Deploy Sophos Endpoint as a Custom App

By Shannon Poole

Learn how to deploy Sophos Central to your macOS devices as a custom app.

Depending on the App product and version installed, the app path, privacy access, and kernel or system extension requirements may change. As with all Custom Apps, we urge you to test this thoroughly before deploying it to a Mac in production.

Prerequisites

  • Download the Sophos installer file from your Sophos admin portal.

    Endpoint Protection 10.4.0 will install, but is not supported by Sophos on macOS Ventura, and should be upgraded to 10.4.1 as soon as possible. Please review the following Sophos documentation for more information: Ventura release notes

  • Copy the sophos_ae_script.zsh script from the Kandji support GitHub repository (GitHub Link).

  • Download the sophos_central_settings.mobileconfig file from the Kandji support GitHub repository (GitHub Link). You can right-click the link and select Save link as… to download the mobileconfig file directly.

    • This configuration profile enables Notifications, System Extensions, Privacy Preferences (PPPC) to have Full Disk Access, and a Network content filter.

    • A Legacy System Extension (KEXT) version of the profile for macOS Catalina and below can be downloaded here.

  • Download the sophos_management.mobileconfig file from the Kandji support GitHub repository (GitHub Link). You can right-click the link and select Save link as… to download the mobileconfig file directly.

    • This configuration profile allows managed background items for Sophos Central.

Add a Custom Settings Profile

  1. In the left-hand menu, click on Library.
  2. Near the top-right, click Add New.
  3. Select Custom Profile.
  4. Click Add & Configure.

Configure the Custom Settings Profile

  1. Give the profile a name.
  2. Assign the custom profile to a test Blueprint.
  3. For Install on, select Mac.
  4. If deploying the KEXT version of the configuration profile, configure an Assignment rule that will deploy the file to macOS Catalina and below.
  5. Upload either the sophos_central_settings.mobileconfig (or KEXT version) file you downloaded previously.
  6. Click Save.

Configure the Service Management Profile

  1. Create a Custom Configuration Profile in Kandji by selecting Library > Add New > Custom Profile > Add & Configure.
  2. Give the profile a name.
  3. Assign your custom profile to the same test Blueprint as above.
  4. For Install on, select Mac.
  5. When adding this profile, add an Assignment Rule so that the profile is only applied to computers where the macOS Version is greater than or equal to 13.0.

  6. Upload the sophos_management.mobileconfig profile that you downloaded previously from GitHub.

  7. Click Save.

    Using an Assignment Rule for the service management payload ensures this payload is only deployed to Mac computers running macOS Ventura or later. The audit and enforcement script provided by Kandji only checks for the presence of the service management payload on macOS Ventura or later.

Add a Custom App

  1. In the left-hand menu, click on Library.
  2. Near the top-right, click Add New.
  3. Select Custom app.
  4. Click Add & Configure.

Custom App

  1. Give the Custom App a name. (Example: Sophos Central.) Optionally, add a custom icon.
  2. Assign to a test blueprint.
  3. (optional) Configure Assignment Rules if you would like to limit the devices that receive the custom app.
  4. Change the installation type to Audit and Enforce.
  5. Copy and paste the sophos_central_ae_script.zsh script from earlier into the Audit & Enforce text box. No modification needed.

    • The script looks for two profile identifiers and the name of the installed Sophos app before attempting to install the app. If you would like to use this script with another profile, update the profile identifier prefix information to match what is in your profile.

      Settings Profile prefix: io.kandji.sophos.EA69037E
      Background Service Management Profile prefix: io.kandji.sophos.service-management
      App name: "Sophos Endpoint.app"
  6. Select ZIP File (unzip contents into specified directory) as the deployment type.

  7. Set the Unzip Location to: /var/tmp

  8. Upload the installer zip file downloaded earlier.

  9. Click Add Postinstall Script.

  10. Paste the Post-Install Script from the script section below into the post-installer text field. Be sure to copy all text, including the #!/bin/zsh (shebang) line at the top.
  11. Click Save.
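The audit logic described in step 5 (wait for the two Kandji profiles, then install only if the app is absent, with the service-management check limited to macOS 13 and later) can be expressed as a small shell check. This is an added example, not Kandji's sophos_central_ae_script.zsh; the identifier prefixes and app name are taken from this page, the `profiles` output format and Kandji's Audit & Enforce exit codes (0 = compliant, 1 = install) are as documented by Apple and Kandji, and the `AUDIT_LIVE` switch and sample listing are constructed for illustration.

```shell
#!/bin/bash
# Added example (not Kandji's script). Decides whether Kandji should run the
# Sophos install based on installed profiles, macOS version and app presence.

SETTINGS_PREFIX="io.kandji.sophos.EA69037E"
SERVICE_PREFIX="io.kandji.sophos.service-management"
APP_NAME="Sophos Endpoint.app"

# Does the `profiles` listing in $1 contain an identifier beginning with $2?
# The listing is passed in as text so the check also runs on captured or
# constructed output; "profileIdentifier: " anchors the match to the prefix.
has_profile_prefix() {
    printf '%s\n' "$1" | grep -qF "profileIdentifier: $2"
}

# Arguments: profiles listing, macOS major version, directory holding the app.
# Prints one word:  wait      - a required profile is not installed yet
#                   compliant - app already present, nothing to do
#                   install   - profiles present, app missing
audit_action() {
    local listing="$1" os_major="$2" apps_dir="$3"
    has_profile_prefix "$listing" "$SETTINGS_PREFIX" || { echo wait; return 0; }
    # The service-management payload is only deployed (and checked) on 13+.
    if [ "$os_major" -ge 13 ] && ! has_profile_prefix "$listing" "$SERVICE_PREFIX"; then
        echo wait; return 0
    fi
    if [ -d "$apps_dir/$APP_NAME" ]; then echo compliant; else echo install; fi
}

# Live run on a Mac: gather real state and map the decision to Kandji's
# Audit & Enforce exit codes (0 = compliant or wait, 1 = install).
run_audit() {
    local listing os_major
    listing=$(/usr/bin/profiles show -type configuration 2>/dev/null)
    os_major=$(/usr/bin/sw_vers -productVersion 2>/dev/null | cut -d. -f1)
    case "$(audit_action "$listing" "${os_major:-0}" /Applications)" in
        install) echo "Sophos not installed; triggering install"; exit 1 ;;
        *)       echo "No action required"; exit 0 ;;
    esac
}

# Constructed sample listing (shape of `profiles show` output) for a dry run.
SAMPLE_LISTING='_computerlevel[1] attribute: profileIdentifier: io.kandji.sophos.EA69037E
_computerlevel[2] attribute: profileIdentifier: io.kandji.sophos.service-management'
echo "dry run, macOS 13, app missing: $(audit_action "$SAMPLE_LISTING" 13 /nonexistent)"

# Set AUDIT_LIVE=1 (e.g. at the top when pasting into Kandji) to run for real.
if [ "${AUDIT_LIVE:-0}" = 1 ]; then run_audit; fi
```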

Post install script

#!/bin/zsh

#
# Post-Install script for Sophos
#

# Unzip directory defined in Kandji
UNZIP_LOCATION="/var/tmp"

################################################################################################
############################ MAIN LOGIC - DO NOT MODIFY BELOW ##################################
################################################################################################

# Locate the Sophos Installer.app in the $UNZIP_LOCATION
SOPHOS_INSTALLER_APP=$(/usr/bin/find "$UNZIP_LOCATION" -maxdepth 2 \
    -name 'Sophos Installer.app' 2>/dev/null)

# Locate the 'Sophos Installer Components' folder in the $UNZIP_LOCATION
SOPHOS_INSTALLER_COMPONENTS=$(/usr/bin/find "$UNZIP_LOCATION" -maxdepth 2 \
    -name 'Sophos Installer Components' 2>/dev/null)

# Locate the 'Sophos Installer' binary in the $SOPHOS_INSTALLER_APP
SOPHOS_INSTALLER=$(/usr/bin/find "$SOPHOS_INSTALLER_APP" -maxdepth 4 \
    -name 'Sophos Installer' 2>/dev/null)

# Locate the 'com.sophos.bootstrap.helper' file in the $SOPHOS_INSTALLER_APP
SOPHOS_BOOTSTRAP_HELPER=$(/usr/bin/find "$SOPHOS_INSTALLER_APP" -maxdepth 4 \
    -name 'com.sophos.bootstrap.helper' 2>/dev/null)

# Confirm the 'Sophos Installer' binary and 'com.sophos.bootstrap.helper' file have been
# found; otherwise clean up whatever was unzipped and fail the install
if [[ -n "$SOPHOS_INSTALLER" && -n "$SOPHOS_BOOTSTRAP_HELPER" ]]; then
    /bin/echo "Setting permissions on installers ..."
    /bin/chmod a+x "$SOPHOS_INSTALLER"
    /bin/chmod a+x "$SOPHOS_BOOTSTRAP_HELPER"
    # Strip quarantine and other extended attributes picked up during unzip
    /usr/bin/xattr -cr "$SOPHOS_INSTALLER_APP"
else
    if [[ -n "$SOPHOS_INSTALLER_APP" ]]; then
        /bin/rm -fR "$SOPHOS_INSTALLER_APP"
    fi

    if [[ -n "$SOPHOS_INSTALLER_COMPONENTS" ]]; then
        /bin/rm -fR "$SOPHOS_INSTALLER_COMPONENTS"
    fi
    /bin/echo "Failed to locate the Sophos Installer ..."
    exit 1
fi

/bin/echo "Running Sophos Installer ..."

# Execute the Sophos Install binary and capture its exit status
"$SOPHOS_INSTALLER" --install
EXIT_STATUS=$?

/bin/echo "Removing installer and component files ..."

# Remove the unzipped parent folders, but never the unzip location itself
if [[ -d $(/usr/bin/dirname "$SOPHOS_INSTALLER_APP") &&
      $(/usr/bin/dirname "$SOPHOS_INSTALLER_APP") != "$UNZIP_LOCATION" ]]; then
    /bin/rm -fR "$(/usr/bin/dirname "$SOPHOS_INSTALLER_APP")"
fi

if [[ -d $(/usr/bin/dirname "$SOPHOS_INSTALLER_COMPONENTS") &&
      $(/usr/bin/dirname "$SOPHOS_INSTALLER_COMPONENTS") != "$UNZIP_LOCATION" ]]; then
    /bin/rm -fR "$(/usr/bin/dirname "$SOPHOS_INSTALLER_COMPONENTS")"
fi

# Exit based on status of the install
exit $EXIT_STATUS