Deploying Sophos Anti-Virus for Mac OS X 9.x
For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solutions. With the release of Sophos Anti-Virus 9.x, though, Sophos changed how their antivirus solution for Macs is installed by switching to an application that performs the install. For their customers using Sophos Enterprise Console, Sophos will still provide an installer metapackage, but all other customers now need to use the application to install Sophos Anti-Virus 9.x on Macs.
Curiously, Sophos went to some lengths to make their install application look like a standard installer package.
This extended to the point of naming the actual application as Installer, which is the same name as Apple’s Installer.
This switch away from using installer packages was a problem for Mac admins who wanted to deploy Sophos 9.x, but did not have Sophos’ enterprise console. After doing some research and reading a very helpful thread on JAMF Nation, it looks like it is possible to repackage Sophos 9.x for deployment.
Sophos’ application can be run from the command line using the InstallationDeployer tool, which includes both install and remove switches. Here’s how to install and uninstall Sophos 9.x using the free Sophos Home Edition installer application:
Install:
/path/to/Sophos\ Anti-Virus\ Home\ Edition.app/Contents/MacOS/InstallationDeployer --install
Uninstall:
/Library/Application\ Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer --remove
With these commands, it’s possible to add the Sophos install application to an installer package and run the needed command(s) as a postinstall script.
Once I had this information and understood what was going on, here’s how I repackaged Sophos Anti-Virus Home Edition 9.x so that it could be deployed via an installer package.
Prerequisites:
The Sophos 9.x install application
1. Set up a new Packages project and select Raw Package.
2. In this case, I’m naming the project Sophos Anti-Virus 9.0.7
3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here. (If you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)
In this example, I’m not changing any of the options from what is set by default.
4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.
To accomplish this, I’m choosing the following options in the Settings section:
In the Post-Installation Behavior section, set On Success: to Do Nothing
In the Options section, check the box for Require admin password for installation.
5. Click on the Scripts tab in your Packages project.
6. Select the Sophos install application and drag it into the Additional Resources section of your Packages project.
7. The last piece is telling the Sophos install application to run. For this, you’ll need a postinstall script. Here’s the one I’m using:
#!/bin/bash

LOGGER="/usr/bin/logger"

# Determine working directory. $0 is quoted so that a script path
# containing spaces is passed to dirname as a single argument.
install_dir=$(dirname "$0")

# Uninstall existing copy of Sophos 8.x by checking for the
# Sophos Antivirus uninstaller package in /Library/Sophos Anti-Virus.
# If present, the uninstallation process is run.

if [ -d "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /
elif [ -d "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /
else
    ${LOGGER} "Sophos Anti-Virus 8.x Uninstaller Not Present"
fi

# Uninstall existing copy of Sophos 9.x by checking for the InstallationDeployer application
# in /Library/Application Support/Sophos/he/Installer.app/Contents/MacOS. If present, the
# uninstallation process is run.

if [[ -f "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    "/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Uninstaller Not Present"
fi

# Install Sophos Anti-Virus 9.x. The whole path is quoted so that spaces in
# the working directory or the application name do not split the command.
"$install_dir/Sophos Anti-Virus Home Edition.app/Contents/MacOS/InstallationDeployer" --install

exit 0
8. Once you’ve got the postinstall script built, run the following command to make the script executable:
sudo chmod a+x /path/to/postinstall
9. Once completed, add the postinstall script to your Packages project.
10. Last step, go ahead and build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)
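The final install step of the postinstall script, as an added example (not the author's script) that keeps working when the package's script path contains spaces and returns InstallationDeployer's exit status instead of always exiting 0. The function names and the stub deployer are assumptions, constructed so the example runs on a machine without Sophos.

```shell
#!/bin/bash
# Added example; script_dir, run_deployer and make_fixture are hypothetical names.

# Directory containing a script. Quoting "$1" keeps a path with spaces as a
# single argument; an unquoted `dirname $0` would be split into several.
script_dir() {
    ( cd "$(dirname "$1")" && pwd -P )
}

# Run InstallationDeployer from a resources directory and return its exit
# status, so a failed install is reported to the package installer.
run_deployer() {
    local resources="$1" action="$2"
    local deployer="$resources/Sophos Anti-Virus Home Edition.app/Contents/MacOS/InstallationDeployer"
    if [ ! -x "$deployer" ]; then
        echo "InstallationDeployer missing or not executable: $deployer" >&2
        return 2
    fi
    "$deployer" "$action"
}

# Constructed fixture: a resources directory whose path contains spaces, a
# stub deployer that exits with the status given in $1, and an empty postinstall.
make_fixture() {
    local root macos
    root="$(mktemp -d)/Sophos Anti-Virus 9.0.7"
    macos="$root/Sophos Anti-Virus Home Edition.app/Contents/MacOS"
    mkdir -p "$macos"
    printf '#!/bin/sh\n[ "$1" = "--install" ] || exit 64\nexit %s\n' "$1" \
        > "$macos/InstallationDeployer"
    chmod +x "$macos/InstallationDeployer"
    : > "$root/postinstall"
    printf '%s\n' "$root"
}

# Stand-alone demonstration against the fixture. In a real postinstall the
# last two lines would be: run_deployer "$(script_dir "$0")" --install; exit $?
fixture="$(make_fixture 0)"
run_deployer "$(script_dir "$fixture/postinstall")" --install
echo "InstallationDeployer exit status: $?"
```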
Testing the installer
Once the package has been built, test it by taking it to a test machine that does not have Sophos and install it. The end result should be that Sophos Anti-Virus installs properly.
Note: If you’re installing the free Home Edition, it should be fully configured on installation and set to communicate back to Sophos for antivirus updates. If you’re installing a customized installer that communicates to an internal server for updates, you may need to do some configuration to point it to your internal server. Sophos has a KBase article on how to do this available here.
If this was the home edition being pushed out that would be breaking licensing wouldn’t it? Home Edition is for single use only I believe.
I used Home Edition in this example because it was free and I could test it easily. I would not recommend using Home Edition at a business because that’s not what it’s meant for.
It appears that the governing EULA here is Sophos’ End User License Agreement for Consumers:
http://www.sophos.com/en-us/legal/sophos-end-user-license-agreement-for-consumers.aspx
The relevant section is this one:
——-
3. RIGHTS AND RESTRICTIONS
3.1 LICENSE TERM. This End-User License Agreement starts when you download the Licensed Product and shall continue until terminated as provided in Clause 9 below.
Your obligations under this End-User License Agreement in respect of the intellectual property and confidential information of Sophos shall survive any expiry or termination of this End-User License Agreement.
3.2 RIGHTS. We grant to you a non-exclusive right to:
3.2.1 use the Licensed Product, subject to the terms and conditions contained within this End-User License Agreement, for your own non commercial purposes (the “Purpose”);
3.2.2 install, use, access, display and run one copy of the Licensed Product on a single computer, such as a workstation, terminal or other device;
3.2.3 except as provided in Clause 3.2.4 below, which relates only to the Documentation, make one copy of the Licensed Product or any part thereof for backup purposes provided that you reproduce our proprietary notices on any such backup copy of the Licensed Product. Such restriction shall not prevent you from backing up or archiving your data; and/or
3.2.4 use, copy or reproduce in whole or in part the Documentation for the purposes specifically permitted by this End-User License Agreement only.
Oh man thanks very useful!! Now I can deploy our sophos client with munki 😀
Also home edition is no good for your SEC because there is no RMS!
Thanks for sharing this! We’ve been long awaiting a clean way to install our standalone with munki.
We are, however, having trouble with the “`dirname $0`” line. The script fails with something like “dirname usage” error within the install.log. Seems like it’s a syntax thing, but we’ve not been able to find the magic string. Any thoughts?
Thanks.
Tim,
Would you please post the log somewhere, along with the script you’re using (even if it’s identical to the one in this post)? I want to take a look at both to see where the issue is coming in.
Also, my script was written for Sophos Home Edition. Are you using Sophos Home, Enterprise or Cloud?
Enterprise. I spoke with Sophos tech support at the time and they confirmed, in an Enterprise it would not work because the Home Edition does not have RMS.
The script is great for Home Edition. But the Home Edition will never ever talk to SEC!
It seems it is not possible to create an install using the official Enterprise Sophos Version 9 installer mpkg with the preconfigured auto updated details.
Only way is to create a stand alone installer, but then that doesn’t have RMS and so it’s not going to work properly in the Enterprise because the clients will not talk to the SEC.
Sophos really screwed up big time for SAV in the Enterprise for the Macs 😦