Deploying Sophos Cloud

New Contributor III

I am having some issues deploying Sophos Cloud on Sierra after upgrading machines from LCAP. Does anyone have any advice on managing the client and keeping it updated, or the best way to deploy it to users?


New Contributor III

Hello. We actually are in the process of moving from Sophos on-prem to cloud and have had success with the following. First, I have the below script run to remove the on-prem version.

"/Library/Application Support/Sophos/opm/" --remove --tamper_password 'tamperpassword_here'

Then I made a pkg using the .app file you download from your Sophos Central portal. The pkg copies the files in the app to /tmp. I then run

sudo "/tmp/SophosInstall/Sophos Installer" --install

from a script and everything seems to work perfectly.

Contributor II

I drop the whole Sophos install folder that you download from your Central portal, packaged as a dmg, to the /Library/ApplicationSupport/JAMF/

then do the chmod command and install (see KB article below for more details)
sudo chmod a+x "/Library/ApplicationSupport/JAMF/SophosInstall/Sophos Installer"
sudo chmod a+x /Library/ApplicationSupport/JAMF/SophosInstall/Sophos
"/Library/ApplicationSupport/JAMF/SophosInstall/Sophos Installer" --install

here is the KB article on it -

New Contributor II

So I've been pulling my hair out dealing with this problem for the last few days. It seems they changed the Sophos between Aug 2017 and October 2017. With Sophos Endpoint 9.6.6, I had to use the following script:

chmod a+x /Library/ApplicationSupport/JAMF/SophosInstall/Sophos
/Library/ApplicationSupport/JAMF/SophosInstall/Sophos --install

The current documentation seems to be here:

New Contributor II

I ran the below script, which successfully installed on my Mac clients without any user interaction.

Add the installer URL (I obtained this by logging into Sophos Central (Cloud), and "send installers to users" to myself, then copied the URL from that email).


cd /tmp/
rm -R Sophos
curl -O "PASTE_URL_HERE"
unzip &> /dev/null
chmod -R +x /tmp/Sophos
"/tmp/Sophos Installer" --install
rm -R Sophos

exit 0

New Contributor III

This is what we use. I built in a check for our proxy.

#!/bin/bash
## postinstall

# Created By Mann Consulting - 2015
# Last Update: 
# 6/22/2015 - Will Green - Modify installation codeblock to pipe output to logfile and send relevant run to JSS
# 4/27/2015 - Isaac Ordonez - Remove Sophos Anti-Virus.localized if detected
# 3/30/2015 - Isaac Ordonez - Added headers and notes.
# 3/15/2015 - Lee Rahn - Identified installing after zip command caused machine to kernel 
# panic.  Used ditto to unzip the archive to resolve.

# ToDo

# Summary
# This script will automatically download and install Sophos Cloud without the need for a 
# Distribution Point of any kind.  The script will detect previous versions of Sophos 8 or
# Sophos 9 and uninstall if necessary. 

# Usage
# Upload the raw script to your JSS and set Parameter 4 label to "Sophos Download URL"
# When creating a policy to run the script copy the download URL for your
# Sophos Cloud installer.  You can find this by logging into
# choosing downloads in the upper right hand corner and copying the URL for the
# Mac OS X Installer link.  It should look something like 

#Exit Codes:
# 0 = Successful
# 1 = Installer Failed too many times, or a generic failure not defined by the script
# 2 = Variable 4 Not Set

### Variables & Arguments ###

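if [[ $4 == "" ]]; then
        echo "FATAL: Variable 4 not set! You must provide the Sophos Download URL for variable 4."
        exit 2
fi

# Parameter 7: maximum number of install attempts (default 3)
MaxSAVInstallAttempts="$7"
if [[ $7 == "" ]]; then
        echo "WARN: Variable 7 (Max Install Attempts) not set! Using default of 3."
        MaxSAVInstallAttempts=3
fi

# Parameter 8: path of the installer log
SAVInstallLog="$8"
if [[ $8 == "" ]]; then
        echo "WARN: Variable 8 (Sophos Installer Log Path) not set! Using default of /tmp/SophosAVInstallerLog.log"
        SAVInstallLog="/tmp/SophosAVInstallerLog.log"
fi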

### Main Script ###

# Remove Sophos 8 if uninstaller is available

#if [ -d "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
#   echo "Removing old Sophos 8 installation..."
#    sudo defaults write /Library/Preferences/com.sophos.sav TamperProtectionEnabled -bool false
#   installer -pkg "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /

# Remove Sophos 9 if uninstaller is available in opm-sa

#if [ -e "/Library/Application Support/Sophos/opm-sa/" ]; then
#    echo "Removing old Sophos 9 installation..."
#   sudo defaults write /Library/Preferences/com.sophos.sav TamperProtectionEnabled -bool false
#   "/Library/Application Support/Sophos/opm-sa/" --force_remove

# Remove Sophos 9 if uninstaller is available in saas
#if [ -e "/Library/Application Support/Sophos/saas/" ]; then
#    echo "Removing old Sophos 9 installation..."
#   sudo defaults write /Library/Preferences/com.sophos.sav TamperProtectionEnabled -bool false
#   "/Library/Application Support/Sophos/saas/" --force_remove

# Sometimes Sophos uninstaller leaves junk behind causing casper to incorrectly report version.  Remove this file if detected.
if [ -d "/Applications/Sophos Anti-Virus.localized" ]; then
    rm -R "/Applications/Sophos Anti-Virus.localized"
fi

# Download and unzip the Installer to /tmp

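echo "Downloading and Unpacking Installer..."

# Check access to network
ping -c 2 "$5" > /dev/null
ping_result=$?

    # If the pings failed, download directly; otherwise go through the proxy in $6.
    # curl -k skips TLS certificate verification of the download server.
    if [ "${ping_result}" != 0 ]; then
        echo "No Proxy Used" &
        curl -k -o /tmp/ "$4" 
    else
        echo "Using Proxy" &
        curl -k -x "$6" -o /tmp/ "$4" 
    fi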

sudo ditto -xk /tmp/ /tmp
sudo rm /tmp/

# Run Sophos Cloud Installer from /Users/Shared/
sudo chmod +x "/tmp/Sophos Installer"

SAVInstallAttempts=0
while [[ $SAVInstallAttempts -lt $MaxSAVInstallAttempts ]]; do

    # Run the Installer, pipe the output to $SAVInstallLog (overwriting any contents), and immediately save the exit code as a variable so it isn't overwritten by subsequent commands
    echo "Running Installer..."
    sudo "/tmp/Sophos Installer" --install &> "$SAVInstallLog"
    SAVInstallExitCode=$?
    echo "Sophos installer exited with code $SAVInstallExitCode"

    #  If the install was successful, dump the log output and exit with a successful code
    if [[ $SAVInstallExitCode == 0 ]]; then
        echo "SAV install appears successful! Installer output:"
        echo $(cat "$SAVInstallLog")
        echo "-------"
        echo "Install appears to be successful. Review the log output above for details. Exiting!"
        exit 0

    # If it failed, increment $SAVInstallAttempts, and retry
    elif [[ $SAVInstallExitCode -ge 1 ]]; then
        let SAVInstallAttempts=$SAVInstallAttempts+1
        echo "WARN: The Sophos install was unsuccessful."
        echo "-------"
    fi
done

# If we're down here, then the installer failed too often. Log and exit.
echo "FATAL: The Sophos installer has failed too many times."
echo "Detailed logs are on the client at /var/log/installer.log. Less detailed logs below:"
echo $(cat "$SAVInstallLog")
echo "-------"

echo "The install has failed. Exiting."
exit 1

New Contributor II

Thank you for posting this! It made today much easier!

New Contributor

Has anyone experienced the "Approve" message for the Sophos extension in System Preferences prompted during Sophos Cloud install? Has anyone had any success installing it while bypassing this? Thanks!

New Contributor III

@ralves This is an Apple change. You have to approve the KEXT -

You can approve the KEXT in a Configuration Profile. The ID is 2H5GFH3774. You might also find the post helpful - Post
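
Added example, not from any of the posts above: the scripts in this thread download an installer and run it as root, so one check to place between unpacking and `--install` is that the app bundle's code signature is valid and carries the Team ID quoted in the last post. It assumes the installer app is signed with that same Team ID; the function names, the sample output and the app path are hypothetical.

```bash
#!/bin/bash
# Added example: refuse to run a downloaded installer unless its code
# signature is valid and carries the expected Apple Team ID.

EXPECTED_TEAM_ID="2H5GFH3774"   # Team ID quoted in the thread

# Pull the TeamIdentifier value out of `codesign -dv` output read from stdin.
team_id_from_codesign() {
    awk -F= '$1 == "TeamIdentifier" { print $2; exit }'
}

# Succeed only if the output names exactly the expected Team ID.
# Unsigned or ad-hoc signed code ("not set") and missing fields both fail.
team_id_matches() {
    local output="$1" expected="$2" found
    found="$(printf '%s\n' "$output" | team_id_from_codesign)"
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Check an app bundle on disk (macOS only: needs /usr/bin/codesign).
verify_installer() {
    local app="$1" details
    # --deep --strict also checks nested code and rejects a modified bundle.
    if ! /usr/bin/codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FATAL: signature missing or invalid: $app" >&2
        return 1
    fi
    # codesign writes the -dv details to stderr, so merge it into stdout.
    details="$(/usr/bin/codesign -dv "$app" 2>&1)"
    if ! team_id_matches "$details" "$EXPECTED_TEAM_ID"; then
        echo "FATAL: unexpected Team ID on $app" >&2
        return 1
    fi
}

# Constructed sample of `codesign -dv` output, for trying the parser offline.
SAMPLE_OUTPUT='Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=2H5GFH3774
Sealed Resources version=2 rules=13 files=42'

# In a deployment script, call this after unpacking and before --install:
#   verify_installer "/path/to/unpacked/Installer.app" || exit 1
if [ -n "${1:-}" ]; then
    verify_installer "$1" && echo "OK: $1 is signed by $EXPECTED_TEAM_ID"
fi
```

With this check in place the download no longer depends on the transport alone: a bundle that was swapped or altered in transit fails the signature or Team ID test before anything runs as root.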