Deploy Sophos Endpoint as a Custom App

By Emalee Firestein

Learn how to deploy Sophos Central to your macOS devices as a custom app

Depending on the app product and version installed, the app path, privacy access, and kernel or system extension requirements may change. As with all Custom Apps, we urge you to test this thoroughly before deploying it to a Mac in production.

Prerequisites

  • Download the Sophos installer file from your Sophos admin portal.

  • Copy the sophos_ae_script.zsh script from the Kandji support GitHub repository (GitHub Link).

  • Download the sophos_central_settings.mobileconfig file from the Kandji support GitHub repository (GitHub Link). You can right-click the link and select Save link as… to download the mobileconfig file directly.

    • This configuration profile configures Notifications, System Extensions, Privacy Preferences Policy Control (PPPC) granting Full Disk Access, and a Network content filter. More information about Sophos's required System Extensions is available here.

    • A Legacy System Extension (KEXT) version of the profile for macOS Catalina and below can be downloaded here.

  • Download the sophos_management.mobileconfig file from the Kandji support GitHub repository (GitHub Link). You can right-click the link and select Save link as… to download the mobileconfig file directly.

    • This configuration profile allows managed background items for Sophos Central.

  • Copy the Sophos postinstall script from the Kandji support GitHub repository (GitHub Link).

Add a Custom Settings Profile

  1. In the left-hand menu, click on Library.
  2. Near the top-right, click Add New.
  3. Select Custom Profile.
  4. Click Add & Configure.

Configure the Custom Settings Profile

  1. Give the profile a name.
  2. Assign the custom profile to a test Blueprint.
  3. For Install on, select Mac.
  4. If deploying the KEXT version of the configuration profile, configure an Assignment rule that will deploy the file to macOS Catalina and below.
  5. Upload the sophos_central_settings.mobileconfig file (or its KEXT version) you downloaded previously.
  6. Click Save.

Configure the Service Management Profile

  1. Create a Custom Configuration Profile in Kandji by selecting Library > Add New > Custom Profile > Add & Configure.
  2. Give the profile a name.
  3. Assign your custom profile to the same test Blueprint as above.
  4. For Install on, select Mac.
  5. When adding this profile, add an Assignment Rule to only apply the profile to computers where the macOS Version is greater than or equal to 13.0, as shown below.

  6. Upload the sophos_management.mobileconfig file that you downloaded previously from GitHub.

  7. Click Save.

    Using an Assignment Rule for the service management payload ensures this payload is only deployed to Mac computers running macOS Ventura or later. The audit and enforcement script provided by Kandji only checks for the presence of the service management payload on macOS Ventura or later.

Add a Custom App

  1. In the left-hand menu, click on Library.
  2. Near the top-right, click Add New.
  3. Select Custom app.
  4. Click Add & Configure.

Custom App

  1. Give the Custom App a name. (Example: Sophos Central.) Optionally, add a custom icon.
  2. Assign to a test blueprint.
  3. (Optional) Configure Assignment Rules if you would like to limit the devices that receive the custom app.
  4. Change the installation type to Audit and Enforce.
  5. Copy and paste the sophos_central_ae_script.zsh script from earlier into the Audit & Enforce text box. No modification is needed.

    • The script looks for two profile identifiers and the name of the installed Sophos app before attempting to install the app. If you would like to use this script with another profile, update the profile identifier prefix information to match what is in your profile.

      Settings Profile prefix: io.kandji.sophos.EA69037E
      Background Service Management Profile prefix: io.kandji.sophos.service-management
      App name: "Sophos Endpoint.app"
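As an added example (not Kandji's sophos_central_ae_script.zsh and not Sophos code), the bash below reproduces the check sequence described above together with the macOS 13 gate from the service management section: look for the settings profile, look for the service management profile only on Ventura or later, then look for the app bundle. It assumes that `profiles list` output contains lines of the form `... profileIdentifier: <id>` and that Kandji treats a non-zero exit from an Audit & Enforce script as the signal to run the install; the sample profile output is constructed so the script runs on any machine.

```shell
#!/bin/bash
# Added example, not Kandji's sophos_central_ae_script.zsh. It models the
# audit decision only; a real run would feed it "$(profiles list)" and
# "$(sw_vers -productVersion | cut -d. -f1)" instead of the constructed
# sample at the bottom.

SETTINGS_PREFIX="io.kandji.sophos.EA69037E"
SERVICE_MGMT_PREFIX="io.kandji.sophos.service-management"
APP_PATH="/Applications/Sophos Endpoint.app"

# has_profile PROFILES_OUTPUT PREFIX
# Succeeds if any "profileIdentifier:" line begins with PREFIX. The match is a
# fixed string (-F) so the dots in the identifier are not regex wildcards.
# Assumption: lines look like
#   _computerlevel[1] attribute: profileIdentifier: io.kandji.sophos.EA69037E
has_profile() {
    printf '%s\n' "$1" | grep -qF -- "profileIdentifier: $2"
}

# needs_service_mgmt MAJOR_VERSION
# Managed background items exist only on macOS Ventura (13) and later, so the
# service management profile is required only there.
needs_service_mgmt() {
    [ "$1" -ge 13 ]
}

# audit_decision PROFILES_OUTPUT MAJOR_VERSION APP_PRESENT(yes|no)
# Prints exactly one word:
#   wait      - a required profile is missing; installing now would leave the
#               agent without its PPPC / system extension approvals
#   install   - profiles are in place but the app bundle is absent
#   compliant - profiles are in place and the app bundle is installed
audit_decision() {
    if ! has_profile "$1" "$SETTINGS_PREFIX"; then
        echo "wait"
    elif needs_service_mgmt "$2" && ! has_profile "$1" "$SERVICE_MGMT_PREFIX"; then
        echo "wait"
    elif [ "$3" = "yes" ]; then
        echo "compliant"
    else
        echo "install"
    fi
}

# exit_code_for DECISION
# Assumption about Kandji Audit & Enforce: the install runs only when the audit
# script exits non-zero. "compliant" and "wait" therefore both return 0 and only
# "install" returns 1, so the app is never installed ahead of its profiles.
exit_code_for() {
    [ "$1" = "install" ] && return 1
    return 0
}

# Stand-alone demonstration on constructed input.
SAMPLE_PROFILES='_computerlevel[1] attribute: profileIdentifier: io.kandji.sophos.EA69037E
_computerlevel[2] attribute: profileIdentifier: io.kandji.sophos.service-management.3F2A1C'
APP_PRESENT="no"
[ -d "$APP_PATH" ] && APP_PRESENT="yes"
echo "macOS 14, both profiles present, app present=$APP_PRESENT: $(audit_decision "$SAMPLE_PROFILES" 14 "$APP_PRESENT")"
echo "macOS 12, settings profile only: $(audit_decision "$SAMPLE_PROFILES" 12 no)"
```

When adapting this to another profile, only the two prefix variables at the top change, which mirrors the note above about updating the profile identifier prefixes; the prefix match (rather than an exact identifier match) is what lets the service management profile carry a differing suffix across revisions.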
  6. Select ZIP File (unzip contents into specified directory) as the deployment type.
  7. Set the Unzip Location to: /var/tmp
  8. Upload the installer zip file downloaded earlier.
  9. Click Add Postinstall Script.
  10. Paste the Post-Install Script from the Kandji support GitHub into the post-installer text field. Be sure to copy all text, including the #!/bin/sh (shebang) line at the top.
  11. Click Save.