer and a Cloud installer.

BrysonTyrrell
Contributor II

I'm trying to do a simple pkg that wraps the Sophos Cloud install app and there has to be something I am completely missing.

If I take the app and support plist from the zip file and run the terminal install command, everything is fine. It downloads and installs silently in the background without issue.

Once I take that line and put it into the postinstall of my new package it no longer works. The last thing to show up in the install.log is:

Sophos Bootstrap[382]: [SMESophosBootstrapAppDelegate.m:1329] System Verified

After that nothing happens. The content is supposed to be downloaded at this point but the process will hang indefinitely (the only other log entry that would show up after this is the notification that the install is complete). Can anyone help me out with what might be going on here? I feel like I'm missing something obvious.

rtrouton
Release Candidate Programs Tester

@brysontyrrell Can you post a sanitized postinstall somewhere that folks can take a look at it?

BrysonTyrrell
Contributor II

@rtrouton

I have pared it down to just this without success:

#!/bin/bash

policy="SophosCloud"
loggertag="jamfsw-it-logs"

# IT logging
log() {
echo "$1"
/usr/bin/logger -t "$loggertag: $policy" "$1"
}

# TRAP statement and cleanup items upon EXIT
cleanup() {
log "Starting cleanup"
log "Removing temp files"
/bin/rm -r /private/tmp/SophosInstall
}

trap cleanup exit
log "Installing Sophos Cloud"
# The bundle and executable names contain spaces, so the path must be quoted
"/private/tmp/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install

log "Running Recon"
/usr/sbin/jamf recon || log "jamf error code $?: There was an error running Recon"

exit 0

rtrouton
Release Candidate Programs Tester

Just out of curiosity, is there also a tools directory located in /path/to/Sophos Installer.app/Contents/MacOS/ ?

The reason I'm asking is that running the install application from /path/to/Sophos Installer.app/Contents/MacOS/ on Sophos 9.1.x and later will cause the Sophos install application to launch in the dock and interfere with a normal installation via installer package.

BrysonTyrrell
Contributor II

There is. The /tools/ directory contains the com.sophos.bootstrap.helper file that is launched when invoking '--install'.

rtrouton
Release Candidate Programs Tester

OK. In other Sophos installers, there's another copy of the Sophos InstallationDeployer install application located inside of tools, and ../tools/InstallationDeployer is the one that can be used by an installer package.

lionelgruenberg
New Contributor III

@brysontyrrell what version of the Sophos Installer.app are you using in your custom pkg?

BrysonTyrrell
Contributor II

I checked out the Home app and I see that. I'm guessing that the Enterprise version has that as well?

Their Cloud installer doesn't seem to line up with the other two.


BrysonTyrrell
Contributor II

@lionelgruenberg

The app's version is 9.3.1

lionelgruenberg
New Contributor III

@brysontyrrell Can you try installing from a different directory? I use the JAMF Waiting Room for Sophos Cloud.
This is in my postinstall script:

"/Library/Application Support/JAMF/Waiting Room/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install

corbinmharris
Contributor

I just use the instructions provided by Sophos -

https://www.sophos.com/en-us/support/knowledgebase/33050.aspx

Launch Composer before I start the install and configuration. Must not be connected to the network when setting up the update preferences. Quit Sophos and reconnect to the network, then add to the Admin and then push out to a test MBP. The final package is almost 200 MB, so take that into consideration.

Corbin

mkremic
New Contributor III

@brysontyrrell I literally repackaged our Sophos installer 2 days ago...

+1 to @lionelgruenberg about using a different directory.

I started by trying to package the installer in /private/tmp so it would be cleared on a reboot and it would just sit for hours and hang.

Ended up repackaging so it was in /Users/Shared/Downloads with a postflight script:

sudo "/Users/Shared/Downloads/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install

and it worked first go. Installed in a matter of minutes. Hope that helps! Our old package was a pre and post capture of a full install and it was a bit of a hit and miss on some of our Macs. This is much cleaner.

Cheers

BrysonTyrrell
Contributor II

@lionelgruenberg @mkremic

Can someone save my sanity and explain to me why executing the Sophos silent install from /Users/Shared/ is different from /private/tmp/? This doesn't make any sense to me!

(yes, that worked moving it out of /private/tmp/)

lionelgruenberg
New Contributor III

@brysontyrrell Can't explain why but hopefully this saves your sanity... Here is a rough way to execute the silent install from /private/tmp

Create a custom Sophos Install package and include a script to kick off the silent install at /private/tmp/SophosInstall/install_sophos.sh:

#!/bin/bash
"/private/tmp/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install

Execute the install_sophos.sh script from a postinstall script in your custom Sophos Install package:

#!/bin/bash
/private/tmp/SophosInstall/install_sophos.sh
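The posts above (Bryson's hanging postinstall, Rich's question about the tools directory, and the /Users/Shared versus /private/tmp reports) all come down to how the silent install is invoked from a package script. The following is an added example, not code from any poster or from Sophos: a postinstall helper that checks the staging layout the thread describes (the "Sophos Installer.app" bundle with the "Sophos Installer Components" folder beside it), refuses a /private/tmp staging path because of the hang reported above, runs the installer with the path properly quoted, and logs the exit status. The logger tag, the function names and the exit codes are assumptions; the `--install` flag and folder names are as given in the thread.

```shell
#!/bin/bash
# Added example, not from the thread or from Sophos. A postinstall helper that
# stages and runs the Sophos silent install. Folder names and the --install
# flag come from the discussion; everything else here is an assumption.

LOGGER_TAG="sophos-postinstall"   # assumed tag, pick your own

log() {
    echo "$1"
    # logger may be absent on a non-macOS test box; never let logging fail the install
    /usr/bin/logger -t "$LOGGER_TAG" "$1" 2>/dev/null || true
}

# Refuse a staging directory under /private/tmp, where posters saw the
# bootstrap hang after "System Verified". (On macOS /tmp resolves to
# /private/tmp, so stage under /Users/Shared or the JAMF Waiting Room instead.)
check_stage_dir() {
    case "$1" in
        /private/tmp|/private/tmp/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Verify the layout the installer expects: the app bundle and the components
# folder side by side in the same enclosing directory.
check_layout() {
    stage="$1"
    [ -x "$stage/Sophos Installer.app/Contents/MacOS/Sophos Installer" ] || return 1
    [ -d "$stage/Sophos Installer Components" ] || return 2
    return 0
}

# Run the silent install from the staging directory. The bundle and executable
# names contain spaces, so the path must be quoted or the shell splits it into
# two arguments (the bug in the unquoted one-liners earlier in the thread).
# Returns the installer's exit code, or 1/2/3 for the checks above.
run_sophos_install() {
    stage="$1"
    if ! check_stage_dir "$stage"; then
        log "Refusing to install from $stage: /private/tmp is reported to hang"
        return 3
    fi
    rc=0
    check_layout "$stage" || rc=$?
    case "$rc" in
        1) log "Installer executable not found under $stage"; return 1 ;;
        2) log "Sophos Installer Components folder missing beside the app"; return 2 ;;
    esac
    log "Starting Sophos silent install from $stage"
    rc=0
    "$stage/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install || rc=$?
    if [ "$rc" -eq 0 ]; then
        log "Sophos install finished"
    else
        log "Sophos installer exited with code $rc"
    fi
    return "$rc"
}

# Typical postinstall use (assumed staging path):
#   run_sophos_install "/Users/Shared/SophosInstall"
```

Because the helper returns the installer's own exit code, a Jamf policy or Munki postinstall can fail loudly instead of hanging silently, and the checks catch the two mistakes the thread documents (components folder not alongside the app, staging under /private/tmp) before anything is launched.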

DanJ_LRSFC
Contributor III

I managed to create a Sophos package just fine, but what about changing the update server configuration on an already-installed copy of Sophos? Is there a way to do that from a script, as installing the new package over the top of the old one does not have any effect?

emily
Valued Contributor III

It's built into a plist, so I would imagine you could deploy the plist to machines to update that info. Check out @rtrouton's post if you haven't already: https://derflounder.wordpress.com/2015/06/17/revisiting-sophos-enterprise-anti-virus-for-mac-9-2-x-d...

stevewood
Honored Contributor II

@DanJ_LRSFC you may want to have a look at this Sophos article on how to create a pre-configured installer:

How to create a pre-configured installer containing updating and On-Access scanning options

That's the process I use to create the PKG for our install.

jelockwood
Contributor

@DanJ_LRSFC As @stevewood mentions you can create a pre-configured stand-alone installer as per that Sophos article. As @emily mentions @rtrouton has done an excellent job of detailing how to deploy a pre-configured managed copy of the Sophos installer.

(Is this a record for the number of people referenced ;) )

What you can do when deploying a pre-configured stand-alone copy of the Sophos installer (via a package) is to have a pre-install script which uninstalls any existing copy first; this ensures the newly installed copy is not contaminated by old settings. This is how I do it.