Saturday, 15 March 2014

Deploying Sophos Anti-Virus on a Mac network

Sophos have provided a Mac version of their Anti-Virus software for a long time and, uniquely, also used to provide a Mac tool for running an internal corporate deployment and update service for it.

This tool was called 'Sophos Update Manager' (SUM) and it did two things. Firstly, it let you build a pre-configured installer package which would include the settings telling Mac clients how to get updates. Secondly, it would automatically update this installer and its folder, and would also put new anti-virus definitions in this folder.

You would therefore normally have this folder on a Mac file server, with the installer package, and hence the client Macs, configured to get updates from this folder. You could also define Sophos' own servers as the backup (secondary) source for updates.

This solution was therefore comparable with Sophos' own Windows tools (in the past Sophos Library Manager and now Sophos Enterprise Console), and also comparable with equivalent Windows-only tools from McAfee and Symantec. The big difference is that no-one else makes a similar Mac tool for Mac-only environments.

In more recent times Sophos have failed to update SUM and officially it only runs on OS X 10.7 (Lion) or older. It did, however, continue to be able to distribute updates for Sophos Anti-Virus 8 for Macs even if client Macs were running Mountain Lion. However, not only does SAV8 not officially support running on OS X 10.9 (Mavericks), SAV8 is also due to be discontinued in April 2014.

It is therefore necessary to move all Macs to SAV9 by April 2014.

SUM does not support SAV9 and so far Sophos have shown no interest in providing an updated version. Sophos do provide a standalone installer for SAV9 which will, if needed, automatically uninstall SAV8 and replace it with SAV9, and this installer can be pre-configured with the credentials needed to get updates directly from Sophos' servers.

See http://www.sophos.com/en-us/support/knowledgebase/119744.aspx

You might think therefore that all one needs to do is download the standalone SAV9 installer, pre-configure it as per the above article and then deploy it to all your Macs. Unfortunately the standalone SAV9 installer is not a standard Apple installer package; it is an application that itself does the installation. This means it cannot be deployed using standard Apple administration tools like Apple Remote Desktop, Casper, or Munki. All these tools will merely see it as an application and at best just copy it to a client Mac's Applications folder, where it will just sit and do nothing.

As a reminder, the SAV8 installer was a standard installer package and after being configured using SUM could be deployed using standard Mac tools.

What was really annoying is that as someone who has also managed both Windows only and mixed environments with Sophos I happen to know that SAV9 when managed by Sophos Enterprise Console on a Windows server does still come as a standard Apple installer package.

Sophos technical support were not a lot of help regarding this and frankly seem pretty clueless about how Mac software is deployed in an enterprise environment. They suggested switching to Sophos Cloud. Sophos Cloud can be thought of as being a cloud-based version of Sophos Enterprise Console in that it lets you manage settings and view the status of the client computers running Sophos Anti-Virus, and unlike the Sophos Enterprise Console it can be accessed via a web browser on a Mac. However, the client installer used with Sophos Cloud for Mac is still the same custom application and not a standard Apple installer package; as such it still cannot be deployed using standard Mac administration tools.

As an aside the free home edition of Sophos Anti-Virus for Mac is also based on the same custom application.

So at this point the only official options were either to buy a Windows Server just so you could run Sophos Enterprise Console, or to go round each and every Mac client and manually run the standalone installer application. The first would have cost a fortune even if you run it in a virtual machine, as you would have to buy not only Windows Server but also all the Client Access Licenses for all your Macs. The second carries a huge administrative overhead and the frequent difficulty of getting access to machines.

Clearly this had moved Sophos from being by far the most friendly Mac solution thanks to SUM, to being actually worse than most since at least McAfee with their ePO system use standard Apple installer packages.

I raised this issue in some user forums, including here https://jamfnation.jamfsoftware.com/discussion.html?id=9785, and also pursued this matter directly with another contact I had at Sophos. Via that contact I was able to find out that hidden inside the Sophos standalone installer application was a command line tool called InstallationDeployer, and that this tool could be scripted and run via a standard Unix shell script. With this information, which is still not on the Sophos website [now listed at http://www.sophos.com/en-us/support/knowledgebase/14179.aspx], it then immediately became obvious that it would be possible to build an Apple installer package containing the Sophos standalone installer application and a post-install script which would automate running the Sophos standalone installer.

After updating the above forum with this information I had started building such an installer package, but Richard Trouton beat me to it and, to be honest, his solution is cleaner than the one I was building. Richard has written this up here: http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/. However, Richard's script only works with the free home edition of Sophos Anti-Virus for Mac, which would have been the only version he had access to. I have therefore taken his script and enhanced it so that it works for both the free home edition and also the paid-for official SAV9 standalone installer.

Update - SAV 9.2.x now stores the auto-update credentials outside the Sophos installer application in a separate folder. This means I had to modify my script to copy both the installer application and this folder; I did this by putting both the Sophos installer and their settings folder inside another folder. This folder (of both items) gets copied to the client Mac and my script looks inside the folder and then inside the Sophos installer to find and run the Sophos command line tool to do the actual installation. If you look at my further updated script you will see the name of the folder that you must use; otherwise you need to modify my script to use the name of the folder you have chosen.

My updated version of the script can be accessed here http://pastebin.com/uRT2VMw9
My further updated version of the script which now supports SAV 9.2.x is here http://pastebin.com/0EYi7V4c

Note: The free home edition is not authorised for business use, only for home use.

So if you have no Windows server and need to mass deploy Sophos Anti-Virus 9 for Mac the best solution is as follows.
  1. Download the SAV9 standalone installer
  2. Pre-configure it with your Sophos update credentials as per the Sophos article
  3. Convert it to an Apple installer package as per Richard's article but with my version of his script
  4. Deploy it using your favourite tool - ARD, Casper, Munki, or other
You don't need to keep building new versions of the installer as once installed the client Macs will then update themselves directly from the Sophos servers.
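
The post-install step from steps 3 and 4, written out as an added example (this is not my pastebin script or Richard's): it looks inside a staged folder for the installer application, finds InstallationDeployer inside it, checks the tool is safe for root to execute, runs it and cleans up. The staging folder path and the `--install` argument are assumptions; check both against your package payload and the Sophos article.

```sh
#!/bin/sh
# Added example: postinstall for a wrapper package around the Sophos installer app.
# ASSUMPTIONS: the STAGE path (set it to wherever your package payload lands)
# and the --install argument (confirm against the Sophos KB article).
STAGE="/private/tmp/sophos_stage"   # hypothetical staging folder name

# Print the path of the one InstallationDeployer found inside an .app under $1.
# Refuse a missing, ambiguous, non-executable or group/world-writable tool:
# postinstall runs as root, so what it executes must not be user-modifiable.
find_deployer() {
    fd_hits=$(find "$1" -type f -name InstallationDeployer -path '*.app/*' 2>/dev/null)
    [ -n "$fd_hits" ] || { echo "no InstallationDeployer under $1" >&2; return 1; }
    [ "$(printf '%s\n' "$fd_hits" | grep -c .)" -eq 1 ] ||
        { echo "more than one InstallationDeployer under $1" >&2; return 1; }
    [ -x "$fd_hits" ] || { echo "not executable: $fd_hits" >&2; return 1; }
    if [ -n "$(find "$fd_hits" \( -perm -020 -o -perm -002 \))" ]; then
        echo "writable by group/other: $fd_hits" >&2; return 1
    fi
    printf '%s\n' "$fd_hits"
}

# Run the installer, then remove the staged copy (on 9.2.x this folder also
# holds the update credentials). The tool's exit status is passed back so the
# deployment tool records a failed install as a failure.
run_install() {
    ri_tool=$(find_deployer "$1") || return 1
    ri_rc=0
    "$ri_tool" --install || ri_rc=$?
    rm -rf "$1"
    return "$ri_rc"
}

# Only act when installed as the package's postinstall script.
case "$0" in
    postinstall|*/postinstall) run_install "$STAGE"; exit $? ;;
esac
```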

4 comments:

  1. Thanks John, very clear and precise explanation :)

  2. This comment has been removed by the author.

  3. Hi John

    Here is my version of the script to also allow for SAV version 9 mpkg obtained and installed from the SEC to be uninstalled.

    http://pastebin.com/0VPTG95J

  4. Hi John, Thanks for sharing updated version of the script.

    Network installation Chiswick
