Help

Sophos Safeguard Filevault Automation

jthurwood
New Contributor III

Posted on ‎07-05-2016 02:40 AM

Hello

Has anyone been through the process of automation the latest version of Safeguard/Filevault with Casper?

The process i have from Sophos is

  1. Install Cert in System Keychain and set trust settings to always trust
  2. Install Safeguard DE pkg
  3. Drag Managed Client (Default) - Mac.zip to Safeguard Preference Pane and hit Sync

Its point 3 that i'm struggling to Automate, i'm hoping someone may have come across this before?

0 Kudos
Reply
5 REPLIES 5

macbentosh
New Contributor III

Posted on ‎07-05-2016 10:07 PM

Easy make a package that drops that file in a temp location. The command is /usr/local/bin/sgdeadmin --import-config /path/to/zip/file Then make that script run after both the DE packag and the copy of the zip package.

0 Kudos
Reply

macbentosh
New Contributor III

Posted on ‎07-06-2016 06:24 AM

I'm your guy for sophos. Spent more time automating then I care to admit

0 Kudos
Reply

jthurwood
New Contributor III

Posted on ‎08-15-2016 05:49 AM

Hi macbentosh

I'm still having issues attempting to install Safeguard.

I have created a pkg to install the DE Package, copy the cert and zip file then run using the below script. The cert is installed but the zip never adds the settings to Safeguard

This is the script i used, can you see anything wrong?

!/bin/sh

postinstall

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/tmp/safegrdcert/LN7SAFEG01.cer /usr/local/bin/sgdeadmin --import-config /Users/Shared/ManagedClientMac.zip

exit 0 ## Success
exit 1 ## Failure

0 Kudos
Reply

macbentosh
New Contributor III

Posted on ‎08-15-2016 03:30 PM

I wouldn't do it as a post install..I do it as a separate script in jamf

#!/bin/bash
postinstall
security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/safegrdcert/LN7SAFEG01.cer"
/usr/local/bin/sgdeadmin --import-config /Users/Shared/ManagedClientMac.zip
rm -rf /private/tmp/safegrdcert


exit 0 ## Success
exit 1 ## Failure

I added trustAsRoot - Try changing these around and make sure you have the full chain that validates that cert.

I " " the paths and removed sudo
and #'d your shabang

0 Kudos
Reply

shoegazer
New Contributor

Posted on ‎10-18-2016 04:08 PM

@macbentosh how are you handling in place upgrades of computers with safeguard? as the JSS doesn't store the keys it's unable to do a pre-authenticated reboot when doing an OS upgrade. The user needs to log in to bypass the pre-boot screen so the upgrade can install.

0 Kudos
Reply