This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is there a way for me to create a pre-configured installer for Mac from a Windows based Sophos Enterprise Console?

Hello - 

We currently have a Windows based Sophos Enterprise Console and we are updating and maintaining mac clients via our policy so the files are located in <servername>\SophosUpdate\CIDs\S000\ESCOSX

Is there a way to create a pre-configured Mac installation package that can be installed on the machine locally? 

Additionally, is there a way to utilize pre-configuration so the clients get placed in the proper group for management? 

Thanks!



This thread was automatically locked due to age.
Parents
  • Hello Jayson Saumer,

    a pre-configured Mac installation package [...] proper group
    what should be pre-configured (apart from the proper group)? "Internal" managed endpoints in the proper group will receive the policies shortly after install. Please see How to automatically assign a Mac endpoint to a defined group. As to a package - we simply zip the ESCOSX CID, users download the archive and run the Installer.app.

    Christian

  • We were hoping for the pre-configuration of the package to include as much as the windows packages for when our techs go on-site to our clients to minimize time and effort.

    I do like the solution for the adding the end point to the defined group file edit. We will probably try and utilize this in our deployment with our client.
  • Hello Jayson,

    maybe (one of) your techs can "borrow" a Mac for a few minutes to run one or both Create...Preconfig programs. Note that it's not necessary to run them from the mounted CID (as you can see from the Standalone instructions). Once the two plists (onaccessconfig.plist and updateconfig.plist) are created they can be ported to their place in the CID (...\ESCOSX\Sophos Installer Components\). As these are plists you can easily change the values (except for the ...UserName and ...Password keys) in them if necessary.

    Christian

  • Good news, I have my hands on a Mac. Bad news, I am struggling to get the config right so that it updates properly and also adds into the enterprise console. I'll continue testing it out, but I figured I would see if you have any sage advise.

    What is your recommended full update path of Mac?

    The only configuration I got to "work" was setting it to av.mycompany.net/.../

    With this setting, it looks like it went through and updated files and then said "Couldn't find http://av.mycompany.net" and it was an invalid URL. I set it up exactly like our windows configurations, and it just isn't working properly.

    Prior to this, I was trying "http://av.mycompany.net" and "av.mycompany.net/sophosupdate" both saying it was an invalid URL, even though I could successfully reach those in a browser session.
  • Hello Jayson,

    the path ending in ESCOSX is the correct one (you want only HTTP not SMB?). 
    From your description I think that SAV for Linux / Unix / OS X : IIS WebCID update troubleshooting could help. Please note that invalid URL in this context means no CID there - i.e AutoUpdate can't find the expected files (which is expected - forgive the pun - if you don't point to the root, otherwise it might be one of the reasons mentioned in the article).

    Christian

  • Thanks for the information. We are now updating successfully!!

    One problem still I need to figure out, it still isn't showing up in the enterprise console.

    in the grouplist.plist, I have tried the path with quotes and without quotes, because our structure has spaces in it.

    sophosmgr\MSP Top Level\mac is the path I am attempting to put the computer in.

    Does this feature break with spaces?
    Also, is there a way to configure it to "phone home" with the IP instead of the name? I am seeing DNS issues.

    I have logs from the mac as well, I am unsure if they are related. These are the only errors coming up after it is successfully updating.

    SophosMessageRouter

    23.02.2016 09:26:19 2000 I SOF: /Library/Logs/SophosMessageRouter/Router-20160223-152619.log
    23.02.2016 09:26:19 2000 I Sophos Messaging Router 3.0.14.1748 starting...
    23.02.2016 09:26:19 2000 I Setting ACE_FD_SETSIZE to 138
    23.02.2016 09:26:19 2000 I Initializing CORBA...
    23.02.2016 09:26:20 2000 I Setting connection cache limit to 10
    23.02.2016 09:26:20 2000 I Creating ORB runner with 4 threads
    23.02.2016 09:26:20 2000 I Getting parent router IOR from sophosmgr.mycompany.int:8192
    23.02.2016 09:26:20 2000 E ACE_INET_Addr::ACE_INET_Addr: sophosmgr.mycompany.int: Undefined error: 0
    23.02.2016 09:26:20 2000 I This computer is part of the workgroup WORKGROUP
    23.02.2016 09:26:20 2000 I Getting parent router IOR from sophosmgr:8192
    23.02.2016 09:26:20 2000 E ACE_INET_Addr::ACE_INET_Addr: sophosmgr: Undefined error: 0
    23.02.2016 09:26:20 2000 I This computer is part of the workgroup WORKGROUP
    23.02.2016 09:26:20 2000 E Failed to get parent router IOR
    23.02.2016 09:26:20 2000 E Failed to get certificate, retrying in 600 seconds

    Agent log
    23.02.2016 09:31:29 3000 E Failed to read in the router's IOR from the supplied address and port.
    23.02.2016 09:31:29 3000 E NoRouterIORException: Caught MessagingSystemClientLib::NoRouterIORException (failed to get router's IOR from supplied address and port) ClientConnection::Reconnect()

    ReportData.xml


    <?xml version='1.0' encoding='UTF-8' ?>
    <?xml-stylesheet type='text/xsl' href='transform.xslt' ?>
    <RMS_status_report>
    <string msg='explanation' />
    <sections>
    <section name='DNS'>
    <alert><problem>
    <string msg='DNS_error' />
    </problem>
    <summary>
    <string msg='failed_to_resolve_computer_name' />
    </summary>
    <cause>
    <string msg='DNS_misconfigure_or_unavailable' />
    </cause>
    <action>
    <string msg='correct_DNS_or_use_static_IP' />
    </action>
    <more_info>
    DNS_KB_number
    </more_info>
    </alert>
    </section>

    <!-- And another -->
    <section name='Certification'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    <section name='Incoming'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    <section name='Outgoing'>
    <string msg='OK' />
    </section>

    <!-- And another -->
    </sections>
    <computer_data>
    <language>
    C
    </language>
    <local_time>
    Tue Feb 23 09:26:20 2016
    </local_time>
    <GMT>
    Tue Feb 23 15:26:20 2016
    </GMT>
    <computer_name>
    COMPANY-MAC
    </computer_name>
    <workgroup>
    WORKGROUP
    </workgroup>
    <router_name>
    <string msg='not_available' />
    </router_name>
    <IOR_port>8192</IOR_port>
    <SSLIOP_port><string msg='not_available' /></SSLIOP_port>
    <parent_addresses>
    sophosmgr.mycompany.int,sophosmgr
    </parent_addresses>
    <actual_parent>
    <string msg='not_available' />
    </actual_parent>
    <router_type>
    endpoint
    </router_type>
    </computer_data>
    </RMS_status_report>
  • Hello Jayson,

    apparently your mrinit.conf contains only the server name(s) - does it get its IP via DHCP? If the IP is in fact static (i.e. reserved) you can amend mrinit.conf - actually for Macs it's mrinit.custom (while the article talks about message relays it's generally applicable). Once the Macs can connect to the server's 8192 they should report to the console (as to the path I'd try without the quotes first). BTW - did you configure the updates with the IP (or are the CIDs published by another server) as name resolutions should be the same for updates and management (RMS)?

    Christian 

  • Funny thing, I was just about to look at that file before you replied :)

    I noticed the wrong server address in that file, I changed it, and it now works properly.

    The updates are working, and it is now being picked up in the EC. However, at first it was going to the Unassigned group.

    I realized I was updating the grouplist.plist in TextEditor *DUH* so I just fired up a terminal and edited it properly in nano, and it is now going to the correct location.

    Everything is now good! Thank you for your help!!
Reply
  • Funny thing, I was just about to look at that file before you replied :)

    I noticed the wrong server address in that file, I changed it, and it now works properly.

    The updates are working, and it is now being picked up in the EC. However, at first it was going to the Unassigned group.

    I realized I was updating the grouplist.plist in TextEditor *DUH* so I just fired up a terminal and edited it properly in nano, and it is now going to the correct location.

    Everything is now good! Thank you for your help!!
Children
No Data