Mac 14.2 Install script Automation Issue

We are using an MDM to automate the installation of Sophos Endpoint on Mac 14.2. We try to use the installation script provided, but it always fails to fully install. The software appears on the Mac but is unable to start. When I look at the install log output it just says "Installation Failed with: Installation failed (1) ...." The script works great when running directly on the Mac; the issue is when we are trying to push it from our MDM. Anyone find a solution to this or have any ideas on how to get this to work from an MDM (we are using ManageEngine currently)?

Added Tags
[edited by: GlennSen at 6:10 AM (GMT -8) on 30 Jan 2024]
  • Hi James,

    Thanks for reaching out to the Sophos Community Forum. 

    May I ask if you're using the "Install Sophos Script.txt" from the download package? 

    If you're having issues executing the script using MDM specifically, I suggest checking if other scripts deployed through Manage Engine work as desired.

    Kushal Lakhan
    Team Lead, Global Community Support
  • I am using a modified version of the script:

    cd /Users/Shared

    # Installing Sophos
    curl -L -O "link"
    chmod a+x Sophos\\ Installer
    chmod a+x Sophos\
    Sophos\\ Installer --quiet 
    exit 0

    Any other script we push through the MDM works great, just this one stops the install partway through for some reason.
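
Added example, not from any poster in this thread: the script above ends in `exit 0`, so its own exit status is 0 whatever the installer returns, and nothing records the context it ran in when pushed by the MDM. The sketch below logs that context and returns the installer's real exit status; the log path, the function names and the installer path passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run an install step pushed by an MDM,
# record the context it ran in, and hand the real exit status back to the MDM.
# INSTALL_LOG and the function names are assumptions made for this example.
INSTALL_LOG="${INSTALL_LOG:-/var/tmp/mdm_install_context.log}"

log_context() {
    # Who runs the script, from where, and with which PATH. An MDM agent
    # usually differs from an interactive Terminal session in these values.
    [ -t 0 ] && has_tty=yes || has_tty=no
    {
        echo "== $(date -u '+%Y-%m-%dT%H:%M:%SZ') install context =="
        echo "euid=$(id -u) user=$(id -un)"
        echo "cwd=$(pwd)"
        echo "PATH=$PATH"
        echo "tty=$has_tty"
    } >> "$INSTALL_LOG"
}

run_step() {
    # Run one command, append its output and exit status to the log, and
    # return that status instead of hiding it.
    rc=0
    echo "+ $*" >> "$INSTALL_LOG"
    "$@" >> "$INSTALL_LOG" 2>&1 || rc=$?
    echo "rc=$rc" >> "$INSTALL_LOG"
    return "$rc"
}

install_main() {
    log_context
    if [ "$(id -u)" -ne 0 ]; then
        echo "warning: not running as root" >> "$INSTALL_LOG"
    fi
    # macOS only: record the system extension list for later comparison.
    if command -v systemextensionsctl >/dev/null 2>&1; then
        run_step systemextensionsctl list || true
    fi
    # The installer command line comes from the caller (placeholder path).
    run_step "$@"
}

# Usage: sh wrapper.sh "<path to installer binary>" --quiet
if [ "$#" -gt 0 ]; then
    install_main "$@"
    exit $?
fi
```

Running it once from Terminal and once through the MDM gives two log sections that can be compared line by line.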

  • Thank You for the logs James. I'll update you soon. 

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • Hi James, 

    From the SDU logs, I have identified some permission issues, where the SDU was unable to copy the system.log:

    Failure: Unable to copy source at system.log -> Error Domain=NSCocoaErrorDomain Code=513 "“system.log” couldn’t be copied because you don’t have permission to access “system”." UserInfo={NSSourceFilePathErrorKey=/var/log/system.log, NSUserStringVariant=(
    ), NSDestinationFilePath=/var/folders/hw/ddgm2w8n4534xyfl6jz0zflr0000gp/T/DT6794_20240119_083811_SDU/system/system.log, NSFilePath=/var/log/system.log, NSUnderlyingError=0x600002d3f3c0 {Error Domain=NSPOSIXErrorDomain Code=13 "Permission denied"}}

    Then we have a system extension that is registered as endpoint security as seen below

    1 extension(s)
    enabled	active	teamID	bundleID (version)	name	[state]
    *	*	TZ824L8Y37	com.manageengine.protectord (1/1)	Protectord	[activated enabled]

    There are a couple of key points to consider:

    1. Permission Issues with System.log: The inability to copy system.log due to permission errors indicates that the script or the process running the script might not have sufficient privileges. This could be a part of the problem, especially if the Sophos installation requires access to system logs or similar resources.

    2. System Extension Conflict: The presence of the ManageEngine Protectord as a system extension registered for endpoint security might be conflicting with the Sophos installation. Endpoint security solutions often operate at a low level within the system and can interfere with each other, especially if they try to access or modify similar system resources.

    After some researching we found that the manageengine.protectord system extension is another form of Endpoint security:

    As a test, please remove this software/extension, perform a reboot and attempt to push the script again. 

    Please let me know the results of this test.

    Thank You.

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • Hi James, Just to add.

    Although we have this ManageEngine extension present in the machine, I wouldn't suspect it completely. The test we are doing is "just in case". I could see a lot of internal tickets raised for the same where installation is failing if the ManageEngine extension is found to be present.

    Moreover, if we are suspecting this extension is the cause, I am wondering if the installation will succeed even if the script is run directly on the machine.

    With that being said, I have a few questions, but I'll ask after the test results cuz that would make more sense.

    Thank you for your time and patience.

    Appreciate it. 

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • I have not been able to test yet without the extension, but I can tell you that if I run the script directly on the machine it runs just fine and installs without any issues. It is just failing when I am pushing the script from ManageEngine.

  • How about we try the MDM profiles, James?

    If you haven't read the article, I suggest you take a look at it and follow the instructions under "MMD Correction" and then we push the script?

    I strongly believe this would work. It all makes sense cuz the script is going to the endpoint through MDM and it fails, whereas if the script is run directly it's working. In that case configuring MDM profiles may be a good choice for us.

    Please do update me on how it goes.

    Really curious to find. Thanks again for your time, James.

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • Followed your link above and we set up the two PPPC setups and restarted the Mac and tried the script again and it's the same result.

  • Hi James,

    I'm sorry to hear that the previous steps didn't resolve the issue. Let's try a few more steps to see if we can get this sorted out.

    First Approach:

    1. Removing Sophos Files and Folders: Please follow the instructions below to remove Sophos files and folders, then reboot your Mac.

      Open Terminal and execute these commands:

      sudo rm -R /Library/Sophos\ Anti-Virus/
      sudo rm -R /Library/Application\ Support/Sophos/
      sudo rm -R /Library/Preferences/com.sophos.*
      sudo rm /Library/LaunchDaemons/com.sophos.*
      sudo rm /Library/LaunchAgents/com.sophos.*
      sudo rm -R /Library/Extensions/Sophos*
      sudo rm -R /Library/Caches/com.sophos.*

    2. Add Full Disk Access via MDM: Once the Mac reboots, please ensure Full Disk Access is granted via MDM.

    3. Push the Script: After the reboot and granting access, try pushing the script again.

    If the Issue Persists:

    1. Remove Sophos Files and Folders: Start by removing the Sophos files and folders as mentioned above and then reboot your Mac.

    2. Remove the com.manageengine.protectord System Extension: This can be done through the Terminal or System Preferences. 

    3. Add Full Disk Access via MDM: After removing the extension and rebooting, ensure Full Disk Access is granted via MDM.

    4. Push the Script: Finally, attempt to push the script again.

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • I have spent a few days working on trying to disable, rename or remove protectord from the system, and it is baked in as part of ManageEngine. You are not able to remove it without removing ManageEngine altogether, which defeats the purpose of pushing the script out of ManageEngine. We need it to work in there. If that is the issue, we need to find a workaround.

  • Any ideas on how else we can try to get this working for us? Worried that the upcoming updated version in Feb will not fix our issue and we have a few Macs this needs to get pushed to.

  • Hi James, 

    Sorry about the delay. Unfortunately, I do not have a test setup to take this further. I'll try my best to find one and will update this thread soon. 

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer
