MAC 14.2 Install script Automation Issue

Hi James,

Thanks for reaching out to the Sophos Community Forum. 

May I ask if you're using the "Install Sophos Script.txt" from the download package? 

If you're having issues executing the script using MDM specifically, I suggest checking if other scripts deployed through Manage Engine work as desired.

I am using a modified version of the script:

#!/bin/bash
cd /Users/Shared

# Installing Sophos
curl -L -O "link"
unzip SophosInstall.zip
chmod a+x Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer
chmod a+x Sophos\ Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper
Sophos\ Installer.app/Contents/MacOS/Sophos\ Installer --quiet 
exit 0

Any other script we push through the MDM works great, just this one stops the install partway through for some reason.

Thank You for the logs James. I'll update you soon. 

Hi James, 

From the SDU logs , I have identified some permission issues, where the SDU was unable to copy the system.log 

Failure: Unable to copy source at system.log -> Error Domain=NSCocoaErrorDomain Code=513 "“system.log” couldn’t be copied because you don’t have permission to access “system”." UserInfo={NSSourceFilePathErrorKey=/var/log/system.log, NSUserStringVariant=(
    Copy
), NSDestinationFilePath=/var/folders/hw/ddgm2w8n4534xyfl6jz0zflr0000gp/T/DT6794_20240119_083811_SDU/system/system.log, NSFilePath=/var/log/system.log, NSUnderlyingError=0x600002d3f3c0 {Error Domain=NSPOSIXErrorDomain Code=13 "Permission denied"}}

1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	TZ824L8Y37	com.manageengine.protectord (1/1)	Protectord	[activated enabled]

There are a couple of key points to consider:

1. Permission Issues with System.log: The inability to copy system.log due to permission errors indicates that the script or the process running the script might not have sufficient privileges. This could be a part of the problem, especially if the Sophos installation requires access to system logs or similar resources.

2. System Extension Conflict: The presence of the ManageEngine Protectord as a system extension registered for endpoint security might be conflicting with the Sophos installation. Endpoint security solutions often operate at a low level within the system and can interfere with each other, especially if they try to access or modify similar system resources.

After some researching we found that the manageengine.protectord system extension is another form of Endpoint security:
https://www.manageengine.com/products/desktop-central/endpoint-security-features.html

As a test, please remove this software/extension, perform a reboot and attempt to push the script again. 

Please let me know the results of this test.

Thank You.

Hi James, Just to add.

Although we have this manage engine extension  present in the machine, I wouldn't suspect it completely. The test we are doing is "just in case". I could see a lot of internal tickets raised for the same where installation  is failing if the manage engine extension is found to be present.

Moreover, If we are suspecting this extension is the cause, I am wondering if the installation  will succeed even if the script is run directly on the machine.

With that being said, I have few questions, but i'll ask after the test results cuz that would make more sense. 

Thank you for your time and patience.

Appreciate it. 

I have not been able to test yet without the extension but I can tell you that if I run the script directly on the machine it runs just fine and installs without any issues.  It is just failing when I am pushing the script from ManageEngine

How about we try the MDM profiles James ?

https://support.sophos.com/support/s/article/KB-000045806?language=en_US

If you haven't read the article , I suggest you take a look at it and follow the instructions under "MMD Correction" and then we push the script ? 

I strongly believe this would work. It all makes sense cuz the script is going to the endpoint through MDM and it fails where as if the script is run directly its working. In that case configuring MDM profiles may be a good choice for us.

Please do update me on how it goes. 

Really curious to find. Thanks again for you time James.

Followed your link above and we setup the two PPPC setups and restarted the MAC and tried the script again and its the same  result.

Hi James,

I'm sorry to hear that the previous steps didn't resolve the issue. Let's try a few more steps to see if we can get this sorted out.

First Approach:

1. Removing Sophos Files and Folders: Please follow the instructions below to remove Sophos files and folders, then reboot your Mac.

   Open Terminal and execute these commands:

   bashCopy code

   sudo rm -R /Library/Sophos\ Anti-Virus/ sudo rm -R /Library/Application\ Support/Sophos/ sudo rm -R /Library/Preferences/com.sophos.* sudo rm /Library/LaunchDaemons/com.sophos.* sudo rm /Library/LaunchAgents/com.sophos.* sudo rm -R /Library/Extensions/Sophos* sudo rm -R /Library/Caches/com.sophos.*

2. Add Full Disk Access via MDM: Once the Mac reboots, please ensure Full Disk Access is granted via MDM.

3. Push the Script: After the reboot and granting access, try pushing the script again.

If the Issue Persists:

1. Remove Sophos Files and Folders: Start by removing the Sophos files and folders as mentioned above and then reboot your Mac.

2. Remove the com.manageengine.protectord System Extension: This can be done through the Terminal or System Preferences. 

3. Add Full Disk Access via MDM: After removing the extension and rebooting, ensure Full Disk Access is granted via MDM.

4. Push the Script: Finally, attempt to push the script again.

I have spent a few days working on trying to disable or rename or remove protectord from the system and it is baked in as part of ManageEngine you are not able to remove it without removing ManageEngine all together which defeats the purpose of pushing the script out of ManageEngine.  We need it to work in there.  If that is the issue we need to find a work around.

Any ides on how else we can try to get this working for us?  Worried that the upcoming updated version in Feb will not fix our issue and we have a few macs this needs to get pushed to.

Hi James, 

Sorry about the delay. Unfortunately, I do not have a test setup to take this further. I'll try my best to find one and will update this thread soon. 

Hi James, 

Sorry about the delay. Unfortunately, I do not have a test setup to take this further. I'll try my best to find one and will update this thread soon.