Skip to main content

I'm working on a policy that will automatically install the Sophos Endpoint Protection client on Macs that are missing it. It installs a kernel extension, which in High Sierra, end users get prompted to approve. I want it to silently install in the background without user involvement, so as I understand it I need to whitelist Sophos' Team ID to keep the kext prompt from appearing.

Here's what I have set up in Jamf:

  1. Config profile that approves kext's from Sophos.
  2. A smart group of computers that don't have Sophos installed.
  3. A smart group of computers that haven't had the MDM policy approved by the user (in System Preferences --> Policy).
  4. A policy that will install Sophos to computers that are in the group from 2 above, but not 3.

Most of our Macs aren't in DEP so we're relying on user-initiated enrollment. When the machine enrolls, it gets the MDM profile, but until the user approves it, it can't approve the kext. The problem I'm running across is that Jamf seems to only attempt to push the approved kext once, when the MDM policy first applies -- before the user has a chance to approve it. (And once they do approve it, the machine falls within the scope of the Sophos installation policy, but the user gets the "System Extension Blocked" message.)

Am I doing something wrong here?

You could Scope your kext Config profile to only push to a Smart Group that has MDM policy approved.

So basically make the opposite of your #3 (all machines NOT members of Computer Group Name <whatever #3 is>) , and in the scope of your kext configuration profile, only push it to those.

OR, go to Scope -> Exclusions, and EXCLUDE #3.

That way, the profile will wait until the user approves the MDM policy and THEN push, as opposed to pushing it and failing.

Would that work?

Yeah, looks like I need to do some massaging of smart groups. I also seem to have to split the workflow. The first workflow is to get the kext approved on machines after the MDM policy has been approved -- so scoping the config profile to a smart group, like you suggested, is going to be the way to go.

The second workflow is to actually install Sophos. I've changed my "missing Sophos" smart group to include only machines that 1) don't have it installed, and 2) have the MDM policy approved. The only thing that worries me a bit is that having the "MDM policy approved = yes" status isn't positive confirmation that the kext was whitelisted -- if the timing was just right, a computer could possibly report a status of Yes before the kext config policy had a chance to apply. I think this is a bit of a corner case, though, as config policies seem to apply very quickly. I'll give this setup a go and see how it works out.

Terms & ConditionsCookie settingsAccessibility statement