SEC 5.2.1 and Sophos for MAC OS X Preview (9.0.3)

---

Carob wrote:

---

---

Hopefully you'll still post something here when that time comes so the new process can be looked at as I at least am still waiting and I'm checking this thread for updates.

---

9.2 has been held back while we do this work. The KBAs will be updated when we publish 9.2.

---

bobcook wrote:

---

test12234 wrote:

I've seen it take anywhere from 10to15 minutes every time I bothered to time it.. and I have over 5000 assets. Anyway the lack of functionality in the manged isntaller is kind of a bummer..next you'll say that the mac & windows agent are going to be completely cloud based and everything else will /no longer be developed.

---

Due to changes coming from Apple in Mac OS X 10.9.5 and 10.10 we are forced to change the deployment workflow for all of our endpoints (managed and un-managed, Cloud and on-premise, and Home Edition). Because of these changes by Apple we will no longer use the MPKG format for the on-premise installer starting in 9.2, when it comes to the Preview line. The existing 9.1 deployment packages will remain unchanged for the Recommended line. See KBA 121327 for the full story.

We've done a tremendous amount of engineering to continue supporting the legacy MPKG format this long, but this change from Apple has finally forced us to change.

I mention it in this thread because that change will also make it possible for us to properly support a pre-configured installer app for update and on-access settings. The existing KBAs will be updated when 9.2 is published.

And just to be super super clear, we have no plans to retire the on-premise managed agents.

---

Hopefully you'll still post something here when that time comes so the new process can be looked at as I at least am still waiting and I'm checking this thread for updates.

---

test12234 wrote:

I've seen it take anywhere from 10to15 minutes every time I bothered to time it.. and I have over 5000 assets. Anyway the lack of functionality in the manged isntaller is kind of a bummer..next you'll say that the mac & windows agent are going to be completely cloud based and everything else will /no longer be developed.

---

Due to changes coming from Apple in Mac OS X 10.9.5 and 10.10 we are forced to change the deployment workflow for all of our endpoints (managed and un-managed, Cloud and on-premise, and Home Edition). Because of these changes by Apple we will no longer use the MPKG format for the on-premise installer starting in 9.2, when it comes to the Preview line. The existing 9.1 deployment packages will remain unchanged for the Recommended line. See KBA 121327 for the full story.

We've done a tremendous amount of engineering to continue supporting the legacy MPKG format this long, but this change from Apple has finally forced us to change.

I mention it in this thread because that change will also make it possible for us to properly support a pre-configured installer app for update and on-access settings. The existing KBAs will be updated when 9.2 is published.

And just to be super super clear, we have no plans to retire the on-premise managed agents.

I've seen it take anywhere from 10to15 minutes every time I bothered to time it.. and I have over 5000 assets. Anyway the lack of functionality in the manged isntaller is kind of a bummer..next you'll say that the mac & windows agent are going to be completely cloud based and everything else will /no longer be developed.

---

test12234 wrote:

Thanks for the reply. I'm already utilizing the group path option but its kind of ineffienct. Can take anywhere from 10-15mins to get a policy

---

Yes, depending on a number of factors including the "busy-ness" of the console it can take anywhere from a few seconds to a number of minutes. With relays, in geographically-separated organizations, it can take longer. The endpoint can't really do much about it, other than continue to poll the console periodically to ask for updates.

We have no plans at the moment to create pre-configuration features for managed endpoints (Cloud or SEC).

Thanks for the reply. I'm already utilizing the group path option but its kind of ineffienct. Can take anywhere from 10-15mins to get a policy

---

test12234 wrote:

Ok but does this version include the RMS part? (remote management) .. it would be great to be able to create a custom installer with remote management capabilities and be able to embed our own update servers!

---

Hi test12234,

The feature to pre-configure stand-alone installers only applies to the unmanaged endpoints. When you are using a managed endpoint (and thus will have RMS) the endpoint will connect to the Sophos Enterprise Console and receive its update settings that way.

You may be interested in the feature that allows your endpoints to be assigned to a group on install. See KBA 119791:

http://www.sophos.com/en-us/support/knowledgebase/119791.aspx

Once you've configured a copy of the MPKG with this setting, any installations will automatically receive policy according to the group assignment in the console.

Ok but does this version include the RMS part? (remote management) .. it would be great to be able to create a custom installer with remote management capabilities and be able to embed our own update servers!

---

bobcook wrote:

Hi Carob,

You will need version 9.2 of the stand-alone client installer software. The command line tool to pre-configure the On-Access Scanning is only available inside the installer starting with that version. The installer for version 9.1 only includes the tool required to pre-configure the Update settings, as described in KBA.

The feature to pre-configure the Update settings already allows you to configure the primary and secondary locations. It might already do what you want (you aren't required to It doesn't have the ability to specify the update frequency though. The default is an hour. I recall the default setting in SEC is more frequent, something five or ten minutes. Just curious to understand your requirement so if we make changes it will actually make things better for you.

Hope that helps.

---

Oh.  Now I understand.  I thought you meant that the SEC client was somehow used to create the installer.

Yes, I believe the SEC default update time is either 2 or 5 minutes.  Something crazy frequent.  When I'm configuring at stand-alone setup for someone here I tend to set the update to about 4 hrs or so.  People don't like Sophos checking very often because the systems take a pretty good hit should updates be available.  Our Managed clients are about half that though.

Whether the abilities of the 9.2 client to create the installer package will really work for our needs or not remains to be seen.  When the product is available, and I see that notice here, I will check it out and read the KBA you provide.  I guess then we will see.

Hi Carob,

You will need version 9.2 of the stand-alone client installer software. The command line tool to pre-configure the On-Access Scanning is only available inside the installer starting with that version. The installer for version 9.1 only includes the tool required to pre-configure the Update settings, as described in KBA.

The feature to pre-configure the Update settings already allows you to configure the primary and secondary locations. It might already do what you want (you aren't required to It doesn't have the ability to specify the update frequency though. The default is an hour. I recall the default setting in SEC is more frequent, something five or ten minutes. Just curious to understand your requirement so if we make changes it will actually make things better for you.

Hope that helps.