Home > Mac administration, Mac OS X, Scripting, Sophos > Revisiting Sophos Enterprise Anti-Virus for Mac 9.2.x deployment

Revisiting Sophos Enterprise Anti-Virus for Mac 9.2.x deployment

I had previously written about deploying Sophos Enterprise Anti-Virus for Mac 9.2.x, but I was recently notified that the method I had been using would stop working in a future release of Sophos.

Sophos has a KBase article about pre-configuring their installer application with the AutoUpdate settings, but I also wanted to be able to deploy Sophos using an installer package. Using the information from the KBase article, I was able to update my existing method for building an installer package for deploying Sophos Enterprise Anti-Virus for Mac 9.2.x. For the details, see below the jump.


A copy of the Sophos Installer application and the Sophos Installer Components directory from your Sophos server. The Sophos installer application should be available inside from your Sophos Enterprise server using an address similar to that shown below:


Credentials to mount the SophosUpdate share on your Sophos Enterprise server

Credentials to download Sophos updates from Sophos, in the event that the Sophos AV client is unable to connect to your Sophos Enterprise server


Configuring the Sophos AntiVirus installer application

1. Connect to the following server address (substitute the hostname of your server where appropriate):



2. Copy the ESCOSX folder available on that fileshare from your Sophos server to somewhere convenient on your Mac.

3. Open Terminal.

4. Change directory location with the following command:

cd /path/to/ESCOSX/Sophos\ Installer.app/Contents/MacOS


5. Run the following command to configure the Sophos installer with the needed credentials for your Sophos Enterprise server, with the fallback option of updating from the update feed hosted by Sophos:

Note: this command should all be on one line.

sudo ./CreateUpdatePreconfig -PrimaryServerType 2 -PrimaryServerUserName SMB_Username_Goes_Here -PrimaryServerPassword SMB_Password_Goes_Here -PrimaryServerURL smb://sophos.server.address.here/SophosUpdate/CIDS/S000/ESCOSX -SecondaryServerType 0 -SecondaryServerUserName Sophos_Username_Goes_Here -SecondaryServerPassword Sophos_Password_Goes_Here

Note: If your username contains special characters, use quotes around the username. For example, if the PrimaryServerUserName value is an Active Directory account where you need to include the domain, the PrimaryServerUserName value should look like this:

-PrimaryServerUserName "DOMAIN\username_goes_here"


6. Running the CreateUpdatePreconfig command should produce output similar to that shown below:


7. As part of running the CreateUpdatePreconfig tool, an updateconfig.plist file is created in /path/to/ESCOSX/Sophos Installer Components. This stores the login information for your Sophos server.

Once the updateconfig.plist file has been created, a standard Apple installer package can now be created to install Sophos.


Building the installer package

1. Set up a new Packages project and select Raw Package.


2. In this case, I’m naming the project Sophos Enterprise Anti-Virus 9.2.4


3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that the your information is correctly set here (if you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)

In this example, I’m not changing any of the options from what is set by default.


4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.

To accomplish this, I’m choosing the following options in the Settings section:

In the Post-Installation Behavior section, set On Success: to Do Nothing
In the Options section, check the box for Require admin password for installation.


5. Click on the Scripts tab in your Packages project.

6. Select the Sophos Installer application and its associated Sophos Installer Components directory and drag it into the Additional Resources section of your Packages project.


7. The last piece is doing an automated uninstall of any existing Sophos installations, then installing a fresh copy of Sophos with the pre-configured autoupdate settings.

For this, you’ll need a preinstall script and postinstall script. Here are the ones I’m using:



8. Once you’ve got the preinstall and postinstall scripts built, run the following command to make the script executable:

sudo chmod a+x /path/to/preinstall
sudo chmod a+x /path/to/postinstall

9. Once completed, add the preinstall and postinstall scripts to your Packages project.


10. Last step, go ahead and build the package. (If you don’t know to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)

Testing the installer

Once the package has been built, test it by taking it to a test machine that does not have Sophos and install it. The end result should be that Sophos Anti-Virus installs properly and has the pre-configured settings for your Sophos Enterprise server included automatically.

  1. Alex S.
    June 17, 2015 at 5:20 pm

    This worked perfectly, thanks! I was able to use the resulting package installer with Casper, too.

  2. June 29, 2015 at 9:08 pm

    Apparently this doesn’t work if you have a ! in the password. Go figure.

  3. lashomb
    July 10, 2015 at 4:15 pm

    Awesome, as always… thanks Rich!

  4. Oli Giles
    July 14, 2015 at 2:51 pm

    Hi There
    Thanks for this info.
    In our environment the Sophos Console is set to apply settings and manage a machine based on the OU container in AD. This means i don’t need to pre-configure the auto-update settings.
    In this case is it possible to use Composer to capture the install?

    Many thanks

  5. BP
    August 10, 2015 at 9:25 pm


    The installer seems to work fine if ran manually. The only issue I’m running into is that it seems to create the following directory /Builds. It has rwxr-x— rights and is owned by root:wheel. The bizarre thing is that I’m installing this package on firstboot after restart with Casper Imaging. Is this something you’ve seen before? OS in question is OS X 10.10.4.

  6. dubprocess
    October 1, 2015 at 10:04 pm

    Problem I am having after Sophos installs is the “Network Volume” location is blank and I need to manually fill in.

    • dubprocess
      October 1, 2015 at 10:05 pm

      NM I forgot to put the location in the plist.

  7. David
    January 7, 2016 at 10:52 am

    We want to turn on logging by default

    Is there a way to build that into the pkg in a similar way to this?

    • David
      January 7, 2016 at 1:57 pm

      OK, worked it out from looking through the other walk throughs. Added to the postinstall script the replacing of com.sophos.sau.plist and also added
      # Adding logging for found items
      sudo defaults write /Library/Preferences/com.sophos.sav LogIntoSyslog -bool TRUE
      sudo defaults write /Library/Preferences/com.sophos.sav LogFileLimit -int 30
      # Not sure this is needed but converts the plist back to xml format
      sudo plutil -convert xml1 /Library/Preferences/com.sophos.sav.plist

  8. danarthurjackson
    January 27, 2016 at 8:32 am

    You mention using quotes if you have a username with special characters, but what do you do with a password with special characters? Our password for the service account we use for Sophos has special characters in it – I tried using quotes but this did not work, so how do we escape the special characters for the password?

    • Jon
      February 27, 2016 at 9:29 pm

      Try ‘single quoting’ the password.

  9. Jon
    February 27, 2016 at 9:27 pm

    Since quoting around the password with special characters should resolve the problem.
    Have you seen any performance updating issues using SMB? Are you running any delay servers? We have seen some inconsistent updating behaviors and wonder if it is related to moving to a primary http update source. Thanks…great work as always.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: