Deploying Sophos Enterprise Anti-Virus for Mac OS X 9.x
For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solution. With the release of Sophos Anti-Virus 9.x though, Sophos changed how their antivirus solution for Macs was installed. Sophos has now switched to using an application to install their antivirus. However, for their customers using Sophos Enterprise Console, Sophos still provides an installer metapackage. This is good news for Mac admins, but the configuration and login credentials that used to be stored in /Library/Preferences/com.sophos.sau.plist in Sophos 8.x has been overhauled in Sophos 9.x. /Library/Preferences/com.sophos.sau.plist in Sophos 9.x now no longer contains login information, only server locations.
The login credentials no longer being available in /Library/Preferences/com.sophos.sau.plist meant that the Sophos Anti-Virus client was not able to connect back to the Sophos enterprise console and receive either management or updates. Since those login credentials were working in my shop for machines in Active Directory OUs that the Sophos enterprise console was managing, that meant that those credentials were available somewhere on the system. After working on the problem in his own shop, Tim Kimpton figured out that both of the following files were needed:
Once I had this information and understood what was going on, I was able to build and deploy a Sophos Enterprise Anti-Virus for Mac OS X 9.x installer that was able to install a pre-configured set of auto-update settings. For more details, see below the jump.
A copy of the Sophos Anti-Virus.mpkg installer package from your Sophos enterprise server.
A copy of the Sophos.keychain file, which will need to be taken from the following location on a Sophos Enterprise-managed machine:
A copy of the com.sophos.sau.plist file, which will need to be taken from the following location on a Sophos Enterprise-managed machine:
1. Set up a new Packages project and select Raw Package.
2. In this case, I’m naming the project Sophos Enterprise AntiVirus 9.1.6.
3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that the your information is correctly set here (if you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)
In this example, I’m not changing any of the options from what is set by default.
4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.
To accomplish this, I’m choosing the following options in the Settings section:
In the Post-Installation Behavior section, set On Success: to Do Nothing
In the Options section, check the box for Require admin password for installation
5. Click on the Scripts tab in your Packages project.
6. Select the Sophos installer metapackage and drag it into the Additional Resources section of your Packages project.
7. Select the Sophos.keychain file and drag it into the Additional Resources section of your Packages project.
8. The last piece is doing an automated uninstall of any existing Sophos installations, then installing a fresh copy of Sophos with the pre-configured autoupdate settings. For this, you’ll need a preinstall script and postinstall script.
Here are the preinstall and postinstall scripts that I’m using:
9. Once you’ve got the preinstall and postinstall scripts built, run the following command to make the script executable:
sudo chmod a+x /path/to/preinstall
sudo chmod a+x /path/to/postinstall
10. Once completed, add the preinstall and postinstall scripts to your Packages project.
11. Last step, go ahead and build the package. (If you don’t know to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)
Testing the installer
Once the package has been built, test it by taking it to a test machine that does not have Sophos and install it. The end result should be that Sophos Anti-Virus installs properly and has the pre-configured settings for your Sophos Enterprise server included automatically.