Home > Mac administration, Mac OS X, Packaging, Scripting, Sophos > Deploying Sophos Enterprise Anti-Virus for Mac OS X 9.x

Deploying Sophos Enterprise Anti-Virus for Mac OS X 9.x

For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solution. With the release of Sophos Anti-Virus 9.x though, Sophos changed how their antivirus solution for Macs was installed. Sophos has now switched to using an application to install their antivirus. However, for their customers using Sophos Enterprise Console, Sophos still provides an installer metapackage. This is good news for Mac admins, but the configuration and login credentials that used to be stored in /Library/Preferences/com.sophos.sau.plist in Sophos 8.x has been overhauled in Sophos 9.x. /Library/Preferences/com.sophos.sau.plist in Sophos 9.x now no longer contains login information, only server locations.

The login credentials no longer being available in /Library/Preferences/com.sophos.sau.plist meant that the Sophos Anti-Virus client was not able to connect back to the Sophos enterprise console and receive either management or updates. Since those login credentials were working in my shop for machines in Active Directory OUs that the Sophos enterprise console was managing, that meant that those credentials were available somewhere on the system. After working on the problem in his own shop, Tim Kimpton figured out that both of the following files were needed:


/Library/Sophos Anti-Virus/Sophos.keychain

Once I had this information and understood what was going on, I was able to build and deploy a Sophos Enterprise Anti-Virus for Mac OS X 9.x installer that was able to install a pre-configured set of auto-update settings. For more details, see below the jump.



A copy of the Sophos Anti-Virus.mpkg installer package from your Sophos enterprise server.

A copy of the Sophos.keychain file, which will need to be taken from the following location on a Sophos Enterprise-managed machine:

/Library/Sophos Anti-Virus/Sophos.keychain

A copy of the com.sophos.sau.plist file, which will need to be taken from the following location on a Sophos Enterprise-managed machine:


1. Set up a new Packages project and select Raw Package.

Screen Shot 2014-09-02 at 10.49.08 AM

2. In this case, I’m naming the project Sophos Enterprise AntiVirus 9.1.6.

Screen Shot 2014-09-02 at 10.49.41 AM

3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that the your information is correctly set here (if you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)

Screen Shot 2014-09-02 at 10.49.49 AM

In this example, I’m not changing any of the options from what is set by default.

4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.

To accomplish this, I’m choosing the following options in the Settings section:

In the Post-Installation Behavior section, set On Success: to Do Nothing

In the Options section, check the box for Require admin password for installation

Screen Shot 2014-09-02 at 10.50.24 AM

5. Click on the Scripts tab in your Packages project.

Screen Shot 2014-09-02 at 3.15.53 PM

6. Select the Sophos installer metapackage and drag it into the Additional Resources section of your Packages project.

Screen Shot 2014-09-02 at 10.51.42 AM

7. Select the Sophos.keychain file and drag it into the Additional Resources section of your Packages project.

Screen Shot 2014-09-02 at 10.51.54 AM

8. The last piece is doing an automated uninstall of any existing Sophos installations, then installing a fresh copy of Sophos with the pre-configured autoupdate settings. For this, you’ll need a preinstall script and postinstall script.

Here are the preinstall and postinstall scripts that I’m using:



9. Once you’ve got the preinstall and postinstall scripts built, run the following command to make the script executable:

sudo chmod a+x /path/to/preinstall
sudo chmod a+x /path/to/postinstall

10. Once completed, add the preinstall and postinstall scripts to your Packages project.

Screen Shot 2014-09-02 at 10.52.25 AM

11. Last step, go ahead and build the package. (If you don’t know to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)

Testing the installer

Once the package has been built, test it by taking it to a test machine that does not have Sophos and install it. The end result should be that Sophos Anti-Virus installs properly and has the pre-configured settings for your Sophos Enterprise server included automatically.

  1. Kevin S
    September 2, 2014 at 7:40 pm

    We are testing Sophos 9 Enterprise and I find it really annoying that removal can’t be done silently– they have made the installer an App instead of a package or script.

    • September 2, 2014 at 7:45 pm

      Removal can be done silently. Please take a look at the preinstall script in the post above for an example of how to do that.

  2. Kevin S
    September 2, 2014 at 7:49 pm

    I will give that a try—
    I was trying to utilize /Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.app
    If the installer under OPM uses –remove to install, then problem solved.

  3. September 2, 2014 at 7:50 pm

    “– remove”

  4. Josh Whitver
    September 3, 2014 at 1:57 pm

    Totally missed the “X” between Mac OS and 9.x – I was wondering why 1) Sophos would release an OS 9 version of their product, and 2) why you’d bother writing about how to distribute it!

  5. Joe Garfoot
    September 3, 2014 at 3:00 pm

    Another useful trick is to grab the mpkg from the Sophos Enterprise server and modify it to assign the endpoint to an Enterprise Console group after installation. (Sophos KB119791).

    Once the modded mpkg is installed the endpoint checks in to Enterprise Console, joins the group and the policy to configure auto-update is applied.

    Not sure how this will work when syncing group structure with AD though


  6. September 4, 2014 at 11:16 pm

    my sophos enterprise server doesnt produce an .mpkg it produces a .app Sophos Installer. Will it work anyways

  7. Tim Kimpton
    September 15, 2014 at 2:08 pm

    Also keep in mind if you take the Sophos Anti-Virus.mpkg from your CID of your SEC and put that in to Casper, then it will fail with the error

    Installation failed. ( The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. )

    Casper has never liked mpkgs and by packaging it up in this was for deployment, you are limiting the points of failure.

  8. Chris
    September 17, 2014 at 10:41 pm

    What version of Sophos does this start with? 9.2?

  9. October 19, 2014 at 10:51 pm

    This post is incredibly helpful. Thanks!

  10. Jon
    November 11, 2014 at 9:53 pm

    Joe, thanks for the Sophos KB grouppath link! Most of our MACs are not bound to the domain so being able to pre-populate the group information is really helpful.

  11. John
    February 12, 2015 at 4:26 pm

    Worked like a charm, thanks rtrouton. One thing that almost slipped passed me and I was wondering why there was no mention of the com.sophos.sau.plist file, then I saw it in the postinstall script. You have to insert the contents of your com.sophos.sau.plist into the postinstall script. Also, @joeg, yes, I was directed by our Sophos admin to this KB, and I did make the mod to the mpkg for our group path. We are an AD environment, so we’ll see what happens. Any idea of where this grouppath.plist info gets installed / located locally, or is it info that gets sent to the Sophos console at install. Thanks again. jk

  12. Matto-NZ
    March 5, 2015 at 5:25 am

    Kept getting a GUI prompt during the removal phase of the pre-install script in my environment on client Mac’s. Changed the opm-sa line to include the extra tools path to make it work. Seems the version of Sophos we have in the field has the InstallationDeployer in both places but only the ones in tools seems to run without a GUI.

    sudo “$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer” –remove

  13. June 11, 2015 at 7:13 pm

    Found this thread when researching how people are deploying our product (I work for Sophos). Please be aware that cloning the Sophos.keychain file from one machine to another is not supported, and will stop working in a future update. You can pre-configure the AutoUpdate and On-Access Scanner features in the installer, please see this KBA: https://www.sophos.com/en-us/support/knowledgebase/119744.aspx

    • Tony
      June 17, 2015 at 1:59 pm

      What about Enterprise deployment!???

      • June 17, 2015 at 2:42 pm

        Hi Tony, the article I linked to contains information that applies equally to both the stand-alone installer and SEC-managed installer.

    • Hugh
      July 3, 2015 at 11:59 am

      Hello, we are moving to OS X Sophos 9.2.4 and I want to send it out pre-confgured with certain settings. I have just read how to “embed” the update server credentials but can someone tell me how to pre-confgure the Sophos installer so it includes a weekly scan at a certain time.

      • July 3, 2015 at 8:06 pm

        Hello Hugh, there is currently no way to pre-configure scheduled scans for stand-alone endpoints. If your endpoints are set up for a management console they will receive the scheduled scans in your AV policy as soon as they establish contact. You can have the Mac endpoints automatically assigned to the correct group in the console with the Group Path feature (see our KBA 119791).

      • Hugh Burt
        July 6, 2015 at 10:24 am

        Hello I have tried to pre-configure the autoupdate as described in the article but it doesn’t seem to work. A folder called Sophos Installer Components was created next to the sophos installer application containing an updateconfig.plist. When I then ran the installer, it installs with no errors but the autoupdate is not configured. The sophos opm-sa folder has the same updateconfig.plist. Any ideas ?Thanks.

      • July 8, 2015 at 8:56 pm

        Hello Hugh, I’d encourage you to utilize our tech support team (our website has the contact info) if you haven’t got it working yet. Its definitely a supported feature, and was tested using the current Recommended version 9.2.7.

      • Hugh
        July 10, 2015 at 10:04 am

        Thanks. I have got is working. Still looking into how to set scanning. I have found if “root” creates a local scan schedule, the setting is saved in a plist in /Library/Application Support/Sophos Anti-Virus/Scans/Scan This Mac -root.plist.
        If this Sophos Anti Virus folder and its contents are then copied to another machine with no scheduled scans, the scan scheduled in the plist will run. So my idea is to make an installer package of this folder and send it out to all the machines after Sophos has been installed.

      • July 10, 2015 at 2:28 pm

        Hello Hugh, yes that is how scans are currently stored, and it will definitely work for any version in the field today. Please understand its not really a supported feature to create these files yourself; the product knows how to read/write these files, and we reserve the right to change the format or location without notice. Any upgrade that does that will migrate existing settings of course, but new / clean installations wouldn’t necessarily do the same migration. The interesting question this raised for me is “why do you do this?” Why do you not want to use our management console to manage these systems? We are definitely open to increasing the scope of the pre-configuration utilities, just trying to figure out why the management console isn’t a better choice in your case.

      • Hugh
        July 10, 2015 at 2:45 pm

        I probably would, but how does one hard code, into the installation package, the address of the server running the management console so it can “see” them?

      • July 10, 2015 at 3:04 pm

        Hello Hugh, the package you copy from the management console will have the server information already included. Have a look at the installer found in one of the CIDs, you’ll find an extra file in side the “Sophos Installer Components” directory called “mrinit.conf” – that has the server information included, its added to the package by your SEC installation when rendering the CID.

    • July 13, 2015 at 11:13 pm

      Hello Bob, you poor soul. Thanks for helping some of us out.

      Since the credentials aren’t pulled automatically anymore, what’s the best way to determine the credentials for the secondary server (Sophos)?

      • July 13, 2015 at 11:41 pm

        Hello Emily, if you are using the managed endpoint these will receive the correct credentials automatically from the SEC system. If you want to configure a stand-alone endpoint you will need to know the username and password issued to your company. Its the same information that would have been provided to the SEC system administrator, set in the Update Manager dialog box. Once you have these two strings, use the CreateUpdatePreconfig tool and specify -SecondaryServerType as 0, -SecondaryServerUserName and -SecondaryServerPassword as you normally would. Hope that helps.

      • Hugh
        July 20, 2015 at 8:10 am

        Hello Bob

        I actually find that looking after Macs with management console can be bit time consuming. My ideal would be a standalone installer, which I can push out with ARD or Munki, which contains all the settings pre-configured, such as update server, scan schedule and scan settings. This means that once installed, I can “forget” about Sophos and concentrate on maintaining and supporting the miserable Adobe and Microsoft products.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: