Deploying Sophos Anti-Virus for Mac

jelockwood
Contributor

Sophos have gone from being one of the best Mac enterprise anti-virus solutions to (perhaps) the worst. Grrr.

Multi-platform organisations are likely to have a Windows server (or more than one) and can therefore run Sophos Enterprise Console to create and manage a Mac installer for Sophos Anti-Virus. I have done this in previous companies.

Previously Mac only organisations could use Sophos Update Manager to do much the same on a Mac server. Unfortunately SUM only supports SAV8 and does not support SAV9. SAV8 is being discontinued in April 2014 and does not officially support Mavericks. It is therefore urgent to move all Macs to SAV9 by April 2014.

If you have no Windows Server, and can no longer use SUM, this leaves two more possibilities, first you could use the standalone SAV9 installer. It is even possible to pre-configure the auto-update account details for this. Unfortunately Sophos have made this installer an application and not an installer package. As a result it cannot be deployed using Apple Remote Desktop, Casper, Munki, or any other Mac management tool. (The application needs to be run as an application on each client Mac to do the actual installation.) This stupid design is like the equally stupid approach taken by Adobe and Flash. However at least with Adobe Flash you can find if you look hard enough a standard package file to install Flash.

The final possibility and the one Sophos are pushing Mac only customers to, is to sign up for an extra cost subscription to Sophos Cloud. This does let you manage via the Cloud your Macs, it does let your Macs directly update from Sophos, but a) the website for Sophos Cloud is not 100% Safari friendly, and much more importantly b) the installer it produces is yet again an application and not an installer package!

The only approach that still gives you a proper installer package is via Sophos Enterprise Console running on a Windows server.

Other than Sophos Enterprise Console has anyone else found a solution to let you mass deploy SAV9?

Note: Yes if you install SAV9 manually on a Mac and then make a monolithic master disk image that would work, however I like many others now prefer to use a thin imaging approach (via InstaDMG or AutoDMG).


Chris
Valued Contributor

Just noticed the same thing.
My findings so far:

  • The standalone "Sophos Installer.app" creates "Sophos Anti-Virus.mpkg" in /Library/Caches/com.sophos.sau/CID which can apparently be copied from there and used to install (might have to remove the _CodeSignature)
  • Inside the standalone "Sophos Installer.app", there is an "InstallationDeployer" binary. Running `"/path/to/Sophos Installer.app/Contents/MacOS/InstallationDeployer" --install` (the path must be quoted because of the space) also seems to install it properly. One could drop the Sophos Installer.app into /var/tmp and run the command with a postinstall script

However, I haven't done any QA testing for either method yet, so I might be totally wrong.

jelockwood
Contributor

Good spot, it does get us closer but that mpkg does not contain the pre-configured auto-update settings. Therefore if you use it on a fresh Mac or one on which you have cleaned out the previous installs preferences it does not know how to auto-update.

It will help with a different problem we have (which is not Sophos' fault) which is for some Macs never connected to the Internet. I can just periodically copy this .mpkg to them or have a tool like ARD push it to them (on this disconnected network).

It is worth looking at further though as in the past with SAV8 it was possible to have some settings files outside the mpkg itself but in the same folder...

Ok, I did a bit more testing, as mentioned the mpkg you found does not include the needed auto-update preferences. I have found that if you do the following in the following order the desired results seem to be achieved.

  1. Uninstall SAV8. While it is possible to install SAV9 over the top of SAV8, SAV8 currently has auto-update settings pointing to SUM, we need to clear those settings and have SAV9 directly update from Sophos.

  2. Copy pre-configured plist files from a previously manually set up SAV9 Mac; these will contain the auto-update settings we need. While probably just com.sophos.sau.plist is needed, the others I copied were com.sophos.ac.plist, com.sophos.dc.plist and com.sophos.sav.plist. These are all from /Library/Preferences and should be copied to a Mac after step 1. Note the uninstall tool Sophos provided does not remove the old preferences, so either over-write them or delete them before copying the new SAV9 ones into their place.

  3. Now run the Sophos Anti-Virus.mpkg installer it should install, keep the preference files from step 2 above and then you end up with a SAV9 with the auto-update settings.

I still need to test this on a second Mac just in case those preference files are hard coded to a single Mac via a GUID.

jelockwood
Contributor

Ugh!

Bit messier than I thought it was going to be, the following looks like being the 'official' way to do it.

Note: Sophos support don't know how to do this, but I got pointed in the right direction by a manager.

  1. As per http://www.sophos.com/en-us/support/knowledgebase/119744.aspx build a pre-configured installer Application

  2. Copy the Application to the client Mac either as is, or you could build a customer pkg containing it

  3. As a post copy step, run a shell script and do the following command

"path/to/Sophos Install Application/Contents/MacOS/InstallationDeployer" --install

Contrary to what the built-in 'help' for the InstallationDeployer says, I did not need to specify a product name, in fact I could not find a valid product name to use - hence not using one.

If the InstallationDeployer command is executed from root it will run without a GUI session and without needing additional authentication.

So for ARD you could copy the Sophos standalone installer to a Mac, then remotely execute the InstallationDeployer command. I plan however to build an Apple PackageMaker pkg to copy the Sophos standalone installer and have a post 'install' shell script then run the InstallationDeployer command.

Either approach should remove SAV8 automatically before installing SAV9, and as I have pre-configured it to download directly from Sophos it should also then auto-update directly instead of via SUM which does not support SAV9.

rtrouton
Release Candidate Programs Tester

I was able to build an installer package that uninstalls Sophos and installs a new copy of Sophos 9.x using the install application. I've posted the details here:

http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/

mkremic
New Contributor III

After much troubleshooting I managed to get around this issue by doing the following (we're using Sophos Cloud)

1) Use a test VM to install "Sophos Installer.app" (~4Mb Cloud Installer which downloads a full version). Captured the changes using Composer

2) Took a copy of the Installer.app which shows up in the list of captured files. (Can't remember exact path but if you browse through the folders it should be under a folder called "saas".) Put it somewhere temporary like Desktop.

3) Made a .pkg of the plists left in /Library/Preferences (excluding the apple plist)

4) Made a new Composer dmg including these 2 packages in the folder /private/tmp

5) Ran a script after installing the dmg (which dumps the 2 .pkgs into /private/tmp), which then calls the installer in the app and then applies the preferences for the cloud app:

#!/bin/bash
# Run the command-line installer embedded in the Cloud installer app
/private/tmp/Installer.app/Contents/MacOS/InstallationDeployer --install
# Then lay down the captured Sophos preference plists
installer -pkg /private/tmp/sophospreferences.pkg -target /

After rebooting the Mac and checking our cloud server the computer is showing in the control panel. Tested on a couple of separate clients and they're showing up as unique machines in the cloud control panel! :D

tkimpton
Valued Contributor II

This doesn't help if you use an AV relay server like we do.

The idea for us being an end user says they want to VPN in to the corporate network to work from home and we insist on AV.

The user then installs SAV home but then never carries out any scans or looks further at the setup!

With an AV relay server your users' home machines show up in your SEC console and get policies from there.

At the moment the v9 deployer is still in development and I'm told they don't see it as a priority at the moment.

Speak to Sophos and you will probably be asked to fill out a feature request like I was, then speak to your Sophos account manager!

Also go on Sophos Talk and voice your opinion on there!

k3nz00
New Contributor

I had the same problem too, until I found a workaround this week.

This is what I did.

Created Sophos installer dmg and added it to my imaging workflow.

When the machine finishes imaging the Sophos installer is placed on the root of the drive. (Subject to change; /var is a better location.)

I also added the below script to the imaging workflow to run once the machine reboots after the image process completes.

#!/bin/bash
# Both the app bundle and the binary have spaces in their names, so the path must be quoted
sudo "/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
exit 0

When you log in to a freshly imaged machine the script will install the Sophos dmg which has been placed on the root of the drive.

This has worked for me.

ianmb
Contributor

Does anyone have a recipe for packaging SAV in the JAMF Composer tool?

I've attempted this by snapshotting a drag of the preconfigured 'Sophos Installer.app' into /Applications then adding a postinstall script similar to the ones suggested above but that doesn't work - I have to run the Installer manually to get it going.

bentoms
Release Candidate Programs Tester

@ianmb, we deploy the PKG from the Sophos Enterprise Console.

This contains our auto-update settings.

emily
Valued Contributor III

@bentoms How have you been deploying the PKGs from the Sophos Enterprise Console? When we try it fails every time. Is it possible to run that package with Composer on a blank/test machine, enter the credentials, and package with Composer to deploy? I haven't found a way to get the ./CreateUpdatePreconfig command to work with the PKG I grabbed from our Enterprise Console. (http://www.sophos.com/en-us/support/knowledgebase/119744.aspx)

bentoms
Release Candidate Programs Tester

@emilykausalik, I needed to prod the Sophos Admin guy but.. once we had applied a Mac policy to an OU in SEC & THEN created the pkg from that.. all we needed to do was install the PKG using Casper.. the PKG contained all the rest.

lisacherie
Contributor II

Looking at this quickly..

We are deploying Sophos via a script - as I couldn't be bothered to repackage every month or so when the app was updated.

- mount Sophos share
- copy entire directory for Mac installer and supporting files for update config/console to /tmp
- umount share
- install from /tmp
- clean up /tmp

The Macs are bound to AD, and the Sophos console applies policies based on the AD OU. This means you have to make sure that Macs will be in the correct location in AD when binding.

The console takes care of the updates/config changes.

emily
Valued Contributor III

@bentoms Any tips on how you created a pkg from within the SEC? Or did you just go to the bootstrap location and snag it from there?

tkimpton
Valued Contributor II

@emilykausalik Snag it

emily
Valued Contributor III

@tkimpton for some reason I can't take the Sophos Anti-Virus.mpkg from the SEC bootstrap location and get it into anything that will deploy. When I put it in Composer, composer fails out. I must be missing something here.

tkimpton
Valued Contributor II

@emilykausalik that won't work because the SAV installer is an mpkg (other installers inside it)

I copy it to some where like /private/tmp/

I then drag all of /private/tmp to Composer

Once tmp is in Composer, delete the other stuff so only the SAV mpkg is in there.

Then make a postflight script to install it via the command line like sudo installer -pkg "(path to the mpkg)" -target /

Give your package a name in Composer and build it as a non-flat pkg.

You can then upload your pkg to Casper Admin and start looking at smart groups and push it out via a policy.

Hope that makes sense and helps :)

emily
Valued Contributor III

@tkimpton I think I'm still too green to know how to do what you're referring to. I'll be reaching out to Sophos support to see if they can help.

pbenham
Contributor

Here's our procedure for installing our managed Sophos client using Casper. We're using v9.0.8 currently of the Mac client. We have a Windows 2003 Server (I know, time for an upgrade) running the Sophos Enterprise Console. It creates a .pkg file for Mac clients which can be downloaded.

  1. Download the Sophos installer from our Sophos server. In our case I connect using smb to the share and locate the installer in /Sophos Update/CIDs/S000/ESCOSX/Sophos Anti-Virus.mpkg

  2. Add the Sophos Anti-Virus package to Casper Admin

  3. Make sure you set the option to "Install on boot drive after imaging" in the Options tab when you 'Get Info' of the Sophos package in Casper Admin.

  4. Image a machine and hey presto it'll show up in the Sophos Enterprise Console on your Sophos server. If it's a brand new machine that's never had Sophos on it then you will probably need to assign it to a policy group in the Sophos Enterprise Console. If it's already been imaged then in my experience the SEP is already aware of the machine and it just reconnected auto-magically.

tkimpton
Valued Contributor II

@pbenham yeah that's simpler, I forgot to mention I do it that way because I have different SAV installers for workstations and laptops with different mrinit configs in them to point workstations to the main SEC and laptops to a relay server.

bentoms
Release Candidate Programs Tester

Sorry for replying late.

I'd second what @pbenham has mentioned.

Just deploy the pkg from SEC, no composer needed.

ianmb
Contributor

So thanks to posts here I can deploy Sophos from Casper, but does anyone have a recipe for packaging it for systems not managed by Casper?

I have a requirement to get Sophos installed on standalone Macs (managed by users) so it'd be great to send them a pkg file with the relevant update servers preconfigured. All Sophos can tell me is that I need to include the ESCOSX directory that's in the same directory as the mpkg file?! I have this, but not really sure how to proceed.

bentoms
Release Candidate Programs Tester

@ianmb, if you are just deploying the PKG... That should work via ARD too.

ianmb
Contributor

Yes, but will that contain the references to my local update servers?

I wasn't clear whether I need to repackage the mpkg and include the ESCOSX directory (if so where does that need to be placed on the client?) or do I just take the mpkg from that directory and distribute it (see my initial question).

stevewood
Honored Contributor II

I have always just deployed the MPKG from the ESCOSX directory on my Sophos server. I've never had to re-package it or include any other directories. That MPKG includes the address of your management server. So as long as the computers can get back to that address, you should be fine.

jelockwood
Contributor

As per Richard Trouton's earlier post in this thread and my own, it is possible to take the standalone Sophos installer and convert it into a pkg. As per my earlier reply one can do this with the Sophos update credentials saved into it as well.

If you're using Sophos Enterprise Library then you can in theory use the installer package it maintains; if you don't have Sophos Enterprise Library (which requires a Windows server) then you need to use Richard's and my instructions.

Richard's original instructions are here http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/ They are actually based on the free Sophos Home Edition installer, which is very similar to the paid-for Standalone installer but not identical. I therefore took Richard's script and modified it to also work with the paid-for standalone installer; my own instructions and version of the script are available here http://jelockwood.blogspot.co.uk/2014/03/deploying-sophos-anti-virus-on-mac.html

To summarise, if you're not using Sophos Enterprise Console but want to make a package to deploy the paid-for Sophos Anti-Virus 9 for Mac, you do the following:

  1. Download the standalone Sophos SAV9 installer
  2. Run the command line tool to embed the Sophos Update Credentials
  3. Use my modified script as per Richard's original instructions (instead of Richard's script)

You can then deploy the resulting package via ARD or locally run it. It will uninstall any previous versions of Sophos and replace with SAV9 and will also set the update credentials you defined as above.

I was using Sophos Update Manager (SUM) which ran on a Mac server but only supported SAV8, I have used the package I built as per this post to upgrade all our Macs to SAV9 and get them now to update directly from Sophos' servers since there is unfortunately no Mac replacement for SUM.

damienbarrett
Valued Contributor

So we're looking to move from our old SEC to Sophos Cloud and SAV 9.x. I've been following Rich and jelockwood's instructions to build a native .pkg installer for SAV 9.x but have hit a snag.

When I download the "Sophos Installer.app" from our demo Sophos Cloud environment and build a package out of it, the postflight script fails to install the software. This is because, I think, the v9.1.4 installer I'm downloading doesn't appear to have the InstallationDeployer binary tool in it anymore. The post flight script calls for this tool but it's nonexistent so the script fails.

Any ideas? Is there somewhere else to obtain the Sophos Installer.app?

https://www.dropbox.com/s/bch3vsweijqt4hw/sophos9_grrr.png

damienbarrett
Valued Contributor

Ah ha, I figured it out. At some point between 9.0.3 and the current 9.1.4, Sophos decided to rename the binary tool that's embedded in their .app installer. It's now called "Sophos Installer" and not "InstallationDeployer". Yes, some software engineer wizard decided to put a space in the name of their new Unix binary...

So you just have to modify Rich or John's postflight script to reflect this new binary name. Just replace every instance of "InstallationDeployer" with "Sophos Installer" and be sure to enclose in quotes so the space(s) are ignored.

jelockwood
Contributor

@damienbarrett

Glad you sorted it. I just downloaded the current official versions of the free Sophos Home Edition installer which is 9.0.8 and Sophos Stand-alone installer which is 9.0.10; both still use a binary of InstallationDeployer. The release notes suggest 9.1.4 is not yet an official release i.e. it is a preview version. I don't appear to have access to the preview versions.

If you could tell me the exact file name for the cloud installer version I will modify my script to support it as well.

damienbarrett
Valued Contributor

You can see it in my screenshot in my Dropbox above. They appear to have changed the name from "InstallationDeployer" to "Sophos Installer"

I simply modified your script to call the new binary and it worked beautifully.

Still can't believe their software engineer called the binary "Sophos Installer", complete with a space.

jelockwood
Contributor

@damienbarrett

I meant the name of the Sophos application it is in e.g. "Sophos Installer.app" or "Sophos Anti-Virus Home Edition.app" and not the name of the enclosed binary which you quite rightly point out is in your screenshot.

damienbarrett
Valued Contributor

Ah, it's called "Sophos Installer.app". It's version 9.1.4.

After it updates from the Cloud, it becomes 9.1.5. Perhaps they'll eventually re-jigger the Sophos Cloud to offer a 9.1.5 installer...

corbinmharris
Contributor

We recently moved our SEC to a new server and need to shut down the old one. I tried using Composer to do a snapshot then entered the new AutoUpdate path and then created a dmg. Didn't work on a test Mac.

What is the best method to update the AutoUpdate Address to our new SEC server? All other settings are the same.

Thanks!

Corbin

jelockwood
Contributor

@corbin3ci

It's been a while since I ran Sophos Enterprise for Mac clients, but as I remember you set up a CID for the Mac version of Sophos and get SEC to download and populate it from Sophos' servers. You also use SEC to configure the CID with settings for the Macs including the auto-update settings.

Normally you would have the primary server as the credentials to access the CID on your file server, and the secondary server would be set to download directly from Sophos in case your file server is not accessible.

If you set up a new SEC and presumably also a new CID then I would do the same thing, i.e. set up the new CID, populate it and configure it. Then in answer to your question I would then copy the contents of the new CID into the old CID directory. I would make sure the old SEC is turned off so it does not alter the new contents. You will need to keep the old file server running for a while so that the Mac clients can 'update' from the old CID and get the new auto-update details it contains, which will then thereafter direct the Mac clients to the new CID.

For those less familiar with Sophos terminology, CID stands for "Central Installation Directory" and is the shared folder on a file server containing the Sophos Anti-Virus installer, settings and updates. You have a CID per version you are using e.g. Mac, Windows, Linux.

CasperSally
Valued Contributor II

Sorry this doesn't help OP, but for anyone else looking for helpful SEC info, in v9 you can finally have installer point clients to right message relay.

http://www.sophos.com/en-us/support/knowledgebase/119791.aspx

corbinmharris
Contributor

After reading everyone's posts and external links, I found that the best method is to deploy the Sophos Anti-Virus.mpkg followed by a .dmg file created in Composer.

Installing it on a clean Mac, I did the initial Sophos install, then fired up Composer to take a snapshot, then populated the auto-update preferences, quit Sophos then finish running Composer.

Need to test a few more Macs before pushing it out to the general audience.

Corbin

jelockwood
Contributor

@corbin3ci

It is now only possible to deploy a Sophos Anti-Virus.mpkg if you have a Windows Server and are running Sophos Enterprise Console as this is the only method to get a genuine Sophos produced installer package (or mpkg). This issue is what started this whole thread off in the first place.

The Sophos standalone installer, the Sophos cloud installer, and the free home edition installer are all custom applications and not installer packages.

The solution Richard Trouton and myself came up with was wrapping the Sophos installer application in an installer package along with a script to deploy i.e. run the application. This installer package can of course then be put in a disk image if needed.

Yes, making an installer by using Composer to take a snapshot would be an approach but a cleaner more genuine installer is as per Richard's and my solution.

Note: There is a command-line tool inside the Sophos installer app (right click and open package) which lets you pre-configure the auto-update credentials. If you do this before putting it in an installer package the installer package will keep those settings since the script is running the same Sophos installer application and the settings are stored inside the application you are including in the installer package.

As a reminder on how to pre-configure the Sophos application see http://www.sophos.com/en-us/support/knowledgebase/119744.aspx

It works great once we found how to do this. I can deploy the resulting package via DeployStudio, Apple Remote Desktop, Munki, etc. or even run it manually and clients properly remove any old version of Sophos if there is one, install the new version and get the auto-update credentials automatically. It works on all supported OS X versions which for Sophos SAV 9 means 10.6 to 10.9 at the moment.
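As an added example that is not from this thread, from Sophos or from the linked blog posts, here is a postinstall-style script implementing the approach described above (wrap the pre-configured installer app in a pkg and have a script run the embedded binary as root). It also handles the binary rename noted earlier in the thread (InstallationDeployer, later "Sophos Installer") and quotes every path so the spaces do not break the call; the staging directory and app name are assumptions to match to your own payload.

```bash
#!/bin/bash
# Added example, not from the thread, from Sophos, or from the blog posts it links:
# a postinstall-style script for a pkg whose payload drops the pre-configured
# "Sophos Installer.app" into a staging directory. It copes with the two names the
# embedded command-line tool has had (InstallationDeployer, later "Sophos Installer"),
# quotes every path so the spaces do not split arguments, and cleans up afterwards.
# STAGING_DIR and APP_NAME are assumptions; match them to your own payload.
set -u

STAGING_DIR="/var/tmp/sophos-deploy"   # assumption: where the pkg payload lands
APP_NAME="Sophos Installer.app"         # assumption: standalone/cloud installer app name

# Print the path of the embedded installer binary inside an .app bundle.
# Returns 0 on success, 1 if neither known name is present and executable.
find_sophos_installer_binary() {
    app="$1"
    for name in "InstallationDeployer" "Sophos Installer"; do
        candidate="$app/Contents/MacOS/$name"
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Run the embedded installer unattended and return its exit status.
# Returns 2 if no installer binary was found. Deliberately does not check for
# root so it can be exercised against a stub bundle; the caller below does.
run_embedded_installer() {
    app="$1"
    bin="$(find_sophos_installer_binary "$app")" || {
        echo "no InstallationDeployer or 'Sophos Installer' binary in $app" >&2
        return 2
    }
    # The thread reports that, run as root, this needs no GUI session or extra auth.
    "$bin" --install
}

# Install from the staged app as root, then remove the staging copy regardless of
# outcome so a failed run does not leave the installer (with its embedded update
# credentials) lying around. Returns the installer's exit status, 3 if not root.
install_staged_sophos() {
    app="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root (pkg postinstall scripts already do)" >&2
        return 3
    fi
    run_embedded_installer "$app"
    status=$?
    rm -rf "$app"
    return "$status"
}

# Only act when invoked directly with --install, so sourcing this file for reuse
# or testing does not trigger an installation.
if [ "${1-}" = "--install" ]; then
    install_staged_sophos "$STAGING_DIR/$APP_NAME"
    exit $?
fi
```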

Chris_Hafner
Valued Contributor II

All great suggestions but I still ended up using Composer to package the latest version of 9. Even after creating the pre-configured package as stated above. Really, for the following two reasons

1) The pre-configured package still requests the user to click through even when called using the script mentioned (which needed slight corrections) via Self Service.

2) I prefer Self Service's uninstall process over the Sophos uninstaller.

tkimpton
Valued Contributor II

At my previous shop I had a nightmare with version 9 and Sophos end technical support getting me to download a Home edition standalone version!

It was a relatively small environment at the time and it meant there was too much problem with installing the original mpkg installer on the clients and waiting for the policies to be applied to the machines.

In a larger environment, it isn't feasible to wait for the policies to apply.

I have managed to follow all the instructions and found John's the clearest

http://jelockwood.blogspot.co.uk/2014/03/deploying-sophos-anti-virus-on-mac.html

Rich's blog here http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/

I changed the script around to allow for an uninstall of all SAV versions

http://pastebin.com/L7ZceVpW

This worked, but unfortunately this isn't any use to me because the end result is that the client machine has no RMS and will not talk to the Sophos Enterprise Console.

tkimpton
Valued Contributor II

@CasperSally Thanks for link.

Looks like for SEC this is the only thing we can do in the Enterprise where we are still reliant on the clients communicating with SEC.

I'm not sure how this is going to work if there are lots of different groups the clients need to be assigned to in SEC!

It's a shame Sophos are not listening because this has been an outstanding problem for a long time.