Sophos Safeguard Filevault Automation

jthurwood
New Contributor III

Hello

Has anyone been through the process of automating the latest version of Safeguard/Filevault with Casper?

The process I have from Sophos is

  1. Install Cert in System Keychain and set trust settings to always trust
  2. Install Safeguard DE pkg
  3. Drag Managed Client (Default) - Mac.zip to Safeguard Preference Pane and hit Sync

It's point 3 that I'm struggling to automate. I'm hoping someone may have come across this before?

5 REPLIES

macbentosh
New Contributor III

Easy, make a package that drops that file in a temp location. The command is /usr/local/bin/sgdeadmin --import-config /path/to/zip/file. Then make that script run after both the DE package and the copy of the zip package.

macbentosh
New Contributor III

I'm your guy for Sophos. Spent more time automating than I care to admit.

jthurwood
New Contributor III

Hi macbentosh

I'm still having issues attempting to install Safeguard.

I have created a pkg to install the DE Package, copy the cert and zip file, then run using the below script. The cert is installed but the zip never adds the settings to Safeguard.

This is the script I used, can you see anything wrong?

!/bin/sh

postinstall

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/tmp/safegrdcert/LN7SAFEG01.cer /usr/local/bin/sgdeadmin --import-config /Users/Shared/ManagedClientMac.zip

exit 0 ## Success
exit 1 ## Failure

macbentosh
New Contributor III

I wouldn't do it as a post install. I do it as a separate script in Jamf.

#!/bin/bash
# postinstall
security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/safegrdcert/LN7SAFEG01.cer"
/usr/local/bin/sgdeadmin --import-config /Users/Shared/ManagedClientMac.zip
rm -rf /private/tmp/safegrdcert


exit 0 ## Success
exit 1 ## Failure

I added trustAsRoot - Try changing these around and make sure you have the full chain that validates that cert.

I " " the paths and removed sudo
and #'d your shebang
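
As an added example (not part of the original posts, and not Sophos or Jamf code), here is the script from this thread restructured so that a failed certificate trust or config import fails the Jamf policy instead of always exiting 0. The SECURITY_BIN and SGDEADMIN_BIN override variables, the return codes, and the use of Jamf script parameters 4 to 6 for the cert path, zip path and trust result type are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the thread. SECURITY_BIN and SGDEADMIN_BIN are
# hypothetical override variables so the function can be exercised with stubs.
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"
SGDEADMIN_BIN="${SGDEADMIN_BIN:-/usr/local/bin/sgdeadmin}"
KEYCHAIN="/Library/Keychains/System.keychain"

# deploy_safeguard CERT ZIP [RESULT_TYPE]
# Returns 0 on success, 2 bad input or missing tool, 3 trust failed, 4 import failed.
deploy_safeguard() {
    local cert="$1" zip="$2" result_type="${3:-trustRoot}" f

    # Only the two result types used in the thread are accepted.
    case "$result_type" in
        trustRoot|trustAsRoot) ;;
        *) echo "unsupported result type: $result_type" >&2; return 2 ;;
    esac

    # Fail early if the payload package did not stage the files,
    # or if the DE package has not installed sgdeadmin yet.
    for f in "$cert" "$zip"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    [ -x "$SGDEADMIN_BIN" ] || { echo "not installed: $SGDEADMIN_BIN" >&2; return 2; }

    # Step 1: trust the certificate in the System keychain (script runs as root).
    "$SECURITY_BIN" add-trusted-cert -d -r "$result_type" -k "$KEYCHAIN" "$cert" \
        || { echo "add-trusted-cert failed" >&2; return 3; }

    # Step 3: import the config zip, on its own line with its own status check.
    "$SGDEADMIN_BIN" --import-config "$zip" \
        || { echo "sgdeadmin --import-config failed" >&2; return 4; }

    # Clean up the staged certificate only after both steps succeeded.
    rm -f "$cert"
    return 0
}

# Jamf passes custom script parameters starting at $4.
if [ -n "${4:-}" ] && [ -n "${5:-}" ]; then
    deploy_safeguard "$4" "$5" "${6:-trustRoot}"
    exit $?
fi
```

A non-zero exit shows up as a failed policy in the Jamf log, and the staged files are left in place so the policy can be retried.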

shoegazer
New Contributor

@macbentosh How are you handling in-place upgrades of computers with Safeguard? As the JSS doesn't store the keys, it's unable to do a pre-authenticated reboot when doing an OS upgrade. The user needs to log in to bypass the pre-boot screen so the upgrade can install.