Sophos provides a solid suite of endpoint security tools for Mac devices. This article covers creating a Custom Software item in Addigy to install your Sophos software, then the MDM payloads (PPPC, System Extension or Kernel Extension, and Web Content Filter) that Sophos needs before it is fully functional. Additional resources that may prove helpful are our guide on Creating Custom Software and Sophos' own documentation: Sophos Anti-Virus for Mac: How to install or uninstall using the terminal.
TABLE OF CONTENTS
- Prerequisites
- Download Sophos Installers
- Installation Script
- Condition Script
- PPPC for Full Disk Access
- System Extensions (Big Sur+)
- Kernel Extensions (KEXT)
- Web Content Filter
Prerequisites
With macOS 10.13 High Sierra, Apple introduced User Approved Kernel Extension Loading, which blocks third-party kernel extensions (kexts) such as those installed by Sophos until they are approved. Here is Sophos' article about this: System Extension Blocked appears on new installations on macOS High Sierra 10.13.
On macOS 10.13 through 10.13.3, the kexts Sophos installs must be approved by the end user in System Preferences, or the device must be enrolled in MDM, which exempts it from user approval (see Addigy Mobile Device Management (MDM) Integration for more).
On macOS 10.13.4 and newer, MDM enrollment alone no longer approves kexts. They require the Kernel Extension Policy (kext whitelisting) profile payload, carrying Sophos' Team ID and kext bundle IDs, pushed out via MDM. Check out our article Kernel Extension (Kext) Whitelisting with Addigy MDM. On Big Sur and later, Sophos ships system extensions instead of kexts; those are covered under System Extensions below.
Download Sophos Installers
First, head over to Sophos.com, log in, and download the Mac installer for the specific account you will be managing. This should be a .zip file which, when extracted, contains Sophos Installer.app.
Upload this .zip file into your Custom Software.
Note: do not try to upload the extracted directory, as Addigy only accepts single-file uploads.
Installation Script
The next step is to create an installation script for the Custom Software. It unzips the archive, restores the execute bits that the zip may not have preserved, and calls the Sophos installer. It should look similar to this:
#!/bin/bash
set -e
# Copy the exact name of the file you uploaded
archive="SophosInstall.zip"
installer="Sophos Installer.app/Contents/MacOS/Sophos Installer"
# Unpack into the working directory Addigy runs the script from; -o overwrites any stale copy
/usr/bin/unzip -o "./$archive"
# Zip archives do not always preserve execute bits, so set them explicitly
chmod a+x "$installer"
chmod a+x "Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
"$installer" --install
Replace the archive name with the exact name of the file you uploaded; the other paths are relative to the directory the archive is unpacked into, which is where Addigy runs the script. With set -e, a failed unzip or installer stops the script with a non-zero exit, which Addigy reports as a failed installation.
Condition Script
Condition scripts are not strictly necessary to install Sophos, but they keep the installer from re-running on devices that already have it and let a failed installation be retried on the next run. Here is a sample condition script for Sophos that checks whether the application exists in the device's Applications folder:
#!/bin/bash
# Exit 1 (skip) when the app is already present; exit 0 (install) otherwise
if [ -e "/Applications/Sophos Endpoint.app" ]; then
echo "Sophos already installed. Skipping."
exit 1
fi
exit 0
This condition script assumes that Install on Success is toggled on, so an exit of 0 triggers the install and an exit of 1 skips it. Your Sophos licensing may install differently named applications, so be cautious about copy-pasting this script and expecting it to be universally viable; confirm the bundle path on a device that has your build installed.
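Pulling the installation and condition scripts together with a code-signature check, as an added example (not Addigy's or Sophos' own script): the installer is only launched if Sophos Installer.app verifies and is signed by Sophos' Team ID 2H5GFH3774 (the Team ID used in the MDM payloads below), and the condition script treats a bundle at the expected path that does not verify as "not installed" so the installer re-runs. The archive name, the /Applications/Sophos Endpoint.app path and the Team ID are the article's; the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example that combines the installation and condition scripts above
# with a code-signature check. It is not Addigy's or Sophos' own script.
# Assumptions: the archive name and "/Applications/Sophos Endpoint.app" from
# the article, and the Sophos Team ID (2H5GFH3774) listed in the MDM payloads
# later in this article.
SOPHOS_TEAM_ID="2H5GFH3774"

# Print the Team ID a bundle's signature carries (empty if unsigned).
bundle_team_id() {
  /usr/bin/codesign -dv --verbose=4 "$1" 2>&1 | sed -n 's/^TeamIdentifier=//p'
}

# 0 only if the bundle exists, its signature verifies, and it is signed by Sophos.
bundle_is_sophos() {
  local bundle="$1"
  [ -d "$bundle" ] || return 1
  [ -x /usr/bin/codesign ] || return 1        # no codesign: cannot establish trust
  /usr/bin/codesign --verify --deep --strict "$bundle" >/dev/null 2>&1 || return 1
  [ "$(bundle_team_id "$bundle")" = "$SOPHOS_TEAM_ID" ]
}

# Print the first candidate path that exists; return 1 if none does.
first_present_bundle() {
  local candidate
  for candidate in "$@"; do
    if [ -d "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Installation script body: refuse to launch an installer that is not Sophos-signed.
install_sophos() {
  local archive="${1:-SophosInstall.zip}"
  local app="Sophos Installer.app"
  /usr/bin/unzip -oq "./$archive" || return 1
  if ! bundle_is_sophos "$app"; then
    echo "Refusing to run: $app is missing, unsigned, or not signed by Team ID $SOPHOS_TEAM_ID" >&2
    return 1
  fi
  chmod a+x "$app/Contents/MacOS/Sophos Installer" \
            "$app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
  "$app/Contents/MacOS/Sophos Installer" --install
}

# Condition script body (Install on Success toggled on): return 1 (skip) only
# when a genuine Sophos bundle is present; a missing or tampered bundle
# returns 0 so the installer runs again.
sophos_condition() {
  local app
  app="$(first_present_bundle "$@")" || return 0
  if bundle_is_sophos "$app"; then
    echo "Sophos already installed at $app. Skipping."
    return 1
  fi
  echo "$app is present but is not a valid Sophos-signed bundle; reinstalling." >&2
  return 0
}
```

As the condition script, end the file with `sophos_condition "/Applications/Sophos Endpoint.app"; exit $?`, adding any other bundle paths your licensing installs; as the installation script, end it with `install_sophos "SophosInstall.zip"`. The Team ID comparison matters because a path check alone is satisfied by any directory named Sophos Endpoint.app, signed or not.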
For Sophos to achieve full functionality, you will need to create three MDM Configurations that whitelist it: a System Extension payload (a Kernel Extension payload on Catalina and earlier), a PPPC payload, and a Web Content Filter payload.
Note: the PPPC and System Extension payloads can be generated automatically in Addigy; the values below are what they must contain.
PPPC for Full Disk Access
Here is everything you need to create a PPPC payload for Full Disk Access.
Note that the fields required for Full Disk Access are Access To Protected Files and Access To System Admin Files. Every entry uses the same designated requirement, differing only in the bundle identifier: it is anchored to Apple's Developer ID chain (certificate 1 carries the Developer ID CA marker 1.2.840.113635.100.6.2.6, the leaf carries the Developer ID Application marker 1.2.840.113635.100.6.1.13) and pinned to Sophos' Team ID 2H5GFH3774 in the leaf certificate's OU, so a binary with the right bundle ID but a different signer does not match.
Identifier | Code Requirement | Valid Since | Product
com.sophos.endpoint.scanextension | identifier "com.sophos.endpoint.scanextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.2 | All
com.sophos.liveresponse | identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.1 | Central only
com.sophos.SophosMDR | identifier "com.sophos.SophosMDR" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.1 | Central with MDR only
com.sophos.autoupdate | identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | OPM only
com.sophos.macendpoint.CleanD | identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All
com.sophos.SophosScanAgent | identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All
com.sophos.macendpoint.SophosServiceManager | identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All
com.sophos.endpoint.uiserver | identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | Central only
com.sophos.SDU4OSX | identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All
com.sophos.endpoint.SophosAgent | identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All
com.sophos.SophosAntivirus | identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All
com.Sophos.macendpoint.SophosSXLD | identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All
System Extensions (Big Sur+)
For the System Extension payload you will need the below:
Team ID:
2H5GFH3774
Bundle ID:
- com.sophos.endpoint.networkextension
- com.sophos.endpoint.scanextension
Kernel Extensions (KEXT)
For the KEXT payload (Catalina and earlier) you will need the below information:
Team ID:
2H5GFH3774
Bundle ID:
- com.sophos.nke.swi
- com.sophos.kext.sfm
- com.sophos.kext.oas
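The three allow-list payloads described in the PPPC, System Extensions and Kernel Extensions sections share one profile format, so here is an added example (not a profile generated by Addigy or published by Sophos) that assembles them into a single .mobileconfig: the identifiers, the code-requirement pattern and the Team ID 2H5GFH3774 are the article's, the payload keys are Apple's standard ones (com.apple.TCC.configuration-profile-policy, com.apple.system-extension-policy, com.apple.syspolicy.kernel-extension-policy), and ORG and ID_PREFIX are placeholders to replace. Mapping "Access To Protected Files" and "Access To System Admin Files" to the SystemPolicyAllFiles and SystemPolicySysAdminFiles TCC services is this example's reading of the article, so confirm it against the payload Addigy generates.

```shell
#!/bin/bash
# Added example, not a profile generated by Addigy or published by Sophos.
# Builds one .mobileconfig carrying the PPPC Full Disk Access, System Extension
# policy and Kernel Extension policy payloads this article describes. Bundle IDs,
# the code-requirement pattern and the Team ID come from the article; ORG and
# ID_PREFIX are assumptions to replace.
TEAM_ID="2H5GFH3774"
ORG="Example Org"                  # assumption: your organization name
ID_PREFIX="com.example.sophos"     # assumption: your reverse-DNS prefix

new_uuid() { uuidgen 2>/dev/null || printf '00000000-0000-4000-8000-%012d\n' "$RANDOM"; }

# Emit one <string> per argument, for plist arrays.
plist_strings() { local s; for s in "$@"; do printf '          <string>%s</string>\n' "$s"; done; }

# Sophos' designated requirement, parameterised on bundle ID (pattern from the table above).
sophos_requirement() {
  printf 'identifier "%s" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "%s"' "$1" "$TEAM_ID"
}

# One PPPC entry allowing a bundle ID, pinned to its code requirement.
pppc_entry() {
  cat <<EOF
          <dict>
            <key>Identifier</key><string>$1</string>
            <key>IdentifierType</key><string>bundleID</string>
            <key>CodeRequirement</key><string>$(sophos_requirement "$1")</string>
            <key>Allowed</key><true/>
          </dict>
EOF
}

# PPPC payload: each bundle ID is granted both TCC services Full Disk Access needs.
pppc_payload() {
  local svc id
  cat <<EOF
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadIdentifier</key><string>$ID_PREFIX.pppc</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Services</key>
      <dict>
EOF
  for svc in SystemPolicyAllFiles SystemPolicySysAdminFiles; do
    printf '        <key>%s</key>\n        <array>\n' "$svc"
    for id in "$@"; do pppc_entry "$id"; done
    printf '        </array>\n'
  done
  printf '      </dict>\n    </dict>\n'
}

# System Extension and Kernel Extension policies share one shape: an allow-list keyed by Team ID.
policy_payload() {   # $1 PayloadType, $2 allow-list key, $3 identifier suffix, rest: bundle IDs
  local ptype="$1" key="$2" suffix="$3"; shift 3
  cat <<EOF
    <dict>
      <key>PayloadType</key><string>$ptype</string>
      <key>PayloadIdentifier</key><string>$ID_PREFIX.$suffix</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>AllowUserOverrides</key><true/>
      <key>$key</key>
      <dict>
        <key>$TEAM_ID</key>
        <array>
$(plist_strings "$@")
        </array>
      </dict>
    </dict>
EOF
}

# Whole profile; arguments are the bundle IDs that get Full Disk Access.
build_profile() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>$ID_PREFIX.profile</string>
  <key>PayloadUUID</key><string>$(new_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Sophos allow-lists</string>
  <key>PayloadOrganization</key><string>$ORG</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key>
  <array>
$(pppc_payload "$@")
$(policy_payload com.apple.system-extension-policy AllowedSystemExtensions sysext com.sophos.endpoint.networkextension com.sophos.endpoint.scanextension)
$(policy_payload com.apple.syspolicy.kernel-extension-policy AllowedKernelExtensions kext com.sophos.nke.swi com.sophos.kext.sfm com.sophos.kext.oas)
  </array>
</dict>
</plist>
EOF
}

# Identifiers the table marks "Product: All"; add the Central, MDR or OPM ones your licence uses.
PPPC_ALL=(com.sophos.endpoint.scanextension com.sophos.macendpoint.CleanD com.sophos.SophosScanAgent
          com.sophos.macendpoint.SophosServiceManager com.sophos.SDU4OSX com.sophos.endpoint.SophosAgent
          com.sophos.SophosAntivirus com.Sophos.macendpoint.SophosSXLD)
# Usage: build_profile "${PPPC_ALL[@]}" > sophos-allowlists.mobileconfig
```

Pinning each PPPC entry to its CodeRequirement rather than to the bare bundle ID is the point of the table above: TCC only honours the grant for a binary that satisfies the requirement, so an unsigned or re-signed binary reusing a Sophos bundle ID gets nothing. Run `plutil -lint` on the output on a Mac before pushing it.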
Web Content Filter
As of Sophos 10.0.2, a Web Content Filter MDM payload is also required for Sophos to filter web traffic. This payload is configured from within Addigy's MDM Configurations.
The articles referenced above (Creating Custom Software, Kernel Extension (Kext) Whitelisting with Addigy MDM, and Addigy Mobile Device Management (MDM) Integration) cover the remaining details.