Sophos Cloud installs

boanes
New Contributor III

I've seen a number of postings regarding installing Sophos Central (including https://www.jamf.com/jamf-nation/discussions/12348/script-to-launch-sophos-cloud-installer which ultimately points to a derflounder post) but I'm not having any luck at all with getting things to work...

Can someone help me out a bit? Have things changed since the referenced post?

1 ACCEPTED SOLUTION

dmarcnw
New Contributor III

I assume you're trying to get Sophos Cloud installed from what I gather?

Here's what we do:

  1. Create a folder called sophos inside of /private/var/tmp (e.g. /private/var/tmp/sophos)
  2. Download your Sophos installer from cloud.sophos.com. Take the contents of the download and copy it to /private/var/tmp/sophos (copy Sophos Installer.app and Sophos Installer Components folder).
  3. Drag and drop the sophos folder into Composer. Make sure permissions are correct from the parent folder.
  4. Open the package source on the left to show the Scripts folder and right click on Scripts.
  5. Right click on Scripts and choose Add Shell Script > postinstall.
  6. Use my postinstall script as a guide:
#!/bin/sh
## postinstall
#
# Created using this Sophos KB article:
# https://community.sophos.com/kb/en-us/14179#v9.2+
#
# The installer path contains spaces, so it must be quoted.
sudo "/private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
status=$?
#
# Remove installer
/bin/rm -rf /private/var/tmp/sophos

# Report the installer's own result: 0 = success, non-zero = failure
exit $status

Hope this helps. It works as a normal pkg for Casper or ARD.


102 REPLIES

macbentosh
New Contributor III

Adapted these settings into my script and I am seeing the JAMF process that kicks off the install fail and prevent any other tasks from running. If I kill the pid for the jamf process that started the install it will move along.

ccsshelpdesk
New Contributor III

I have also come across this issue this week, but only sometime after 09/21/18, as we prepped 10 new iMacs on this date and they all installed fine. If I run the installer manually it installs fine. But if I use my script or manually run /Users/Shared/Sophos Installer.app/Contents/MacOS/Sophos Installer --install it hangs forever at "Starting Sophos Bootstrap Installer".
I have checked the /library and /library/Application Support permissions and all look fine.

I've only noticed this week, as we are configuring an Adobe update server and a new test machine, and we are getting no software due to this.

I think my next step is Sophos support.

Anyone have any luck?

My script is:

cd /Users/Shared/ || exit 1
# Clear leftovers from a previous run
rm -Rf Sophos*
curl -O https://szss-gpi-arn-wu-west-1-4af2.api-upe.p.hmr.sophos.com/api/download/11c15480cfcc24e4badf2da8cf81ae3b/SophosInstall.zip
unzip SophosInstall.zip > /dev/null 2>&1
# Paths contain spaces, so they must be quoted
chmod -R +x "/Users/Shared/Sophos Installer.app/"
"/Users/Shared/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
rm -Rf Sophos*

exit

stevewood
Honored Contributor II

@ccsshelpdesk @macbentosh we started to see this behavior back in August. We too have been utilizing a script provided by Sophos:

#!/bin/bash
# Date: 19 Mar 2018
#
# modified: 11 Jul 2018 - changed download URL to https://dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com/api/download/71ad97dba3bb650032be8175fa113153/SophosInstall.zip
#       Previous URL: https://dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com/api/download/f2a28a2655db28e94087b78bac512b56/SophosInstall.zip

# Grab the token from parameter 4
token_id=$4;
# grab agency code
agency_code=$5;
# sophos server
sophos_server="";

cd /tmp

if [[ -d "/tmp/Sophos Installer.app" ]]; then
    rm -rf /tmp/Sophos*
fi

if   [[ "$agency_code" == "GB-TBW-149" ]] || [[ "$agency_code" == "GB-TBW-EGP" ]] ||
     [[ "$agency_code" == "GB-TBW-INT" ]] || [[ "$agency_code" == "GB-TBW-LON" ]] ||
     [[ "$agency_code" == "GB-TBW-MAN" ]] || [[ "$agency_code" == "GB-TBW-MOT" ]] ||
     [[ "$agency_code" == "GB-TBW-TWW" ]] || [[ "$agency_code" == "GB-TBW-UKG" ]] ||
     [[ "$agency_code" == "GB-BBD-AMV" ]] || [[ "$agency_code" == "GB-BBD-BBD" ]] ||
     [[ "$agency_code" == "GB-BBD-RED" ]] || [[ "$agency_code" == "GB-BBD-CED" ]] ||
     [[ "$agency_code" == "GB-BBD-PRX" ]] || [[ "$agency_code" == "GB-DAS-PRX" ]] ||
     [[ "$agency_code" == "GB-DDB-IBL" ]] || [[ "$agency_code" == "GB-DDB-HMK" ]] ||
     [[ "$agency_code" == "GB-DDB-AED" ]] || [[ "$agency_code" == "GB-DDB-TRI" ]] ||
     [[ "$agency_code" == "GB-DDB-GUT" ]] || [[ "$agency_code" == "GB-DDB-EUR" ]] ||
     [[ "$agency_code" == "GB-DDB-REM" ]] || [[ "$agency_code" == "GB-DDB-HAY" ]] ||
     [[ "$agency_code" == "GB-DDB-TRA" ]] || [[ "$agency_code" == "GB-DDB-POD" ]] ||
     [[ "$agency_code" == "GB-DDB-AED" ]] || [[ "$agency_code" == "GB-DDB-EUR" ]] || 
     [[ "$agency_code" == "GB-DDB-REM" ]] || [[ "$agency_code" == "GB-DDB-GUT" ]] || 
     [[ "$agency_code" == "GB-DDB-HAY" ]] || [[ "$agency_code" == "GB-DDB-HMK" ]] || 
     [[ "$agency_code" == "GB-DDB-IBL" ]] || [[ "$agency_code" == "GB-DDB-POD" ]] || 
     [[ "$agency_code" == "GB-DDB-TRA" ]] || [[ "$agency_code" == "GB-DDB-TRI" ]] || 
     [[ "$agency_code" == "GB-DDB" ]] ; then
    sophos_server="https://mcs-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/management/ep";
elif [[ "$agency_code" == "GB-DAS-RAP" ]] || [[ "$agency_code" == "GB-DAS-COD" ]] ; then
    sophos_server="https://dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com/sophos/management/ep";
else
    sophos_server="https://dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com/sophos/management/ep";
fi


# download the installer and unzip

# Old URL
#curl -O https://dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com/api/download/f2a28a2655db28e94087b78bac512b56/SophosInstall.zip

# new URL as of Jul 2018
curl -O https://dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com/api/download/71ad97dba3bb650032be8175fa113153/SophosInstall.zip
unzip SophosInstall.zip

# Paths contain spaces, so they must be quoted
chmod a+x "./Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod a+x "./Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"

# replace the token ID in the downloaded files with the token ID we need to install
plutil -replace RegistrationToken -string "$token_id" "./Sophos Installer Components/SophosCloudConfig.plist"
# replace the server in the downloaded files with the sophos_server we need to install
plutil -replace RegistrationServerURL -string "$sophos_server" "./Sophos Installer Components/SophosCloudConfig.plist"

"./Sophos Installer.app/Contents/MacOS/Sophos Installer" --install &

exit 0

Because we have multiple Sophos tenants (consoles) with different Registration Tokens, we pass the token as Parameter 4 and swap it out with what gets downloaded.

We opened a case with Sophos, but they did not have anything for us. They wanted us to collect some trace logs while their installer was running, but shortly after opening the case the problem kind of went away. We would see it on some machines but not others, often times on the same network.

The behavior was that the installer would start and would initiate the bootstrap process. At that point it would appear to hang. Sometimes it would hang for a few minutes, sometimes an hour or two, and in a few cases we saw it hang for over 24 hours. This was causing our provisioning process to hang as well, and our techs were starting to hard reboot in the middle of provisioning.

We made the decision to pull the Sophos installer out of provisioning and make it a policy set to "Ongoing" with an exclusion group of "Sophos Installed". That way if any device did not have Sophos, Sophos would get installed. We also made the decision to let Sophos run in the background by using the ampersand (&) at the end of the installer call:

"./Sophos Installer.app/Contents/MacOS/Sophos Installer" --install &

That allowed the policy to complete and not hold up other policies while the Sophos installer finished. This worked well up until about a week or two ago and we started getting reports of Sophos never installing. So, I'm about to re-open our case with them and try to grab some trace logs that they wanted, and point them at this post so hopefully we'll get some juice.

If you have a contract with Sophos, I would highly suggest opening a case and referencing this post. I will try to come back and post our case # here, if I get one, so that we can pile on.

damienbarrett
Valued Contributor

Ditto on all of this, Steve. We also started seeing this behavior in August. Also, intermittently, with no clear reason why Sophos would install on some machines but not others, or why the installer would hang.

Quite frankly, I've become quite unhappy with Sophos over the last few years. There are better products out there, with software teams that can build a proper .pkg installer. I'm replacing my entire fleet in June 2019 and if Sophos can't straighten out their installer mechanism -- so that I don't have to script ridiculous workarounds to make it work as expected -- then our Sophos contract will be terminated and replaced with a vendor that is paying attention to the Mac platform. I'm looking at Cylance, Malwarebytes Breach Remediation, and perhaps Avast. (recommendations welcomed).

kadams
Contributor

So as of right now, the solution is to make Sophos a policy and have it run based on a smart group? We used to have it set to recurring checkin. The policy would run in terminal after doing a sudo jamf policy. All of our policies would run the same way. I decided to automate this and have all policies run during enrollment. I have one policy running during enrollment and it fetches other policies. Sophos was the problem in this matter. Sophos would hang and other policies wouldn't execute because of that. Once I took out Sophos everything else ran. As of right now I changed Sophos to have run during recurring checkin.

stevewood
Honored Contributor II

@kadams It's not necessary to have Sophos install as a policy scoped to a Smart Group; the solution is to have the install run as a background process (Bg, Fg, &, Ctrl-Z – 5 Examples to Manage Unix Background Jobs) by adding the ampersand & to the end of the install command:

"./Sophos Installer.app/Contents/MacOS/Sophos Installer" --install &

By running the install command as a background process the jamf binary does not get "stuck" waiting for Sophos to finish installing. Instead the policy will complete even though Sophos is still installing on the machine.

The reason I took Sophos out of our provisioning and instead made it a policy scoped to a group of machines, was so that I could keep Sophos installed on the machines, and not have to worry about it making my provisioning stick.

Our Sophos install policies (we have multiple Sophos consoles, like close to 100 or more):

  • use Parameter 4 to add the Registration Token that identifies the Sophos console
  • they are scoped to a group of machines (Smart Group that identifies the agency (business unit) that it applies to)
  • has an exclusion group of "Sophos Installed" so that if Sophos is already on the device the policy will not run
  • is set to "Once per Day"
  • set to update inventory

We originally had this set to "Ongoing" but because the installer was still running on the machine, and the inventory did not reflect Sophos as installed, at the next check-in (or network state change) the Sophos install policy would kick off again. So we changed it to "Once per day" and we haven't had that problem since.

@damienbarrett and others, I did hear back from Sophos today. I do not have a case # yet, but I did get this from them:

This looks to be related to something we may be tracking and working on already. Once I get your logs etc into the case, I’ll have it reviewed by our GES team. They’ll be able to confirm for us if it’s the same issue, and provide updates on that investigation and any related fixes.

So it looks like they're aware, now we just need everyone to open cases with Sophos so they are really aware of the scope.

ccsshelpdesk
New Contributor III

I have reported to Sophos and am awaiting a response. My case number is 8413722.

If I get any info I will post back.

pservedio
New Contributor

Not sure if this is related to the recent problems with installing Sophos anyone is having but figured I'd share anyway. At my job we started noticing issues installing and updating Sophos around 10.9.18. Had a case open with Sophos. Couldn't install using terminal with the bootstrap hang and also couldn't install with the manual installer as the download would hang at 23mb downloaded. My ISO department found that something in the file being downloaded triggered an Adobe Acrobat threat that, if true, allowed elevated privilege access. This had to be whitelisted on our firewall. Once it was, installs were successful all around.

stevewood
Honored Contributor II

We did get a case open with Sophos (8417423) and they have come back asking for some more testing. They did indicate that an updated installer was released this past Tuesday that is supposed to remedy the problem. So for all of you out there having this issue, give it a try and report back if you are no longer seeing the issue.

We removed the ampersand that we were using to put the install in the background, and now I am just waiting on feedback from the field.

macbentosh
New Contributor III

Still having an issue with this. I have to kill the jamf process that starts the install policy...

kevinwilemon
New Contributor III

@macbentosh Which version of the Sophos Installer are you using? 1.2.1 was supposed to resolve the issue (and solved it for us and I've heard the same from others in MacAdmins).

The current installer is 1.2.2, I believe.

macbentosh
New Contributor III

@kevinwilemon the installer is being curled every time.

Gabrielson
New Contributor II

Have not had any luck at all deploying Sophos with Jamf. Followed dmarcnw's suggestions but no luck. Simply get an error in Self Service. Policy is configured with a .pkg. Interesting that a couple of weeks ago I configured Sophos this way with a .dmg created in composer. It worked for a while. Now that policy does not work either. Sophos has offered zero help as expected. Am I missing something?

stevewood
Honored Contributor II

@Gabrielson the method I posted up the discussion a bit, to use a script provided by Sophos, still works for us to this day. Once Sophos fixed their installer late last year we no longer have a need to run the script in the background. Instead we have a policy setup that triggers on login, logout, recurring check-in, set to frequency Ongoing with an inventory update. The script has Parameter 4 set to the registration token of the Sophos tenant we need it to go to. If you have a Sophos installer folder (Sophos Installer app with Sophos Installer Components folder), look inside the Installer Components folder and locate the SophosCloudConfig.plist file. Open the plist, or use defaults read <path to plist> RegistrationToken, to get the Registration Token. The file looks like this in an editor like TextMate:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>RegistrationServerURL</key>
        <string>https://dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com/sophos/management/ep</string>
        <key>CustomerId</key>
        <string>4615b7de-3fa5-4c2c-aecc-ce00999d1a6a</string>
        <key>RegistrationToken</key>
        <string>abcd123456yadfjweotnvadslkj12309uh98ad078234lj098audvlkiu0872134</string>
        <key>DesiredFeatures</key>
        <string>CORE, SDU, AV, SAV, DVCCNTRL, APPCNTRL, DLP, WEBCNTRL, NTP, HBT, EFW, CLEAN, XPD</string>
        <key>ProductType</key>
        <string>business</string>
        <key>GeneratedAt</key>
        <string>2018-07-10T13:38:39Z</string>
        <key>DciFileName</key>
        <string>f83b12fd5ea16a9b90da41fc358125b4</string>
    </dict>
</plist>

Copy the string on the line after <key>RegistrationToken</key>. That is your registration token. Now put that in Parameter 4 of a policy that contains the following script and is scoped to your machines. You can set the triggers to whatever, set Frequency to whatever, or you can make it a Self Service policy if you want. The script is:

#!/bin/bash

# Grab the token from parameter 4
token_id=$4;

cd /tmp

if [[ -d "/tmp/Sophos Installer.app" ]]; then
    rm -rf /tmp/Sophos*
fi

# new URL as of Jul 2018
curl -O https://dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com/api/download/71ad97dba3bb650032be8175fa113153/SophosInstall.zip
unzip SophosInstall.zip

# Paths contain spaces, so they must be quoted
chmod a+x "./Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod a+x "./Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"

# replace the token ID in the downloaded files with the token ID we need to install
plutil -replace RegistrationToken -string "$token_id" "./Sophos Installer Components/SophosCloudConfig.plist"

"./Sophos Installer.app/Contents/MacOS/Sophos Installer" --install

exit 0

That should get Sophos installed for you. Like I said, we've been using it successfully for well over a year and only had an issue when the installer itself was broken (we were seeing multiple hour installs), but ever since they fixed that, it's been golden.

Gabrielson
New Contributor II

Thanks so much for the advice. I have been traveling so did not see your response until today. I will certainly take the steps listed here and report back on my findings. Cheers!

Gabrielson
New Contributor II

This did not work for us. The script is working and installation completes as expected. The problem is when I paste the Registration Token into the Parameter 4 field and click save, the string is immediately truncated to 40 characters. It should be 64 characters as in your example. So although Sophos is installed, it never reports into Sophos Central since the key is compromised. Any ideas? Seems like a bug.

marklamont
Contributor III

I had to sort out Sophos cloud for a customer today and revised the last script slightly, I had to set the token and also the server url or it didn't register with the console, I also modified the installed products list so I added that as a variable as well.
I got all the data from the install package downloaded from the console and removed the unwanted product installs from the list contained in the DesiredFeatures key

DesiredFeatures = "CORE, SDU, CLEAN, XPD, AV, SAV, DVCCNTRL, APPCNTRL, DLP, WEBCNTRL, NTP, HBT, EFW, DISKENCRYPTION";

#!/bin/bash

# Grab the token from parameter 4
token_id=$4;
# set the cloud url
sophos_server=$5;
#required features
features_required=$6;

cd /tmp

if [[ -d "/tmp/Sophos Installer.app" ]]; then
    rm -rf /tmp/Sophos*
fi

# new URL as of Jul 2018
curl -O https://dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com/api/download/71ad97dba3bb650032be8175fa113153/SophosInstall.zip
unzip SophosInstall.zip

# Paths contain spaces, so they must be quoted
chmod a+x "./Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod a+x "./Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"

# replace the token ID in the downloaded files with the token ID we need to install
plutil -replace RegistrationToken -string "$token_id" "./Sophos Installer Components/SophosCloudConfig.plist"

plutil -replace RegistrationServerURL -string "$sophos_server" "./Sophos Installer Components/SophosCloudConfig.plist"

# The feature list contains spaces and commas, so the value must be quoted too
plutil -replace DesiredFeatures -string "$features_required" "./Sophos Installer Components/SophosCloudConfig.plist"


"./Sophos Installer.app/Contents/MacOS/Sophos Installer" --install

exit 0

Gabrielson
New Contributor II

Thanks so much for your input. We have cut ties with Sophos.

Micah_Smith
New Contributor II

So I've been running the script as @marklamont posted above, but running into an error. I've set parameters 4, 5 and 6 as described to change the values in the plist file. However, when the script runs, it results in the following error:

inflating: Sophos Installer Components/SophosCloudConfig.plist ./Sophos Installer Components/Sophos/SophosCloudConfig.plist: file does not exist or is not readable or is not a regular file (Error Domain=NSCocoaErrorDomain Code=260 "The file “SophosCloudConfig.plist” couldn’t be opened because there is no such file." UserInfo={NSFilePath=./Sophos Installer Components/Sophos/SophosCloudConfig.plist, NSUnderlyingError=0x7fa94bc0be70 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}})
2019-10-23 16:01:12.511 Sophos Installer[1035:12664] Starting Sophos Bootstrap Installer.
2019-10-23 16:01:14.060 Sophos Installer[1035:12664] Installation failed with: Failed to get deployment token. (43). See SophosDiagnostics for detailed information.

It seems like it's not able to find the plist file to begin with. Any ideas why this would be happening?
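Added example, not from any post in this thread: a variant of the scripts above that refuses to run the installer when the token in parameter 4 is truncated, the server URL is not HTTPS, or SophosCloudConfig.plist is not where expected, and that unpacks into a private mktemp directory instead of a fixed /tmp path. INSTALLER_URL is a placeholder; the 64-character token length, the function names and the exit codes are assumptions.

```shell
#!/bin/bash
# Added example (not from any post in this thread). Constructed placeholder URL:
INSTALLER_URL="${INSTALLER_URL:-https://example.invalid/SophosInstall.zip}"
TOKEN_LEN=64    # assumption: the token length reported in this thread

# Reject an empty, truncated or non-alphanumeric registration token.
valid_token() {
    case "$1" in
        ""|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq "$TOKEN_LEN" ]
}

# Accept only an https:// management server URL.
valid_server() {
    case "$1" in
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the path of the one SophosCloudConfig.plist below $1.
# Fails when there is none, or more than one, instead of guessing.
find_config() {
    local hits count
    hits=$(find "$1" -type f -name SophosCloudConfig.plist 2>/dev/null)
    [ -n "$hits" ] || return 1
    count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$hits"
}

install_sophos() {
    local token server work app plist rc
    token=$1; server=$2; rc=0
    valid_token "$token" || { echo "token missing or truncated" >&2; return 2; }
    valid_server "$server" || { echo "server URL is not https" >&2; return 2; }

    # Private, unpredictable directory instead of a fixed path in /tmp.
    work=$(mktemp -d "${TMPDIR:-/tmp}/sophos.XXXXXX") || return 3
    app="$work/Sophos Installer.app"
    (
        cd "$work" || exit 3
        # --fail turns an HTTP error page into a non-zero exit.
        curl --fail --silent --show-error --location \
             -o SophosInstall.zip "$INSTALLER_URL" || exit 4
        unzip -q SophosInstall.zip || exit 4
        # Assumes the vendor bundle is code-signed; stop if the check fails.
        codesign --verify --strict "$app" || exit 5
        plist=$(find_config "$work") || exit 6
        plutil -replace RegistrationToken -string "$token" "$plist" || exit 6
        plutil -replace RegistrationServerURL -string "$server" "$plist" || exit 6
        chmod a+x "$app/Contents/MacOS/Sophos Installer" \
                  "$app/Contents/MacOS/tools/com.sophos.bootstrap.helper" || exit 7
        "$app/Contents/MacOS/Sophos Installer" --install
    ) || rc=$?
    rm -rf "$work"
    return "$rc"
}

# Jamf passes policy parameters from $4 on; do nothing without them.
if [ "$#" -ge 5 ]; then
    install_sophos "$4" "$5"
    exit $?
fi
```

A non-zero exit makes the Jamf policy log show a failure at the step that broke, rather than an installer error about a missing deployment token.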

KyleEricson
Valued Contributor II

@Micah.Smith
I had to fix the parameters for $6 and add a new one, $7

$6= CORE
$7= intercept,antivirus

#!/bin/bash

# Grab the token from parameter 4
token_id=$4;
# set the cloud url
sophos_server=$5;
#required features
features_required=$6;
#Products
products=$7;

cd /tmp

if [[ -d "/tmp/Sophos Installer.app" ]]; then
    rm -rf /tmp/Sophos*
fi

# new URL as of Jul 2018
curl -O https://dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com/api/download/71ad97dba3bb650032be8175fa113153/SophosInstall.zip
unzip SophosInstall.zip

# Paths contain spaces, so they must be quoted
chmod a+x "./Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod a+x "./Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"

# replace the token ID in the downloaded files with the token ID we need to install
plutil -replace RegistrationToken -string "$token_id" "./Sophos Installer Components/SophosCloudConfig.plist"

plutil -replace RegistrationServerURL -string "$sophos_server" "./Sophos Installer Components/SophosCloudConfig.plist"

plutil -replace DesiredFeatures -string "$features_required" "./Sophos Installer Components/SophosCloudConfig.plist"

plutil -replace Products -string "$products" "./Sophos Installer Components/SophosCloudConfig.plist"



"./Sophos Installer.app/Contents/MacOS/Sophos Installer" --install

exit 0
Read My Blog: https://www.ericsontech.com

KyleEricson
Valued Contributor II

Also tested: this script will install on 10.15, but devices don't show in the Sophos console. So download the install files and package them up with Composer, then use this postinstall script.

#!/bin/sh

## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Paths contain spaces, so they must be quoted
chmod a+x "/tmp/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer"

chmod a+x "/tmp/SophosInstall/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"

# Exit with the installer's own status: 0 = success, non-zero = failure
"/tmp/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
exit $?
Read My Blog: https://www.ericsontech.com

mhegge
Contributor III

Are you caching the package? Because using Composer does not work for files placed in the /tmp folder.

Mr_Meaves
New Contributor II

I've been trying each of these and it all comes back to the chmod command not finding the file/directory. Can this still be deployed via JAMF?