Revisiting Sophos Enterprise Anti-Virus for Mac 9.2.x deployment
I had previously written about deploying Sophos Enterprise Anti-Virus for Mac 9.2.x, but I was recently notified that the method I had been using would stop working in a future release of Sophos.
Sophos has a KBase article about pre-configuring their installer application with the AutoUpdate settings, but I also wanted to be able to deploy Sophos using an installer package. Using the information from the KBase article, I was able to update my existing method for building an installer package for deploying Sophos Enterprise Anti-Virus for Mac 9.2.x. For the details, see below the jump.
Prerequisites:
A copy of the Sophos Installer application and the Sophos Installer Components directory from your Sophos server. The Sophos installer application should be available from your Sophos Enterprise server using an address similar to that shown below:
smb://sophos.server.address.here/SophosUpdate/CIDs/S000
Credentials to mount the SophosUpdate share on your Sophos Enterprise server
Credentials to download Sophos updates from Sophos, in the event that the Sophos AV client is unable to connect to your Sophos Enterprise server
Configuring the Sophos AntiVirus installer application
1. Connect to the following server address (substitute the hostname of your server where appropriate):
smb://sophos.server.address.here/SophosUpdate/CIDs/S000
2. Copy the ESCOSX folder available on that fileshare from your Sophos server to somewhere convenient on your Mac.
3. Open Terminal.
4. Change directory location with the following command:
cd /path/to/ESCOSX/Sophos\ Installer.app/Contents/MacOS
5. Run the following command to configure the Sophos installer with the needed credentials for your Sophos Enterprise server, with the fallback option of updating from the update feed hosted by Sophos:
Note: this command should all be on one line.
sudo ./CreateUpdatePreconfig -PrimaryServerType 2 -PrimaryServerUserName SMB_Username_Goes_Here -PrimaryServerPassword SMB_Password_Goes_Here -PrimaryServerURL smb://sophos.server.address.here/SophosUpdate/CIDS/S000/ESCOSX -SecondaryServerType 0 -SecondaryServerUserName Sophos_Username_Goes_Here -SecondaryServerPassword Sophos_Password_Goes_Here
Note: If your username contains special characters, use quotes around the username. For example, if the PrimaryServerUserName value is an Active Directory account where you need to include the domain, the PrimaryServerUserName value should look like this:
-PrimaryServerUserName "DOMAIN\username_goes_here"
6. Running the CreateUpdatePreconfig command should produce output similar to that shown below:
7. As part of running the CreateUpdatePreconfig tool, an updateconfig.plist file is created in /path/to/ESCOSX/Sophos Installer Components. This stores the login information for your Sophos server.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PrimaryServerPassword</key>
    <string>c5XSMZZo6xkEee7HRouCu1X0jo8Ml4dJnSFbH96JO65Ria0ENuWUfONTg4UyUoj</string>
    <key>PrimaryServerType</key>
    <integer>2</integer>
    <key>PrimaryServerURL</key>
    <string>smb://server.name.here/SophosUpdate/CIDS/S000/ESCOSX</string>
    <key>PrimaryServerUserName</key>
    <string>Nvuh5oRqEbb24ooMFLpCIFgB6ucZQmZlur28fjgAGA</string>
    <key>SecondaryServer</key>
    <true/>
    <key>SecondaryServerPassword</key>
    <string>DvysmNc20dp6eXNh9EWLDLyf3EVbAZWx3xm77OIAJjzzlhjV0NjDoHyPwzfnkOQu</string>
    <key>SecondaryServerType</key>
    <integer>0</integer>
    <key>SecondaryServerUserName</key>
    <string>bs4Tw3R8HnRZz9ajZD0fAJ1XaDB0ytUTxdARRVgrXY</string>
</dict>
</plist>
Once the updateconfig.plist file has been created, a standard Apple installer package can now be created to install Sophos.
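The step 5 command puts both passwords on an interactive command line, where they land in shell history and where characters such as ! or \ depend on how they are quoted. The wrapper below is an added example, not part of the original post or of Sophos' tooling: it prompts for the values and passes each one to CreateUpdatePreconfig as its own quoted argument, using only the flags shown in step 5. PRECONFIG_DIR and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the article: prompt for the values used in step 5
# and hand them to CreateUpdatePreconfig as separately quoted arguments.
# PRECONFIG_DIR and all function names are assumptions made for this sketch.

# Directory from step 4 (placeholder path, as in the article).
PRECONFIG_DIR="${PRECONFIG_DIR:-/path/to/ESCOSX/Sophos Installer.app/Contents/MacOS}"

# Read one secret from the terminal without echoing it. read -r keeps
# backslashes literal, so values such as DOMAIN\user or a password with
# !, $, quotes or spaces arrive unchanged.
prompt_secret() {
    printf '%s: ' "$1" >&2
    trap 'stty echo; exit 130' INT TERM   # restore echo if interrupted
    stty -echo
    IFS= read -r secret_value
    stty echo
    trap - INT TERM
    printf '\n' >&2
    printf '%s' "$secret_value"
}

# Run the tool from its own directory, as in steps 4 and 5.
# $1 primary user, $2 primary password, $3 primary URL,
# $4 secondary (Sophos) user, $5 secondary (Sophos) password
run_preconfig() {
    [ "$#" -eq 5 ] || { echo "run_preconfig: expected 5 values" >&2; return 2; }
    for value in "$@"; do
        # An empty field would be written into updateconfig.plist as-is.
        [ -n "$value" ] || { echo "run_preconfig: empty value refused" >&2; return 2; }
    done
    (
        cd "$PRECONFIG_DIR" || exit 1
        # Server type values 2 and 0 are the ones used in the article's command.
        ./CreateUpdatePreconfig \
            -PrimaryServerType 2 \
            -PrimaryServerUserName "$1" \
            -PrimaryServerPassword "$2" \
            -PrimaryServerURL "$3" \
            -SecondaryServerType 0 \
            -SecondaryServerUserName "$4" \
            -SecondaryServerPassword "$5"
    )
}

main() {
    printf 'Primary server URL: ' >&2; IFS= read -r url
    printf 'Primary server user name: ' >&2; IFS= read -r puser
    ppass=$(prompt_secret 'Primary server password')
    printf 'Sophos user name: ' >&2; IFS= read -r suser
    spass=$(prompt_secret 'Sophos password')
    run_preconfig "$puser" "$ppass" "$url" "$suser" "$spass"
}

# Prompt only when asked to; run the script as root (for example via sudo), as in step 5.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The values stay out of shell history, but they are still handed to the tool as command-line arguments, since those flags are the only interface the step 5 command shows.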
Building the installer package
1. Set up a new Packages project and select Raw Package.
2. In this case, I’m naming the project Sophos Enterprise Anti-Virus 9.2.4
3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here. (If you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)
In this example, I’m not changing any of the options from what is set by default.
4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.
To accomplish this, I’m choosing the following options in the Settings section:
In the Post-Installation Behavior section, set On Success: to Do Nothing
In the Options section, check the box for Require admin password for installation.
5. Click on the Scripts tab in your Packages project.
6. Select the Sophos Installer application and its associated Sophos Installer Components directory and drag it into the Additional Resources section of your Packages project.
7. The last piece is doing an automated uninstall of any existing Sophos installations, then installing a fresh copy of Sophos with the pre-configured autoupdate settings.
For this, you’ll need a preinstall script and postinstall script. Here are the ones I’m using:
Preinstall:
#!/bin/bash

LOGGER="/usr/bin/logger"

# Determine working directory
install_dir=$(dirname "$0")

# Uninstall existing copy of Sophos 8.x by checking for the
# Sophos Antivirus uninstaller package in /Library/Sophos Anti-Virus.
# If present, the uninstallation process is run.

if [ -d "$3/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "$3/Library/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target "$3"
    killall SophosUIServer
elif [ -d "$3/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" ]; then
    ${LOGGER} "Sophos AV present on Mac. Uninstalling before installing new copy."
    /usr/sbin/installer -pkg "$3/Library/Application Support/Sophos Anti-Virus/Remove Sophos Anti-Virus.pkg" -target "$3"
    killall SophosUIServer
else
    ${LOGGER} "Sophos Anti-Virus 8.x Uninstaller Not Present"
fi

# Uninstall existing copy of Sophos 9.x by checking for the InstallationDeployer application
# in the following locations:
#
# Sophos AV Cloud
# /Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/
# /Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/
#
# Sophos AV Home Edition
# /Library/Application Support/Sophos/he/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools
#
# Sophos AV Standalone
# /Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools
#
# Sophos AV Enterprise
# /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS
# /Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools
#
# If the InstallationDeployer application is present in the Contents/MacOS/tools directory, the
# uninstallation process is run using the InstallationDeployer tool located there.
#
# If the InstallationDeployer application is present only in the Contents/MacOS directory, the
# uninstallation process is run using the InstallationDeployer tool located there.
#
# The reason for the directory-specific check is that running the InstallationDeployer application
# from Contents/MacOS on Sophos 9.1.x and later will cause the Sophos uninstaller application to
# launch in the dock and interfere with a normal installation via installer package.
#
# For more information, see the link below:
# http://www.sophos.com/en-us/support/knowledgebase/14179.aspx

if [[ -f "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ ! -f "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Home Edition present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" --remove
elif [[ -f "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Home Edition present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
elif [[ ! -f "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Home Edition present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/he/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Home Edition Uninstaller Not Present"
fi

if [[ -f "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ ! -f "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Standalone present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" --remove
elif [[ -f "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Standalone present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
elif [[ ! -f "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Standalone present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Standalone Uninstaller Not Present"
fi

if [[ -f "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ ! -f "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Enterprise present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" --remove
elif [[ -f "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Enterprise present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
elif [[ ! -f "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Enterprise present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Enterprise Uninstaller Not Present"
fi

if [[ -f "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ ! -f "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Cloud present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/InstallationDeployer" --remove
elif [[ -f "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Cloud present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
elif [[ ! -f "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/InstallationDeployer" ]] && [[ -f "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" ]]; then
    ${LOGGER} "Sophos AV Cloud present on Mac. Uninstalling before installing new copy."
    "$3/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove
else
    ${LOGGER} "Sophos Anti-Virus 9.x Cloud Uninstaller Not Present"
fi

exit 0
Postinstall:
#!/bin/bash

# Determine working directory (quoted so paths containing spaces survive)
install_dir=$(dirname "$0")

# Install Sophos Anti-Virus
"$install_dir/Sophos Installer.app/Contents/MacOS/tools/InstallationDeployer" --install

exit 0
8. Once you’ve got the preinstall and postinstall scripts built, run the following commands to make the scripts executable:
sudo chmod a+x /path/to/preinstall
sudo chmod a+x /path/to/postinstall
9. Once completed, add the preinstall and postinstall scripts to your Packages project.
10. Last step, go ahead and build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)
Testing the installer
Once the package has been built, test it by taking it to a test machine that does not have Sophos and install it. The end result should be that Sophos Anti-Virus installs properly and has the pre-configured settings for your Sophos Enterprise server included automatically.
This worked perfectly, thanks! I was able to use the resulting package installer with Casper, too.
Apparently this doesn’t work if you have a ! in the password. Go figure.
Awesome, as always… thanks Rich!
Hi There
Thanks for this info.
In our environment the Sophos Console is set to apply settings and manage a machine based on the OU container in AD. This means I don’t need to pre-configure the auto-update settings.
In this case is it possible to use Composer to capture the install?
Many thanks
Oli
Rich,
The installer seems to work fine if run manually. The only issue I’m running into is that it seems to create the following directory /Builds. It has rwxr-x--- rights and is owned by root:wheel. The bizarre thing is that I’m installing this package on firstboot after restart with Casper Imaging. Is this something you’ve seen before? OS in question is OS X 10.10.4.
Problem I am having after Sophos installs is the “Network Volume” location is blank and I need to manually fill in.
NM I forgot to put the location in the plist.
We want to turn on logging by default
UpdateLogIntoSyslog
Is there a way to build that into the pkg in a similar way to this?
OK, worked it out from looking through the other walk throughs. Added to the postinstall script the replacing of com.sophos.sau.plist and also added
# Adding logging for found items
sudo defaults write /Library/Preferences/com.sophos.sav LogIntoSyslog -bool TRUE
sudo defaults write /Library/Preferences/com.sophos.sav LogFileLimit -int 30
# Not sure this is needed but converts the plist back to xml format
sudo plutil -convert xml1 /Library/Preferences/com.sophos.sav.plist
You mention using quotes if you have a username with special characters, but what do you do with a password with special characters? Our password for the service account we use for Sophos has special characters in it – I tried using quotes but this did not work, so how do we escape the special characters for the password?
Try ‘single quoting’ the password.
Since quoting around the password with special characters should resolve the problem.
Have you seen any performance updating issues using SMB? Are you running any delay servers? We have seen some inconsistent updating behaviors and wonder if it is related to moving to a primary http update source. Thanks…great work as always.
Thank you! Can confirm this works with Munki too.
Is anyone having success packaging 9.6.2? I have tried multiple times now, it packages fine with no errors, and the installer goes through authentication ok, gets about 30% through the progress bar (writing files), then just fails with “The Installation Failed. The installer encountered an error that caused the installation to fail….” I can’t find anything wrong with how I’m configured (1 local server, username in quotes and password in single quotes, plus direct Sophos download option).
Any help would be appreciated!
Just packaged 9.6.6 with these instructions and had no issues. Packaged installer must be on a local drive to work. Thanks!!
Hey Andrey, I’ve also followed these steps completely. Sophos installs fine, it even puts in the correct repo and updates files from the primary server… However, it never reports to the SEC. It sees the computers pulled from AD with Centrify, and I have done both OU and firewall/port troubleshooting. My original package I did back in 2016 worked fine, though now something has changed. The “rms” folder does not appear in new installations, and I suspect this may be the cause. I’ve tried talking to Sophos support, but they keep telling me my ports aren’t open and that just isn’t the case. Should there be an additional agent.config in the rms folder from the ESCOSX? I’m finding it troublesome to get exact information from Sophos. Any information would be helpful.