Sophos provides a solid suite of endpoint security tools for Mac devices. This article will briefly cover creating a Custom Software item in Addigy to install your Sophos software. Some additional resources that may prove helpful are our guide on Creating Custom Software and Sophos' own documentation: Sophos Anti-Virus for Mac: How to install or uninstall using the terminal.
With the advent of macOS 10.13.3 High Sierra, Apple released additional security for installing kernel extensions (kexts) like those installed by Sophos. Here is Sophos' article about this: System Extension Blocked appears on new installations on macOS High Sierra 10.13.
In macOS 10.13.3, kexts that are installed by Sophos will need to be approved by the end user or by configuring the MDM Profile for your devices (see: Addigy Mobile Device Management (MDM) Integration for more).
In macOS 10.13.4 and newer, kexts cannot be approved with just an MDM Profile. They require the Kernel Extension (kext) Whitelisting profile payload pushed out via MDM. Check out our article Kernel Extension (Kext) Whitelisting with Addigy MDM.
Download Sophos Installers
First, head over to Sophos.com, log in, and download the Mac installer for the specific account you will be managing. This should be a .zip file that resembles the following image when extracted:
Upload this .zip file into your Custom Software.
Note: do not try to upload the extracted directory, as Addigy only accepts single-file uploads.
The next step is to create an Installation script for the Custom Software. This will unzip the archive and call the Sophos installer. It should look similar to this:
# Copy the exact name of the file you uploaded
archive="SophosInstall.zip"
/usr/bin/unzip -o "./$archive"
chmod +x "Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod +x "Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
"Sophos Installer.app/Contents/MacOS/Sophos Installer" --install
The strings in the variables will need to be replaced with values that match your files and organization. Notably, the install_path string should be the working directory of the Custom Software.
While Condition scripts are not strictly necessary to successfully install Sophos, they can be an effective tool for automatically remediating failed installation attempts. Here is a sample condition script for Sophos that checks to see if the application exists in the device's Applications folder:
if [ -e "/Applications/Sophos Endpoint.app" ]; then
    echo "Sophos already installed. Skipping."
    exit 1
fi
This Condition script assumes that Install on Success is toggled on. Of course, your Sophos licensing may install different applications, so be cautious about copy-pasting this script and expecting it to be universally viable.
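As an added example (not Addigy's or Sophos' own code), here is the same Installation and Condition logic with the checks a practitioner would want: the install fails visibly if the archive or the installer binary is missing instead of invoking a path that does not exist. The function names and the optional directory argument are assumptions made so the pieces can be exercised outside of Addigy.

```shell
#!/bin/sh
# Added example, not from the Addigy article or Sophos. Paths match the
# article's install script; APP is the application the article's Condition
# script checks for. Adjust them to your own Sophos download.

ARCHIVE="SophosInstall.zip"   # exact name of the uploaded file
INSTALLER="Sophos Installer.app/Contents/MacOS/Sophos Installer"
HELPER="Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
APP="Sophos Endpoint.app"

# sophos_installed [DIR]: 0 when "$APP" exists under DIR (default /Applications).
sophos_installed() {
    [ -e "${1:-/Applications}/$APP" ]
}

# condition_script: Addigy Condition semantics from the article, non-zero
# exit means "already installed, skip".
condition_script() {
    if sophos_installed; then
        echo "Sophos already installed. Skipping."
        return 1
    fi
    return 0
}

# stage_installer [DIR]: unzip the archive in DIR and mark the installer
# executable. Fails (returns 1) when the archive is absent or the expected
# binary is not there after extraction, so a bad upload is caught early.
stage_installer() {
    dir="${1:-.}"
    [ -f "$dir/$ARCHIVE" ] || { echo "missing $ARCHIVE in $dir" >&2; return 1; }
    /usr/bin/unzip -oq "$dir/$ARCHIVE" -d "$dir" || return 1
    [ -f "$dir/$INSTALLER" ] || { echo "installer not found after unzip" >&2; return 1; }
    chmod +x "$dir/$INSTALLER" "$dir/$HELPER"
}

# install_sophos [DIR]: the body of the Installation script.
install_sophos() {
    dir="${1:-.}"
    stage_installer "$dir" || return 1
    "$dir/$INSTALLER" --install
}

# Only run the install when explicitly asked, so the file can be sourced
# or tested without touching the machine (SOPHOS_RUN is an assumed name).
if [ "${SOPHOS_RUN:-0}" = "1" ]; then
    condition_script && install_sophos "$(pwd)"
fi
```

Running the file with SOPHOS_RUN=1 from the Custom Software working directory reproduces the article's two scripts in one pass.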
In order to have Sophos achieve full functionality, you will need to create two MDM profiles to whitelist it: a Kext payload and a PPPC payload.