Yet Another Sophos Enterprise Anti-Virus 9.2.x Post

Sophos Anti-Virus

Sophos’s Enterprise Anti-Virus 9.2.x has been blogged about a few times & in the Mac Admin space most prominently by Gilbert Palau & Rich Trouton, but here comes another tale & post on the same subject.

Our saga with Sophos Enterprise Anti-Virus 9.2.x started on Feb 27th, which incidentally was the day after they change their installed to an app bundle which Rich had blogged about & at the time Sophos did not have any deployment articles on.

So what did they change & why the pitchforks & stink eye from the Mac Admin community?

Installer App

The Sophos Enterprise Anti-Virus installer is generated on the server running your Sophos Enterprise Console.

Pre-9.2.x this would generate an .mpkg, come 9.2.x & this had changed to an “Installer App”


The below is why, & comes from the article here.

With the release by Apple Inc. of Mac OS X v10.9.5 (Mavericks) on 17th September 2014, and with the upcoming release of Mac OS X v10.10 (Yosemite), third-party software and apps that have not been digitally signed for those operating systems using Apple's v2 signing may be blocked from either installing or running.

So, the install moved from a simple deployable .mpkg to an app due to Apple’s v2 code-signing changes.


Why is this so wrong?

Well the clue is in the products title: Sophos Enterprise Anti-Virus. Signing an installer app is great for when doing GUI installs.. however for doing mass (READ: Enterprise) deployments GUI installs are neither feasible nor wanted.

Apple have a technical note here, from which the below is an excerpt:

Note: Installer packages are checked by Gatekeeper, but package signing is different from code signing and is not affected by these code signing changes. You do not need to re-sign your flat installer packages for them to remain compatible with Gatekeeper.

Most Mac Enterprise environments will deploy software using something like Casper or Munki, both would happily install a .pkg as root & would fall under the above criteria. All Sophos needed to do was to move from an .mpkg to a flat .pkg & we’d be golden. No posts or pitchforks needed.

Deal With It

So, that’s the why we’re in the mess.. now how do we get on things & deploy?

As mentioned earlier, the Installer is generated on you Sophos Enterprise Console. Once generated it will be in a location like the below, the folder for OSX clients is called “ESCOSX”:

Sophos Update folder

The folder itself contains several items:

Screen Shot 2015-06-05 at 15.52.39

At this point, you may want to just grab the “Sophos” & try that.. But if you moved the Installer out of that directory the install will fail:

Sophos manual failed


Therefore, to deploy all the components we need to install we need to deploy the whole “ESCOSX” folder.


A great misconception of Composer is that it can only be used to create packages via snapshotting.

This probably has come about from the fact then when you launch Composer, the snapshotting pane opens. How to get past it? Press cancel.

Composer Launch
Composer Copy

Once cancelled, items can be dragged to the SOURCES section of the left hand pane.


We can then deploy the folder & begin the install… Except.. for some reason the Install cannot happen if the folder is within /private/tmp/, so put it somewhere else:



Thankfully, it is possible to install Sophos Enterprise Anti-Virus via terminal. So once we have packaged up the bits we need & deployed onto our Macs we can silently install.

The below will install Sophos from: /Library/Application Support/JAMF/ESCOSX/Sophos & delete the installer app afterwards.

I deploy the DMG of the ESCOSX folder & run the above as a script afterwards via a policy in the JSS.

You could of course create you own .pkg & run something like the above as a post install script.

Why, oh why oh why?

Occasionally vendors do not get packaging for OSX, it’s up to us as admins to educate them either via support tickets or (if possible) by voting with our wallets.

The big shame with Sophos is that they have regressed, they used to be much friendlier to us admins. Their product, (to me), seems to be one of the lighter footprint Anti-Virus clients out there.

So the voices of displeasure seem to be mostly voiced in frustration.

7 thoughts on “Yet Another Sophos Enterprise Anti-Virus 9.2.x Post

  1. Quoting the immortal words of Graham Gilbert, you shouldn’t need to re-package. ever.
    but really good article, and thanks for the mention!

  2. bofh

    Since all my managed Macs are within the AD -> kerberos works.
    Which means i’m installing directly from our Enterprise Console Server
    mount_smbfs //EnterPriseConsole/SophosUpdate /mnt/
    /mnt/CIDs/S022/ESCOSX/Sophos\ –install

    Some Installations have other Shares / CIDs aswell – it seemed to be the most painless method here.

      • bofh

        Then you can use this:
        mount_smbfs //${SophosProxyUser}:${SophosProxyPass}@EnterPriseConsole/SophosUpdate /mnt/

        • Yep. Or this method.

          As the other issue becomes downloading & installing Sophos from a Mac in HK across the MPLS with Sophos sitting in London.

          Plus, we’ll have this in the JSS anyways to install on clients via a policy.

          In fact, I’m not even certain standard users can access our share. So that might have been fun with Kerberos.

          But thanks for sharing your method. Options are good.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.