Deploy Sophos Endpoint as a Custom App

Deploying Sophos Central Mac Endpoint to your macOS devices as a Custom App.

Download Custom Profile
For the easiest deployment, we've created a downloadable configuration profile that approves the Sophos Central Mac Endpoint kernel extension, grants Full Disk Access through a PPPC payload, and allows Notifications. Additional profiles may be required depending on the Sophos components deployed in your environment. If necessary, please refer to our support articles on determining requirements for Kernel Extensions, System Extensions, and PPPC.

Download the custom profile here.

Add a Custom Profile:

  1. Click Library in the left-hand navigation bar.
  2. Click Add New in the upper right-hand corner.
  3. Click Custom Profile from the Add New window.

Configure the Custom Profile:

  1. Upload the Sophos_Central_Settings.mobileconfig file you downloaded previously.
  2. Set the Device Families to Mac.
  3. Assign your Custom Profile to a test Blueprint.
  4. Save your Custom Profile.

Add a Custom App:

  1. Click Library on the left-hand navigation bar.
  2. Click Add New in the upper right-hand corner.
  3. Click Custom App from the Add New window.

Configure the Custom App:

  1. Give your Custom App a Name.
  2. Assign your Custom App to a test Blueprint.
  3. Select Audit and Enforce as the execution frequency.
  4. Paste the Audit Script from below (no modifications needed if using the downloadable configuration profile above).
  5. Under Install Details, choose ZIP File.
  6. For the Unzip Location, choose /var/tmp.
  7. Upload the SophosInstall ZIP file.
  8. Paste the Post-Install Script from below.
  9. Click Save.

Depending on the Sophos product and version installed, the app path, privacy access, and kernel or system extension requirements may change. As with all Custom Apps, we urge you to test this thoroughly before deploying to a Mac that is in production.

Audit Script:

#!/bin/zsh

# Change the profileID variable to the profile prefix you want to wait on before running the installer.
# The prefix matching the downloadable profile is not reproduced on this page; placeholder shown.
profileID="REPLACE_WITH_PROFILE_IDENTIFIER_PREFIX"

# Path that shows Sophos Endpoint is already installed (adjust for your Sophos product and version)
appPath="/Applications/Sophos/Sophos Endpoint.app"

# Installer unzipped into /var/tmp by the Custom App (see the Post-Install Script)
installer="/var/tmp/Sophos Installer"

# the profiles variable holds the identifiers of installed profiles that match the prefix in the profileID variable (one per line)
profiles=$(/usr/bin/profiles list | grep "$profileID" | sed 's/.*\ //')

# if no matching profile is found exit 0 so Kandji waits, else continue to the install check
if [[ -z "$profiles" ]]; then
    echo "no profiles with ID $profileID were found"
    exit 0
fi

# if the app is already present there is nothing to do
if [[ -e "$appPath" ]]; then
    echo "$appPath was found. Exiting..."
    exit 0
fi

# profile present but app missing: exit 1 so the installer runs
echo "$appPath was not found but profile $profileID is present. Running $installer"
exit 1
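The audit decision above depends on device state (the live output of /usr/bin/profiles and the presence of the app), so it is awkward to exercise before a Blueprint rollout. The following is an added example, not Kandji's or Sophos's code: the same decision factored into functions that take the profile listing and the path as arguments, run here against constructed sample output in the shape that /usr/bin/profiles list prints. The identifiers com.example.wifi and com.example.sophos.settings are placeholders, not real profile IDs.

```shell
#!/bin/sh
# Added example: the Kandji Audit Script decision as testable functions.
# Exit semantics match the Custom App: 0 = do nothing, 1 = run the installer.

# Print the identifiers from `profiles list` style text that begin with a prefix.
# $1 = listing text (one "... profileIdentifier: <id>" line per profile), $2 = prefix
matching_profiles() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '/profileIdentifier:/ { id = $NF; if (index(id, p) == 1) print id }'
}

# Decide the audit result for a given listing, prefix and install path.
# $1 = listing text, $2 = profile prefix, $3 = path whose presence means "installed"
audit_decision() {
    found=$(matching_profiles "$1" "$2")
    if [ -z "$found" ]; then
        echo "waiting: no profile with prefix $2 is installed yet"
        return 0
    fi
    if [ -e "$3" ]; then
        echo "installed: $3 is present, nothing to do"
        return 0
    fi
    echo "install: profile present but $3 is missing"
    return 1
}

# Constructed sample in the format of `/usr/bin/profiles list` (placeholder identifiers).
SAMPLE_PROFILES='_computerlevel[1] attribute: profileIdentifier: com.example.wifi
_computerlevel[2] attribute: profileIdentifier: com.example.sophos.settings
There are 2 configuration profiles installed'

# On a real device the call would be:
#   audit_decision "$(/usr/bin/profiles list)" "com.example.sophos" "/Applications/Sophos/Sophos Endpoint.app"
# Here "/" stands in for an existing path and /nonexistent/app for a missing one.
audit_decision "$SAMPLE_PROFILES" "com.example.sophos" "/nonexistent/app"
```

Because the prefix check uses index(id, p) == 1 rather than grep, a prefix only matches at the start of an identifier, so a profile whose ID merely contains the string elsewhere does not trigger the installer.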

Post-Install Script:

#!/bin/zsh

echo "Running Sophos Installer..."
# The Custom App unzipped the SophosInstall archive into /var/tmp
"/var/tmp/Sophos Installer" --install
status=$?

echo "Removing installer and component files..."
/bin/rm -fr "/var/tmp/Sophos"
/bin/rm -fr "/var/tmp/Sophos Installer Components"

# Return the installer's exit status so a failed install is reported rather than masked
exit $status