Our laptops are currently running OSX 10.9 with Sophos v9.1 and we need to upgrade to Sophos 9.2. Running the 9.2 install alone does not work. Sophos needs to be uninstalled first and then run the install. I have tried Composer by capturing, running the uninstall (9.1) and then running the install but it didn't seem to work. Is there a way to run the uninstaller through a policy? Casper Admin does not let me upload the uninstaller because it is a .app. Any thoughts?
Question
Sophos v9.2 Install
+3
I've written a post that describes how I'm building a Sophos 9.2.x installer. It's available via the link below:
https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/
I've incorporated a preinstall script that uninstalls existing copies of Sophos 8.x and 9.x before proceeding to install Sophos 9.2.x.
+17@rtrouton thanks for chiming in. Will bookmark that for sure for when I rebuild our installer in the next few months.
@acampuzano our clients updated themselves to 9.2.4 (but they were 9 something already as of this summer). Not sure if that helps you, but maybe there's a console setting that will upgrade your clients as well?
+3Thanks @rtrouton I will take a look at the article.
@CasperSally Our users are not admin on the laptops, therefore unable to upgrade themselves. The setting for an upgrade through the console is only available for Windows.
+17Our users aren't admins. On the Sophos console, under update managers, OSX is set to 9 Recommended which updates clients to whatever version Sophos deems a recommended.
Maybe your sophos update manager needs an update (this is from Feb when 9.2.3 was recommended)
https://www.sophos.com/support/knowledgebase/121824.aspx
+6I've built a payload-free package in JAMF Composer with a postinstall script. The script mounts the Sophos Enterprise Console network share, and runs the installer from there. It's a flat package set to require root authorisation and root volume only, signed so that Gatekeeper doesn't get in the way, and no spaces in it's name to avoid any trouble there. I'm still testing, but it works well so far on network segments which can see the Sophos share. You could scope a policy so that it installs when your laptops are on-net.
Earlier I used a similar package to deploy a copy of the present Sophos ESCOSX directory to a temporary folder, but mounting the share directly seems like less maintenance.
I'm using Expect to enter the password for the share, but you could simply include the password in the mount address, assuming it doesn't include certain special characters and you don't mind people seeing the password listed when they run mount.
Here is the postinstall script I'm using:
#!/bin/bash
## postinstall
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
# Sophos Anti-Virus 9.2.x Enterprise install application
# Based on https://www.sophos.com/en-us/support/knowledgebase/14179.aspx
# and https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/
# James Toher 2015-04-28
share=""
domain=`/usr/sbin/dsconfigad -show | grep "Active Directory Domain" | awk '{print tolower($NF)'}`
result=1
tempdir="/private/tmp/sav.$$"
function clean_up {
/usr/sbin/diskutil unmount $tempdir &&
/bin/rmdir "${tempdir}"
}
trap clean_up SIGHUP SIGINT SIGTERM EXIT
function with_password {
expect <<CMD
spawn $2
expect "*assword*:"
send "${1}
"
expect EOF
CMD
}
function removeSophosAV8 {
# Uninstall existing copy of Sophos 8.x by checking for the
# Sophos Antivirus uninstaller package in /Library/Sophos Anti-Virus.
if [ -d "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
/usr/sbin/installer -pkg "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /
elif [ -d "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
/usr/sbin/installer -pkg "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /
fi
}
function removeSophosAV9 {
# Uninstall existing copy of Sophos 9.x by checking for the InstallationDeployer tool
if [ -x /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer ]; then
/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove
fi
}
if [ $domain == "domain1.fqdn" ]; then
share="//SERVER-1-REALM;sophos-readonly-account@server1.domain1.fqdn/SophosUpdate/CIDs/S000/ESCOSX"
savpwd="your_password_here"
fi
if [ -n "$share" ]; then
# Mount network share from Sophos enterprise console
mkdir -p $tempdir
with_password "${savpwd}" "mount -t smbfs -o nobrowse $share $tempdir" || exit $result
# Unload the Sophos user agent as the logged in user
joe=`stat -f %Su /dev/console`
if [ -n "$joe" ]; then
sudo -u $joe /bin/launchctl unload /Library/LaunchAgents/com.sophos.uiserver.plist
fi
# Uninstall any earlier version
removeSophosAV8
removeSophosAV9
# Install Sophos Anti-Virus 9.x
message="Sophos Anti-Virus $install failed"
/usr/bin/logger "Sophos Anti-Virus $install starting..."
${tempdir}/"Sophos Installer.app"/Contents/MacOS/tools/InstallationDeployer --install && result=0
[ $result -eq 0 ] && message="Sophos Anti-Virus $install completed successfully"
/usr/bin/logger "$message"
fi
exit $result
+15Just wanted to add the updated derflounder article on packaging Sophos Anti-Virus 9.2.x:
Sophos Enterprise Packaging Revisited
Thanks so much for the instructions!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.