Table of Contents
- Download Sophos Installers
- Installation Script
- Condition Script
- MDM Profiles for Automated Deployment
Download Sophos Installers
First, go to Sophos.com, log in, and download the Mac installer for the account you'll be managing. The downloaded file will be a .zip, which when extracted, should look like this:
Create a new Smart Software item and upload the .zip file (not the extracted directory) as an Installation File.
Installation Script
Use the following script as the Installation Script for the Smart Software item:
# Copy the exact name of the file you uploaded
archive="SophosInstall.zip"
/usr/bin/unzip -o "./$archive"
chmod a+x "Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod a+x "Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
"Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
Note: Ensure the archive variable's value matches the exact name of the .zip Installation File for your item.
Condition Script (Optional)
Condition scripts aren't required for Sophos installation but can help auto-remediate failed installation attempts. Here's a sample script to check if the application exists in the Applications folder:
if [ -e "/Applications/Sophos Endpoint.app" ]; then
echo "Sophos already installed. Skipping."
exit 1
fi
This Condition script assumes "Install on Success" is enabled. Your Sophos licensing may install different apps, so use caution when copying this script.
MDM Profiles for Automated Deployment
Sophos requires 4 MDM Profiles for full functionality: PPPC for Full Disk Access, System Extensions, Kernel Extensions, & Web Content Filter.
Note: MDM Profiles must be installed prior to the Smart Software item for permissions to be properly whitelisted. This will occur automatically when the items are added to a policy (due to their default Installation Priority). Ensure MDM Profiles are deployed first when installing on individual devices via GoLive.
PPPC for Full Disk Access
For more information about creating a PPPC Profile, refer to: Addigy PPPC Payload Guide
Note: The fields required for Full Disk Access are Access to Protected Files and Access to System Admin Files.
Bundle ID: com.sophos.updater
Code Requirement: identifier "com.sophos.updater" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.9.5
Product: All
Bundle ID: com.sophos.endpoint.scanextension
Code Requirement: identifier "com.sophos.endpoint.scanextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.2
Product: All
Bundle ID: com.sophos.liveresponse
Code Requirement: identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.1
Product: Central only
Bundle ID: com.sophos.SophosMDR
Code Requirement: identifier "com.sophos.SophosMDR" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.1
Product: Central with MDR only
Bundle ID: com.sophos.autoupdate
Code Requirement: identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: OPM only
Bundle ID: com.sophos.macendpoint.CleanD
Code Requirement: identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: All
Bundle ID: com.sophos.SophosScanAgent
Code Requirement: identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: All
Bundle ID: com.sophos.macendpoint.SophosServiceManager
Code Requirement: identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: All
Bundle ID: com.sophos.endpoint.uiserver
Code Requirement: identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: Central only
Bundle ID: com.sophos.SDU4OSX
Code Requirement: identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: All
Bundle ID: com.sophos.endpoint.SophosAgent
Code Requirement: identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: All
Bundle ID: com.sophos.SophosAntivirus
Code Requirement: identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: All
Bundle ID: com.Sophos.macendpoint.SophosSXLD
Code Requirement: identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
Valid Since: v10.0.0
Product: All
System Extensions
For more information about creating a System Extensions Profile, refer to: Allow System Extensions with Addigy MDM
Team ID:
2H5GFH3774
Bundle ID:
com.sophos.endpoint.networkextension
com.sophos.endpoint.scanextension
Kernel Extensions (KEXT)
For more information about creating a Kernel Extensions Profile, refer to: How To: Whitelist Kernel Extensions (Kexts) with Addigy MDM
Team ID:
2H5GFH3774
Bundle ID:
com.sophos.nke.swi
com.sophos.kext.sfm
com.sophos.kext.oas
Web Content Filter
Navigate to Catalog > MDM Profiles and create a new Web Content Filter MDM Profile:
Configure the following settings within the profile:
Filter type: Plugin (Third Party App)
User Defined Name: SophosWebNetworkExtension
Plugin Bundle ID: com.sophos.endpoint.network
Bundle Identifier: com.sophos.endpoint.networkextension
Designated Requirement: identifier "com.sophos.endpoint.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"