Sophos’s Enterprise Anti-Virus 9.2.x has been blogged about a few times & in the Mac Admin space most prominently by Gilbert Palau & Rich Trouton, but here comes another tale & post on the same subject.
Our saga with Sophos Enterprise Anti-Virus 9.2.x started on Feb 27th, which incidentally was the day after they change their installed to an app bundle which Rich had blogged about & at the time Sophos did not have any deployment articles on.
So what did they change & why the pitchforks & stink eye from the Mac Admin community?
The Sophos Enterprise Anti-Virus installer is generated on the server running your Sophos Enterprise Console.
Pre-9.2.x this would generate an .mpkg, come 9.2.x & this had changed to an “Installer App”
The below is why, & comes from the article here.
With the release by Apple Inc. of Mac OS X v10.9.5 (Mavericks) on 17th September 2014, and with the upcoming release of Mac OS X v10.10 (Yosemite), third-party software and apps that have not been digitally signed for those operating systems using Apple's v2 signing may be blocked from either installing or running.
So, the install moved from a simple deployable .mpkg to an app due to Apple’s v2 code-signing changes.
Why is this so wrong?
Well the clue is in the products title: Sophos Enterprise Anti-Virus. Signing an installer app is great for when doing GUI installs.. however for doing mass (READ: Enterprise) deployments GUI installs are neither feasible nor wanted.
Apple have a technical note here, from which the below is an excerpt:
Note: Installer packages are checked by Gatekeeper, but package signing is different from code signing and is not affected by these code signing changes. You do not need to re-sign your flat installer packages for them to remain compatible with Gatekeeper.
Most Mac Enterprise environments will deploy software using something like Casper or Munki, both would happily install a .pkg as root & would fall under the above criteria. All Sophos needed to do was to move from an .mpkg to a flat .pkg & we’d be golden. No posts or pitchforks needed.
Deal With It
So, that’s the why we’re in the mess.. now how do we get on things & deploy?
As mentioned earlier, the Installer is generated on you Sophos Enterprise Console. Once generated it will be in a location like the below, the folder for OSX clients is called “ESCOSX”:
The folder itself contains several items:
At this point, you may want to just grab the “Sophos Installer.app” & try that.. But if you moved the Installer out of that directory the install will fail:
Therefore, to deploy all the components we need to install we need to deploy the whole “ESCOSX” folder.
A great misconception of Composer is that it can only be used to create packages via snapshotting.
This probably has come about from the fact then when you launch Composer, the snapshotting pane opens. How to get past it? Press cancel.
We can then deploy the folder & begin the install… Except.. for some reason the Install cannot happen if the folder is within /private/tmp/, so put it somewhere else:
Thankfully, it is possible to install Sophos Enterprise Anti-Virus via terminal. So once we have packaged up the bits we need & deployed onto our Macs we can silently install.
The below will install Sophos from: /Library/Application Support/JAMF/ESCOSX/Sophos Installer.app & delete the installer app afterwards.
I deploy the DMG of the ESCOSX folder & run the above as a script afterwards via a policy in the JSS.
You could of course create you own .pkg & run something like the above as a post install script.
Why, oh why oh why?
Occasionally vendors do not get packaging for OSX, it’s up to us as admins to educate them either via support tickets or (if possible) by voting with our wallets.
The big shame with Sophos is that they have regressed, they used to be much friendlier to us admins. Their product, (to me), seems to be one of the lighter footprint Anti-Virus clients out there.
So the voices of displeasure seem to be mostly voiced in frustration.