Deploying Sophos Enterprise Anti-Virus for Mac OS X 9.x
For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solutions. With the release of Sophos Anti-Virus 9.x, though, Sophos changed how their antivirus for Macs is installed: it now ships as an installer application. For customers using Sophos Enterprise Console, however, Sophos still provides an installer metapackage. This is good news for Mac admins, but the configuration and login credentials that used to be stored in /Library/Preferences/com.sophos.sau.plist in Sophos 8.x have been overhauled in Sophos 9.x: that file now contains only the update server locations and no login information.
With the login credentials no longer available in /Library/Preferences/com.sophos.sau.plist, a Sophos Anti-Virus client deployed with just that file was not able to connect back to the Sophos Enterprise Console to receive either management or updates. Since those login credentials were working in my shop for machines in the Active Directory OUs that the Sophos Enterprise Console was managing, they had to be stored somewhere else on the system. After working on the problem in his own shop, Tim Kimpton figured out that both of the following files are needed:
/Library/Preferences/com.sophos.sau.plist
/Library/Sophos Anti-Virus/Sophos.keychain
Once I had this information and understood what was going on, I was able to build and deploy a Sophos Enterprise Anti-Virus for Mac OS X 9.x installer that installs a pre-configured set of auto-update settings. One caveat: because the package embeds Sophos.keychain, and that keychain holds the credentials the client uses to reach the update server, treat the built installer as sensitive and distribute it only through your management system rather than a publicly reachable share. For more details, see below the jump.
Prerequisites
A copy of the Sophos Anti-Virus.mpkg installer package from your Sophos enterprise server.
A copy of the Sophos.keychain file, which holds the update server login credentials and will need to be taken from the following location on a Sophos Enterprise-managed machine:
/Library/Sophos Anti-Virus/Sophos.keychain
A copy of the com.sophos.sau.plist file, which will need to be taken from the following location on a Sophos Enterprise-managed machine:
/Library/Preferences/com.sophos.sau.plist
1. Set up a new Packages project and select Raw Package.
2. In this case, I’m naming the project Sophos Enterprise AntiVirus 9.1.6.
3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here (if you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project).
In this example, I’m not changing any of the options from what is set by default.
4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.
To accomplish this, I’m choosing the following options in the Settings section:
In the Post-Installation Behavior section, set On Success: to Do Nothing
In the Options section, check the box for Require admin password for installation
5. Click on the Scripts tab in your Packages project.
6. Select the Sophos installer metapackage and drag it into the Additional Resources section of your Packages project.
7. Select the Sophos.keychain file and drag it into the Additional Resources section of your Packages project.
8. The last piece is doing an automated uninstall of any existing Sophos installations, then installing a fresh copy of Sophos with the pre-configured autoupdate settings. For this, you’ll need a preinstall script and postinstall script.
Here are the preinstall and postinstall scripts that I’m using:
Preinstall
#!/bin/bash

LOGGER="/usr/bin/logger"

# Determine working directory
install_dir=$(dirname "$0")

# Uninstall existing copy of Sophos 8.x by checking for the
# Sophos Anti-Virus uninstaller package in /Library/Sophos Anti-Virus
# (or /Library/Application Support/Sophos Anti-Virus on some builds).
# If present, the uninstallation process is run.

if [ -d "$3/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "$3/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target "$3"
    killall SophosUIServer
elif [ -d "$3/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "$3/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target "$3"
    killall SophosUIServer
else
    ${LOGGER} "Sophos Anti-Virus 8.x Uninstaller Not Present"
fi

# Uninstall existing copy of Sophos 9.x by checking for the InstallationDeployer
# application in the following locations:
#
# /Library/Application Support/Sophos/he/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools
#
# If the InstallationDeployer application is present, the uninstallation
# process is run with its --remove flag (two hyphens).

if [[ -f "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Home Edition present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Home Edition Uninstaller Not Present"
fi

if [[ -f "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Standalone present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Standalone Uninstaller Not Present"
fi

if [[ -f "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Enterprise present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Enterprise Uninstaller Not Present"
fi

exit 0
Postinstall
#!/bin/bash

LOGGER="/usr/bin/logger"
FILE_DATE=$(date +%Y%m%d%H%M%S)

# Determine working directory
install_dir=$(dirname "$0")

# Location of Sophos keychain file
sophos_keychain="$3/Library/Sophos Anti-Virus/Sophos.keychain"

# Location of Sophos autoupdate configuration file
sophos_config="/Library/Preferences/com.sophos.sau.plist"

# Install Sophos Anti-Virus
/usr/sbin/installer -dumplog -verbose -pkg "$install_dir/Sophos Anti-Virus.mpkg" -target "$3"

# Move aside the existing Sophos autoupdate configuration file, if any.
# Note: the copies moved to /tmp sit in a directory every local user can
# list, so clean them up once the install has been verified.
if [[ -f "$sophos_config" ]]; then
    ${LOGGER} "Moving existing Sophos autoupdate configuration aside."
    /bin/mv "$sophos_config" /tmp/com.sophos.sau."$FILE_DATE".plist
fi

# Remove and replace existing Sophos keychain file
if [[ -f "$sophos_keychain" ]]; then
    mv "$sophos_keychain" /tmp/Sophos-"$FILE_DATE".keychain
    cp "$install_dir/Sophos.keychain" "$sophos_keychain"
fi

# Write Sophos autoupdate configuration file
#
# Note: The plist below is only an example. You will
# need to provide your own plist settings (copied from
# com.sophos.sau.plist on a managed machine) between the
# following lines:
#
# /bin/cat > "$sophos_config" << 'SOPHOS_CONFIG'
#
# ....plist data goes here....
#
# SOPHOS_CONFIG
#

/bin/cat > "$sophos_config" << 'SOPHOS_CONFIG'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>LastUpdated</key>
	<string>September 1, 2014 11:19:09 PM EDT</string>
	<key>PrimaryServerProxy</key>
	<integer>0</integer>
	<key>PrimaryServerProxyPort</key>
	<integer>0</integer>
	<key>PrimaryServerProxyURL</key>
	<string></string>
	<key>PrimaryServerType</key>
	<integer>2</integer>
	<key>PrimaryServerURL</key>
	<string>smb://sophos_enterprise_server_name_goes_here/SophosUpdate/CIDs/S000/ESCOSX</string>
	<key>SecondaryServer</key>
	<true/>
	<key>SecondaryServerProxy</key>
	<integer>0</integer>
	<key>SecondaryServerProxyPort</key>
	<integer>0</integer>
	<key>SecondaryServerProxyURL</key>
	<string></string>
	<key>SecondaryServerType</key>
	<integer>0</integer>
	<key>SecondaryServerURL</key>
	<string></string>
	<key>UpdateFrequency</key>
	<integer>1</integer>
	<key>UpdateInterval</key>
	<integer>10</integer>
	<key>UpdateLogIntoFile</key>
	<true/>
	<key>UpdateLogIntoSyslog</key>
	<false/>
	<key>UpdateOnConnection</key>
	<false/>
	<key>UpdateUnits</key>
	<integer>1</integer>
</dict>
</plist>
SOPHOS_CONFIG

# Force Sophos to reload its configuration
/bin/launchctl unload /Library/LaunchDaemons/com.sophos.configuration.plist
/bin/launchctl load /Library/LaunchDaemons/com.sophos.configuration.plist

exit 0
9. Once you’ve got the preinstall and postinstall scripts built, run the following commands to make the scripts executable:
sudo chmod a+x /path/to/preinstall
sudo chmod a+x /path/to/postinstall
10. Once completed, add the preinstall and postinstall scripts to your Packages project.
11. Last step, go ahead and build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)
Testing the installer
Once the package has been built, test it by taking it to a test machine that does not have Sophos and installing it. The end result should be that Sophos Anti-Virus installs properly and has the pre-configured settings for your Sophos Enterprise server included automatically. It is also worth testing on a machine that still has an older Sophos 8.x or 9.x install, since that exercises the uninstall logic in the preinstall script.
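A quick way to check the result on the test machine is to read back what the postinstall script wrote. The script below is an added example and is not part of the original post or of Sophos's own tooling: it pulls values out of com.sophos.sau.plist with awk alone (so it also runs on a non-Mac build host), confirms the primary server URL is the one you expect and does not carry embedded credentials (those belong in Sophos.keychain), checks that UpdateInterval is a positive integer, and confirms the keychain file is present. The key names come from the example plist above; the expected server URL, the sample plist and the placeholder keychain file are constructed here for the demonstration and are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment check that the
# AutoUpdate settings written by the postinstall script actually landed.
# Assumed defaults; override via the environment on a deployed Mac.
SAU_PLIST="${SAU_PLIST:-/Library/Preferences/com.sophos.sau.plist}"
SOPHOS_KEYCHAIN="${SOPHOS_KEYCHAIN:-/Library/Sophos Anti-Virus/Sophos.keychain}"
EXPECTED_SERVER="smb://sophos_enterprise_server_name_goes_here/SophosUpdate/CIDs/S000/ESCOSX"

# Print the scalar value (<string>, <integer>, <true/> or <false/>) that
# follows a given <key> in an XML plist. Usage: plist_value FILE KEY
plist_value() {
    awk -v key="<key>$2</key>" '
        found {
            if (match($0, /<string>.*<\/string>/)) {
                print substr($0, RSTART + 8, RLENGTH - 17); exit
            }
            if (match($0, /<integer>.*<\/integer>/)) {
                print substr($0, RSTART + 9, RLENGTH - 19); exit
            }
            if ($0 ~ /<true\/>/)  { print "true";  exit }
            if ($0 ~ /<false\/>/) { print "false"; exit }
        }
        index($0, key) { found = 1 }
    ' "$1"
}

# Check one installed configuration. Returns 0 when everything matches;
# otherwise prints each problem to stderr and returns 1.
# Usage: check_sau_config PLIST KEYCHAIN EXPECTED_URL
check_sau_config() {
    rc=0
    if [ ! -f "$1" ]; then
        echo "missing AutoUpdate plist: $1" >&2
        return 1
    fi
    url=$(plist_value "$1" PrimaryServerURL)
    if [ "$url" != "$3" ]; then
        echo "PrimaryServerURL is '$url', expected '$3'" >&2; rc=1
    fi
    # Credentials belong in Sophos.keychain, never in the URL itself.
    case "$url" in
        *@*) echo "PrimaryServerURL embeds credentials" >&2; rc=1 ;;
    esac
    # UpdateInterval should be a positive integer.
    interval=$(plist_value "$1" UpdateInterval)
    case "$interval" in
        ''|*[!0-9]*|0) echo "UpdateInterval is '$interval'" >&2; rc=1 ;;
    esac
    if [ ! -s "$2" ]; then
        echo "Sophos.keychain missing or empty: $2" >&2; rc=1
    fi
    return $rc
}

# Constructed sample data so the check can be exercised offline: a plist in
# the shape the postinstall script writes, and a placeholder standing in for
# the real Sophos.keychain (its contents are not inspected, only its presence).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PLIST="$SAMPLE_DIR/com.sophos.sau.plist"
SAMPLE_KEYCHAIN="$SAMPLE_DIR/Sophos.keychain"
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>PrimaryServerProxyURL</key>
	<string></string>
	<key>PrimaryServerType</key>
	<integer>2</integer>
	<key>PrimaryServerURL</key>
	<string>smb://sophos_enterprise_server_name_goes_here/SophosUpdate/CIDs/S000/ESCOSX</string>
	<key>SecondaryServer</key>
	<true/>
	<key>UpdateInterval</key>
	<integer>10</integer>
</dict>
</plist>
EOF
printf 'placeholder keychain bytes\n' > "$SAMPLE_KEYCHAIN"

# Runs against the sample when executed directly. On a deployed Mac call
# check_sau_config "$SAU_PLIST" "$SOPHOS_KEYCHAIN" "$EXPECTED_SERVER" instead.
if check_sau_config "$SAMPLE_PLIST" "$SAMPLE_KEYCHAIN" "$EXPECTED_SERVER"; then
    echo "sample configuration OK"
fi
```

The awk parser deliberately matches the full `<key>Name</key>` tag, so `PrimaryServerURL` cannot be confused with `PrimaryServerProxyURL`; if you add checks for other keys, keep that pattern.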
We are testing Sophos 9 Enterprise and I find it really annoying that removal can’t be done silently; they have made the installer an App instead of a package or script.
Removal can be done silently. Please take a look at the preinstall script in the post above for an example of how to do that.
I will give that a try.
I was trying to utilize /Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.app
If the installer under OPM uses --remove to install, then problem solved.
Thanks.
"--remove"
Totally missed the “X” between Mac OS and 9.x – I was wondering why 1) Sophos would release an OS 9 version of their product, and 2) why you’d bother writing about how to distribute it!
Another useful trick is to grab the mpkg from the Sophos Enterprise server and modify it to assign the endpoint to an Enterprise Console group after installation. (Sophos KB119791).
Once the modded mpkg is installed the endpoint checks in to Enterprise Console, joins the group and the policy to configure auto-update is applied.
Not sure how this will work when syncing group structure with AD though
[http://www.sophos.com/en-us/support/knowledgebase/119791.aspx]
My Sophos Enterprise server doesn’t produce an .mpkg; it produces a .app Sophos Installer. Will it work anyway?
Also keep in mind if you take the Sophos Anti-Virus.mpkg from your CID of your SEC and put that in to Casper, then it will fail with the error
Installation failed. ( The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. )
Casper has never liked mpkgs, and by packaging it up in this way for deployment you are limiting the points of failure.
What version of Sophos does this start with? 9.2?
This post is incredibly helpful. Thanks!
Joe, thanks for the Sophos KB grouppath link! Most of our Macs are not bound to the domain, so being able to pre-populate the group information is really helpful.
Worked like a charm, thanks rtrouton. One thing that almost slipped past me: I was wondering why there was no mention of the com.sophos.sau.plist file, then I saw it in the postinstall script. You have to insert the contents of your com.sophos.sau.plist into the postinstall script. Also, @joeg, yes, I was directed by our Sophos admin to this KB, and I did make the mod to the mpkg for our group path. We are an AD environment, so we’ll see what happens. Any idea where this grouppath.plist info gets installed / located locally, or is it info that gets sent to the Sophos console at install? Thanks again. jk
Kept getting a GUI prompt during the removal phase of the preinstall script in my environment on client Macs. Changed the opm-sa line to include the extra tools path to make it work. Seems the version of Sophos we have in the field has the InstallationDeployer in both places, but only the one in tools seems to run without a GUI.
sudo "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
Found this thread when researching how people are deploying our product (I work for Sophos). Please be aware that cloning the Sophos.keychain file from one machine to another is not supported, and will stop working in a future update. You can pre-configure the AutoUpdate and On-Access Scanner features in the installer, please see this KBA: https://www.sophos.com/en-us/support/knowledgebase/119744.aspx
What about Enterprise deployment!???
Hi Tony, the article I linked to contains information that applies equally to both the stand-alone installer and SEC-managed installer.
Hello, we are moving to OS X Sophos 9.2.4 and I want to send it out pre-configured with certain settings. I have just read how to “embed” the update server credentials, but can someone tell me how to pre-configure the Sophos installer so it includes a weekly scan at a certain time?
Hello Hugh, there is currently no way to pre-configure scheduled scans for stand-alone endpoints. If your endpoints are set up for a management console they will receive the scheduled scans in your AV policy as soon as they establish contact. You can have the Mac endpoints automatically assigned to the correct group in the console with the Group Path feature (see our KBA 119791).
Hello I have tried to pre-configure the autoupdate as described in the article but it doesn’t seem to work. A folder called Sophos Installer Components was created next to the sophos installer application containing an updateconfig.plist. When I then ran the installer, it installs with no errors but the autoupdate is not configured. The sophos opm-sa folder has the same updateconfig.plist. Any ideas ?Thanks.
Hello Hugh, I’d encourage you to utilize our tech support team (our website has the contact info) if you haven’t got it working yet. It’s definitely a supported feature, and was tested using the current Recommended version 9.2.7.
Thanks. I have got it working. Still looking into how to set scanning. I have found that if “root” creates a local scan schedule, the setting is saved in a plist in /Library/Application Support/Sophos Anti-Virus/Scans/Scan This Mac -root.plist.
If this Sophos Anti Virus folder and its contents are then copied to another machine with no scheduled scans, the scan scheduled in the plist will run. So my idea is to make an installer package of this folder and send it out to all the machines after Sophos has been installed.
Hello Hugh, yes, that is how scans are currently stored, and it will definitely work for any version in the field today. Please understand it’s not really a supported feature to create these files yourself; the product knows how to read/write these files, and we reserve the right to change the format or location without notice. Any upgrade that does that will migrate existing settings of course, but new / clean installations wouldn’t necessarily do the same migration. The interesting question this raised for me is “why do you do this?” Why do you not want to use our management console to manage these systems? We are definitely open to increasing the scope of the pre-configuration utilities, just trying to figure out why the management console isn’t a better choice in your case.
I probably would, but how does one hard code, into the installation package, the address of the server running the management console so it can “see” them?
Hello Hugh, the package you copy from the management console will have the server information already included. Have a look at the installer found in one of the CIDs; you’ll find an extra file inside the “Sophos Installer Components” directory called “mrinit.conf” that has the server information included. It’s added to the package by your SEC installation when rendering the CID.
Hello Bob, you poor soul. Thanks for helping some of us out.
Since the credentials aren’t pulled automatically anymore, what’s the best way to determine the credentials for the secondary server (Sophos)?
Hello Emily, if you are using the managed endpoint, these will receive the correct credentials automatically from the SEC system. If you want to configure a stand-alone endpoint you will need to know the username and password issued to your company. It’s the same information that would have been provided to the SEC system administrator, set in the Update Manager dialog box. Once you have these two strings, use the CreateUpdatePreconfig tool and specify -SecondaryServerType as 0, -SecondaryServerUserName and -SecondaryServerPassword as you normally would. Hope that helps.
Hello Bob
I actually find that looking after Macs with the management console can be a bit time-consuming. My ideal would be a standalone installer, which I can push out with ARD or Munki, which contains all the settings pre-configured, such as update server, scan schedule and scan settings. This means that once installed, I can “forget” about Sophos and concentrate on maintaining and supporting the miserable Adobe and Microsoft products.