Revisiting Sophos Enterprise Anti-Virus for Mac 9.2.x deployment
I had previously written about deploying Sophos Enterprise Anti-Virus for Mac 9.2.x, but I was recently notified that the method I had been using would stop working in a future release of Sophos.
Sophos has a KBase article about pre-configuring their installer application with the AutoUpdate settings, but I also wanted to be able to deploy Sophos using an installer package. Using the information from the KBase article, I was able to update my existing method for building an installer package for deploying Sophos Enterprise Anti-Virus for Mac 9.2.x.
A copy of the Sophos Installer application and the Sophos Installer Components directory from your Sophos server. The Sophos installer application should be available from your Sophos Enterprise server using an address similar to that shown below:
Credentials to mount the SophosUpdate share on your Sophos Enterprise server
Credentials to download Sophos updates from Sophos, in the event that the Sophos AV client is unable to connect to your Sophos Enterprise server
Configuring the Sophos AntiVirus installer application
1. Connect to the following server address (substitute the hostname of your server where appropriate):
2. Copy the ESCOSX folder available on that fileshare from your Sophos server to somewhere convenient on your Mac.
3. Open Terminal.
4. Change directory location with the following command:
cd /path/to/ESCOSX/Sophos\ Installer.app/Contents/MacOS
5. Run the following command to configure the Sophos installer with the needed credentials for your Sophos Enterprise server, with the fallback option of updating from the update feed hosted by Sophos:
Note: this command should all be on one line.
sudo ./CreateUpdatePreconfig -PrimaryServerType 2 -PrimaryServerUserName SMB_Username_Goes_Here -PrimaryServerPassword SMB_Password_Goes_Here -PrimaryServerURL smb://sophos.server.address.here/SophosUpdate/CIDS/S000/ESCOSX -SecondaryServerType 0 -SecondaryServerUserName Sophos_Username_Goes_Here -SecondaryServerPassword Sophos_Password_Goes_Here
Note: If your username contains special characters, use quotes around the username. For example, if the PrimaryServerUserName value is an Active Directory account where you need to include the domain, the PrimaryServerUserName value should look like this:
6. Running the CreateUpdatePreconfig command should produce output similar to that shown below:
7. As part of running the CreateUpdatePreconfig tool, an updateconfig.plist file is created in /path/to/ESCOSX/Sophos Installer Components. This stores the login information for your Sophos server.
Once the updateconfig.plist file has been created, a standard Apple installer package can now be created to install Sophos.
Building the installer package
1. Set up a new Packages project and select Raw Package.
2. In this case, I’m naming the project Sophos Enterprise Anti-Virus 9.2.4.
3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here. (If you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)
In this example, I’m not changing any of the options from what is set by default.
4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.
To accomplish this, I’m choosing the following options in the Settings section:
In the Post-Installation Behavior section, set On Success: to Do Nothing
In the Options section, check the box for Require admin password for installation.
5. Click on the Scripts tab in your Packages project.
6. Select the Sophos Installer application and its associated Sophos Installer Components directory and drag it into the Additional Resources section of your Packages project.
7. The last piece is doing an automated uninstall of any existing Sophos installations, then installing a fresh copy of Sophos with the pre-configured autoupdate settings.
For this, you’ll need a preinstall script and postinstall script. Here are the ones I’m using:
8. Once you’ve got the preinstall and postinstall scripts built, run the following commands to make the scripts executable:
sudo chmod a+x /path/to/preinstall
sudo chmod a+x /path/to/postinstall
9. Once completed, add the preinstall and postinstall scripts to your Packages project.
10. Last step, go ahead and build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)
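A pre-build check for the inputs gathered in the steps above, as an added example that is not part of the original post or of Sophos or Packages tooling. It confirms that the installer app, the components directory and updateconfig.plist are in place, and that the preinstall and postinstall scripts, which run as root, are executable and not writable by group or other. The function names and the separate scripts directory argument are assumptions.

```sh
#!/bin/sh
# Added example: pre-build check of the inputs to the Packages project.
# Function names and the choice of checks are assumptions.

# Succeeds when the file is writable by group or other (mode bits 020 / 002).
loosely_writable() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# check_pkg_inputs ESCOSX_DIR SCRIPTS_DIR
# Prints one line per problem; the return status is the number of problems.
check_pkg_inputs() {
    escosx=$1; scripts=$2; problems=0
    components="$escosx/Sophos Installer Components"
    # The installer app and its components directory are added together.
    for d in "$escosx/Sophos Installer.app" "$components"; do
        [ -d "$d" ] || { echo "missing directory: $d"; problems=$((problems + 1)); }
    done
    # updateconfig.plist is written by CreateUpdatePreconfig and carries the
    # update-server login information into the package.
    plist="$components/updateconfig.plist"
    if [ ! -s "$plist" ]; then
        echo "missing or empty: $plist"; problems=$((problems + 1))
    elif loosely_writable "$plist"; then
        echo "group/other-writable: $plist"; problems=$((problems + 1))
    fi
    # Both scripts run as root at install time: they must be executable,
    # start with an interpreter line, and not be editable by other accounts.
    for name in preinstall postinstall; do
        s="$scripts/$name"
        if [ ! -f "$s" ]; then
            echo "missing script: $s"; problems=$((problems + 1)); continue
        fi
        [ -x "$s" ] || { echo "not executable: $s"; problems=$((problems + 1)); }
        first=; IFS= read -r first < "$s" || true
        case $first in
            '#!'*) ;;
            *) echo "no interpreter line: $s"; problems=$((problems + 1)) ;;
        esac
        if loosely_writable "$s"; then
            echo "group/other-writable: $s"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# When given two arguments, run the check on them.
[ "$#" -ne 2 ] || check_pkg_inputs "$1" "$2"
```

Saved as, for example, check_inputs.sh, it would be run as `sh check_inputs.sh /path/to/ESCOSX /path/to/scripts`; a status of 0 means no problems were found.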
Testing the installer
Once the package has been built, test it by taking it to a test machine that does not have Sophos and installing it. The end result should be that Sophos Anti-Virus installs properly and has the pre-configured settings for your Sophos Enterprise server included automatically.