MacOS Scripted Deployment - Security Permissions

Question

Hi Sophos Community, 
 I'm looking for some guidance. We have a requirement to deploy Sophos Endpoint to a number of MacOS devices. This guide has proved useful https://support.sophos.com/support/s/article/KB-000035045?language=en_US 
 However we find this incomplete as the Mac user then must perform additional steps, namely doc.sophos.com/.../index.html to enable Sophos protection. This has proved difficult to manage - does anyone have experience on how the security permissions element be automated / scripted? 
 We have an RMM tool which we can run remote commands using. The result should be that when deploying MDR. the changes to security permissions as part of installation. Can anyone help?

Jon Vassar · Answer

I've been fairly successful using Intune and a shell script. In the Sophos ZIP is also some mobileconfig files you can deploy to auto set the permissions, but I'll include it here as well if this will allow me Install, downloading from tenant URL #!/bin/bash mkdir /tmp/Intune if [ -d /Applications/Sophos/ ]; then echo "Already Installed" touch /tmp/Intune/Sophos_AlreadyInstalled.tmp exit 0 else SOPHOS_DIR="/tmp/Sophos_Install" mkdir $SOPHOS_DIR cd $SOPHOS_DIR # Installing Sophos curl -L -O "###URLFROMADMINTENANT###/SophosInstall.zip" echo "Sophos Install Downloaded" unzip SophosInstall.zip chmod a+x $SOPHOS_DIR/Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer chmod a+x $SOPHOS_DIR/Sophos\ Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper sudo $SOPHOS_DIR/Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer --quiet echo "Sophos Installed" rm -rf $SOPHOS_DIR touch /tmp/Intune/Sophos_Installed.tmp exit 0 fi MobileConfig for Ventura PayloadUUID C815EF0E-6CA6-42EE-B402-6B9D94B051D8 PayloadType Configuration PayloadOrganization Sophos PayloadIdentifier C815EF0E-6CA6-42EE-B402-6B9D94B051D8 PayloadDisplayName Sophos Endpoint Ventura v1.2 PayloadDescription Allow full disk access, system extensions, transparent proxy, background item management, VPN and notifications for Sophos Endpoint. PayloadVersion 1 PayloadEnabled PayloadRemovalDisallowed PayloadScope System PayloadContent PayloadUUID C4431E6D-5005-48D4-BB30-37EB4DA49A57 PayloadType com.apple.TCC.configuration-profile-policy PayloadOrganization Sophos PayloadIdentifier C4431E6D-5005-48D4-BB30-37EB4DA49A57 PayloadDisplayName Privacy Preferences Policy Control PayloadDescription PayloadVersion 1 PayloadEnabled Services SystemPolicyAllFiles Identifier com.sophos.endpoint.scanextension CodeRequirement identifier "com.sophos.endpoint.scanextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.liveresponse CodeRequirement identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier /Library/Sophos Managed Detection and Response/SophosMDR CodeRequirement identifier SophosMDR and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.autoupdate CodeRequirement identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.macendpoint.CleanD CodeRequirement identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.SophosScanAgent CodeRequirement identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.macendpoint.SophosServiceManager CodeRequirement identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.endpoint.uiserver CodeRequirement identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.SDU4OSX CodeRequirement identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.endpoint.SophosAgent CodeRequirement identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.sophos.SophosAntivirus CodeRequirement identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 Identifier com.Sophos.macendpoint.SophosSXLD CodeRequirement identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" IdentifierType bundleID StaticCode 0 Allowed 1 PayloadUUID 7FB910FB-9396-4E26-9F6A-AF35B8371DE8 PayloadType com.apple.system-extension-policy PayloadOrganization Sophos PayloadIdentifier 7FB910FB-9396-4E26-9F6A-AF35B8371DE8 PayloadDisplayName System Extensions PayloadDescription PayloadVersion 1 PayloadEnabled AllowUserOverrides AllowedSystemExtensions 2H5GFH3774 com.sophos.endpoint.networkextension com.sophos.endpoint.scanextension FilterPacketProviderBundleIdentifier com.sophos.endpoint.networkextension FilterPacketProviderDesignatedRequirement identifier "com.sophos.endpoint.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" FilterPackets FilterSockets FilterType Plugin PayloadDisplayName Web Content Filter Payload PayloadIdentifier E9072A8F-F979-4629-9F08-1105461968AF PayloadOrganization Sophos PayloadType com.apple.webcontent-filter PayloadUUID E9072A8F-F979-4629-9F08-1105461968AF PayloadVersion 1 PluginBundleID com.sophos.endpoint.network UserDefinedName SophosWebNetworkExtension PayloadDisplayName Notifications Payload PayloadIdentifier 410DF445-7669-451D-A527-6AAC985B9A9A PayloadOrganization Sophos PayloadType com.apple.notificationsettings PayloadUUID 410DF445-7669-451D-A527-6AAC985B9A9A PayloadVersion 1 NotificationSettings AlertType 2 BundleIdentifier com.sophos.endpoint.uiserver CriticalAlertEnabled NotificationsEnabled ShowInNotificationCenter SoundsEnabled BundleIdentifier com.sophos.enc.sophos-encryption-agent CriticalAlertEnabled NotificationsEnabled ShowInNotificationCenter SoundsEnabled PayloadDescription Payload for Background Item Management PayloadDisplayName Background Item Management PayloadIdentifier 8F2A7557-3C4F-42D7-B822-2A5B6A549D12 PayloadUUID 8F2A7557-3C4F-42D7-B822-2A5B6A549D12 PayloadType com.apple.servicemanagement PayloadOrganization Sophos Rules RuleType TeamIdentifier RuleValue 2H5GFH3774 Comment Sophos Developer Team ID IPv4 OverridePrimary 0 PayloadDescription Configures ZTNA settings PayloadDisplayName Sophos ZTNA PayloadIdentifier com.apple.vpn.managed.34401EA9-F766-4871-B89A-B84EAA777C5A PayloadType com.apple.vpn.managed PayloadOrganization Sophos PayloadUUID 34401EA9-F766-4871-B89A-B84EAA777C5A PayloadVersion 1 PayloadEnabled Proxies HTTPEnable 0 HTTPSEnable 0 UserDefinedName Sophos ZTNA VPN AuthName ZTNA AuthenticationMethod Password IncludeAllNetworks 0 ProviderBundleIdentifier com.sophos.endpoint.networkextension ProviderDesignatedRequirement identifier "com.sophos.endpoint.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[ field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774" RemoteAddress www.sophos.com OnDemandUserOverrideDisabled 1 ProviderType packet-tunnel VPNSubType com.sophos.endpoint.network VPNType VPN VendorConfig fromMDM 1 OnDemandUserOverrideDisabled 1

MacOS Scripted Deployment - Security Permissions

Top Replies