Addigy supports silent, automated deployment of Sophos Endpoint to managed Mac devices using Smart Software. This guide covers downloading the Sophos installer, configuring the installation script, and setting up the required Device Settings (MDM Profiles) for a fully automated deployment.
Prerequisites
Before you begin, make sure you have the following:
- A Sophos account with access to download the Mac installer
- Familiarity with Smart Software — see Creating Smart Software if you haven't set one up before
How to Deploy Sophos
Sophos is deployed using a Smart Software item with a downloaded installer zip and a custom installation script.
- Go to Sophos.com, log in, and download the Mac installer for the account you'll be managing. The downloaded file will be a .zip.
- In Addigy, navigate to Catalog > Software and create a new Smart Software item.
- Upload the .zip file as an Installation File.
- In the Installation Script field, enter the following script, updating the archive variable to match the exact name of your uploaded .zip file:

# Update this value to match the exact name of your uploaded .zip file
archive="SophosInstall.zip"
/usr/bin/unzip -o "./$archive"
chmod a+x "Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod a+x "Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
"Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
Note: The archive variable must exactly match the filename of the .zip you uploaded, including capitalization.
How to Add a Condition Script (Optional)
A Condition script isn't required for Sophos installation, but adding one allows Addigy to auto-remediate devices where Sophos is missing or was removed. Add the following as the Custom Conditional Command in your Smart Software item:
if [ -e "/Applications/Sophos/Sophos Endpoint.app" ]; then
    echo "Sophos already installed. Skipping."
    exit 1
fi

Note: This script requires Install if return value is 0 to be enabled in your Smart Software item settings (this setting is enabled by default). Sophos licensing may install different apps depending on your subscription; verify the expected application path before using this script.
How to Add the Required Device Settings (MDM Profiles)
A fully automated Sophos deployment requires four Device Settings to grant the necessary system permissions. Create each profile in Catalog > Device Settings before deploying the Smart Software item.
Important: Device Settings must be installed on a device before the Smart Software item runs. When added to a policy, this happens automatically based on default Installation Priority. If installing on an individual device via GoLive, deploy the Device Settings first.
1. PPPC Profile (Full Disk Access)
This profile grants Sophos processes access to protected and system admin files. For instructions on creating a PPPC profile, see How to Create a PPPC Payload for Full Disk Access.
Add each of the following entries to the profile. For each entry, enable both Access to Protected Files and Access to System Admin Files.
- Bundle ID: com.sophos.updater
  Code Requirement: identifier "com.sophos.updater" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All
- Bundle ID: com.sophos.endpoint.scanextension
  Code Requirement: identifier "com.sophos.endpoint.scanextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All
- Bundle ID: com.sophos.liveresponse
  Code Requirement: identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: Central only
- Bundle ID: com.sophos.SophosMDR
  Code Requirement: identifier "com.sophos.SophosMDR" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: Central with MDR only
- Bundle ID: com.sophos.autoupdate
  Code Requirement: identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: OPM only
- Bundle ID: com.sophos.macendpoint.CleanD
  Code Requirement: identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All
- Bundle ID: com.sophos.SophosScanAgent
  Code Requirement: identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All
- Bundle ID: com.sophos.macendpoint.SophosServiceManager
  Code Requirement: identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All
- Bundle ID: com.sophos.endpoint.uiserver
  Code Requirement: identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: Central only
- Bundle ID: com.sophos.SDU4OSX
  Code Requirement: identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All
- Bundle ID: com.sophos.endpoint.SophosAgent
  Code Requirement: identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All
- Bundle ID: com.sophos.SophosAntivirus
  Code Requirement: identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All
- Bundle ID: com.Sophos.macendpoint.SophosSXLD
  Code Requirement: identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
  Product: All

Tip: Only add entries relevant to your Sophos product. For example, com.sophos.SophosMDR is only needed if you have a Central + MDR subscription.
2. System Extensions Profile
This profile allows Sophos network and scan extensions to load without prompting the user. For instructions on creating this profile type, see Allow System Extensions with Addigy MDM.
Configure the profile with:
- Allowed System Extensions: Enabled
- Team ID: 2H5GFH3774
- Bundle IDs:
  - com.sophos.endpoint.networkextension
  - com.sophos.endpoint.scanextension
3. Kernel Extensions (KEXT) Profile
This profile whitelists Sophos kernel extensions on devices that require them. For instructions on creating this profile type, see How To: Whitelist Kernel Extensions (Kexts) with Addigy MDM.
Configure the profile with:
- Allowed Kernel Extensions: Enabled
- Team ID: 2H5GFH3774
- Bundle IDs:
  - com.sophos.nke.swi
  - com.sophos.kext.sfm
  - com.sophos.kext.oas
4. Web Content Filter Profile
This profile enables Sophos's network filtering extension. Navigate to Catalog > Device Settings, create a new Web Content Filter profile, and configure it with the following settings:
- Filter Type: Plugin (Third Party App)
- User Defined Name: SophosWebNetworkExtension
- Plugin Bundle ID: com.sophos.endpoint.network
- Filter WebKit Traffic: Enabled
- Filter Socket Traffic: Enabled
  - Bundle Identifier: com.sophos.endpoint.networkextension
  - Designated Requirement: identifier "com.sophos.endpoint.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
- Filter Network Packets: Enabled
  - Bundle Identifier: com.sophos.endpoint.networkextension
  - Designated Requirement: identifier "com.sophos.endpoint.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Frequently Asked Questions
What's the correct order of operations when deploying to individual devices?
When using GoLive to deploy to a single device, install the four Device Settings first, then run the Smart Software item. In a policy, this ordering is handled automatically based on default Installation Priority.
Which PPPC entries do I actually need?
It depends on your Sophos subscription. Entries marked "All" are required regardless of product. Entries marked "Central only," "Central with MDR only," or "OPM only" should only be added if your subscription includes those capabilities.
The Condition script path doesn't match what's installed on my devices. What should I check?
The default Condition script checks for Sophos Endpoint at /Applications/Sophos/Sophos Endpoint.app. Some Sophos licensing configurations install a different app. Verify the actual installed application path on one of your managed devices before deploying the Condition script fleet-wide.
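The following pre-flight check is an added example, not a script from the Addigy guide or from Sophos. It ties together the Condition script path check above and the code requirements used in the PPPC and Web Content Filter profiles: it looks for the installed app at the guide's default path (plus an assumed alternative), then uses codesign --verify -R to confirm the installed binary actually satisfies the designated requirement the profiles will enforce, so a mismatched identifier or team ID is caught on one test Mac before the profiles go fleet-wide. The function names, the alternative app path, and reading the bundle ID from the app's own Info.plist are this example's assumptions.

```shell
#!/bin/sh
# Added pre-flight check for one test Mac (not part of the Addigy guide).
# Assumed: function names, the alternative app path, and SOPHOS_TEAM_ID default.
SOPHOS_TEAM_ID="2H5GFH3774"

# Build the designated requirement string the profiles use for a bundle ID.
sophos_requirement() {
    printf 'identifier "%s" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "%s"' "$1" "$SOPHOS_TEAM_ID"
}

# Locate the installed Sophos app. $1 is an optional root prefix so the search
# can be pointed at a test directory. First path is the guide's default; the
# second is an assumed alternative for licences that install a different app.
find_sophos_app() {
    root="${1:-}"
    for candidate in \
        "/Applications/Sophos/Sophos Endpoint.app" \
        "/Applications/Sophos Endpoint.app"; do
        if [ -e "$root$candidate" ]; then
            printf '%s\n' "$root$candidate"
            return 0
        fi
    done
    return 1
}

# Check that a binary satisfies the requirement the profile will enforce.
# Returns 0 on match, 1 on mismatch, 2 when codesign is unavailable (non-macOS).
verify_requirement() {
    command -v codesign >/dev/null 2>&1 || return 2
    codesign --verify -R="$(sophos_requirement "$2")" "$1" 2>/dev/null
}

main() {
    if app=$(find_sophos_app); then
        echo "Found: $app (Condition script would exit 1, install skipped)"
        bundle_id=$(defaults read "$app/Contents/Info.plist" CFBundleIdentifier 2>/dev/null || true)
        rc=0; verify_requirement "$app" "$bundle_id" || rc=$?
        case "$rc" in
            0) echo "Designated requirement matches for $bundle_id" ;;
            1) echo "WARNING: $app does not satisfy the profile requirement for $bundle_id" ;;
            2) echo "codesign not available; requirement check skipped" ;;
        esac
    else
        echo "No Sophos app found (Condition script would exit 0, install proceeds)"
    fi
}

main
```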