Sophos provides a solid suite of endpoint security tools for Mac devices. This article will briefly cover creating a Custom Software item in Addigy to install your Sophos software. Some additional resources that may prove helpful are our guide on Creating Custom Software and Sophos' own documentation: Sophos Anti-Virus for Mac: How to install or uninstall using the terminal.




Prerequisites


With the advent of macOS 10.13.3 High Sierra, Apple released additional security for installing kernel extensions (kexts) like those installed by Sophos. Here is Sophos' article about this: System Extension Blocked appears on new installations on macOS High Sierra 10.13.

In macOS 10.13.3, kexts that are installed by Sophos will need to be approved by the end user or by configuring the MDM Profile for your devices (see: Addigy Mobile Device Management (MDM) Integration for more).

In macOS 10.13.4 and newer, kexts cannot be approved with just an MDM Profile. They require the Kernel Extension (kext) Whitelisting profile payload pushed out via MDM. Check out our article Kernel Extension (Kext) Whitelisting with Addigy MDM.


Download Sophos Installers

First, head over to Sophos.com, log in, and download the Mac installer for the specific account you will be managing. This should be a .zip file that resembles the following image when extracted:



Upload this .zip file into your Custom Software.

Note: do not try to upload the extracted directory, as Addigy only accepts single-file uploads.


Installation Script

The next step is to create an installation script for the Custom Software. This will unzip the archive and call the Sophos installer. It should look similar to this:

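# Copy the exact name of the file you uploaded
archive="SophosInstall.zip"

# Extract the archive in place; stop if it is missing or corrupt
/usr/bin/unzip -o "./$archive" || exit 1
# Make sure the installer and its bootstrap helper are executable
chmod a+x "Sophos Installer.app/Contents/MacOS/Sophos Installer"
chmod a+x "Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
# Run the Sophos installer
"Sophos Installer.app/Contents/MacOS/Sophos Installer" --install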

The strings in the variables will need to be replaced with values that match your files and organization. Notably, the install_path string should be the working directory of the Custom Software.


Condition Script

While Condition scripts are not strictly necessary to successfully install Sophos, they can be an effective tool for automatically remediating failed installation attempts. Here is a sample condition script for Sophos that checks to see if the application exists in the device's Applications folder:

if [ -e "/Applications/Sophos Endpoint.app" ]; then
    echo "Sophos already installed. Skipping."
    exit 1
fi

This Condition script assumes that Install on Success is toggled on. Your Sophos licensing may install different applications, so be cautious about copy-pasting this script and expecting it to be universally viable.


PPPC for Full Disk Access 


For Sophos to achieve full functionality, you will need to create 2 MDM Configurations to whitelist it: a Kext payload (System Extension for Big Sur) and a PPPC payload.


Here is everything you'd need to create a PPPC payload for Full Disk Access: 


Please note that the fields required for Full Disk Access are Access To Protected Files AND Access To System Admin Files. 


| Identifier | Code Requirement | Valid Since | Product |
| --- | --- | --- | --- |
| com.sophos.endpoint.scanextension | identifier "com.sophos.endpoint.scanextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.2 | All |
| com.sophos.liveresponse | identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.1 | Central only |
| com.sophos.SophosMDR | identifier "com.sophos.SophosMDR" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.1 | Central with MDR only |
| com.sophos.autoupdate | identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | OPM only |
| com.sophos.macendpoint.CleanD | identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All |
| com.sophos.SophosScanAgent | identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All |
| com.sophos.macendpoint.SophosServiceManager | identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All |
| com.sophos.endpoint.uiserver | identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | Central only |
| com.sophos.SDU4OSX | identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All |
| com.sophos.endpoint.SophosAgent | identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All |
| com.sophos.SophosAntivirus | identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All |
| com.Sophos.macendpoint.SophosSXLD | identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" | v10.0.0 | All |
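
Before entering rows like these into a PPPC payload, it helps to check that each Identifier matches the identifier pinned inside its Code Requirement and that the requirement pins the Sophos Team ID. The following is an added example, not Addigy or Sophos code: it lints three rows copied from the table above and builds the corresponding payload dictionary. The mapping of Addigy's two field names to the `SystemPolicyAllFiles` and `SystemPolicySysAdminFiles` services, the `bundleID` identifier type, and the placeholder payload identifier and UUID are assumptions.

```python
import plistlib
import re

TEAM_ID = "2H5GFH3774"  # Sophos Team ID, as given on this page
# Assumption: these TCC services back Addigy's "Access To Protected Files"
# and "Access To System Admin Files" fields.
SERVICES = ("SystemPolicyAllFiles", "SystemPolicySysAdminFiles")
SUFFIX = (' and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6]'
          ' /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13]'
          ' /* exists */ and certificate leaf[subject.OU] = "%s"' % TEAM_ID)

# Three rows from the table, exactly as printed:
# (Identifier column, identifier quoted inside the Code Requirement column)
ROWS = [
    ("com.sophos.endpoint.scanextension", "com.sophos.endpoint.scanextension"),
    ("com.sophos.liveresponse", "com.sophos.liveresponse"),
    ("com.sophos.SophosAntivirus", "com.sophos.SophosAntiVirus"),
]

def lint(identifier, requirement):
    """Return problems that would make the grant miss its target or over-match."""
    problems = []
    m = re.match(r'identifier "([^"]+)"', requirement)
    if not m:
        problems.append("requirement does not pin an identifier")
    elif m.group(1) != identifier:
        problems.append("identifier mismatch: %s vs %s" % (identifier, m.group(1)))
    if 'certificate leaf[subject.OU] = "%s"' % TEAM_ID not in requirement:
        problems.append("requirement does not pin Team ID " + TEAM_ID)
    return problems

def build_payload(entries):
    """Build the PPPC payload dict; every entry is allowed under both services."""
    grants = [{"Identifier": i, "IdentifierType": "bundleID",  # assumed type
               "CodeRequirement": r, "Allowed": True} for i, r in entries]
    return {"PayloadType": "com.apple.TCC.configuration-profile-policy",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.pppc.sophos",  # placeholder
            "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
            "Services": {s: list(grants) for s in SERVICES}}

entries = [(i, 'identifier "%s"' % ri + SUFFIX) for i, ri in ROWS]
findings = {i: p for i, r in entries if (p := lint(i, r))}
payload_xml = plistlib.dumps(build_payload(entries))
```

A flagged row, such as the one whose two spellings differ only in letter case, should be compared with the designated requirement of the installed binary (`codesign -d -r- <path>`) before the profile is deployed.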




System Extensions (BIG SUR ONLY) 


For the System Extension you will need the below: 


Team ID: 2H5GFH3774

  • com.sophos.endpoint.networkextension
  • com.sophos.endpoint.scanextension



Kernel Extensions (KEXT) 


For KEXT you will need the below information: 


  • com.sophos.nke.swi
  • com.sophos.kext.sfm
  • com.sophos.kext.oas

Please see the below articles for further information: 



Kernel Extension (Kext) Whitelisting with Addigy MDM
Creating and Deploying a PPPC Payload 

If you have an Addigy account and have additional questions, you can create a ticket by emailing support@addigy.com.

Alternatively, you can submit a support request within Addigy.