Home > Linux, Mac administration, Mac OS X, Scripting, Sophos > Fully automating installation of automatically-generated installers

Fully automating installation of automatically-generated installers

As part of your Mac’s standard build process for your environment, you may need to install certain packages that are generated for you by another process. A good example may be your workplace’s central antivirus management console, or a systems management tool.

Generally, these applications are installed once and then the centralized management server takes care of managing and updating them on your Macs afterward. For that first install though, they still need to be installed on your Macs and it’s usually a manual process for Mac admins to copy the latest installer from wherever it’s stored and add it to the build process.

However, if you have access to where the installer is stored, you can script the process of installation and fully automate the process of getting the latest installer and installing it on your Mac. See below the jump for an example of how to do this with Sophos Antivirus.

In this case, the script below is accessing a Windows SMB share that’s available on the Sophos management server to perform an automated uninstall and install of Sophos AntiVirus. Script assumes the following:

1. That Sophos is being managed by Sophos’s Enterprise Console.

2. The Sophos client installers are stored on an SMB share named Client_Installs, where the Mac installer and all needed config files are in Client_Installs/ESCOSX

The install process will first check to see if Sophos is installed on a system and uninstall it if found. After that, it will copy the latest Sophos installer down, using the information in the script to mount the correct SMB share, then install Sophos.

NOTE: This script may have issues with Kerberos, since it may be trying to log into an SMB share using different credentials than the logged-in user.

#!/bin/sh

# Checks for Sophos Antivirus uninstaller package.
# If present, uninstall process is run

if [ -d "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
     /usr/sbin/installer -pkg "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /
elif [ -d "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
     /usr/sbin/installer -pkg "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /    
else
   echo "Sophos Antivirus Uninstaller Not Present"
fi

# Stops the Sophos menu bar process. Sophos icon will disappear.

killall SophosUIServer


# Make an SMB mount directory, after checking for and removing any leftover instances from a broken install

if [ -d /private/tmp/sophos_mount ]; then
	rm -rf /private/tmp/sophos_mount
	mkdir /private/tmp/sophos_mount
	logger "Sophos SMB mount directory created after removing old directory"
else
	mkdir /private/tmp/sophos_mount
	logger "Sophos SMB mount directory created"
fi


# Make a working directory, after checking for and removing any leftover instances from a broken install

if [ -d /private/tmp/sophos_install ]; then
	rm -rf /private/tmp/sophos_install
	mkdir /private/tmp/sophos_install
	logger "Sophos install temp directory created after removing old directory"
else
	mkdir /private/tmp/sophos_install
	logger "Sophos install temp directory created"
fi

# Mount the Sophos client installs share to /private/tmp/sophos_mount
# To make this script work, you will need to edit the mount_smbfs command
# below with the appropriate login information for your environment

mount_smbfs -o nobrowse //'DOMAIN;username:password'@server.name.here/Client_Installs /private/tmp/sophos_mount

# Zips the contents of the ESCOSX directory from 
# the Client_Installs share and stores it
# as /private/tmp/sophos/sophos.zip

ditto -c -k -X /private/tmp/sophos_mount/ESCOSX /private/tmp/sophos_install/sophos.zip

# Unmount the Client_Installs share and remove the SMB mount directory

umount /private/tmp/sophos_mount
rm -rf /private/tmp/sophos_mount

# Decompress the zip file 

cd /private/tmp/sophos_install/
unzip sophos.zip

# Install. Normally, installer requires sudo, but the jamf binary runs with admin rights, and using sudo here breaks the script.

if [ -d /private/tmp/sophos_install/sophos]; then
   logger "Installing Sophos"
   installer -dumplog -verbose -pkg /private/tmp/sophos/sophos/Sophos\ Anti-Virus.mpkg -target /
   logger "Sophos installation process completed"
else
   echo "Sophos Antivirus Installer Not Present. Aborting Install."
fi

# Write configuration file
# Note: Plist file here is only an example. You will
# need to provide your own plist settings between the
# following lines:
#
# /bin/cat > "/Library/Sophos Anti-Virus/com.sophos.sau.plist" << 'SOPHOS_CONFIG'
#
# ....plist data goes here....
#
# SOPHOS_CONFIG
#

/bin/cat > "/Library/Sophos Anti-Virus/com.sophos.sau.plist" << 'SOPHOS_CONFIG'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PrimaryServerPassword</key>
	<string>iQEHHMzvIdHYUwBJDp01cT3r16od4NZ</string>
	<key>PrimaryServerProxy</key>
	<integer>0</integer>
	<key>PrimaryServerProxyPassword</key>
	<string>AAA=</string>
	<key>PrimaryServerProxyPort</key>
	<integer>0</integer>
	<key>PrimaryServerProxyURL</key>
	<string></string>
	<key>PrimaryServerProxyUserName</key>
	<string>AAA=</string>
	<key>PrimaryServerType</key>
	<integer>2</integer>
	<key>PrimaryServerURL</key>
	<string>smb://server.name.here/SophosUpdate/CIDs/S000/ESCOSX</string>
	<key>PrimaryServerUserName</key>
	<string>oZjoEEiGKwXEg0conDHVQpqFLOXIrAT</string>
	<key>SecondaryServer</key>
	<true/>
	<key>SecondaryServerPassword</key>
	<string>V62NQG3gbqY5CPKSa5VT4TmFA0TOGhj</string>
	<key>SecondaryServerProxy</key>
	<integer>0</integer>
	<key>SecondaryServerProxyPassword</key>
	<string>AAA=</string>
	<key>SecondaryServerProxyPort</key>
	<integer>0</integer>
	<key>SecondaryServerProxyURL</key>
	<string></string>
	<key>SecondaryServerProxyUserName</key>
	<string>AAA=</string>
	<key>SecondaryServerType</key>
	<integer>0</integer>
	<key>SecondaryServerURL</key>
	<string></string>
	<key>SecondaryServerUserName</key>
	<string>a4yKGgTvRuB6vdDLpIp0igr4NVzNA73</string>
	<key>UpdateInterval</key>
	<integer>10</integer>
	<key>UpdateLogIntoFile</key>
	<true/>
	<key>UpdateOnConnection</key>
	<false/>
</dict>
</plist>
SOPHOS_CONFIG

# Restart SophosAutoUpdate to force the Sophos AutoUpdate process
# to read the settings stored in /Library/Sophos Anti-Virus/com.sophos.sau.plist

killall -HUP SophosAutoUpdate

# Cleanup

cd /
rm -rf /private/tmp/sophos_install

exit 0

This script has a possible security issue though, as it includes a username and password in the script itself. To help avoid this, you can also set up a script to copy the needed installer on a regular basis to a accessible web server. In this case, the script below is accessing a Windows SMB share that’s available on the Sophos management server and copying it to a Liunx web server. The script will also have a username and password in the script, but you should be able to restrict access to the server and avoid exposing the username and password to unauthorized view.

How it works: Script will mount an SMB share from the Sophos Enterprise console, verify that the mount is good, then tar a copy of the current Mac Sophos installer to /var/www/html/sophos.

Script assumes the following:

1. That Sophos is being managed by Sophos’s Enterprise Console.

2. The Sophos client installers are stored on an SMB share named Client_Installs, where the Mac installer and all needed config files are in Client_Installs/ESCOSX.


#!/bin/sh                           

# Checks for Sophos directory
# and creates it if needed.

if [ -d "/var/www/html/sophos" ]; then
     logger "Sophos Directory Found"
  else
     mkdir "/var/www/html/sophos"
     chown -R root:wheel "/var/www/html/sophos"
     logger "Sophos Directory Created"
fi

# Make an SMB mount directory, after checking for and removing
# any leftover instances from previous mounts

if [ -d /tmp/sophos_mount ]; then
        rm -rf /tmp/sophos_mount
        mkdir /tmp/sophos_mount
        logger "Sophos SMB mount directory created after removing old mount directory"
else
    	mkdir /tmp/sophos_mount
        logger "Sophos SMB mount directory created"
fi

# Mount the Sophos client installs share to /tmp/sophos_mount
# To make this script work, you will need to edit the mount command
# below with the appropriate login information for your environment

mount.cifs //server.name/Client_Installs /tmp/sophos_mount -o user=username,password=password,domain=DOMAIN

# Sanity check to see if the share mounted
# If share did not mount, script reports that
# the Sophos installer is not available and exits

if [ -d /tmp/sophos_mount/ESCOSX ]; then
   logger "Mount successful"
else
   logger "Sophos Antivirus Installer Not Present. Aborting Copy."
   umount /tmp/sophos_mount
   rm -rf /tmp/sophos_mount
   exit 0
fi

# If a previous version of the Sophos zip file is already
# in the backup directory, the previously copied zip file
# is removed.

if [ -f "/var/www/html/sophos/sophos.tgz" ]; then
      rm "/var/www/html/sophos/sophos.tgz"
      logger "Previous Sophos tar file removed"
fi

# Tars the contents of the ESCOSX directory from
# the Client_Installs share and stores it
# as /var/www/html/sophos/sophos.tgz

cd /tmp/sophos_mount

tar cvzf /var/www/html/sophos/sophos.tgz ESCOSX

if [ -f "/var/www/html/sophos/sophos.tgz" ]; then
      logger "New Sophos tar file created"
fi

# Unmount the Client_Installs share and remove the SMB mount directory

cd /

umount /tmp/sophos_mount
logger "Disconnecting from SMB share"

rm -rf /tmp/sophos_mount
logger "Mount directory removed"

exit 0

Once the installer is available on the web server, the build script below does an automated uninstall and install of Sophos AntiVirus. Script assumes the following:

1. That Sophos is being managed by Sophos’s Enterprise Console.

2. The Sophos client installers are available as a compressed tar file from a web server.

The install process will first check to see if Sophos is installed on a system and uninstall it if found. After that, it will copy the latest Sophos installer down, using the information in the script to download a compressed tar file using curl, then install Sophos.


#!/bin/sh

# Checks for Sophos Antivirus uninstaller package.
# If present, uninstall process is run

if [ -d "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
     /usr/sbin/installer -pkg "/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /
elif [ -d "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
     /usr/sbin/installer -pkg "/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target /    
else
   echo "Sophos Antivirus Uninstaller Not Present"
fi

# Stops the Sophos menu bar process. Sophos icon will disappear.

killall SophosUIServer


# Make a working directory, after checking for and removing any leftover instances from a broken install

if [ -d /private/tmp/sophos/ ]; then
	rm -r /private/tmp/sophos/
	mkdir /private/tmp/sophos/
	logger "Sophos install temp directory created after removing old directory"
else
	mkdir /private/tmp/sophos/
	logger "Sophos install temp directory created"
fi

# Download tar'd Sophos installer files from web server
# to /private/tmp/sophos/ working directory

curl http://server.name.here/sophos/sophos.tgz > /private/tmp/sophos/sophos.tgz

# Decompress tar file

cd /private/tmp/sophos/
tar -zxvf sophos.tgz

# Install Sophos using the Sophos Anti-Virus metapackage stored inside /private/tmp/sophos/ESCOSX

cd /private/tmp/sophos/ESCOSX
installer -dumplog -verbose -pkg /private/tmp/sophos/ESCOSX/Sophos\ Anti-Virus.mpkg -target /

# Write configuration file
# Note: Plist file here is only an example. You will
# need to provide your own plist settings between the
# following lines:
#
# /bin/cat > "/Library/Sophos Anti-Virus/com.sophos.sau.plist" << 'SOPHOS_CONFIG'
#
# ....plist data goes here....
#
# SOPHOS_CONFIG
#

/bin/cat > "/Library/Sophos Anti-Virus/com.sophos.sau.plist" << 'SOPHOS_CONFIG'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PrimaryServerPassword</key>
	<string>iQEHHMzvIdHYUwBJDp01cT3r16od4NZ</string>
	<key>PrimaryServerProxy</key>
	<integer>0</integer>
	<key>PrimaryServerProxyPassword</key>
	<string>AAA=</string>
	<key>PrimaryServerProxyPort</key>
	<integer>0</integer>
	<key>PrimaryServerProxyURL</key>
	<string></string>
	<key>PrimaryServerProxyUserName</key>
	<string>AAA=</string>
	<key>PrimaryServerType</key>
	<integer>2</integer>
	<key>PrimaryServerURL</key>
	<string>smb://server.name.here/SophosUpdate/CIDs/S000/ESCOSX</string>
	<key>PrimaryServerUserName</key>
	<string>oZjoEEiGKwXEg0conDHVQpqFLOXIrAT</string>
	<key>SecondaryServer</key>
	<true/>
	<key>SecondaryServerPassword</key>
	<string>V62NQG3gbqY5CPKSa5VT4TmFA0TOGhj</string>
	<key>SecondaryServerProxy</key>
	<integer>0</integer>
	<key>SecondaryServerProxyPassword</key>
	<string>AAA=</string>
	<key>SecondaryServerProxyPort</key>
	<integer>0</integer>
	<key>SecondaryServerProxyURL</key>
	<string></string>
	<key>SecondaryServerProxyUserName</key>
	<string>AAA=</string>
	<key>SecondaryServerType</key>
	<integer>0</integer>
	<key>SecondaryServerURL</key>
	<string></string>
	<key>SecondaryServerUserName</key>
	<string>a4yKGgTvRuB6vdDLpIp0igr4NVzNA73</string>
	<key>UpdateInterval</key>
	<integer>10</integer>
	<key>UpdateLogIntoFile</key>
	<true/>
	<key>UpdateOnConnection</key>
	<false/>
</dict>
</plist>
SOPHOS_CONFIG

# Restart SophosAutoUpdate to force the Sophos AutoUpdate process
# to read the settings stored in /Library/Sophos Anti-Virus/com.sophos.sau.plist

killall -HUP SophosAutoUpdate

# Cleanup

cd /
rm -rf /private/tmp/sophos

exit 0

For those interested, all three scripts are available on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/sophos_av_scripts

Hat tip: Brian at Technopracticum

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: