Deploy Sophos Endpoint as a Custom App

By Gwynn Clark

Deploying Sophos Central Mac Endpoint to your macOS computers as a Custom App.

The app path, privacy access, network content filter, notifications, and kernel or system extension requirements may change depending on the Sophos product and version installed. As with all Custom Apps, we urge you to test this thoroughly before deploying to a Mac in production.
Prerequisites
  • Download the Sophos_Central_Settings.mobileconfig file from the Kandji support GitHub repository (GitHub Link)

    • This configuration profile enables Notifications, System Extensions, Privacy Preferences (PPPC) granting Full Disk Access, and a Network content filter for Sophos

    • There is also a profile that includes the Sophos Kernel Extension if you have Mac computers running macOS Catalina or earlier (GitHub Link)

    • Mac computers with Apple silicon may require the installation of Rosetta 2 to install and run Sophos Endpoint successfully

  • Download the Sophos installer file from your Sophos admin portal

Custom Configuration Profile

  1. Create a Custom Configuration Profile in Kandji by selecting Library > Add New > Custom Profile > Add & Configure

  2. Give the custom profile the following name: Sophos Settings

  3. Assign the library item to a Blueprint

    1. It is generally good practice to assign a new library item to a testing Blueprint to ensure that everything functions as expected

  4. Set Device Families to Mac

  5. Upload the Sophos_Central_Settings.mobileconfig file to Kandji as a custom configuration profile

  6. Click Save in the bottom-right

Custom App

  1. Create a Custom App in Kandji by selecting Library > Add New > Custom App > Add & Configure

  2. Give the Custom App a name. Example: Sophos

  3. Assign to a test Blueprint

  4. Change the installation type to Audit and Enforce

  5. Copy and paste the Audit and Enforce script from the bottom of this page into the Audit & Enforce text box. No modification is needed.

    1. The Audit and Enforce script looks for a specific payload prefix inside the configuration profile before installing the app. Then, the script will look for the name of the app once installed to ensure that it remains installed on the Mac.
      Profile prefix: io.kandji.sophos.EA69037E
      App name: "Sophos Endpoint.app"
  6. Select ZIP File (unzip contents into specified directory) as the deployment type

  7. Set the Unzip Location to: /var/tmp

  8. Upload the installer zip file downloaded earlier

  9. Click Add Postinstall Script and paste the post-install script from the bottom of this page

  10. Click Save
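Once both library items have deployed, the following script, added here as an example (not Kandji's or Sophos's own code), confirms what this procedure depends on: a payload with the io.kandji.sophos.EA69037E prefix is installed, the Sophos endpoint-security and network-filter system extensions are activated, and Rosetta 2 is present on Apple silicon. The embedded samples of profiles show and systemextensionsctl list output are constructed approximations of those tools' layouts, and the team ID and bundle IDs in them are placeholders.

```shell
#!/bin/sh
# Added verification helper (example only, not Kandji's or Sophos's code). Confirms the
# Sophos profile payload is installed, the Sophos system extensions it approves are
# activated, and Rosetta 2 is present on Apple silicon. The parsers read command output
# on stdin so they can be exercised with the constructed samples; run_checks() is live.
PROFILE_ID_PREFIX="io.kandji.sophos.EA69037E"

# Constructed sample of `/usr/bin/profiles show` output (layout approximated; assumption).
SAMPLE_PROFILES='_computerlevel[1] attribute: name: Sophos Settings
_computerlevel[1] payload[1] attribute: PayloadIdentifier: io.kandji.sophos.EA69037E.notifications'

# Constructed sample of `systemextensionsctl list` output; team ID and bundle IDs are placeholders.
SAMPLE_SYSEXT='--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * TEAMIDXXXX com.example.sophos.es (1.0/1) Sophos Endpoint Security Extension [activated enabled]
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
TEAMIDXXXX com.example.sophos.net (1.0/1) Sophos Network Extension [activated waiting for user]'

# Count payload identifiers (last field of each line) that start with the given prefix.
count_profile_payloads() {
  awk -v p="$1" 'index($NF, p) == 1 { n++ } END { print n + 0 }'
}

# Count extensions in one category (e.g. network_extension) whose line mentions the
# product name and whose state is exactly "[activated enabled]".
count_enabled_sysexts() {
  awk -v kind="$1" -v name="$2" '
    /^--- / { section = $2; next }
    section ~ kind && tolower($0) ~ tolower(name) && /\[activated enabled\]$/ { n++ }
    END { print n + 0 }'
}

run_checks() {
  rc=0
  n="$(/usr/bin/profiles show 2>/dev/null | count_profile_payloads "$PROFILE_ID_PREFIX")"
  [ "$n" -gt 0 ] || { echo "FAIL: no payload with prefix $PROFILE_ID_PREFIX"; rc=1; }
  for kind in endpoint_security network_extension; do
    n="$(/usr/bin/systemextensionsctl list 2>/dev/null | count_enabled_sysexts "$kind" sophos)"
    [ "$n" -gt 0 ] || { echo "FAIL: no enabled Sophos $kind system extension"; rc=1; }
  done
  # Rosetta 2's daemon (oahd) only runs once Rosetta has been installed.
  if [ "$(/usr/bin/uname -m)" = "arm64" ] && ! /usr/bin/pgrep -q oahd; then
    echo "FAIL: Rosetta 2 missing; run: softwareupdate --install-rosetta --agree-to-license"; rc=1
  fi
  return "$rc"
}

# Live checks only make sense on macOS; the parsers above run anywhere.
if [ "$(uname)" = "Darwin" ]; then run_checks; fi
```

Run it as root after the Custom App reports installed; a non-zero exit with a FAIL line points at the prerequisite that is still missing.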

Audit and Enforce Script

#!/bin/zsh

# Audit and Enforce script for Sophos Central

###################################################################################################
###################################### VARIABLES ##################################################
###################################################################################################

# Change the PROFILE_ID_PREFIX variable to the profile prefix you want to wait on before
# running the installer. The profile prefix below is associated with the Notifications payload in
# the Kandji provided configuration profile.
PROFILE_ID_PREFIX="io.kandji.sophos.EA69037E"

# Make sure that the app name matches the name of the app that will be installed. This script will
# dynamically search for the app in the Applications folder, so there is no need to define an app
# path. The app must install in /Applications, /System/Applications, or /Library up to 3 sub-
# directories deep.
APP_NAME="Sophos Endpoint.app"

###################################################################################################
###################################### MAIN LOGIC #################################################
###################################################################################################

# profiles holds the identifiers of installed profiles that match PROFILE_ID_PREFIX, one per
# line (sed strips everything before the last space on each matching line). It is empty when
# no such profile is installed.
profiles=$(/usr/bin/profiles show 2>/dev/null | /usr/bin/grep "$PROFILE_ID_PREFIX" | /usr/bin/sed 's/.* //')

# If no matching profile is installed, exit 0 so Kandji waits and audits again at the next
# check-in. The profile must be in place before the installer runs so that the system extension,
# PPPC, and network filter approvals are already granted.
if [[ -z "$profiles" ]]; then
    echo "No profiles with ID $PROFILE_ID_PREFIX were found ..."
    echo "Will check again at the next Kandji agent check in before moving on ..."
    exit 0
fi

echo "Profile prefix $PROFILE_ID_PREFIX present ..."

# Look for the app defined in APP_NAME in /Applications, /System/Applications, and /Library.
# Only the first match is kept so that a stray duplicate copy cannot produce a multi-line path.
installed_path="$(/usr/bin/find /Applications /System/Applications /Library -maxdepth 3 -name "$APP_NAME" 2>/dev/null | /usr/bin/head -n 1)"

# Validate the path returned in installed_path. Exit 1 tells Kandji to run the installer.
if [[ ! -e "$installed_path" ]] || [[ "$APP_NAME" != "$(/usr/bin/basename "$installed_path")" ]]; then
    echo "$APP_NAME not installed. Starting installation process ..."
    exit 1
else
    # Get the installed app version
    installed_version=$(/usr/bin/defaults read "$installed_path/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null)

    # Make sure we got a version number back
    if [[ $? -eq 0 ]]; then
        /bin/echo "$APP_NAME version $installed_version is installed at \"$installed_path\" ..."
    else
        /bin/echo "$APP_NAME is installed at \"$installed_path\" ..."
    fi
fi

exit 0


Post-Install Script

#!/bin/sh

#
# Post-Install script for Sophos
#

# Unzip path defined in Kandji (the Unzip Location set in the Custom App)
UNZIP_PATH="/var/tmp"
INSTALLER="$UNZIP_PATH/Sophos Installer.app/Contents/MacOS/Sophos Installer"

# Make sure that the installer and helper have execute permissions
/bin/echo "Setting permissions on installers ..."
/bin/chmod a+x "$INSTALLER"
/bin/chmod a+x "$UNZIP_PATH/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"

# Run the installer and keep its exit status so a failed install is reported back to Kandji
echo "Running Sophos Installer ..."
"$INSTALLER" --install
rc=$?
[ "$rc" -eq 0 ] || echo "Sophos Installer exited with status $rc"

# Clean up the unzipped files whether or not the install succeeded
echo "Removing installer and component files ..."
/bin/rm -fR "$UNZIP_PATH/Sophos Installer.app"
/bin/rm -fR "$UNZIP_PATH/Sophos Installer Components"

exit "$rc"