MacOS Agent Deployment via Intune - Allowing System Extensions

Hello,

I am looking for help with deploying Sophos Endpoint to MacOS via Intune. Specifically, I would like help configuring the configuration profile to set the permissions for:

Full Disk Access
system extensions
notifications

You have a good article for Jamf Pro available here Installing Endpoint Protection using Jamf Pro - Sophos Central Admin which details downloading the .mobileconfig files and uploading them to Jamf. I'm looking for something similar to this I can use with Intune.

This will prevent us having to manually allow the system extensions, disk access and notifications after the package is installed.

Thank you,

Jason

Added tags
[edited by: GlennSen at 7:46 AM (GMT -8) on 4 Nov 2024]

Top Replies

Qoosh 1 month ago in reply to Jason Bristow +1

Try doing the following on a macOS device. Download the installer Move the .mobileconfig file to a directory of your choice Open Terminal Enter the command " security cms -D -i name_of_config_file…

Parents

0 Qoosh 1 month ago

Hi Jason,

Thanks for reaching out to the Sophos Community Forum.

I was able to find the following Microsoft Documentation, which suggests using the same .mobileconfig file provided with the Sophos installer package.
See: Use custom settings for macOS devices in Microsoft Intune

Specifically, under "Custom configuration profile settings," it advises that a .mobileconfig file can be used.

Configuration profile file: Browse to the .xml or .mobileconfig file you created. The max file size is 1000000 bytes (just under 1 MB). The imported file is shown. You can also Remove a file after it's been added.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Jason Bristow 1 month ago in reply to Qoosh

Hi Qoosh Thanks for posting that article, that's exactly what I've been trying to do but the .mobileconfig doesn't import into Intune. I don't know if it's corrupt or just doesn't support Intune since it seems to import properly when I try it on a Jamf Pro environment.

I'm hoping that Sophos can create a new profile/XMF file that we can use for Intune and provide instructions. Is that doable?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Qoosh 1 month ago in reply to Jason Bristow
Try doing the following on a macOS device.

Download the installer

Move the .mobileconfig file to a directory of your choice

Open Terminal

Enter the command "security cms -D -i name_of_config_file.mobileconfig > NewMobileconfig.xml"

Without the chevron, this will just output the contents of the .mobileconfig to the terminal if you'd like to inspect/confirm the contents beforehand.

Let me know if you find success with the resulting XML file as I'm certain others will also find this helpful.
Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Jason Bristow 1 month ago in reply to Qoosh

The steps you provided are helpful and worked to convert the mobileconfig into an XML that Intune can read.

I would like to have Sophos update the documentation to provide steps specifically for Intune deployment, so the process is vetted and can be followed easily by others.

Is it possible for Sophos to do internal testing with Intune deployment and update the documentation?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Jason Bristow 1 month ago in reply to Qoosh

The steps you provided are helpful and worked to convert the mobileconfig into an XML that Intune can read.

I would like to have Sophos update the documentation to provide steps specifically for Intune deployment, so the process is vetted and can be followed easily by others.

Is it possible for Sophos to do internal testing with Intune deployment and update the documentation?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data