Deploying Sophos Anti-Virus for Mac

Sophos have gone from being one of the best Mac enterprise anti-virus solutions to (perhaps) the worst. Grrr.

Multi-platform organisations are likely to have a Windows server (or more than one) and can therefore run Sophos Enterprise Console to create and manage a Mac installer for Sophos Anti-Virus. I have done this in previous companies.

Previously Mac only organisations could use Sophos Update Manager to do much the same on a Mac server. Unfortunately SUM only supports SAV8 and does not support SAV9. SAV8 is being discontinued in April 2014 and does not officially support Mavericks. It is therefore urgent to move all Macs to SAV9 by April 2014.

If you have no Windows Server, and can no longer use SUM, this leaves two more possibilities, first you could use the standalone SAV9 installer. It is even possible to pre-configure the auto-update account details for this. Unfortunately Sophos have made this installer an application and not an installer package. As a result it cannot be deployed using Apple Remote Desktop, Casper, Munki, or any other Mac management tool. (The application needs to be run as an application on each client Mac to do the actual installation.) This stupid design is like the equally stupid approach taken by Adobe and Flash. However at least with Adobe Flash you can find if you look hard enough a standard package file to install Flash.

The final possibility and the one Sophos are pushing Mac only customers to, is to sign up for an extra cost subscription to Sophos Cloud. This does let you manage via the Cloud your Macs, it does let your Macs directly update from Sophos, but a) the website for Sophos Cloud is not 100% Safari friendly, and much more importantly b) the installer it produces is yet again an application and not an installer package!

The only approach that still gives you a proper installer package is via Sophos Enterprise Console running on a Windows server.

Other than Sophos Enterprise Console has anyone else found a solution to let you mass deploy SAV9?

Note: Yes if you install SAV9 manually on a Mac and then make a monolithic master disk image that would work, however I like many others now prefer to use a thin imaging approach (via InstaDMG or AutoDMG).

SOLVED Posted: by Chris

Just noticed the same thing.
My findings so far:

  • The standalone "Sophos Installer.app" creates "Sophos Anti-Virus.mpkg" in /Library/Caches/com.sophos.sau/CID which can apparently be copied from there and used to install (might have to remove the _CodeSignature)
  • Inside the standalone "Sophos Installer.app", there is an "InstallationDeployer" binary. Running `/path/to/Sophos\ Installer.app/Contents/MacOS/InstallationDeployer --install` also seems to install it properly. One could drop the Sophos Installer.app into /var/tmp and run the command with a postinstall script

However, I haven't done any QA testing for both methods yet, so I might be totally wrong.

SOLVED Posted: by jelockwood

Good spot, it does get us closer but that mpkg does not contain the pre-configured auto-update settings. Therefore if you use it on a fresh Mac or one on which you have cleaned out the previous installs preferences it does not know how to auto-update.

It will help with a different problem we have (which is not Sophos' fault) which is for some Macs never connected to the Internet. I can just periodically copy this .mpkg to them or have a tool like ARD push it to them (on this disconnected network).

It is worth looking at further though as in the past with SAV8 it was possible to have some settings files outside the mpkg itself but in the same folder...

Ok, I did a bit more testing, as mentioned the mpkg you found does not include the needed auto-update preferences. I have found that if you do the following in the following order the desired results seem to be achieved.

  1. Uninstall SAV8. While it is possible to install SAV9 over the top of SAV8, SAV8 currently has auto-update settings pointing to SUM, we need to clear those settings and have SAV9 directly update from Sophos.

  2. Copy pre-configured plist files from a previously manually setup SAV9 Mac, these will contain the auto-update settings we need, while probably just com.sophos.sau.plist is needed the others I copied were com.sophos.ac.plist, com.sophos.dc.plist and com.sophos.sav.plist these are all from /Library/Preferences these should be copied to a Mac after step 1, note the uninstall tool Sophos provided does not remove the old preferences so either over-write them or delete them before copying the new SAV9 ones in to their place

  3. Now run the Sophos Anti-Virus.mpkg installer it should install, keep the preference files from step 2 above and then you end up with a SAV9 with the auto-update settings.

I still need to test this on a second Mac just in case those preference files are hard coded to a single Mac via a GUID.

SOLVED Posted: by jelockwood

Ugh!

Bit messier than I thought it was going to be, the following looks like being the 'official' way to do it.

Note: Sophos support don't know how to do this, but I got pointed in the right direction by a manager.

  1. As per http://www.sophos.com/en-us/support/knowledgebase/119744.aspx build a pre-configured installer Application

  2. Copy the Application to the client Mac either as is, or you could build a custom pkg containing it

  3. As a post copy step, run a shell script and do the following command

path/to/Sophos Install Application/Contents/MacOS/InstallationDeployer --install

Contrary to what the built-in 'help' for the InstallationDeployer says, I did not need to specify a product name, in fact I could not find a valid product name to use - hence not using one.

If the InstallationDeployer command is executed from root it will run without a GUI session and without needing additional authentication.

So for ARD you could copy the Sophos standalone installer to a Mac, then remotely execute the InstallationDeployer command. I plan however to build an Apple PackageMaker pkg to copy the Sophos standalone installer and have a post 'install' shell script then run the InstallationDeployer command.

Either approach should remove SAV8 automatically before installing SAV9, and as I have pre-configured it to download directly from Sophos it should also then auto-update directly instead of via SUM which does not support SAV9.

SOLVED Posted: by rtrouton

I was able to build an installer package that uninstalls Sophos and installs a new copy of Sophos 9.x using the install application. I've posted the details here:

http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/

SOLVED Posted: by mkremic

After much troubleshooting I managed to get around this issue by doing the following (we're using Sophos Cloud)

1) Use a test VM to install "Sophos Installer.app" (~4Mb Cloud Installer which downloads a full version). Captured the changes using Composer

2) Took a copy of the Installer.app which shows up in the list of captured files. (Can't remember exact path but if you browse through the folders it should be under a folder called "saas".) Put it somewhere temporary like Desktop.

3) Made a .pkg of the plists left in /Library/Preferences (excluding the apple plist)

4) Made a new Composer dmg including these 2 packages in the folder /private/tmp

5) Ran a script after installing the dmg (which dumps the 2 .pkg's into /private/tmp), which then calls the installer in the app and then applies the preferences for the cloud app:

#!/bin/bash
/private/tmp/Installer.app/Contents/MacOS/InstallationDeployer --install
installer -pkg /private/tmp/sophospreferences.pkg -target /

After rebooting the Mac and checking our cloud server the computer is showing in the control panel. Tested on a couple of separate clients and they're showing up as unique machines in the cloud control panel! :D

SOLVED Posted: by tkimpton

This doesn't help if you use an av relay server like we do.

The idea for us being an end user says they want to vpn in to the corporate network to work from home and we insist on av.

The user then installs SAV home but then never carries out any scans or looks further at the setup!

With an av relay server your users home machines show up in your SEC console and get policies from there.

At the moment the v9 deployer is still in development and I'm told they don't see it as a priority at the moment.

Speak to Sophos and you will probably be asked to fill out a feature request like I was, then speak to your Sophos account manager!

Also go on Sophos talk and view your opinion on there!

SOLVED Posted: by k3nz00

I had the same problem too, until I found a workaround this week.

This is what I did.

Created sophos installer dmg and added it to my imaging workflow.

When the machine finishes imaging the sophos installer is placed on the root of the drive. (subject to change var is better location)

I also added the below script to the imaging workflow to run once the machine reboots after the image process completes.

#!/bin/bash
sudo /Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer --install
exit 0

When you login into a freshly imaged machine the script will install sophos dmg which has been placed on the root of the drive.

This has worked for me.

SOLVED Posted: by ianmb

Does anyone have a recipe for packaging SAV in the JAMF Composer tool?

I've attempted this by snapshotting a drag of the preconfigured 'Sophos Installer.app' into /Applications then adding a postinstall script similar to the ones suggested above but that doesn't work - I have to run the Installer manually to get it going.

SOLVED Posted: by bentoms

@ianmb, we deploy the PKG from the Sophos Enterprise Console.

This contains our auto-update settings.

SOLVED Posted: by emily

@bentoms How have you been deploying the PKGs from the Sophos Enterprise Console? When we try it fails every time. Is it possible to run that package with Composer on a blank/test machine, enter the credentials, and package with Composer to deploy? I haven't found a way to get the ./CreateUpdatePreconfig command to work with the PKG I grabbed from our Enterprise Console. (http://www.sophos.com/en-us/support/knowledgebase/119744.aspx)

SOLVED Posted: by bentoms

@emilykausalik, i needed to prod the Sophos Admin guy but.. once we had applied a Mac policy to an OU in SEC & THEN created the pkg from that.. all we needed to do was install the PKG using casper.. the PKG contained all the rest.

SOLVED Posted: by lisacherie

Looking at this quickly..

We are deploying sophos via a script - as I couldn't be bothered to repackage every month or so when the app was updated.

- mount sophos share
- copy entire directory for mac installer and supporting files for update config/console to /tmp
- umount share
- install from tmp
- clean up /tmp

The macs are bound to AD, and the sophos console applies policies based on the AD OU. This means you have to make sure that macs will be in the correct location in AD when binding.

The console takes care of the updates/config changes.

SOLVED Posted: by emily

@bentoms Any tips on how you created a pkg from within the SEC? Or did you just go to the bootstrap location and snag it from there?

SOLVED Posted: by tkimpton
SOLVED Posted: by emily

@tkimpton for some reason I can't take the Sophos Anti-Virus.mpkg from the SEC bootstrap location and get it into anything that will deploy. When I put it in Composer, composer fails out. I must be missing something here.

SOLVED Posted: by tkimpton

@emilykausalik that won't work because the sav installer is a mpkg (other installer inside it)

I copy it to some where like /private/tmp/

I then drag all of /private/tmp to composer

Once tmp is in composer, delete the other stuff so only the sav mpkg is in there.

Then make a post flight script to install it via the command line like sudo installer -pkg (path to the mpkg) -target /

Give your package a name in composer and build it as a non flat pkg.

You can then upload your pkg to Casper Admin and start looking at smart groups and push it out via a policy.

Hope that makes sense and helps :)

SOLVED Posted: by emily

@tkimpton I think I'm still too green to know how to do what you're referring to. I'll be reaching out to Sophos support to see if they can help.

SOLVED Posted: by pbenham

Here's our procedure for installing our managed Sophos client using Casper. We're using v9.0.8 currently of the Mac client. We have a Windows 2003 Server (I know, time for an upgrade) running the Sophos Enterprise Console. It creates a .pkg file for Mac clients which can be downloaded.

  1. Download the Sophos installer from our Sophos server. In our case I connect using smb to the share and locate the installer in /Sophos Update/CIDs/S000/ESCOSX/Sophos\ Anti-Virus.mpkg

  2. Add the Sophos Anti-Virus package to Casper Admin

  3. Make sure you set the option to "Install on boot drive after imaging" in the Options tab when you 'Get Info' of the Sophos package in Casper Admin.

  4. Image a machine and hey presto it'll show up in the Sophos Enterprise Console on your Sophos server. If it's a brand new machine that's never had Sophos on it then you will probably need to assign it to a policy group in the Sophos Enterprise Console. If it's already been imaged then in my experience the SEP is already aware of the machine and it just reconnected auto-magically.

SOLVED Posted: by tkimpton

@pbenham yeah that's simpler, I forgot to mention I do it that way because I have different sav installers for workstations and laptops with different mrinit configs in them to point workstations to the main sec and laptops to a relay server.

SOLVED Posted: by bentoms

Sorry for replying late.

I'd second what @pbenham has mentioned.

Just deploy the pkg from SEC, no composer needed.

SOLVED Posted: by ianmb

So thanks to posts here I can deploy Sophos from Casper, but does anyone have a recipe for packaging it for systems not managed by Casper?

I have a requirement to get Sophos installed on standalone Macs (managed by users) so it'd be great to send them a pkg file with the relevant update servers preconfigured. All Sophos can tell me is that I need to include the ESCOSX directory that's in the same directory as the mpkg file?! I have this, but not really sure how to proceed.

SOLVED Posted: by bentoms

@ianmb, if you are just deploying the PKG... That should work via ARD too.

SOLVED Posted: by ianmb

Yes, but will that contain the references to my local update servers?

I wasn't clear whether I need to repackage the mpkg and include the ESCOSX directory (if so where does that need to be placed on the client?) or do I just take the mpkg from that directory and distribute it (see my initial question).

SOLVED Posted: by stevewood

I have always just deployed the MPKG from the ESCOSX directory on my Sophos server. I've never had to re-package it or include any other directories. That MPKG includes the address of your management server. So as long as the computers can get back to that address, you should be fine.

SOLVED Posted: by jelockwood

As per Richard Trouton's earlier post in this thread and my own, it is possible to take the standalone Sophos installer and convert it in to a pkg. As per my earlier reply one can do this with the Sophos update credentials saved in to it as well.

If you're using Sophos Enterprise Library then you can in theory use the installer package it maintains, if you don't have Sophos Enterprise Library (which requires a Windows server) then you need to use Richard's and my instructions.

Richard's original instructions are here http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/ they are based actually on the free Sophos Home Edition installer which is very similar to the paid for Standalone installer but not identical. I therefore took Richard's script and modified it to also work with the paid for standalone installer and my own instructions and version of script are available here http://jelockwood.blogspot.co.uk/2014/03/deploying-sophos-anti-virus-on-mac.html

To summarise if you're not using Sophos Enterprise Console but want to make a package to deploy the paid for Sophos Anti-Virus 9 for Mac you do the following

Download the standalone Sophos SAV9 installer,
Run the command line tool to embed the Sophos Update Credentials,
Use my modified script as per Richard's original instructions (instead of Richard's script)

You can then deploy the resulting package via ARD or locally run it. It will uninstall any previous versions of Sophos and replace with SAV9 and will also set the update credentials you defined as above.

I was using Sophos Update Manager (SUM) which ran on a Mac server but only supported SAV8, I have used the package I built as per this post to upgrade all our Macs to SAV9 and get them now to update directly from Sophos' servers since there is unfortunately no Mac replacement for SUM.

SOLVED Posted: by damienbarrett

So we're looking to move from our old SEC to Sophos Cloud and SAV 9.x. I've been following Rich and jelockwood's instructions to build a native .pkg installer for SAV 9.x but have hit a snag.

When I download the "Sophos Installer.app" from our demo Sophos Cloud environment and build a package out of it, the postflight script fails to install the software. This is because, I think, the v9.1.4 installer I'm downloading doesn't appear to have the InstallationDeployer binary tool in it anymore. The post flight script calls for this tool but it's nonexistent so the script fails.

Any ideas? Is there somewhere else to obtain the Sophos Installer.app?

https://www.dropbox.com/s/bch3vsweijqt4hw/sophos9_grrr.png

SOLVED Posted: by damienbarrett

Ah ha, I figured it out. At some point between 9.0.3 and the current 9.1.4, Sophos decided to rename the binary tool that's embedded in their .app installer. It's now called "Sophos Installer" and not "InstallationDeployer". Yes, some software engineer wizard decided to put a space in the name of their new Unix binary...

So you just have to modify Rich or John's postflight script to reflect this new binary name. Just replace every instance of "InstallationDeployer" with "Sophos Installer" and be sure to enclose in quotes so the space(s) are ignored.

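The rename described above (InstallationDeployer in 9.0.x, "Sophos Installer" in 9.1.4) can be absorbed by the postflight script itself. This is an added example, not part of any post and not Rich's or John's script; the function names and the SOPHOS_APP variable are assumptions, and it also refuses to run a bundle that group or others can write, since the thread stages the app in /private/tmp or /var/tmp before running it as root.

```shell
#!/bin/sh
# Added example, not Sophos' or any poster's script.
# Relative paths of the installer binary as reported in this thread:
#   9.1.4 cloud installer ............ Contents/MacOS/Sophos Installer
#   9.0.x standalone / Home Edition .. Contents/MacOS/InstallationDeployer
#   installed 9.1.x copy ............. Contents/MacOS/tools/InstallationDeployer
CANDIDATES='Contents/MacOS/Sophos Installer
Contents/MacOS/InstallationDeployer
Contents/MacOS/tools/InstallationDeployer'

# Print the first candidate that exists and is executable inside bundle $1.
# Returns 1 when none of the known names is present.
find_sophos_binary() {
    bundle=$1
    found=
    old_ifs=$IFS
    # Split the candidate list on newlines only, so names with spaces survive.
    IFS='
'
    for rel in $CANDIDATES; do
        if [ -z "$found" ] && [ -f "$bundle/$rel" ] && [ -x "$bundle/$rel" ]; then
            found="$bundle/$rel"
        fi
    done
    IFS=$old_ifs
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# List files and directories in bundle $1 that group or others can write.
# A bundle that root is about to execute should produce no output here.
loose_permissions() {
    find "$1" ! -type l \( -perm -0020 -o -perm -0002 \) -print
}

# Locate the binary, refuse a tamperable bundle, then run "<binary> --install".
# Return codes: 2 = no known binary, 3 = loose permissions,
# otherwise the installer's own exit status.
run_sophos_install() {
    bundle=$1
    bin=$(find_sophos_binary "$bundle") || {
        echo "ERROR: no known installer binary in $bundle" >&2
        return 2
    }
    if [ -n "$(loose_permissions "$bundle")" ]; then
        echo "ERROR: $bundle is group/world-writable; not running it" >&2
        return 3
    fi
    # Quoted so the space in "Sophos Installer" is passed through intact.
    "$bin" --install
}

# Entry point when used as a postflight/postinstall script.
# SOPHOS_APP is an assumed variable name holding the staged .app path.
if [ -n "${SOPHOS_APP:-}" ]; then
    run_sophos_install "$SOPHOS_APP"
    exit $?
fi
```
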
SOLVED Posted: by jelockwood

@damienbarrett

Glad you sorted it. I just downloaded the current official versions of the free Sophos Home Edition installer which is 9.0.8 and Sophos Stand-alone installer which is 9.0.10 both still use a binary of InstallationDeployer. The release notes suggest 9.1.4 is not yet an official release i.e. it is a preview version. I don't appear to have access to the preview versions.

If you could tell me the exact file name for the cloud installer version I will modify my script to support it as well.

SOLVED Posted: by damienbarrett

You can see it in my screenshot in my Dropbox above. They appear to have changed the name from "InstallationDeployer" to "Sophos Installer"

I simply modified your script to call the new binary and it worked beautifully.

Still can't believe their software engineer called the binary "Sophos Installer", complete with a space.

SOLVED Posted: by jelockwood

@damienbarrett

I meant the name of the Sophos application it is in e.g. "Sophos Installer.app" or "Sophos Anti-Virus Home Edition.app" and not the name of the enclosed binary which you quite rightly point out is in your screenshot.

SOLVED Posted: by damienbarrett

Ah, it's called "Sophos Installer.app". It's version 9.1.4.

After it updates from the Cloud, it becomes 9.1.5. Perhaps they'll eventually re-jigger the Sophos Cloud to offer a 9.1.5 installer...

SOLVED Posted: by corbinmharris

We recently moved our SEC to a new server and need to shut down the old one. I tried using Composer to do a snapshot then entered the new AutoUpdate path and then created a dmg. Didn't work on a test Mac.

What is the best method to update the AutoUpdate Address to our new SEC server? All other settings are the same.

Thanks!

Corbin

SOLVED Posted: by jelockwood

@corbin3ci

It's been a while since I ran Sophos Enterprise for Mac clients, but as I remember you set up a CID for the Mac version of Sophos and get SEC to download and populate it from Sophos' servers. You also use SEC to configure the CID with settings for the Macs including the auto-update settings.

Normally you would have the primary server as the credentials to access the CID on your file server, and the secondary server would be set to download directly from Sophos in case your file server is not accessible.

If you set up a new SEC and presumably also a new CID then I would do the same thing, i.e. setup the new CID, populate it and configure it. Then in answer to your question I would then copy the contents of the new CID in to the old CID directory. I would make sure the old SEC is turned off so it does not alter the new contents. You will need to keep the old file server running for a while so that the Mac clients can 'update' from the old CID and get the new auto-update details it contains which will then thereafter direct the Mac clients to the new CID.

For those less familiar with Sophos terminology, CID stands for "Central Installation Directory" and is the shared folder on a file server containing the Sophos Anti-Virus installer, settings and updates. You have a CID per version you are using e.g. Mac, Windows, Linux.

SOLVED Posted: by CasperSally

Sorry this doesn't help OP, but for anyone else looking for helpful SEC info, in v9 you can finally have installer point clients to right message relay.

http://www.sophos.com/en-us/support/knowledgebase/119791.aspx

SOLVED Posted: by corbinmharris

After reading everyone's posts and external links, I found that the best method is to deploy the Sophos Anti-Virus.mpkg followed by a .dmg file created in Composer.

Installing it on a clean Mac, I did the initial Sophos install, then fired up Composer to take a snapshot, then populated the auto-update preferences, quit Sophos then finish running Composer.

Need to test a few more Macs before pushing it out to the general audience.

Corbin

SOLVED Posted: by jelockwood

@corbin3ci

It is now only possible to deploy a Sophos Anti-Virus.mpkg if you have a Windows Server and are running Sophos Enterprise Console as this is the only method to get a genuine Sophos produced installer package (or mpkg). This issue is what started this whole thread off in the first place.

The Sophos standalone installer, the Sophos cloud installer, and the free home edition installer are all custom applications and not installer packages.

The solution Richard Trouton and myself came up with was wrapping the Sophos installer application in an installer package along with a script to deploy i.e. run the application. This installer package can of course then be put in a disk image if needed.

Yes, making an installer by using Composer to take a snapshot would be an approach but a cleaner more genuine installer is as per Richard's and my solution.

Note: There is a command-line tool inside the Sophos installer app (right click and open package) which lets you pre-configure the auto-update credentials. If you do this before putting it in an installer package the installer package will keep those settings since the script is running the same Sophos installer application and the settings are stored inside the application you are including in the installer package.

As a reminder on how to pre-configure the Sophos application see http://www.sophos.com/en-us/support/knowledgebase/119744.aspx

It works great once we found how to do this. I can deploy the resulting package via DeployStudio, Apple Remote Desktop, Munki, etc. or even run it manually and clients properly remove any old version of Sophos if there is one, install the new version and get the auto-update credentials automatically. It works on all supported OS X versions which for Sophos SAV 9 means 10.6 to 10.9 at the moment.

SOLVED Posted: by Chris_Hafner

All great suggestions but I still ended up using Composer to package the latest version of 9. Even after creating the pre-configured package as stated above. Really, for the following two reasons

1) The pre-configured package still requests the user to click through even when called using the script mentioned (which needed slight corrections) via Self-Service.

2) I prefer Self-Services un-install process over the Sophos uninstaller.

SOLVED Posted: by tkimpton

At my previous shop I had a nightmare with version 9 and Sophos end technical support getting me to download a Home edition standalone version!

It was a relatively small environment at the time and it meant there was too much problem with installing the original mpkg installer on the clients and waiting for the policies to be applied to the machines.

In a larger environment, it isn't feasible to wait for the policies to apply.

I have managed to follow all the instructions and found John's the clearest

http://jelockwood.blogspot.co.uk/2014/03/deploying-sophos-anti-virus-on-mac.html

Rich's blog here http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/

I changed the script around to allow for an uninstall of all SAV versions

http://pastebin.com/L7ZceVpW

This worked, but unfortunately this isn't any use to me because the end result is that the client machine has no RMS and will not talk to the Sophos Enterprise Console.

SOLVED Posted: by tkimpton

@CasperSally Thanks for link.

Looks like for SEC this is the only thing we can do in the Enterprise where we are still reliant on the clients communicating with SEC.

I'm not sure how this is going to work if there are lots of different groups the clients need to be assigned to in SEC!

It's a shame Sophos are not listening because this has been an outstanding problem for a long time.

SOLVED Posted: by emily

If your company uses Active Directory, the SEC can scope to computer groups. Or, you can set up manual groups in the SEC and apply different scanning policies to them. It's actually not too bad (depending on how large your environment is, anyway). I just set up an SEC and deployed our clients from the SEC's mpkg and could probably answer some basic questions about it if you want, @tkimpton.

SOLVED Posted: by thuluyang

Hi For Mac Sophos deployment you can Create MacOSX client AV package
Go to c:\programdata\sophos\update manager\update manager\CID\S000\ESCOSX\
Zip “Sophos Anti-Virus.mpkg” folder
do not use RAR format, it does not work well on the Mac afterwards for some reason…
You can launch this mpkg on any Mac by double clicking on it! :) Or using Policy to deploy it to the managed machines.

SOLVED Posted: by tkimpton

@emilykausalik thanks that's what I think is the only way as well.

@thuluyang Yes thanks we know that ;)

SOLVED Posted: by tkimpton

Hi guys

It seems it is possible to create a Sophos Installer with the autoupdate settings. I first need to clarify what the OLD method used to be so that this makes sense.

  1. In version 8 and below an administrator used to be able to get the Sophos Anti-Virus.mpkg off the network share of your Sophos Enterprise Console server

eg

smb://yourserver/SophosUpdate/CIDs/S000/ESCOSX/Sophos Anti-Virus.mpkg

  2. Edit the mrinit inside the mpkg

  3. On a test machine install Sophos Anti-Virus.mpkg and configure the sophos updating manually and the usernames and passwords get written to a plist but they are obfuscated.

  4. copy the file /Library/Preferences/com.sophos.sau.plist and put it in the location here

Sophos Anti-Virus.mpkg\Contents\Packages\SophosAU.mpkg\Contents\Resources\com.sophos.sau.plist

  5. Change the mrinit.conf in Sophos Anti-Virus.mpkg/Contents/Packages/SophosRMS.mpkg/Contents/Resources/ appropriately

Now that's all well and good but the problem in version 9 and above is that the SophosAU.mpkg doesn't exist any more in the Sophos Anti-Virus.mpkg

Instead for version 9+ the credentials are not stored in the /Library/Preferences/com.sophos.sau.plist but in a keychain.

/Library/Sophos Anti-Virus/Sophos.keychain

So what you need to do differently is at step 4 by packaging up the Sophos.keychain, make sure the com.sophos.sau.plist just includes the PrimaryServerURL (not the obfuscated credentials) and include those in your deployment workflow :)

SOLVED Posted: by Chris_Hafner

I found this to be super easy... assuming that you really don't care about enterprise console distro.

1) As per http://www.sophos.com/en-us/support/knowledgebase/119744.aspx build a pre-configured installer Application as mentioned above.

2) After you've created the custom pkg with your associated accounts info and update schedule. Run composer and then install. Create a .dmg out of that and presto, you're A-OK.

This method works beautifully for me and makes future "un-installs" trivial (not that it was that complicated in the first place).

SOLVED Posted: by tkimpton

@Chris_Hafner yes that's correct for a STANDALONE, but as already stated those of us reliant on the windows SEC this is not going to work because the standalone installer doesn't have RMS (will not communicate to your Sophos Enterprise Console)

SOLVED Posted: by Chris_Hafner

@tkimpton

Heh, yea, sorry. I lost track of the thread and kind of replied without re-reading where everyone was in the post. Sorry about that ;-)

SOLVED Posted: by rtrouton

Using @tkimpton's info about the Sophos.keychain file, I was able to build a Sophos enterprise installer that works for both AD-bound and unbound Macs in my shop. I have a post with the details available here:

http://derflounder.wordpress.com/2014/09/02/deploying-sophos-enterprise-anti-virus-for-mac-os-x-9-x/

SOLVED Posted: by tkimpton

@rtrouton awesome, thanks rich :)

SOLVED Posted: by glennwyatt

Our office just did a Sophos Cloud deploy. We found the only way to have the Sophos Installer install correctly with unique device names is to create a DMG in Composer. The trick is to do the following steps:
Open Casper Composer (New & Modified Snapshot).
Take the Before Snapshot
Once the Before Snapshot is complete, run the Sophos Installer provided from the Sophos Cloud website.

The critical step to getting the snapshot correct is to:
Open Keychain Access, located in /Applications/Utilities.
Select the Sophos Keychain and choose the Category All Items
Delete the two Sophos Keychain entries:
Primary Server
Sophos Cloud Credentials

Open Activity Monitor, also located in /Applications/Utilities.
Highlight the process SophosMcsAgentD
Choose the icon to Kill the process.

Finally take the After Snapshot.

SOLVED Posted: by glennwyatt

To un-install Sophos 9.1 before installing Sophos Cloud, Mark Posey wrote this script to run BEFORE the Sophos Cloud install.

# Purpose: To remove Sophos local distribution and install cloud distribution
# Configuration
# Uninstall Sophos 9.1.X (Local distribution)

/Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove

# Stop here if the removal tool reported a failure
if ! [ "$?" = "0" ]; then
    echo "ERROR: Failed to uninstall"
    exit 1
fi

# Reached only when the removal succeeded
echo "NOTICE: Removal of Sophos local distribution is successful"

SOLVED Posted: by emily

Anyone have any tips on deploying updates to the client? Do you have to uninstall to upgrade? (Example: moving from 9.1.4 to 9.1.7; would you have to uninstall the old client before installing the newer one or can a push with the package suffice?)

SOLVED Posted: by jelockwood

@emilykausalik

As per http://www.sophos.com/en-us/support/knowledgebase/119744.aspx you can pre-configure the Sophos installer to contain update credentials, typically to update directly from Sophos' servers. Whereas with SAV 9.0.x and 9.1.x these details were stored in a plist inside the Sophos installer application, with SAV 9.2.x they are now in a plist in a folder outside the application. You need SAV 9.2.2 for Yosemite compatibility.

Since Sophos Update Manager is discontinued the only ways to distribute updates to Mac clients are -

  1. Configure each Mac to get updates directly from Sophos
  2. Setup a Windows server running Sophos Enterprise Console
  3. Once a month reinstall the latest SAV9 application, typically Sophos issue a new version once a month, this latter choice of course means you don't get the benefit of updates every hour

If you have installed say 9.1.4 and it was configured to get updates directly from Sophos then it should update itself to 9.2.2. If you are merely installing the newer version once a month then pushing the newer version will update it and it is not necessary to remove the older version. Obviously it is best to pre-configure it to get automatic hourly updates and not to just manually update it each month.

SOLVED Posted: by emily

Hopefully everything @jelockwood mentioned above falls into deploying the mpkg from the bootstrap location on the Enterprise Console.

The problem I have is knowing which version to trust.

https://www.dropbox.com/s/smof1fl8f4i3x6x/Screen%20Shot%202014-11-12%20at%209.45.24%20AM.png?dl=0

So is it actually 9.1.4 or is it 9.1.8? (9.1.8 is the version available in the bootstrap location on our Enterprise Console.)

I understand how to deploy AV to the machines, I just don't know if I should trust if it updates itself correctly or if I need to re-distribute the application on a regular basis via policy in the JSS with the mpkg from the bootstrap location.

SOLVED Posted: by tkimpton

what do you mean which version to trust?

SOLVED Posted: by emily

If you can see the picture above @tkimpton, the app is reporting as version 9.1.4, but when you click About Sophos in the menubar icon it says 9.1.8.

SOLVED Posted: by tkimpton

yeah, ignore the app version. quite funny its been taking weeks to get our techs to understand this

can't see picture above, has a question mark

the version is read from /Library/Sophos\ Anti-Virus/RMS/agent.config

my extension attribute is

#!/bin/bash

# Extension attribute: report the installed Sophos version
FILE="/Library/Sophos Anti-Virus/product-info.plist"

if [[ -f "$FILE" ]]; then
    # Pull the ProductVersion value out of the plist
    command=`defaults read "$FILE" | grep ProductVersion | awk '{print $3}' | cut -d '"' -f2`

    # Display the result
    echo "<result>$command</result>"
fi
exit 0
SOLVED Posted: by stevewood

@emilykausalik I see the same thing, 9.1.4 if I get info on the app in Applications, and 9.1.8 if I use About Sophos. I believe it is a miss on the Get Info of the app bundle. If you go in and check the Sophos Anti-Virus.log file in the Sophos preferences, and do a search for "Version", you'll see that it comes up reporting as 9.1.8. I think they just forgot to update the app bundle.

SOLVED Posted: by tkimpton

let me know if you need a hand with SAV, I've had to deal with this for a decade now and can be a pain.

SOLVED Posted: by emily

@tkimpton sorry, Dropbox fail. Changed it to a link so it should be visible by clicking now.

Okay, so as long as the About Sophos dialogue is correct I'm good.

Our developers are having issues with AJAX calls being blocked by the client. The reply I got from Sophos claims that it was released in the 9.1.5 fix, so I'm wanting to confirm what version our machines have on them before I go back to Dev and tell them to fix their code rather than blame it on Sophos.

Thanks y'all.

SOLVED Posted: by tkimpton

trust the one saying 9.1.8 that is the build version

9.1.4 is the app version http://tinyurl.com/q75rjw6

check out my extension attribute

SOLVED Posted: by jelockwood

If you deploy from the Sophos Enterprise Console CID location then when it installs it includes settings to get updates from the CID.

If you use the standalone version you need to pre-configure the installer app to add update credentials which usually will be set to update directly from Sophos.

It is annoying that the plist within the main Sophos application does not match the headline version number but Sophos do provide the correct version number at /Library/Sophos Anti-Virus/product-info.plist and have made it clear this is the correct place to check it.

Note: It is also the correct place to check which type you have installed -

Sophos Home Edition
Sophos Standalone Edition
Sophos Managed Edition (i.e. Sophos Enterprise Console)
Sophos Cloud Edition

By checking the type you can see if people are running the wrong one and not confuse those in any license counts.

defaults read /Library/Sophos\ Anti-Virus/product-info Product

gives you a number that indicates the product type.

1B897C99-EBD6-430D-AA97-EF71E7AC6C15 = home edition
C7CC7924-277E-431D-88E7-F6C956AD24D9 = standalone edition
F9A0034E-6549-41ED-BD37-88CF2AA4CC8A = managed edition
F268E38B-F647-4E06-AA73-3F3C2850E6F5 = sophos cloud edition

Clearly people should not be running the home edition on work computers.
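An added example, not posted by anyone in this thread: one extension attribute that reports both the edition and the version, using the plist path and Product GUIDs quoted above. The function names, the `--demo` flag and the sample plist text are constructed for illustration.

```shell
#!/bin/bash
# Added example: Sophos edition + version extension attribute.

PLIST="/Library/Sophos Anti-Virus/product-info.plist"

# Constructed sample of `defaults read` output, used only by --demo.
SAMPLE_INFO='{
    Product = "F9A0034E-6549-41ED-BD37-88CF2AA4CC8A";
    ProductVersion = "9.1.8";
}'

# Extract one key from `defaults read` output supplied on stdin.
# The key must match exactly, so "Product" never picks up "ProductVersion".
plist_value() {
    awk -v key="$1" '$1 == key && $2 == "=" {
        sub(/^[^=]*=[ \t]*/, "")    # drop "Key = "
        sub(/;[ \t]*$/, "")         # drop the trailing ";"
        gsub(/"/, "")               # drop optional quotes
        print
        exit
    }'
}

# Map a Product GUID to the edition names listed in the thread.
edition_name() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        1B897C99-EBD6-430D-AA97-EF71E7AC6C15) echo "Home" ;;
        C7CC7924-277E-431D-88E7-F6C956AD24D9) echo "Standalone" ;;
        F9A0034E-6549-41ED-BD37-88CF2AA4CC8A) echo "Managed" ;;
        F268E38B-F647-4E06-AA73-3F3C2850E6F5) echo "Cloud" ;;
        *) echo "Unknown ($1)" ;;
    esac
}

# Build the <result> line from `defaults read` output text.
ea_result() {
    ea_product=$(printf '%s\n' "$1" | plist_value Product)
    ea_version=$(printf '%s\n' "$1" | plist_value ProductVersion)
    if [ -z "$ea_product" ] && [ -z "$ea_version" ]; then
        echo "<result>Not installed</result>"
    else
        echo "<result>$(edition_name "$ea_product") ${ea_version:-unknown}</result>"
    fi
}

if [ "$1" = "--demo" ]; then
    ea_result "$SAMPLE_INFO"
elif [ -f "$PLIST" ]; then
    ea_result "$(defaults read "$PLIST")"
else
    ea_result ""
fi
```

A smart group on results beginning with "Home" or "Unknown" then lists the Macs that need a closer look.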

SOLVED Posted: by Karaiskakis

@lisacherie Are you able to share the script you use please? That is exactly how I would like to run the install but a bit over my head!

SOLVED Posted: by rcorbin

Wow this is a big thread. I seem to only have to deal with getting a working Sophos package every couple of years. Most of the time it all gets updated via the SEC. Read this thread to refresh my knowledge of deploying Sophos. So much information here. @tkimpton that is an amazing script for removing any version of Sophos. Thanks! It works for me but when I run it I do see an error that says "line 15: [: /Library/Application Support/Sophos: binary operator expected" That line reads "elif [ -d /Library/Application\ Support/Sophos Anti-Virus/Remove\ Sophos\ Anti-Virus.pkg ]; then" But it does seem to work. I used to install Sophos and then package with Composer but thanks to the tips in this thread I'm now using the .mpkg that is on the SEC in /Sophos Update/CIDs/S000/ESCOSX/ The problem I had at first was that Casper would give me this error that it couldn't verify the package or something to do with the integrity. I had a feeling that it was something to do with it being an .mpkg as it would install perfectly on a workstation on its own.

So I went back to searching JAMFnation on mpkg and found a tip from @donmontalvo where he said to 1. Add the pkg to the policy, then under the action pop up select "Cache"
2. Then under the maintenance section check the box that says [x] Install cached packages.

So my policy first runs the @tkimpton script to clear out any former install of Sophos. Then it pushes out the .mpkg file to the machine and caches it. Then installs any cached packages. Other than that one error it all works great. A little digging around JAMFNation and I'm all set. This is an amazing community.

SOLVED Posted: by tkimpton

My files in my package

I am currently deploying 9.1.8 Enterprise. Hope this helps someone. I also managed to set the update setting URL locations based on the machines computer name, include overrides and put in the Sophos Keychain.

The reason for this was that some remote sites were taking far too long to get credentials and left the machine in some cases vulnerable without AV.

/private/tmp/Sophos\ Anti-Virus.mpkg
/Library/Sophos\ Anti-Virus/Sophos.keychain
/Library/Management/Scripts/Sophos_Overrides.sh
/Library/LaunchDaemons/com.sn.savoverrides.Launchd.plist

PREINSTALL

#!/bin/bash
## preinstall


####### ENVIRONMENT VARIABLES #######

FILE1=/Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer

FILE2=/Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer

######### DO NOT MODIFY BELOW THIS LINE ###########


### Uninstall version 9.1
if [[ -f $FILE1 ]]; then
/Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove > /dev/null 2>&1

### Uninstall version 9.0
elif [[ -f $FILE2 ]]; then
/Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer --remove > /dev/null 2>&1
fi

# Pause 10 seconds
sleep 10

# Remove the old preferences
sudo rm -rf /Library/Preferences/com.soph* > /dev/null 2>&1

# Remove the old Caches
rm -rf /Library/Caches/com.sophos.*
rm -rf /Library/Application\ Support/Sophos\ Anti-Virus/
rm -rf  /Library/Application\ Support/Sophos/

# Remove the previous installers
rm -rf /Library/Scripts/SN/AV/Sophos\ Anti-Virus.mpkg > /dev/null 2>&1
rm -rf /tmp/Sophos\ Anti-Virus.mpkg > /dev/null 2>&1

exit 0          ## Success
exit 1          ## Failure

--------------------------
POST INSTALL

#!/bin/bash

## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

############


####### HISTORY ##############
#
#
# Written by Tim Kimpton 09.23.2014
#
# The Remote Management System (RMS) that deals with the communication between Sophos Anti-Virus for Mac OS X and the Sophos Enterprise Console can be
# configured to allow the Machine Name, Domain Name, and Computer Description to be overridden and alternative values to be used.
#
# http://www.sophos.com/en-us/support/knowledgebase/119758.aspx
#
############################

####### ENVIRONMENT VARIABLES ###########

# Get the machines current computername
ComputerName=`scutil --get ComputerName`

# Get machine location
LOCATION=`scutil --get ComputerName | cut -c 2-4`


# LONDON, AMSTERDAM, FRANCE, EUROPEAN REMOTE
if [[ "${LOCATION}" = LON || "${LOCATION}" = AMS || "${LOCATION}" = CDG || "${LOCATION}" = ERE ]]; then
PrimaryServerURL=XXX/SophosUpdate/CIDs/S000/ESCOSX

# SAN DIEGO
elif [ "${LOCATION}" = SAN ]; then
PrimaryServerURL=XXX/SophosUpdate/CIDs/S000/ESCOSX

# SEATTLE
elif [ "${LOCATION}" = SEA ]; then
PrimaryServerURL=XXX/SophosUpdate/CIDs/S000/ESCOSX

# SAN JOSE
elif [ "${LOCATION}" = SJC  ]; then
PrimaryServerURL=XXX/SophosUpdate/CIDs/S000/ESCOSX

# DEFAULT
else
PrimaryServerURL=XXX/SophosUpdate/CIDs/S000/ESCOSX

fi

### Domain Bindings ###

# Apple AD Plugin
AD=XXX

# Likewise AD Plugin
LikewiseAD="Likewise - Active Directory"

### LikeWise machine ###
LWmachine=`dscl /"${LikewiseAD}"/ -list /Computers | awk '{print $0}'`

### Apple AD machine ###
ADMachineCheck=`dsconfigad -show | grep "Computer Account" | awk '{print $4}' | cut -d "$" -f1`

### Check to see if the machine is bound to AD with the Apple Plugin
DomainCheck=`dsconfigad -show | grep -i "Active Directory Domain" | awk '{print $5}'`

############################### DO NOT MODIFY BELOW THIS LINE #################################

# install the pkg
sudo installer -pkg /tmp/Sophos\ Anti-Virus.mpkg -target /

sleep 10

############## ComputerNameOverride ###############

# Check to see if the ComputerName is already in the file
if
cat /Library/Sophos\ Anti-Virus/RMS/agent.config | grep ComputerNameOverride > /dev/null 2>&1 ;then

# If it is already in the file just echo out
echo "Sophos Anti-Virus ComputerNameOverride already exists!"

# If the override does not exist then check again the Apple AD plugin against the computer name
elif [ "${DomainCheck}"  = corp.service-now.com ]; then
echo "The machine"${ADMachineCheck}" exists in Active Directory and bound to "${DomainCheck}"
Creating the Sophos Anti-Virus Override"

# Write the override file to the location
sudo echo "\"ComputerNameOverride\"=\""${ADMachineCheck}""\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist


# Carry out the check if the machine is bound by Likewise plugin
elif
dscl /"${LikewiseAD}"/ -list Computers > /dev/null 2>&1 ;then
echo "The machine "${LikewiseAD}" exists in Active Directory and is bound to the Domain via the Likewise plugin
Creating the Sophos Anti-Virus ComputerNameOverride"

# Write the override file to the location
sudo echo "\"ComputerNameOverride\"=\""${LWmachine}""\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist
fi

############## ComputerDescriptionOverride #############

# Check to see if the ComputerName is already in the file
if
cat /Library/Sophos\ Anti-Virus/RMS/agent.config | grep ComputerDescriptionOverride > /dev/null 2>&1 ;then

# If it is already in the file just echo out
echo "Sophos Anti-Virus ComputerDescriptionOverride already exists!"

# If the override does not exist then check again the Apple AD plugin against the computer name
elif [ "${DomainCheck}"  = corp.service-now.com ]; then
echo "The machine"${ADMachineCheck}" exists in Active Directory and bound to "${DomainCheck}"
Creating the Sophos Anti-Virus ComputerDescriptionOverride"

# Write the override file to the location
sudo echo "\"ComputerDescriptionOverride\"=\""${ADMachineCheck}""\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

# Carry out the check if the machine is bound by Likewise plugin
elif
dscl /"${LikewiseAD}"/ -list Computers > /dev/null 2>&1 ;then
echo "The machine "${LikewiseAD}" exists in Active Directory and is bound to the Domain via the Likewise plugin
Creating the Sophos Anti-Virus ComputerDescriptionOverride"

# Write the override file to the location
sudo echo "\"ComputerDescriptionOverride\"=\""${LWmachine}""\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

fi

################# DomainNameOverride ###################

# Check to see if the ComputerName is already in the file
if
cat /Library/Sophos\ Anti-Virus/RMS/agent.config | grep DomainNameOverride > /dev/null 2>&1 ;then

# If it is already in the file just echo out
echo "Sophos Anti-Virus DomainNameOverride already exists!"

# If the override does not exist then check again the Apple AD plugin against the computer name
elif [ "${DomainCheck}"  = corp.service-now.com ]; then
echo "The machine"${ADMachineCheck}" exists in Active Directory and bound to "${DomainCheck}"
Creating the Sophos Anti-Virus DomainNameOverride"

# Write the override file to the location
sudo echo "\"DomainNameOverride\"=\"$AD"\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"


# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

# Carry out the check if the machine is bound by Likewise plugin
elif
dscl /"${LikewiseAD}"/ -list Computers > /dev/null 2>&1 ;then
echo "The machine "${LikewiseAD}" exists in Active Directory and is bound to the Domain via the Likewise plugin
Creating the Sophos Anti-Virus DomainNameOverride"

# Write the override file to the location
sudo echo "\"DomainNameOverride\"=\"$AD"\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"


# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

fi

# Load the LaunchDaemon
launchctl load -w /Library/LaunchDaemons/com.sn.savoverride.Launchd.plist

# Hide the folder
chflags hidden /Library/Management/

# Hide the launchdaemon
chflags hidden /Library/LaunchDaemons/com.sn.savoverride.Launchd.plist

# Pause 10 seconds
sleep 10

############# Set Sophos PrimaryURL #################

# Set to use network volume for Primary server
defaults write /Library/Preferences/com.sophos.sau PrimaryServerType '<integer>2</integer>'

# Set the URL
defaults write /Library/Preferences/com.sophos.sau PrimaryServerURL smb://$PrimaryServerURL

# Set secondary server to Sophos
defaults write /Library/Preferences/com.sophos.sau SecondaryServerType '<integer>0</integer>'

defaults write /Library/Preferences/com.sophos.sau SecondaryServer '<true/>'

# Restart Sophos Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.*
launchctl load -w /Library/LaunchDaemons/com.sophos.*


exit 0      ## Success
exit 1      ## Failure

Sophos_Overrides.sh run with a launch daemon and watch path if /Library/Sophos\ Anti-Virus/RMS/agent.config is modified

#!/bin/bash

####### HISTORY ##############
#
#
# Written by Tim Kimpton 09.23.2014
#
# The Remote Management System (RMS) that deals with the communication between Sophos Anti-Virus for Mac OS X and the Sophos Enterprise Console can be
# configured to allow the Machine Name, Domain Name, and Computer Description to be overridden and alternative values to be used.
#
# http://www.sophos.com/en-us/support/knowledgebase/119758.aspx
#
############################


####### ENVIRONMENT VARIABLES ###########

# Get the machines current computername
ComputerName=`scutil --get ComputerName`

### Domain Bindings ###

# Apple AD Plugin
AD=XXX

# Likewise AD Plugin
LikewiseAD="Likewise - Active Directory"

### LikeWise machine ###
LWmachine=`dscl /"${LikewiseAD}"/ -list /Computers | awk '{print $0}'`

### Apple AD machine ###
ADMachineCheck=`dsconfigad -show | grep "Computer Account" | awk '{print $4}' | cut -d "$" -f1`

### Check to see if the machine is bound to AD with the Apple Plugin
DomainCheck=`dsconfigad -show | grep -i "Active Directory Domain" | awk '{print $5}'`

##### DO NOT MODIFY BELOW THIS LINE ######


############## ComputerNameOverride ###############

# Check to see if the ComputerName is already in the file
if
cat /Library/Sophos\ Anti-Virus/RMS/agent.config | grep ComputerNameOverride > /dev/null 2>&1 ;then

# If it is already in the file just echo out
echo "Sophos Anti-Virus ComputerNameOverride already exists!"

# If the override does not exist then check again the Apple AD plugin against the computer name
elif [ "${DomainCheck}"  = corp.service-now.com ]; then
echo "The machine"${ADMachineCheck}" exists in Active Directory and bound to "${DomainCheck}"
Creating the Sophos Anti-Virus Override"

# Write the override file to the location
sudo echo "\"ComputerNameOverride\"=\""${ADMachineCheck}""\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist


# Carry out the check if the machine is bound by Likewise plugin
elif
dscl /"${LikewiseAD}"/ -list Computers > /dev/null 2>&1 ;then
echo "The machine "${LikewiseAD}" exists in Active Directory and is bound to the Domain via the Likewise plugin
Creating the Sophos Anti-Virus ComputerNameOverride"

# Write the override file to the location
sudo echo "\"ComputerNameOverride\"=\""${LWmachine}""\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist
fi

############## ComputerDescriptionOverride #############

# Check to see if the ComputerName is already in the file
if
cat /Library/Sophos\ Anti-Virus/RMS/agent.config | grep ComputerDescriptionOverride > /dev/null 2>&1 ;then

# If it is already in the file just echo out
echo "Sophos Anti-Virus ComputerDescriptionOverride already exists!"

# If the override does not exist then check again the Apple AD plugin against the computer name
elif [ "${DomainCheck}"  = corp.service-now.com ]; then
echo "The machine"${ADMachineCheck}" exists in Active Directory and bound to "${DomainCheck}"
Creating the Sophos Anti-Virus ComputerDescriptionOverride"

# Write the override file to the location
sudo echo "\"ComputerDescriptionOverride\"=\""${ADMachineCheck}""\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

# Carry out the check if the machine is bound by Likewise plugin
elif
dscl /"${LikewiseAD}"/ -list Computers > /dev/null 2>&1 ;then
echo "The machine "${LikewiseAD}" exists in Active Directory and is bound to the Domain via the Likewise plugin
Creating the Sophos Anti-Virus ComputerDescriptionOverride"

# Write the override file to the location
sudo echo "\"ComputerDescriptionOverride\"=\""${LWmachine}""\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

fi

################# DomainNameOverride ###################

# Check to see if the ComputerName is already in the file
if
cat /Library/Sophos\ Anti-Virus/RMS/agent.config | grep DomainNameOverride > /dev/null 2>&1 ;then

# If it is already in the file just echo out
echo "Sophos Anti-Virus DomainNameOverride already exists!"

# If the override does not exist then check again the Apple AD plugin against the computer name
elif [ "${DomainCheck}"  = corp.service-now.com ]; then
echo "The machine"${ADMachineCheck}" exists in Active Directory and bound to "${DomainCheck}"
Creating the Sophos Anti-Virus DomainNameOverride"

# Write the override file to the location
sudo echo "\"DomainNameOverride\"=\"$AD"\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

# Carry out the check if the machine is bound by Likewise plugin
elif
dscl /"${LikewiseAD}"/ -list Computers > /dev/null 2>&1 ;then
echo "The machine "${LikewiseAD}" exists in Active Directory and is bound to the Domain via the Likewise plugin
Creating the Sophos Anti-Virus DomainNameOverride"

# Write the override file to the location
sudo echo "\"DomainNameOverride\"=\"$AD"\" >> "/Library/Sophos Anti-Virus/RMS/agent.config"

# Restarting the Sophos RMS Services
launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist

fi

exit 0

**NOTE: In January Sophos are releasing 9.2.2 as recommended, and we are going to have to go through all of this again, and 9.2.2 is an app and is completely different!!!**

http://www.sophos.com/en-us/support/knowledgebase/120189.aspx
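An added example, not tkimpton's script: the three override sections above reduced to one idempotent helper that writes `"Key"="Value"` lines to agent.config in the same format, so the RMS daemons are restarted once and only when something changed. The function names, the `example.invalid` hosts, the `EXAMPLE` domain, the use of ComputerName as the machine name and the demo file contents are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: idempotent RMS overrides for agent.config.

AGENT_CONFIG="/Library/Sophos Anti-Virus/RMS/agent.config"

# Characters 2-4 of the computer name are the site code, as in the thread.
site_code() {
    printf '%s' "$1" | cut -c 2-4
}

# Map a computer name to an update share. All hosts are placeholders.
primary_server_url() {
    case "$(site_code "$1")" in
        LON|AMS|CDG|ERE) echo "smb://emea.example.invalid/SophosUpdate/CIDs/S000/ESCOSX" ;;
        SAN) echo "smb://san.example.invalid/SophosUpdate/CIDs/S000/ESCOSX" ;;
        SEA) echo "smb://sea.example.invalid/SophosUpdate/CIDs/S000/ESCOSX" ;;
        SJC) echo "smb://sjc.example.invalid/SophosUpdate/CIDs/S000/ESCOSX" ;;
        *)   echo "smb://default.example.invalid/SophosUpdate/CIDs/S000/ESCOSX" ;;
    esac
}

# Append "Key"="Value" only when that exact key is absent.
# Returns 0 = written, 1 = already present, 2 = nothing sensible to write.
set_override() {
    so_cfg="$1"; so_key="$2"; so_value="$3"
    [ -f "$so_cfg" ] || return 2      # RMS not installed: do not create the file
    [ -n "$so_value" ] || return 2    # unbound Mac: never write an empty override
    if grep -q "^\"$so_key\"=" "$so_cfg"; then
        return 1
    fi
    # Keep the new entry on its own line if the file lacks a final newline.
    if [ -s "$so_cfg" ] && [ -n "$(tail -c 1 "$so_cfg")" ]; then
        echo >> "$so_cfg"
    fi
    printf '"%s"="%s"\n' "$so_key" "$so_value" >> "$so_cfg"
}

# Apply all three overrides; prints 1 if anything was written, else 0.
apply_overrides() {
    ao_cfg="$1"; ao_machine="$2"; ao_domain="$3"; ao_changed=0
    set_override "$ao_cfg" ComputerNameOverride "$ao_machine" && ao_changed=1
    set_override "$ao_cfg" ComputerDescriptionOverride "$ao_machine" && ao_changed=1
    set_override "$ao_cfg" DomainNameOverride "$ao_domain" && ao_changed=1
    echo "$ao_changed"
}

# Restart the two RMS daemons named in the thread.
restart_rms() {
    launchctl unload -w /Library/LaunchDaemons/com.sophos.managementagent.plist
    launchctl unload -w /Library/LaunchDaemons/com.sophos.messagerouter.plist
    launchctl load -w /Library/LaunchDaemons/com.sophos.managementagent.plist
    launchctl load -w /Library/LaunchDaemons/com.sophos.messagerouter.plist
}

if [ -f "$AGENT_CONFIG" ]; then
    # Mac with Sophos installed (assumption: ComputerName is the name to report).
    name=$(scutil --get ComputerName)
    if [ "$(apply_overrides "$AGENT_CONFIG" "$name" "EXAMPLE")" = 1 ]; then
        restart_rms
    fi
    echo "Update share: $(primary_server_url "$name")"
else
    # Anywhere else: run against a constructed file with no final newline.
    demo=$(mktemp)
    printf '"ExistingKey"="1"' > "$demo"
    echo "first run changed:  $(apply_overrides "$demo" MLON1234 EXAMPLE)"
    echo "second run changed: $(apply_overrides "$demo" MLON1234 EXAMPLE)"
    cat "$demo"
    rm -f "$demo"
fi
```

Anchoring the grep on the quoted key is what stops a second run from appending duplicates.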

SOLVED Posted: by rtrouton

With regards to Sophos 9.2.2's installer being an app, I took a look at repackaging Sophos Home Edition (as that's already at 9.2.2). I have a post with my findings available here:

http://derflounder.wordpress.com/2014/11/27/deploying-sophos-anti-virus-home-edition-for-mac-9-2-x-for-personal-use/

SOLVED Posted: by tkimpton

Thanks rich we really appreciate it :)

I got nothing even from the head of Sophos development in Canada and numerous support calls.

:)

SOLVED Posted: by tkimpton

I will play around with Enterprise 9.2.2 over Christmas when I get a breather from work and will let you know what I have come up with :)

Tim

SOLVED Posted: by jelockwood

@rtrouton
@tkimpton

Quite some time ago I adapted Richard's original script to allow deploying the paid for but standalone version of SAV9.0.x, more recently I have updated my modified script to allow deploying SAV 9.2.2 see my article here http://jelockwood.blogspot.co.uk/2014/03/deploying-sophos-anti-virus-on-mac.html and follow the pastebin link to get a copy of the script.

The process is basically the same as Richard's original one - using Packages to build an installer package containing the Sophos installer application along with the now externally stored update settings, and then running (my version of) a post-install script.

This works fine to deploy the standalone version on versions of OS X from 10.6 all the way up to and including 10.10.1

SOLVED Posted: by tkimpton

@jelockwood

Unfortunately your update settings for 9.2.2 are not clear (externally stored update settings)

I have tried to look for this in your scripts and cannot see it. Please can you provide details?

Thanks

SOLVED Posted: by jelockwood

@tkimpton

I did mention it on my webpage and earlier in this thread. For the Sophos standalone version you pre-configure the Sophos installer application as per their instructions here http://www.sophos.com/en-us/support/knowledgebase/119744.aspx

You then package up the Sophos installer application and these settings (using Packages) and run the post-install script to install both. The Sophos installer app will look for the settings that should be included with it. The settings used to be inside the Sophos installer application but are now in a folder outside the application - this folder is called "Sophos Installer Components" and contains a file called "updateconfig.xml". So the installer package needs to deliver both "Sophos Installer.app" and "Sophos Installer Components" (at the same level). I did this by putting both into a folder and delivering the parent folder.

As I don't have a Windows server I am using the standalone version of Sophos as mentioned. If Sophos Enterprise Console now stores the settings outside of the Sophos Installer.app and if it now uses the Sophos Installer.app rather than a package then a similar approach should be possible.

SOLVED Posted: by tkimpton

thanks "Sophos Installer Components" is what i was looking for

SOLVED Posted: by johnklimeck

I have had Sophos 9.1.7 working fine in our environment, has the update server name, and auto update as it should.

I repackaged the provided mpkg with a pkg, doing a snapshot in Composer. Has been working (does require a reboot)

Now I have an updated 9.1.8 mpkg, and the Sophos admins, want to include a GroupPath, grouppath.list, in the mpkg.

http://www.sophos.com/en-us/support/knowledgebase/119791.aspx

Did that, but this just doesn't install correctly / work anymore.

Is there an ultimate destination that this grouppath.list (or information contained thereof) is located PostInstall, that way, I can just include that with Composer. Any experiences / feedback greatly appreciated. John

SOLVED Posted: by rtrouton
SOLVED Posted: by jelockwood

@johnklimeck @rtrouton

As you are hopefully aware you need Sophos Anti-Virus 9.2.2 for full Yosemite compatibility, I think the latest version is now 9.2.3. I deploy the standalone (paid for) version of 9.2.2 using a tweaked version of Richard Trouton's original solution as documented here http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/ with my tweaked version here http://jelockwood.blogspot.co.uk/2014/03/deploying-sophos-anti-virus-on-mac.html

I pre-configure the Sophos installer application to include the download credentials to get updates direct from Sophos. As a reminder I don't have a Windows server to run Sophos Enterprise Console and hence cannot distribute updates internally.

I realise some people here need to deploy the Enterprise Console managed version and when I did last use this in a previous job where I had a Windows server to run it on it used to be the case that when a migration from one major version of SAV to another was taking place you could choose which to subscribe to to get updates to host on your server. Either you would replace your soon to be obsolete one and only have the new one, or you would create an additional separate folder - aka. CID. I would presume a similar process still occurs so you might want to look at whether a 9.2.2 based option is now available.

SOLVED Posted: by cforte

Greetings all. We've always had issues with our Mac Sophos clients, and our install base was an inconsistent and rather unprotected mess. When we set up a new Sophos server, we decided to use this as an opportunity to remove the messed up installations on our Macs and have our clients all configured consistently and talking to the new Enterprise Console. I was having issues getting Sophos 9.1.8 deployed; the installer would run as a policy from Casper but the autoupdate settings would not be properly populated in a consistent manner. I was referred to the guide already referenced here:

https://derflounder.wordpress.com/2014/09/02/deploying-sophos-enterprise-anti-virus-for-mac-os-x-9-x/

I modified that approach for our environment and it has been working great so far.

A couple notes on our environment:

  • Most of our Macs already have Sophos 9.x installed. The few that have no Sophos installed or still have Sophos 8 installed are excluded from our policy and will be remediated separately.
  • We've been using Iceberg to make our packages, so some options and what-not may be a little different

OK, so first we created an installer with our Enterprise Console with the appropriate settings we want. We then took a clean machine and manually ran this installer so that everything was configured properly. We then grabbed the following files to distribute later:

  • /Library/Preferences/com.sophos.sau.plist
  • /Library/Sophos Anti-Virus/Sophos.keychain

We then created a new project in Iceberg on an admin machine. We configured it to copy our Enterprise installer and the two files we harvested into a non-obvious local folder on the drive. For argument's sake we'll call it /Library/MrFluffyKins. We then added the following preflight script which invokes the existing Sophos removal tool on clients and then deletes old files that had been used by Sophos:

#!/bin/sh

# ** REMOVE SOPHOS ANTI-VIRUS ***
# 2015-01-28 cforte

# Remove Current Install
/Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove

# Timer to delay next steps until the removal process completes
sleep 30

# Delete Sophos Files
rm -fr /Library/Sophos\ Anti-Virus
rm -fr /Library/Application\ Support/Sophos
rm -fr /Library/Application\ Support/Sophos\ Anti-Virus
rm -f /Library/Preferences/com.sophos.*

exit 0

We then added the following postflight script which runs the installer we dumped on the local drive, copies the update files we had grabbed earlier, and relaunches Sophos:

#!/bin/sh
# Reinstall Sophos Anti-Virus
# 2015-02-11 cforte
# Postflight script for a package that copies the installer to the /Library/MrFluffyKins folder and invokes the appropriate flags to install Sophos properly and copies settings files to appropriate locations

# Install cached package
installer -pkg '/Library/MrFluffyKins/Sophos Anti-Virus.mpkg' -target /

# Timer to give time for installation processes to complete before moving on
sleep 45

# Remove incorrect update files
rm -f /Library/Sophos\ Anti-Virus/Sophos.keychain
rm -f /Library/Preferences/com.sophos.sau.plist

# Move update settings files to their appropriate locations
mv -f /Library/MrFluffyKins/Sophos.keychain /Library/Sophos\ Anti-Virus/
mv -f /Library/MrFluffyKins/com.sophos.sau.plist /Library/Preferences/

# Relaunch Sophos to load new settings
/bin/launchctl unload /Library/LaunchDaemons/com.sophos.configuration.plist
/bin/launchctl load /Library/LaunchDaemons/com.sophos.configuration.plist 

exit 0

When building the package, I had to make sure that it was set to run with elevated privileges. To be safe, I also set permissions on the installer and settings files dumped in the MrFluffyKins folder so that everyone had read/execute rights. After building that and deploying it as a policy in Casper, it has been working on machines from OS X 10.6 - 10.10.

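
Added example, not part of cforte's post: the two scripts above rely on fixed sleep timers and always finish with exit 0, so a failed install still reports success to the policy. The sketch below polls with a timeout and returns non-zero when the settings files are missing; the function names, the ROOT prefix, and treating the com.sophos.configuration.plist LaunchDaemon as the readiness signal are assumptions.

```shell
#!/bin/sh
# Added example: bounded wait plus post-install verification for a
# Casper postflight. Names and the ROOT prefix are assumptions.
# ROOT is empty on a real Mac; set it to a scratch tree to try the checks.
ROOT="${ROOT:-}"

# wait_until SECONDS COMMAND [ARGS...]
# Re-run COMMAND once per second until it succeeds or SECONDS have elapsed.
wait_until() {
    remaining="$1"; shift
    while ! "$@"; do
        [ "$remaining" -gt 0 ] || return 1
        sleep 1
        remaining=$((remaining - 1))
    done
}

# Assumed readiness signal: the LaunchDaemon the postflight reloads exists.
install_ready() {
    [ -f "$ROOT/Library/LaunchDaemons/com.sophos.configuration.plist" ]
}

# Both harvested settings files must be present and non-empty.
settings_in_place() {
    for f in "$ROOT/Library/Sophos Anti-Virus/Sophos.keychain" \
             "$ROOT/Library/Preferences/com.sophos.sau.plist"; do
        [ -f "$f" ] && [ -s "$f" ] || return 1
    done
}

# Returns 0 when verified, 1 if the install never became ready,
# 2 if it did but the settings files are missing or empty.
verify_install() {
    wait_until "${1:-120}" install_ready || return 1
    settings_in_place || return 2
}

# Usage at the end of a postflight, instead of an unconditional "exit 0":
#   verify_install 120; exit $?
if [ "${1:-}" = "--verify" ]; then
    verify_install "${2:-120}"
    exit $?
fi
```
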
SOLVED Posted: by jagress

I had the same thought as @lisacherie and decided to script it. That was working great with the pkg installer from the previous version. I just had to update our script to work with the app installer. Here it is in case someone else finds it useful. We aren't hardcoding the update settings; instead, we're using the grouppath.plist to specify a group in which to enroll in the Enterprise Console. That group's settings determine primary and secondary update servers, definition update frequency, etc.

#!/bin/sh

# InstallSophos.sh

# Mount Sophos share
echo "Mounting SOPHOSAV..."
jamf mount -server "sophos.mydomain.com" -share "SophosUpdate" -type "smb" -username "username" -password "password"

# Copy package to machine
echo "Copying package to local directory..."
cp -R "/Volumes/SophosUpdate/CIDs/S000/ESCOSX/Sophos Installer.app" /tmp/
cp -R "/Volumes/SophosUpdate/CIDs/S000/ESCOSX/Sophos Installer Components" /tmp/


# Unmount Sophos share
echo "Unmounting SOPHOSAV..."
jamf unmountServer -mountPoint /Volumes/SophosUpdate

# Add install data for Mac group in Enterprise Console
echo "Setting group path info..."
groupPath="/tmp/Sophos Installer Components/RMS/grouppath.plist"
echo '<?xml version="1.0" encoding="UTF-8"?>' > "$groupPath"
echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> "$groupPath"
echo '<plist version="1.0">' >> "$groupPath"
echo '<dict>' >> "$groupPath"
echo '<key>GroupPath</key>' >> "$groupPath"
echo '<string>\SOPHOS\Mac</string>' >> "$groupPath"
echo '</dict>' >> "$groupPath"
echo '</plist>' >> "$groupPath"

# Install package
echo "Installing Sophos app..."
"/tmp/Sophos Installer.app/Contents/MacOS/tools/InstallationDeployer" --install

# Trigger initial auto update
echo "Performing initial auto update..."
sleep 15
/usr/bin/sophosupdate

# Remove tmp files
rm -rf "/tmp/Sophos Installer.app"
rm -rf "/tmp/Sophos Installer Components"

exit 0

I find that sometimes that initial Auto Update doesn't work because it takes time for the Enterprise Console's group settings to apply to the client. Usually a reboot seems to fix this. If anyone knows of a way to expedite this process, please share!

SOLVED Posted: by wmateo

@jagress how did you handle existing installations of Sophos Clients? Was this only for machines that didn't have it?

SOLVED Posted: by jagress

@wmateo I first run an uninstall script.

I think there are some examples in this thread. Though I had some issues with the Sophos uninstaller not working 100% over the summer, so I ended up scripting my own.

SOLVED Posted: by wmateo

@jelockwood I might try your method. However, what about the Sophos Installer Components? Do you still need them with the .mpkg? I didn't see mention of that.

SOLVED Posted: by jelockwood

@wmateo My method is known to work with the Sophos Home Edition and the Sophos Standalone Edition, it might in theory also work with the Sophos Cloud Edition. It has not however been tested with the Enterprise Console Managed version.

I have not had access to Sophos Enterprise Console for quite some time which is why I had to find a way of creating a standard Apple installer package approach for deployment. My approach is based on a script originally written by @rtrouton you could try my modified version as the basis for a solution. The address for it is listed earlier in this discussion.

SOLVED Posted: by bentoms

@wmateo You'll likely need the Installer Components directory to be in the same enclosing folder as the folder the Sophos Enterprise Console's installer is in.

For ease, I'd copy the ESCOSX folder (or whatever it's called).

To test, move the Installer Components folder to another location & try the install via the GUI.

SOLVED Posted: by wmateo

@bentoms Thank you for that. I tried to install the .app with the components folder elsewhere and it failed, so I have to package everything into one folder, then deploy to clients, and run a post install to copy over the preferences and keychain as referenced in @rtrouton's blog. Plus I have to use a removal script that uninstalls 8.x and 9.1.x versions as well. I thank Sophos for keeping me employed! There is a positive in this!!! lol

Thanks @jelockwood I will def take pieces from your removal script.

SOLVED Posted: by bentoms

@wmateo FWIW, I didn't need to copy over the plist or keychain.

But I'm not doing an upgrade.

SOLVED Posted: by wmateo

@bentoms Hmm. I will check that out and perform some more testing. I did read somewhere that if you are copying it from the ESCOX or whatever folder, it's supposed to have those settings of AutoUpdate folder to my Enterprise Console.

SOLVED Posted: by rtrouton

I have a post on how I'm deploying Sophos 9.2.x for Enterprise available from here:

https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/

SOLVED Posted: by wmateo

@rtrouton thanks!!

SOLVED Posted: by wmateo

@rtrouton just tried your method and it worked pretty good. Thank You for posting that.

SOLVED Posted: by tuinte

Where is this mpkg on SEC that people are referring to? CIDs/S000/ESCOSX has Sophos Installer.app not a mpkg. Is it somewhere else?

SOLVED Posted: by rtrouton

@tuinte,

Sophos recently changed the Enterprise installer so that it's no longer an installer package. I have a post on how I'm repackaging the install.app and deploying Sophos 9.2.x for Enterprise available from here:

https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/

SOLVED Posted: by casper100

@tuinte Yeah, what @rtrouton said. I did my proof of concept for Sophos AV/SEC on the former package and just when I was waiting for my purchase order to go through (February, I believe) the "recommended" version changed to the app installer. It was with a bit of trepidation that I tried Rich's method (I, of limited scripting ability - and ugh, have to learn another 3rd party tool). It was more simple than I imagined (Rich did all of the heavy lifting for us) and the resulting installer worked great for my entire deployment via policy.

SOLVED Posted: by CasperSally

With our renewal it comes with hours for a service engagement. I requested help building a Sophos installer pkg and have something scheduled for early June. I'm curious what they come up with or suggest. I know I have Rich's method to fall back on.

SOLVED Posted: by tuinte

Thanks all for the info. I built a package using Rich's method, and got it working, though I then stumbled across this Sophos article that gives the automatable command-line method of installing the Sophos Installer app. And this article details how to pre-configure the installer so it has all the server connection info included and enables On-Access scanning (which we require). I got this working, and, to me, it's simpler.

SOLVED Posted: by bbot

Awesome post. This helped me with configuring my Deploy Studio imaging software.

I'm noticing it takes about 15-20 minutes for the machines to show up in Sophos Enterprise Console. Is there a command that'll force it to check in with the SEC as soon as it installs?

SOLVED Posted: by gregneagle

Rich writes: "Sophos recently changed the Enterprise installer so that it's no longer an installer package."

I have a hard time understanding how something that's not an install package can be considered (or called) an "Enterprise installer" #idonotthinkthatmeanswhatyouthinkitmeans

Keep complaining and filing issues with Sophos.

SOLVED Posted: by rtrouton

To clarify, I called it the Enterprise installer to associate it with the Sophos Enterprise product. Likewise, Sophos also has a Home installer and a Cloud installer.

SOLVED Posted: by brysontyrrell

I'm trying to do a simple pkg that wraps the Sophos Cloud install app and there has to be something I am completely missing.

If I take the app and support plist from the zip file and run the terminal install command everything is fine. It downloads and installs silently in the background without issue.

Once I take that line and put it into the postinstall of my new package it no longer works. The last thing to show up in the install.log is:

Sophos Bootstrap[382]: [SMESophosBootstrapAppDelegate.m:1329] System Verified

After that nothing happens. The content is supposed to be downloaded at this point but the process will hang indefinitely (the only other log entry that would show up after this is the notification that the install is complete). Can anyone help me out with what might be going on here? I feel like I'm missing something obvious.

SOLVED Posted: by rtrouton

@brysontyrrell Can you post a sanitized postinstall somewhere that folks can take a look at it?

SOLVED Posted: by brysontyrrell

@rtrouton

I have pared it down to just this without success:

#!/bin/bash

policy="SophosCloud"
loggertag="jamfsw-it-logs"

# IT logging
log() {
echo "$1"
/usr/bin/logger -t "$loggertag: $policy" "$1"
}

# TRAP statement and cleanup items upon EXIT
cleanup() {
log "Starting cleanup"
log "Removing temp files"
/bin/rm -r /private/tmp/SophosInstall
}

trap cleanup exit
log "Installing Sophos Cloud"
/private/tmp/SophosInstall/Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer --install

log "Running Recon"
/usr/sbin/jamf recon || log "jamf error code $?: There was an error running Recon"

exit 0

SOLVED Posted: by rtrouton

Just out of curiosity, is there also a tools directory located in /path/to/Sophos Installer.app/Contents/MacOS/ ?

The reason I'm asking is that running the install application from /path/to/Sophos Installer.app/Contents/MacOS/ on Sophos 9.1.x and later will cause the Sophos install application to launch in the dock and interfere with a normal installation via installer package.

SOLVED Posted: by brysontyrrell

There is. The /tools/ directory contains the com.sophos.bootstrap.helper file that is launched when invoking '--install'.

SOLVED Posted: by rtrouton

OK. In other Sophos installers, there's another copy of the Sophos InstallationDeployer install application located inside of tools, and ../tools/InstallationDeployer is the one that can be used by an installer package.

SOLVED Posted: by lionelgruenberg

@brysontyrrell what version of the Sophos Installer.app are you using in your custom pkg?

SOLVED Posted: by brysontyrrell

I checked out the Home app and I see that. I'm guessing that the Enterprise version has that as well?

Their Cloud installer doesn't seem to line up with the other two.

SOLVED Posted: by brysontyrrell

@lionelgruenberg

The app's version is 9.3.1

SOLVED Posted: by lionelgruenberg

@brysontyrrell Can you try installing from a different directory? I use the JAMF Waiting Room for Sophos Cloud.
This is in my postinstall script:

/Library/Application\ Support/JAMF/Waiting\ Room/SophosInstall/Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer --install

SOLVED Posted: by corbinmharris

I just use the instructions provided by Sophos -

https://www.sophos.com/en-us/support/knowledgebase/33050.aspx

Launch Composer before I start the install and configuration. Must not be connected to network when setting up the update preferences. Quit Sophos and reconnect to network, then add to the Admin and then push out to a test MBP. The final package is almost 200mb, so take that in consideration.

Corbin

SOLVED Posted: by mkremic

@brysontyrrell I literally repackaged our Sophos installer 2 days ago...

+1 to @lionelgruenberg about using a different directory.

I started by trying to package the installer in /private/tmp so it would be cleared on a reboot and it would just sit for hours and hang.

Ended up repackaging so it was in /Users/Shared/Downloads with a postflight script:

sudo /Users/Shared/Downloads/SophosInstall/Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer --install

and it worked first go. Installed in a matter of minutes. Hope that helps! Our old package was a pre and post capture of a full install and it was a bit of a hit and miss on some of our Macs. This is much cleaner.

Cheers

SOLVED Posted: by brysontyrrell

@lionelgruenberg @mkremic

Can someone save my sanity and explain to me why executing the Sophos silent install from /Users/Shared/ is different from /private/tmp/? This doesn't make any sense to me!

(yes, that worked moving it out of /private/tmp/)

SOLVED Posted: by lionelgruenberg

@brysontyrrell Can't explain why but hopefully this saves your sanity... Here is a rough way to execute the silent install from /private/tmp

Create a custom Sophos Install package and include a script to kick off the silent install at /private/tmp/SophosInstall/install_sophos.sh:

#!/bin/bash
/private/tmp/SophosInstall/Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer --install

Execute the install_sophos.sh script from a postinstall script in your custom Sophos Install package:

#!/bin/bash
/private/tmp/SophosInstall/install_sophos.sh

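
Added example, not from any poster in this thread: the scripts above stage the installer under fixed names in /tmp, /private/tmp or /Users/Shared, locations that other local accounts can write to, before running it as root. This sketch stages into a randomly named mode-700 directory and checks the copy before use; STAGE_BASE (defaulting to the Waiting Room path quoted above) and the function names are assumptions, and the InstallationDeployer path is the one quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: private staging for an installer that root will execute.
# STAGE_BASE and all function names are assumptions, not from the thread.
STAGE_BASE="${STAGE_BASE:-/Library/Application Support/JAMF/Waiting Room}"

# Create a randomly named, owner-only directory under $1 and print its path.
make_stage_dir() {
    [ -d "$1" ] || return 1
    # mktemp -d creates the directory atomically; it never reuses an existing name.
    new_dir=$(mktemp -d "$1/SophosInstall.XXXXXX") || return 1
    chmod 700 "$new_dir" || return 1
    printf '%s\n' "$new_dir"
}

# Copy payload $1 (file or bundle) into stage dir $2 and drop group/other write bits.
stage_payload() {
    [ -e "$1" ] || return 1
    cp -R "$1" "$2/" || return 1
    chmod -R go-w "$2"
}

# Succeed only if no file or directory under $1 is group- or world-writable.
# Symlinks are skipped because their own mode bits are not meaningful.
stage_is_private() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print)" ]
}

# Usage: sh stage_install.sh "/path/to/Sophos Installer.app" "/path/to/Sophos Installer Components"
main() {
    stage=$(make_stage_dir "$STAGE_BASE") || exit 1
    trap 'rm -rf "$stage"' EXIT
    for item in "$@"; do
        stage_payload "$item" "$stage" || exit 1
    done
    stage_is_private "$stage" || exit 1
    "$stage/Sophos Installer.app/Contents/MacOS/tools/InstallationDeployer" --install
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```
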
SOLVED Posted: by DanJ_LRSFC

I managed to create a Sophos package just fine, but what about changing the update server configuration on an already-installed copy of Sophos, is there a way to do that from a script? As installing the new package over the top of the old one does not have any effect.

SOLVED Posted: by emily

It's built into a plist, so I would imagine you could deploy the plist to machines to update that info. Check out @rtrouton's post if you haven't already: https://derflounder.wordpress.com/2015/06/17/revisiting-sophos-enterprise-anti-virus-for-mac-9-2-x-deployment/

SOLVED Posted: by stevewood

@DanJ_LRSFC you may want to have a look at this Sophos article on how to create a pre-configured installer:

How to create a pre-configured installer containing updating and On-Access scanning options

That's the process I use to create the PKG for our install.

SOLVED Posted: by jelockwood

@DanJ_LRSFC As @stevewood mentions you can create a pre-configured stand-alone installer as per that Sophos article. As @emily mentions @rtrouton has done an excellent job of detailing how to deploy a pre-configured managed copy of the Sophos installer.

(Is this a record for the number of people referenced ;) )

What you can do when deploying a pre-configured stand-alone copy of the Sophos installer (via a package) is to have a pre-install script which uninstalls any existing copy first, this ensures the newly installed copy is not contaminated by old settings. This is how I do it.
