Trying to deploy Sophos Endpoint as part of a Configuration using Imaging. With the changes to Kernel Extensions and the requirement to approve them, the current process is for the person running the Configuration to manually approve the Kext when Sophos installs and the Mac prompts. I am deploying a "Configuration Profile" which works on existing machines but doesn't apply during the Configuration. Is there a way to force the Configuration Profile to apply during the Configuration before the Sophos install?
We don't use imaging anymore, but Sophos has never worked well to deploy using imaging since it calls in to the Sophos server during installation (which it can't do during imaging), so it has to be installed post imaging.
This is how we do it: the Sophos installation is based on a smartgroup which checks if a pre-approved KEXT config is installed already (which contains the approved Sophos kext). If that exists the Sophos installation happens.
@allanp81 is correct regarding user approved mdm settings - the following might work without the profile being user approved because it's being placed by a package and set by a root user
BUT call me crazy, you can try this - off the cuff so don't hold me to it & please correct me where I'm wrong - not done coffee yet
Create a Policy. Policy will consist of a Package & Script.
Package - Create a package with the Sophos KEXT deployed to the correct directory ie. /System/Library/Extensions/SOPHOSKEXTHERE.kext
Script - Have a script run after package deployment modifying the KEXT.
pre 10.13 (I think)
    #!/bin/bash
    sudo chmod -R 755 /System/Library/Extensions/SOPHOSKEXTHERE.kext
    sudo chown -R root:wheel /System/Library/Extensions/SOPHOSKEXTHERE.kext
    sudo kextload /System/Library/Extensions/SOPHOSKEXTHERE.kext
    sudo rm -R Extensions.kextcache
    sudo rm -R Extensions.mkext
    # Make Sure To Reboot Machine to Refresh Caches
    # sudo shutdown -r now
    #!/bin/bash
    sudo chmod -R 755 /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
    sudo chown -R root:wheel /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
    sudo kextload /Library/StagedExtensions/Library/Extensions/SOPHOSKEXTHERE.kext
    sudo kextcache -i /
    # Make Sure To Reboot Machine to Refresh Caches
    # sudo shutdown -r now
A DEP-enrolled Mac (or user-approved MDM/user-initiated enrollment) is the base requirement for installing the kernel extension whitelist profiles. I would create the profile, and then use the new feature in Jamf 10.10 to have the config profile install during prestage so that it's in place before a user gets to the desktop (and Sophos is installed).