Deploying Sophos Endpoint as a Custom App

By Emalee Firestein

Learn how to deploy Sophos Central to your Mac computers as a custom app.

Please note that depending on the specific application and version you have installed, the app path, privacy access, and system extension requirements may vary. As a best practice, we recommend thoroughly testing any Custom Apps before deploying them to a Mac in a production environment.

Prerequisites

  • Download the Sophos installer file from your Sophos admin portal.

  • Copy the sophos_ae_script.zsh script from the Kandji support GitHub repository (GitHub Link).

  • Download the sophos_central_settings.mobileconfig file from the Kandji support GitHub repository (GitHub Link).

    • This configuration profile allows Sophos notifications, approves its System Extensions, grants Full Disk Access through Privacy Preferences Policy Control (PPPC), and configures a Network content filter. More information about Sophos's required System Extensions is available here.

    • A Legacy System Extension (KEXT) version of the profile for macOS Catalina and below can be downloaded here.

  • Download the sophos_management.mobileconfig file from the Kandji support GitHub repository (GitHub Link).

    • This configuration profile allows managed background items for Sophos Central.

  • Copy the Sophos postinstall script from the Kandji support GitHub repository (GitHub Link).

Add a Custom Settings Profile

  1. In the left-hand menu, click on Library.
  2. Near the top-right, click Add New.
  3. Select Custom Profile.
  4. Click Add & Configure.

Configure the Custom Settings Profile

  1. Give the profile a name.
  2. Assign the custom profile to a test Blueprint.
  3. For Install on, select Mac.
  4. If deploying the KEXT version of the configuration profile, configure an Assignment Rule that will deploy the file to macOS Catalina and below.
  5. Upload the sophos_central_settings.mobileconfig file (or the KEXT version) that you downloaded previously.
  6. Click Save.

Configure the Service Management Profile

  1. Create a Custom Configuration Profile in Kandji by selecting Library > Add New > Custom Profile > Add & Configure.
  2. Give the profile a name.
  3. Assign your custom profile to the same test Blueprint as above.
  4. For Install on, select Mac.
  5. Add an Assignment Rule to apply this profile only to computers with a macOS Version greater than or equal to 13.0.

  6. Upload the sophos_management.mobileconfig profile that you downloaded previously from GitHub.

  7. Click Save.

    Using an Assignment Rule for the service management payload ensures this payload is only deployed to Mac computers running macOS Ventura or later. The audit and enforcement script provided by Kandji only checks for the presence of the service management payload on macOS Ventura or later.

Add a Custom App

  1. In the left-hand menu, click on Library.
  2. Near the top-right, click Add New.
  3. Select Custom App.
  4. Click Add & Configure.

Configure the Custom App

  1. Give your Custom App a name. Optionally, add a custom icon.
  2. Assign to a test Blueprint.
  3. Optionally, configure Assignment Rules.
  4. Change the installation type to Audit and Enforce.
  5. Copy and paste the sophos_central_ae_script.zsh script from earlier into the Audit & Enforce text box. No modification is needed.

    • The script looks for two profile identifiers and the name of the installed Sophos app before attempting to install the app. If you would like to use this script with another profile, update the profile identifier prefix information to match what is in your profile.

      Settings Profile prefix: io.kandji.sophos.system-extension-policy
      Background Service Management Profile prefix: io.kandji.sophos.service-management
      App name: "Sophos Endpoint.app"
  6. Select ZIP File as the deployment type.
  7. Set the Unzip Location to: /var/tmp
  8. Upload the installer zip file downloaded in the Prerequisites.
  9. Click Add Postinstall Script, then paste the postinstall script from the Prerequisites into the Postinstall Script field. Be sure to copy all text, including the #!/bin/sh (shebang) line at the top.
  10. Click Save.
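
The gating described in step 5 and in the Assignment Rule note above, as an added sketch that is not Kandji's audit and enforcement script: it decides whether the installer should run from a profile listing, the macOS major version, and an applications directory passed in as arguments. The function names, decision strings, and sample listings are assumptions made for illustration; the two prefixes and the app name are the ones listed in step 5.

```shell
#!/bin/sh
# Added illustration, not Kandji's script.
# Prefixes and app name are the values listed in step 5 of this article.
SETTINGS_PREFIX="io.kandji.sophos.system-extension-policy"
SERVICE_MGMT_PREFIX="io.kandji.sophos.service-management"
APP_NAME="Sophos Endpoint.app"

# has_profile LISTING PREFIX
# Returns 0 when any line of the listing contains the prefix.
# -F matches the prefix literally, so its dots are not regex wildcards.
has_profile() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# audit_decision LISTING MACOS_MAJOR APPS_DIR
# Prints one hypothetical decision string:
#   wait-settings-profile, wait-service-management-profile, install, compliant
audit_decision() {
    listing=$1 major=$2 apps_dir=$3
    # Without the settings profile the system extensions and Full Disk
    # Access are not pre-approved, so the installer should not run yet.
    if ! has_profile "$listing" "$SETTINGS_PREFIX"; then
        echo "wait-settings-profile"; return
    fi
    # The service management payload is only checked on macOS 13 or later.
    if [ "$major" -ge 13 ] && ! has_profile "$listing" "$SERVICE_MGMT_PREFIX"; then
        echo "wait-service-management-profile"; return
    fi
    if [ -d "$apps_dir/$APP_NAME" ]; then
        echo "compliant"
    else
        echo "install"
    fi
}

# Constructed sample listings (identifier suffixes are made up).
SAMPLE_BOTH='profile identifier: io.kandji.sophos.system-extension-policy.1A2B
profile identifier: io.kandji.sophos.service-management.3C4D'
SAMPLE_SETTINGS_ONLY='profile identifier: io.kandji.sophos.system-extension-policy.1A2B'
```

If you change the identifiers in your own profiles, the prefixes checked by the audit script must change with them, otherwise the check never passes and the installer never runs.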