Sophos provides a solid suite of endpoint security tools for Mac devices. This article will briefly cover creating a Custom Software item in Addigy to install your Sophos software. Some additional resources that may prove helpful are our guide on Creating Custom Software and Sophos' own documentation: Sophos Anti-Virus for Mac: How to install or uninstall using the terminal.


Prerequisites

With the advent of macOS 10.13.3 High Sierra, Apple released additional security for installing kernel extensions (kexts) like those installed by Sophos. Here is Sophos' article about this: System Extension Blocked appears on new installations on macOS High Sierra 10.13.


In macOS 10.13.3, kexts that are installed by Sophos will need to be approved by the end user or by configuring the MDM Profile for your devices (see: Addigy Mobile Device Management (MDM) Integration for more).


In macOS 10.13.4 and newer, kexts cannot be approved with just an MDM Profile. They require the Kernel Extension (kext) Whitelisting profile payload pushed out via MDM. Check out our article Kernel Extension (Kext) Whitelisting with Addigy MDM.


Download Sophos Installers

First, head over to Sophos.com, login, and download the Mac installer for the specific account you will be managing. This should be a .zip file that resembles the following image when extracted:



Upload this .zip file into your Custom Software.


Note: do not try to upload the extracted directory, as Addigy only accepts single-file uploads.


Installation Script

The next step is to create an Installation script for the Custom Software. This will unzip the archive and call the Sophos installer. It should look similar to this:


# Copy this install path from the Custom Software window
install_path="/Library/Addigy/ansible/packages/Sophos - MyOrg (1.0.0)"

# Copy the exact name of the file you uploaded
archive="Sophos Installer - MyOrg.zip"

# Copy this as the name of the folder that gets created when unzipping the .zip
#    It probably won't need to be changed if you didn't change it from what you
#    downloaded from Sophos.
dir="SophosInstall"

/usr/bin/unzip -o "./$archive"
chmod +x "$install_path/$dir/Sophos Installer.app/Contents/MacOS/Sophos Installer" 
chmod +x "$install_path/$dir/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper" 
"$install_path/$dir/Sophos Installer.app/Contents/MacOS/Sophos Installer" --install


The strings in the variables will need to be replaced with values that match your files and organization. Notably, the install_path string should be the working directory of the Custom Software.


Condition Script

While Condition scripts are not strictly necessary to successfully install Sophos, they can be an effective tool for automatically remediating failed installation attempts. Here is a sample condition script for Sophos that checks to see if the application exists in the device's Applications folder:


if [ -e "/Applications/Sophos Endpoint.app" ]; then
    echo "Sophos already installed. Skipping."
    exit 1
fi


This Condition script assumes that Install on Success is toggled on. Of course, your Sophos licensing may install different applications. So, please be cautious to copy-pasting this script and expecting it to be universally viable.