Posted on 06-16-2024 04:37 PM
Hello
My company is planning to move away from Sophos to MS Defender. Are there any tools out there that lock a user out while the Sophos uninstall is happening, reboot and then install Defender? Assuming I can do this via a policy, but I just don't want users to intervene while it's uninstalling.
Thanks!
Posted on 06-17-2024 06:02 AM
Generally speaking, no. Jamf itself is just running a policy to remove Application A and install Application B. Jamf does not perform posture checking; it has similar functions, but they cannot really be leveraged in this manner.
I would suggest moving Sophos to monitor only and installing Defender before removing Sophos assuming you must do this in one sweep rather than separating the two events. This way if something goes wrong, you can flip a switch and put Sophos into high enforcement again and you never lose visibility on the device. Jamf Helper could put a full screen notification up until the workflow has completed that most users won't know how to dismiss.
Workflow:
Posted on 06-17-2024 01:19 AM
I have also already carried out a Sophos to Defender migration. However, a restart was not necessary under macOS.
Wednesday
Just wanted to add a caveat to moving from Sophos to Defender. I have just been testing again for the first time in a year, as we are finally moving to Defender. Previously you could uninstall Sophos without turning off Tamper Protection in the Sophos Central portal. This was done by first deleting the file /Library/Sophos Anti-Virus/SophosSecure.keychain
Then a scripted silent uninstall could take place.
With Sequoia this no longer works. You will now have to turn off Tamper Protection for any device you are moving to Defender. If you are in the process of migrating Windows devices to Defender you will already be following this process, so you just need to add your Mac fleet to the process. I guess Sophos finally became tamper proof just as some of us are moving away from it.
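Added example, not part of any post in this thread: a gate a Jamf policy script could run before the Sophos removal step, so the old agent is only removed once Defender reports itself healthy and licensed, in line with the install-Defender-first advice above. It assumes Defender's `mdatp` CLI is on the PATH and that its `health` fields `healthy` and `licensed` are the ones to check; `MDATP_BIN`, `health_field` and `defender_ready` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: pre-removal gate for a Sophos-to-Defender migration policy.
# Assumption: Defender's CLI is reachable as `mdatp`; override with MDATP_BIN.
MDATP_BIN="${MDATP_BIN:-mdatp}"

# Fields that must all read "true" before the old agent may be removed.
# Assumption: add e.g. real_time_protection_enabled if your rollout needs it.
REQUIRED_FIELDS="healthy licensed"

# Print one field of `mdatp health`, stripped of spaces, quotes and newlines.
health_field() {
    "$MDATP_BIN" health --field "$1" 2>/dev/null | tr -d ' "\r\n'
}

# Return 0 only if Defender is installed and every required field is "true".
# Reasons for refusing go to stderr so they show up in the policy log.
defender_ready() {
    if ! command -v "$MDATP_BIN" >/dev/null 2>&1; then
        echo "Defender CLI not found; keeping Sophos in place" >&2
        return 1
    fi
    for field in $REQUIRED_FIELDS; do
        value="$(health_field "$field")"
        if [ "$value" != "true" ]; then
            echo "Defender check failed: $field=${value:-<empty>}" >&2
            return 1
        fi
    done
    return 0
}

# In the policy script, run the gate before the removal step, for example:
#   defender_ready || exit 1
#   ...Sophos removal step (after Tamper Protection is off in Sophos Central)...
```

A non-zero exit makes the Jamf policy log a failure and leaves Sophos installed, so the device is never without an endpoint agent.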