
I've seen a number of postings regarding installing Sophos Central (including https://www.jamf.com/jamf-nation/discussions/12348/script-to-launch-sophos-cloud-installer which ultimately points to a derflounder post) but I'm not having any luck at all with getting things to work...



Can someone help me out a bit? Have things changed since the referenced post?

I assume you're trying to get Sophos Cloud installed from what I gather?



Here's what we do:




  1. Create a folder called sophos inside of /private/var/tmp (e.g. /private/var/tmp/sophos)

  2. Download your Sophos installer from cloud.sophos.com. Take the contents of the download and copy it to /private/var/tmp/sophos (copy Sophos Installer.app and Sophos Installer Components folder).

  3. Drag and drop the sophos folder into Composer. Make sure permissions are correct from the parent folder.

  4. Open the package source on the left to show the Scripts folder and right click on Scripts.

  5. Right click on Scripts and choose Add Shell Script > postinstall.

  6. Use my postinstall script as a guide:



#!/bin/sh
## postinstall
#
# Created using this Sophos KB article:
# https://community.sophos.com/kb/en-us/14179#v9.2+
#
# The path contains spaces, so it must be quoted. A postinstall already runs
# as root, so sudo is not needed.
"/private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
status=$?
#
# Remove installer
/bin/rm -rf /private/var/tmp/sophos

# Pass the installer's exit status back to the package (0 = success, non-zero = failure)
exit $status


Hope this helps. It works as a normal pkg for Casper or ARD.


Awesome! I've been fighting this for the last 24 hours and I finally gave up!



Thanks for this. It seems to be working currently!


Thanks @dmarcnw for this! Really helpful when updating my Sophos workflows!



If anyone doesn't want to be bound to creating a .pkg and would rather just have a script that can be run from Jamf Pro, this worked for me:



#!/bin/bash
# Run as root by the Jamf Pro policy, so no sudo is needed.
mkdir -p /private/var/tmp/sophos
cd /private/var/tmp/sophos || exit 1

# Installing Sophos
curl -L -O "https://your.url.for.sophos/SophosInstall.zip"
unzip SophosInstall.zip
# Paths contain spaces and must be quoted
chmod a+x "/private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod a+x "/private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
"/private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
status=$?
/bin/rm -rf /private/var/tmp/sophos
exit $status ## 0 = success, non-zero = failure


You can work out your unique Sophos download link from within Sophos Central Admin. Open up Chrome and when you click on the "Download macOS Installer" link make sure you "inspect" the page and go to the Network tab. You can then copy the URL.





Hopefully this helps someone with managing this horrific product!


We are going through this too. One thing we've run into is that the installers these links provide don't work after 90 days. How are you getting fresh links or installers? Just get new links and put them in the script every couple of months?


thank you! this was helpful.


@dmarcnw Thank you very much for your post!!! Saved the day


This script works, up to a point. It looks like Sophos installs correctly, but the AutoUpdating is not configured, so each client doesn't automatically receive definitions updates. I'm still exploring and might find an answer. Is anyone else seeing this? Any ideas?


I usually see it say AutoUpdate isn't configured for like an hour or so after the install, and then it fixes itself at some point after that. Could do an extension attribute to pull the last definition date and possibly do a policy to reinstall it from there.


I had this working with Munki (as an installer script) - it would take a little time for the client to report in and update. Sometimes it would do it quickly (15min or less) most times longer than that. I don't pay that much attention to when. Anyhow, what I saw with this in my testing, was no appearance of a launch agent or daemon. …still digging into this, could be a 10.13 related thing (but that's where I need this most).


I'm a small bit closer to figuring this out. Seems that this error where Sophos installs but then doesn't get the AutoUpdate configuration settings only applies to computers where Sophos was previously installed.



I've tried this on computers where I have used the Sophos Uninstaller to remove the software and then run the script to install it again, and I get this problem.



If I run the GUI installer on a computer where Sophos was previously installed, it installs correctly and gets the AutoUpdate settings. I have no idea why the GUI installer would work but the silent install would not give me the expected and desired results. Fortunately, for me, it's a relatively small number of computers that are exhibiting this problem in my environment, so I can pull them in and manually install Sophos using the GUI installer. Any new computers that I image and then deploy have never had Sophos installed on them, so the silent install via script will install Sophos and then enroll them in Sophos Cloud and updates will continue.


If you're reinstalling you'll want to uninstall first. In my experience with Sophos you won't have any luck running an installer over the top of a Mac with Sophos already installed.



I didn't think Sophos forums would post this, but seeing as it's now public knowledge (I had to direct message someone at Sophos to get this) here is the method for disabling tamper protection before uninstalling Sophos https://community.sophos.com/products/sophos-central/f/sophos-central/79952/computer-removed-with-tamper-protection-enabled-mac/305286#305286



This script below will disable tamper protection and forcibly remove Sophos from a Mac, getting it in a state ready to reinstall:



defaults write /Library/Preferences/com.sophos.sav TamperProtectionEnabled -int 0
killall -kill SophosServiceManager
# The path contains a space, so it must be quoted
"/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove



You could technically just have this run at the start of your Sophos install script all the time... I separated my scripts into an install, reinstall and uninstall versions.



Hopefully this helps someone on this thread!


Banged my head against the keyboard for the last few hours re-writing a bash script that I knew worked in the past, but couldn't get working. Anyway, thank you @dmarcnw, your contribution is much appreciated.


Has anyone made an EXT Attribute to see if Sophos is not installed? I tried this and set it to none but I don't get any results.



#!/bin/sh
# Extension attribute: report the installed Sophos version, or "Not Installed".
# Paths with spaces must be quoted; the EA already runs as root, so no sudo.
if [ -d "/Applications/Sophos Anti-Virus.app" ] ; then
    RESULT=$( defaults read "/Applications/Sophos Anti-Virus.app/Contents/Info.plist" CFBundleShortVersionString )
    echo "<result>$RESULT</result>"
else
    echo "<result>Not Installed</result>"
fi

anyone else having issues w/sophos cloud client installing since they made a new installer last week?



I've got a ticket open with them, but they taking their time.


Yup. My old 9.6 installers were as smooth as silk. Pulled the new installers yesterday and started testing today. Not a single successful test :-(


I am seeing their new install fail on certain models. It succeeds for me on Mac Pro, MBP-Touch, newer iMacs; fails on MBAs, MBPs (non-touch), some iMacs and Minis. Also not getting good or timely help from Sophos.


@ooshnoo @gbyers have you heard from Sophos? I just created a support ticket.



I can confirm repeated failing of Sophos Installer version 1.1.0 (downloaded today) on 2015 MacBook Airs running macOS Sierra 10.12.6.



Fails by GUI:





Or script initiation as root:



2018-02-21 09:41:25.135 Sophos Installer[68217:1926186] Starting Sophos Bootstrap Installer.
2018-02-21 09:41:25.707 Sophos Installer[68217:1926186] Installation failed. See install.log for detailed information.


Note, nothing is logged at install.log.



Update, Wed Feb 21 11:21:07 PST 2018: Now my previously functional 9.6.2 Sophos Installer fails. This is via GUI. The installer appears to finish its needed downloading, says "Verifying..." then fails. This is on multiple 2017 Touch MacBook Pros running macOS High Sierra 10.13.3. These are fresh macs done with our DEP flow and with FileVault encryption completed.


Seeing similar issues here trying to build an installer with the new version Sophos pushed out. Getting endless errors similar to @jggr. Install.log gives up no details... I can run the installer in the gui, CLI is a no go.


Same issues, still no working installer!


I received an answer from Sophos Support



Mid-last year there was an attack demonstrated at DEFCON (A hacker conference) that specifically attacked software which runs as root (and was demonstrated against our installer), during install time, by using non-standard privileges on several folders (including / and /Library). This prompted us to release a KB to check the validity of our installer.


Article ID: 127252
Title: Sophos Anti-Virus for Mac: Risk of privilege escalation when using the Sophos endpoint installer

URL: https://sophos.com/kb/127252



This was always intended as a stopgap measure until we could implement checking of the locations to install to. This exploit requires non-standard rights on / and /Library, both of which Apple protects with SIP. When we updated our installer in late January 2018, we implemented these security checks to make sure that we could not get exploited by this, by ensuring the default rights of 755 Root Wheel were applied.

We first had reports of customers running into this security check about 1.5 weeks ago, and thus created the KB you were sent, to validate the rights and how to correct it. I have opened a discussion with development to improve the messaging around this detection, including updating the GUI of the installer to properly notify when the installer runs into it, and directing to the appropriate article to correct the permissions.

At this time, we are not intending on changing the security check and stop, since it is in response to a legitimate, known way of hacking our software, and it just requires Apple's default permissions on their security locked down directories. But we can convey this information better, and I am working with development on that.
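The check the support answer describes (default mode and owner:group on / and /Library, plus /Library/Application Support) can be run before the installer so a policy stops early with a readable reason. The script below is an added example, not code from this thread or from Sophos; it parses `ls -ld` output, treats a trailing "@" or "+" after the mode as harmless, and uses the expected values reported later in this thread (root:admin on /Library/Application Support is an assumption taken from the later script here).

```shell
#!/bin/sh
# Added example (not code from this thread): verify that the directories the
# Sophos installer validates carry the macOS default mode and owner:group
# (755 root:wheel on / and /Library), parsing `ls -ld` output so the same
# check runs in a Jamf policy or a pre-install script.

# perm_line_ok "<ls -ld line>" <mode> <owner> <group>
# Returns 0 only when mode, owner and group match exactly. A trailing "@"
# (extended attributes), "+" (ACL) or "." (SELinux) after the mode is
# ignored, so "drwxr-xr-x@" still counts as 755.
perm_line_ok() {
    want_mode=$2; want_owner=$3; want_group=$4
    set -- $1                     # split the line: mode links owner group ...
    mode=$(printf '%s' "$1" | sed 's/[@+.]$//')
    [ "$mode" = "$want_mode" ] && [ "$3" = "$want_owner" ] && [ "$4" = "$want_group" ]
}

# check_dir <path> <mode> <owner> <group>: check a real directory and print
# what was found on mismatch. Returns 0 when it matches, 1 otherwise.
check_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "MISSING  $dir"; return 1; }
    actual=$(ls -ld "$dir")
    if perm_line_ok "$actual" "$2" "$3" "$4"; then
        echo "OK       $dir"
        return 0
    fi
    echo "MISMATCH $dir: found $(printf '%s' "$actual" | awk '{print $1, $3 ":" $4}')"
    echo "         expected $2 $3:$4"
    return 1
}

# The three locations the installer checks. Expected values are those
# reported in this thread (root:admin on Application Support is assumed).
# Exit status 1 if any is wrong, so a policy can stop before installing.
check_sophos_dirs() {
    rc=0
    check_dir /                              drwxr-xr-x root wheel || rc=1
    check_dir /Library                       drwxr-xr-x root wheel || rc=1
    check_dir "/Library/Application Support" drwxr-xr-x root admin || rc=1
    return $rc
}

# Run the check unless only the functions are wanted (PERMCHECK_NO_MAIN=1).
[ -n "$PERMCHECK_NO_MAIN" ] || check_sophos_dirs
```

The two `ls -lah /` listings quoted later in this thread (775 failing, 755 succeeding) are exactly the lines `perm_line_ok` distinguishes.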

Started the pkg making process over again and it seems to work fine now all of the sudden! Nothing done differently, other than starting it from scratch. I did notice that the Application is now called "Sophos Endpoint.app" instead of "Sophos Anti-Virus.app", which made me have to alter my Policies, yet again.


I do seem to be able to get the installer to run from terminal when the installer package is located in the /Library/Application Support/JAMF/ folder, but if I move everything to the /private/var/tmp/ folder, the installer seems to hang (with nothing showing in Console either). Is anyone else seeing similar behavior?


Thanks @ooshnoo. Looks like that would explain numerous entries similar to these in the SophosDiagnostic log:



02:20:21 +0000}, Call History=SMEInstallerFileManager.m:654 | SMEInstallerFileManager.m:724}" UserInfo={NSLocalizedDescription=Error: supplied secure destination is not secure. path: /Library/Application Support/Sophos/temp_19251
2018-02-22 20:22:30.549 [Sophos Installer 19248:780542 install error] Original Error: Error Domain=com.sophos.installer Code=30 "Error: path is not secure. /


After reading this Sophos kb and since I'm working remotely, I had some hands on-prem run the Sophos installer (Version 1.1.0, shown in Get Info in Finder) on 2017 Retina Touch MacBook Pros running 10.13.3 and the installation that previously failed, succeeded. Note, however, I saw no evidence of a need to manually allow blocked kexts in Sys Prefs Security & Privacy. The app installed was Sophos Endpoint 9.7.4



I'm still unable to install or reinstall Sophos Endpoint 9.7.4 on various 2015 MacBook Airs running 10.12.6. The steps in this Sophos kb helped a little.



@JoshRouthier I had repeated hangs yesterday. Today the Sophos installer fails immediately, cli or GUI.



Update, Thu Feb 22 23:37:42 PST 2018: Based on this Sophos kb our /Library permissions are correct but the / perms are not:



MBAir:/ root# ls -lah / | tail -n +2 | head -2
drwxrwxr-x@ 31 root wheel 1.1K Jan 24 18:20 .
drwxrwxr-x@ 31 root wheel 1.1K Jan 24 18:20 ..


The installer succeeds on test 2015 MacBook Airs running Sierra 10.12.6 with perms on / as 755:



Test-4-MBAir:/ root# ls -lah / | tail -n +2 | head -2
drwxr-xr-x 30 root wheel 1.1K Jan 24 15:50 .
drwxr-xr-x 30 root wheel 1.1K Jan 24 15:50 ..


Update, Fri Feb 23 23:44:03 PST 2018: Changed permissions on / from 775 to 755 and the installer now runs to completion. This is via the GUI or scripts like @calvins unzipping SophosInstall.zip in either /private/var/tmp or /private/tmp. Haven't tried building a pkg but I don't see why that wouldn't work.


If it helps at all, here's my Sophos installer. I generate a download link from the Sophos Central console and put it in the $4 parameter in a policy.



I got working new installs of 9.7.4 as recently as yesterday with this exact script. I also used this to upgrade around ~2000 machines from the older on-prem Sophos we had to the newer Endpoint in the past month.



#!/bin/bash
#1.0 Calvin S. 10/2017.
#1.1 Calvin S. 03/2018. Added checks for owner, group, and permissions.

#Variables.
######################################################################################################################################################
downloadLink=$4 #A public download link for the Mac Sophos client .zip.
######################################################################################################################################################

if [[ -z "$downloadLink" ]];
then
    echo "Download link not specified. Please specify in parameter 4."
    exit 1
else
    echo "We are getting Sophos Endpoint from: $downloadLink"
fi

#Function definitions
########################################################################################
check_permissions()
{
    #The Sophos installer wants the permissions on /, /Library, and "/Library/Application Support" to be exactly the default SIP-protected permissions.
    #https://community.sophos.com/kb/en-us/131749

    if [[ ! $( ls -ld / | grep -w "drwxr-xr-x" ) ]];
    then
        echo "Permissions on / might not be right."
    fi

    if [[ ! $( ls -ld /Library/ | grep -w "drwxr-xr-x" ) ]];
    then
        echo "Permissions on /Library might not be right."
    fi

    #Path contains a space, so it must be quoted.
    if [[ ! $( ls -ld "/Library/Application Support/" | grep -w "drwxr-xr-x" ) ]];
    then
        echo "Permissions on /Library/Application Support/ might not be right."
    fi

    if [[ ! $( ls -ld / | grep -w "root wheel" ) ]];
    then
        echo "Owner and group on / might not be right."
    fi

    if [[ ! $( ls -ld /Library/ | grep -w "root wheel" ) ]];
    then
        echo "Owner and group on /Library might not be right."
    fi

    if [[ ! $( ls -ld "/Library/Application Support/" | grep -w "root admin" ) ]];
    then
        echo "Owner and group on /Library/Application Support/ might not be right."
    fi
}

download_Sophos()
{
    rm -rf /private/tmp/*Sophos* #Clean out TMP of Sophos stuff in case there are leftovers from a previous failed attempt.
    cd /private/tmp/ || exit 1
    curl -O "$downloadLink" #Download the zip from Sophos
}

install_Sophos()
{
    if [[ -e "/private/tmp/SophosInstall.zip" ]];
    then
        cd /private/tmp/ || exit 1
        unzip ./SophosInstall.zip &> /dev/null #Unzip Sophos and send the output to null otherwise it'll falsely error out.
        chmod -R +x "./Sophos Installer.app/" #Set the .app executable as recommended by Sophos in https://community.sophos.com/kb/en-us/120570
        "./Sophos Installer.app/Contents/MacOS/Sophos Installer" --install #Run the install command (path has spaces, so quoted).
        exit_status=$?
        if [[ $exit_status -ne 0 ]]; #Any non-zero status is a failure, not only 1.
        then
            echo "The Endpoint installer failed. See /var/log/install.log and /Library/Logs/SophosDiagnostics.gz"
            exit 1
        fi
    else
        echo "Didn't find the Sophos Installer for some reason. Check the download link is actually valid."
        exit 1
    fi
}
########################################################################################

#Actually run the stuff.
check_permissions
download_Sophos
install_Sophos

@arepko
can you elaborate?

