
MacOS Scripted Deployment - Security Permissions

Hi Sophos Community,

I'm looking for some guidance. We have a requirement to deploy Sophos Endpoint to a number of MacOS devices. This guide has proved useful https://support.sophos.com/support/s/article/KB-000035045?language=en_US

However, we find this incomplete, as the Mac user then must perform additional steps, namely doc.sophos.com/.../index.html, to enable Sophos protection. This has proved difficult to manage - does anyone have experience of how the security permissions element can be automated / scripted?

We have an RMM tool with which we can run remote commands. The result should be that when deploying MDR, the changes to security permissions are made as part of installation. Can anyone help?

  • I've been fairly successful using Intune and a shell script. In the Sophos ZIP there are also some mobileconfig files you can deploy to auto-set the permissions, but I'll include it here as well if this will allow me.

    Install, downloading from tenant URL

    #!/bin/bash
    # Marker directory that Intune can inspect to see how this script finished.
    mkdir -p /tmp/Intune

    # Nothing to do if the Sophos application folder is already present.
    if [ -d /Applications/Sophos/ ]; then
      echo "Already Installed"
      touch /tmp/Intune/Sophos_AlreadyInstalled.tmp
      exit 0
    fi

    SOPHOS_DIR="/tmp/Sophos_Install"
    mkdir -p "$SOPHOS_DIR"
    cd "$SOPHOS_DIR" || exit 1

    # Installing Sophos: replace the placeholder with the installer URL from your Sophos Central tenant.
    # -f makes curl fail on an HTTP error instead of saving an error page as SophosInstall.zip.
    curl -fL -O "###URLFROMADMINTENANT###/SophosInstall.zip" || exit 1
    echo "Sophos Install Downloaded"
    unzip -q SophosInstall.zip || exit 1
    # Paths contain spaces, so every expansion is quoted.
    chmod a+x "$SOPHOS_DIR/Sophos Installer.app/Contents/MacOS/Sophos Installer"
    chmod a+x "$SOPHOS_DIR/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
    sudo "$SOPHOS_DIR/Sophos Installer.app/Contents/MacOS/Sophos Installer" --quiet || exit 1
    echo "Sophos Installed"
    rm -rf "$SOPHOS_DIR"
    touch /tmp/Intune/Sophos_Installed.tmp
    exit 0

    MobileConfig for Ventura

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1">
    	<dict>
    		<key>PayloadUUID</key>
    		<string>C815EF0E-6CA6-42EE-B402-6B9D94B051D8</string>
    		<key>PayloadType</key>
    		<string>Configuration</string>
    		<key>PayloadOrganization</key>
    		<string>Sophos</string>
    		<key>PayloadIdentifier</key>
    		<string>C815EF0E-6CA6-42EE-B402-6B9D94B051D8</string>
    		<key>PayloadDisplayName</key>
    		<string>Sophos Endpoint Ventura v1.2</string>
    		<key>PayloadDescription</key>
    		<string>Allow full disk access, system extensions, transparent proxy, background item management, VPN and notifications for Sophos Endpoint.</string>
    		<key>PayloadVersion</key>
    		<integer>1</integer>
    		<key>PayloadEnabled</key>
    		<true/>
    		<key>PayloadRemovalDisallowed</key>
    		<true/>
    		<key>PayloadScope</key>
    		<string>System</string>
    		<key>PayloadContent</key>
    		<array>
    			<dict>
    				<key>PayloadUUID</key>
    				<string>C4431E6D-5005-48D4-BB30-37EB4DA49A57</string>
    				<key>PayloadType</key>
    				<string>com.apple.TCC.configuration-profile-policy</string>
    				<key>PayloadOrganization</key>
    				<string>Sophos</string>
    				<key>PayloadIdentifier</key>
    				<string>C4431E6D-5005-48D4-BB30-37EB4DA49A57</string>
    				<key>PayloadDisplayName</key>
    				<string>Privacy Preferences Policy Control</string>
    				<key>PayloadDescription</key>
    				<string/>
    				<key>PayloadVersion</key>
    				<integer>1</integer>
    				<key>PayloadEnabled</key>
    				<true/>
    				<key>Services</key>
    				<dict>
    					<key>SystemPolicyAllFiles</key>
    					<array>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.endpoint.scanextension</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.endpoint.scanextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.liveresponse</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>/Library/Sophos Managed Detection and Response/SophosMDR</string>
    							<key>CodeRequirement</key>
    							<string>identifier SophosMDR and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.autoupdate</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.macendpoint.CleanD</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.SophosScanAgent</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.macendpoint.SophosServiceManager</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.endpoint.uiserver</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.SDU4OSX</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.endpoint.SophosAgent</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.sophos.SophosAntivirus</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    						<dict>
    							<key>Identifier</key>
    							<string>com.Sophos.macendpoint.SophosSXLD</string>
    							<key>CodeRequirement</key>
    							<string>identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    							<key>IdentifierType</key>
    							<string>bundleID</string>
    							<key>StaticCode</key>
    							<integer>0</integer>
    							<key>Allowed</key>
    							<integer>1</integer>
    						</dict>
    					</array>
    				</dict>
    			</dict>
    			<dict>
    				<key>PayloadUUID</key>
    				<string>7FB910FB-9396-4E26-9F6A-AF35B8371DE8</string>
    				<key>PayloadType</key>
    				<string>com.apple.system-extension-policy</string>
    				<key>PayloadOrganization</key>
    				<string>Sophos</string>
    				<key>PayloadIdentifier</key>
    				<string>7FB910FB-9396-4E26-9F6A-AF35B8371DE8</string>
    				<key>PayloadDisplayName</key>
    				<string>System Extensions</string>
    				<key>PayloadDescription</key>
    				<string/>
    				<key>PayloadVersion</key>
    				<integer>1</integer>
    				<key>PayloadEnabled</key>
    				<true/>
    				<key>AllowUserOverrides</key>
    				<true/>
    				<key>AllowedSystemExtensions</key>
    				<dict>
    					<key>2H5GFH3774</key>
    					<array>
    						<string>com.sophos.endpoint.networkextension</string>
    						<string>com.sophos.endpoint.scanextension</string>
    					</array>
    				</dict>
    			</dict>
    			<dict>
    				<key>FilterPacketProviderBundleIdentifier</key>
    				<string>com.sophos.endpoint.networkextension</string>
    				<key>FilterPacketProviderDesignatedRequirement</key>
    				<string>identifier "com.sophos.endpoint.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    				<key>FilterPackets</key>
    				<true/>
    				<key>FilterSockets</key>
    				<false/>
    				<key>FilterType</key>
    				<string>Plugin</string>
    				<key>PayloadDisplayName</key>
    				<string>Web Content Filter Payload</string>
    				<key>PayloadIdentifier</key>
    				<string>E9072A8F-F979-4629-9F08-1105461968AF</string>
    				<key>PayloadOrganization</key>
    				<string>Sophos</string>
    				<key>PayloadType</key>
    				<string>com.apple.webcontent-filter</string>
    				<key>PayloadUUID</key>
    				<string>E9072A8F-F979-4629-9F08-1105461968AF</string>
    				<key>PayloadVersion</key>
    				<integer>1</integer>
    				<key>PluginBundleID</key>
    				<string>com.sophos.endpoint.network</string>
    				<key>UserDefinedName</key>
    				<string>SophosWebNetworkExtension</string>
    			</dict>
    			<dict>
    				<key>PayloadDisplayName</key>
    				<string>Notifications Payload</string>
    				<key>PayloadIdentifier</key>
    				<string>410DF445-7669-451D-A527-6AAC985B9A9A</string>
    				<key>PayloadOrganization</key>
    				<string>Sophos</string>
    				<key>PayloadType</key>
    				<string>com.apple.notificationsettings</string>
    				<key>PayloadUUID</key>
    				<string>410DF445-7669-451D-A527-6AAC985B9A9A</string>
    				<key>PayloadVersion</key>
    				<integer>1</integer>
    				<key>NotificationSettings</key>
    				<array>
    					<dict>
    						<key>AlertType</key>
    						<integer>2</integer>
    						<key>BundleIdentifier</key>
    						<string>com.sophos.endpoint.uiserver</string>
    						<key>CriticalAlertEnabled</key>
    						<true/>
    						<key>NotificationsEnabled</key>
    						<true/>
    						<key>ShowInNotificationCenter</key>
    						<true/>
    						<key>SoundsEnabled</key>
    						<true/>
    					</dict>
    					<dict>
    						<key>BundleIdentifier</key>
    						<string>com.sophos.enc.sophos-encryption-agent</string>
    						<key>CriticalAlertEnabled</key>
    						<true/>
    						<key>NotificationsEnabled</key>
    						<true/>
    						<key>ShowInNotificationCenter</key>
    						<true/>
    						<key>SoundsEnabled</key>
    						<true/>
    					</dict>
    				</array>
    			</dict>
    			<dict>
    				<key>PayloadDescription</key>
    				<string>Payload for Background Item Management</string>
    				<key>PayloadDisplayName</key>
    				<string>Background Item Management</string>
    				<key>PayloadIdentifier</key>
    				<string>8F2A7557-3C4F-42D7-B822-2A5B6A549D12</string>
    				<key>PayloadUUID</key>
    				<string>8F2A7557-3C4F-42D7-B822-2A5B6A549D12</string>
    				<key>PayloadType</key>
    				<string>com.apple.servicemanagement</string>
    				<key>PayloadOrganization</key>
    				<string>Sophos</string>
    				<key>Rules</key>
    				<array>
    					<dict>
    						<key>RuleType</key>
    						<string>TeamIdentifier</string>
    						<key>RuleValue</key>
    						<string>2H5GFH3774</string>
    						<key>Comment</key>
    						<string>Sophos Developer Team ID</string>
    					</dict>
    				</array>
    			</dict>
    			<dict>
    				<key>IPv4</key>
    				<dict>
    					<key>OverridePrimary</key>
    					<integer>0</integer>
    				</dict>
    				<key>PayloadDescription</key>
    				<string>Configures ZTNA settings</string>
    				<key>PayloadDisplayName</key>
    				<string>Sophos ZTNA</string>
    				<key>PayloadIdentifier</key>
    				<string>com.apple.vpn.managed.34401EA9-F766-4871-B89A-B84EAA777C5A</string>
    				<key>PayloadType</key>
    				<string>com.apple.vpn.managed</string>
    				<key>PayloadOrganization</key>
    				<string>Sophos</string>
    				<key>PayloadUUID</key>
    				<string>34401EA9-F766-4871-B89A-B84EAA777C5A</string>
    				<key>PayloadVersion</key>
    				<integer>1</integer>
    				<key>PayloadEnabled</key>
    				<true/>
    				<key>Proxies</key>
    				<dict>
    					<key>HTTPEnable</key>
    					<integer>0</integer>
    					<key>HTTPSEnable</key>
    					<integer>0</integer>
    				</dict>
    				<key>UserDefinedName</key>
    				<string>Sophos ZTNA</string>
    				<key>VPN</key>
    				<dict>
    					<key>AuthName</key>
    					<string>ZTNA</string>
    					<key>AuthenticationMethod</key>
    					<string>Password</string>
    					<key>IncludeAllNetworks</key>
    					<integer>0</integer>
    					<key>ProviderBundleIdentifier</key>
    					<string>com.sophos.endpoint.networkextension</string>
    					<key>ProviderDesignatedRequirement</key>
    					<string>identifier "com.sophos.endpoint.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"</string>
    					<key>RemoteAddress</key>
    					<string>www.sophos.com</string>
    					<key>OnDemandUserOverrideDisabled</key>
    					<integer>1</integer>
    					<key>ProviderType</key>
    					<string>packet-tunnel</string>
    				</dict>
    				<key>VPNSubType</key>
    				<string>com.sophos.endpoint.network</string>
    				<key>VPNType</key>
    				<string>VPN</string>
    				<key>VendorConfig</key>
    				<dict>
    					<key>fromMDM</key>
    					<string>1</string>
    				</dict>
    				<key>OnDemandUserOverrideDisabled</key>
    				<integer>1</integer>
    			</dict>
    		</array>
    	</dict>
    </plist>

  • Hi Jay, I have been successful using Intune. I tried posting my code, but the forum ate the post as "Spam".

    However, I'll suggest this.

    If you extract your Sophos install ZIP, you'll find some mobileconfig files for different MacOS versions; deploying these through your MDM solution should set the access permissions needed.

    I have our MDM check if the Sophos folder exists in /Applications; if not, it downloads the install from our tenant (I just grabbed the install URL) and installs it, and if the MDM applied the mobileconfig, extensions, notifications and file access should be set to acceptable settings.
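Before pushing a profile like the one posted above (or the mobileconfig files shipped in the install ZIP, as the second reply suggests) through an MDM, it is worth linting it: a PPPC entry whose Identifier does not match the identifier in its CodeRequirement, a requirement not pinned to the Sophos Team ID, or a stray tab inside a bracket will silently fail to grant the permission. The following checker is an added example, not code from the thread or from Sophos; the Team ID and payload types are those used in the posted profile, while the sample profile at the bottom, its placeholder Team ID and its deliberate defects are constructed.

```python
import plistlib
import re

# Team ID as in the thread's profile; sample bundle IDs and the placeholder team below are assumptions.
SOPHOS_TEAM_ID = "2H5GFH3774"
PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
SYSEXT_TYPE = "com.apple.system-extension-policy"
_IDENT_RE = re.compile(r'identifier\s+"?([^"\s]+)"?')   # identifier "x" or identifier x
_TEAM_RE = re.compile(r'subject\.OU\]\s*=\s*"([^"]+)"')  # certificate leaf[subject.OU] = "TEAM"

def check_pppc_entry(service: str, entry: dict, team_id: str) -> list:
    """Findings for one dict of a PPPC Services array; an empty list means clean."""
    ident, req, out = entry.get("Identifier", ""), entry.get("CodeRequirement", ""), []
    if entry.get("Allowed") != 1:
        out.append(f"{service}: {ident} is listed but not Allowed")
    if re.search(r"\[\s", req):  # a stray tab or space after '[' malforms the requirement
        out.append(f"{service}: {ident} has whitespace inside a bracket of its CodeRequirement")
    team = _TEAM_RE.search(req)
    if team is None or team.group(1) != team_id:
        out.append(f"{service}: {ident} requirement is not pinned to Team ID {team_id}")
    named = _IDENT_RE.search(req)
    if entry.get("IdentifierType") == "bundleID" and (named is None or named.group(1) != ident):
        out.append(f"{service}: Identifier {ident} != requirement identifier {named and named.group(1)}")
    return out

def lint_profile(mobileconfig: bytes, team_id: str = SOPHOS_TEAM_ID) -> list:
    """Walk every PPPC and system-extension payload in a .mobileconfig (XML plist)."""
    findings = []
    for payload in plistlib.loads(mobileconfig).get("PayloadContent", []):
        if payload.get("PayloadType") == PPPC_TYPE:
            for service, entries in payload.get("Services", {}).items():
                for entry in entries:
                    findings += check_pppc_entry(service, entry, team_id)
        elif payload.get("PayloadType") == SYSEXT_TYPE:
            for team in payload.get("AllowedSystemExtensions", {}):
                if team != team_id:  # only the vendor's own Team ID should be allowed here
                    findings.append(f"system extensions allowed for unexpected Team ID {team}")
    return findings

def requirement(ident: str, team: str = SOPHOS_TEAM_ID, leaf: str = "leaf[") -> str:
    """Designated requirement in the same shape the thread's profile uses."""
    return (f'identifier "{ident}" and anchor apple generic and certificate '
            f'1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate {leaf}'
            f'field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "{team}"')

def pppc_entry(ident: str, req: str) -> dict:
    return {"Identifier": ident, "CodeRequirement": req, "IdentifierType": "bundleID",
            "StaticCode": 0, "Allowed": 1}

# Constructed sample: a clean entry, an Identifier whose case differs from its
# requirement, a tab after '[', and a system-extension payload allowing a placeholder team.
SAMPLE_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": PPPC_TYPE, "Services": {"SystemPolicyAllFiles": [
        pppc_entry("com.sophos.autoupdate", requirement("com.sophos.autoupdate")),
        pppc_entry("com.sophos.SophosAntivirus", requirement("com.sophos.SophosAntiVirus")),
        pppc_entry("com.sophos.liveresponse", requirement("com.sophos.liveresponse", leaf="leaf[\t")),
    ]}},
    {"PayloadType": SYSEXT_TYPE, "AllowedSystemExtensions": {
        SOPHOS_TEAM_ID: ["com.sophos.endpoint.scanextension"], "TEAMIDPLACEHOLDER": ["com.example.ext"]}},
]})
```

Run `lint_profile(open("profile.mobileconfig", "rb").read())` against a real file; on the constructed sample it reports three findings.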