SEC 5.2.1 and Sophos for MAC OS X Preview (9.0.3)

Decided to give the Preview of Anti-Virus for Mac OS X, version 9.0.3 a try. Chose an old MacBook (running 10.4) as guinea pig. After assigning the alternate policy updating failed with a rather vacuous Error: Could not update Sophos-Anti-Virus at .... Update failed. No indication of the nature of the error and surprisingly no indication of the update location used.

Now, the error was not unexpected - 9.0.x requires MAC OS X 10.6 minimum but perhaps a more meaningful message could be issued. Anyway I checked the update location and found that it named ESCOSXL as source folder - obviously indicating the changed requirements (though I can't figure out what the L stands for :smileyhappy:).

Admittedly pre-10.6 versions should be rare by now (I've found two 10.5 installations still in use out of about 100). But the folder name change will affect unmanaged or occasionally off-site clients (yes, Cloud is the answer :smileywink:). I've found no reference though (I'd have expected this in the Release Notes). Even as it is Preview you should be required to discover this important information on your own.

Christian   

:43783


  • QC wrote:
    (though I can't figure out what the L stands for :smileyhappy:).

    I'm assuming Lion, since it's for 10.6 and above??  Or maybe the XL is for Extra Large :catwink:

    I suppose a suitable workaround for the issue of unmanaged and off-site clients who can't pick up the new policy is to leave the existing policy as is but create a new one for your 10.6+ clients?  Given we're in the unfortunate situation of having some 10.4 Macs around, we're going to have to keep the old policy valid as well.

    :43847
  • Hi guys,

    You might have noticed I deleted my previous post re: this issue, I deleted it so it wouldn't become confusing. We have decided it is less painful to stay the course e.g. the CID name will remain as "ESCOSXL" for version 9.

    The implications of this:

    (1) if you are using file-based CIDs with SEC, moving from v8 to v9 will work fine, your SEC console will send the right path to the endpoint during the policy change to use the v9 subscription

    (2) if you are updating from Sophos directly then you are also ok (our servers know what to give to your v8 or v9 endpoint)

    (3) if you have configured updating via your own servers (HTTP or otherwise), you may need to implement changes for v9 packages, depending on your customized configuration

    Post questions here if you got them, I'll answer them the best I can.

    :44309

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Hello Bob,

    [Edit name="Where are my manners?"]

    thanks for the update (or rather: replacement), Bob. It's probably less confusing with only the "effective" reply, nevertheless it is not as clear to me (which might be my fault though) as I'd wish.

    [/Edit]

    (1) [...] will send the right path

    (2) [...] our servers know what to give to your v8 or v9 endpoint

    At the moment I don't see how (1) can send the right path, it might work with (2) and SDDM as mechanism. Right path meaning that 10.5 clients will still get v8. SEC would have to download and deploy two product versions for one subscription (i.e. both v8 and v9 for Recommended) unless the product is split and 10.5- and 10.6+ are treated as different platforms.

    (1) if you are using file-based CIDs with SEC [...]  console will send the right path

    (3) [...] via your own servers (HTTP or otherwise), you may need to implement changes for v9 packages

    Maybe I'm dense - I don't quite get it, perhaps it's the via your own servers I'm failing to understand. As long as you are using managed policies SEC will append the partial path CIDs\counter\productfolder - and as it has to be there in the source you'll likely not publish/copy at the productfolder level.

    Christian

    :44325
  • Hi Christian,

    Today administrators wanting to deploy version 9 will set up a new subscription with a new policy, assign that new policy to a group, and move their endpoints into that group. SEC will then send a new policy to the endpoint to direct them to the CID containing the version 9 package. Similar things happen when administrators move existing policies to a version 9 subscription (when not moving endpoints around in groups).

    By "configured updating via your own servers" I mean to say that if administrators are using SEC to generate the CID but then copying or otherwise distributing the package to endpoints via a customized mechanism, there may be some changes needed, due to the change in the CID folder name to ESCOSXL. It's nearly impossible for me to predict what that might entail since I don't know how that sort of customization might have been set up.

    Does that help?

    :44385

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Hello Bob,

    thanks for the clarification. As said, IMO (3) doesn't really fit into a managed environment, can't say how significant it actually is.

    As you didn't address the 10.5- clients question I infer that one has to either stick with Version 8 (until April 2014 or the release of OS X 10.9 - whichever comes earlier) or set up the necessary subscriptions, policies and groups to allow for current and legacy clients, right?

    Christian

    :44409
  • Hi Christian,

    Stay tuned for further updates on the CID folder name issue. We are still looking at options.

    Re: the 10.5 endpoints, yes these will need to remain on version 8 until their natural end of life. We are stopping support for this version of Mac OS X next April (same time as discontinuing support for version 8 across all versions of Mac OS X).

    As you probably noticed, Apple released Mac OS X 10.9 yesterday. We are only supporting version 9.0.3 and higher for 10.9.

    The new operating system release from Apple also triggers a general review of our long term plans for Mac OS X 10.6. Out of curiosity, when do you expect to have only 10.7+ systems? Our research shows a large number of 10.6 machines are still running but I expect many will upgrade to 10.9 given it's now free.

    :44429

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Hello Bob,

    right now SEC (5.2.1) gives me a somewhat confusing alert:

    Software subscription 'Alternate Recommended (S001)' contains version Retiring - The Preview release of SAV for Mac is ending. For OS X 10.9 (Mavericks) support please subscribe to 9 Recommended of platform MAC OS X 10.4+. This version is nearing retirement. Your subscription will be automatically upgraded.

    Ok, I understand that the Preview is about to be retired. But there's no 9 Recommended to subscribe to (yet). Furthermore the minimum platform for 9.0.x is MAC OS X 10.6. Naturally you can't put all the intricacies on a single line. I think a reference to a knowledgebase article would be necessary.

    Just occurred to me that the name change might have the effect that Macs might be cut off from updates without anyone noticing for some time. Admittedly this would happen only under certain circumstances:

    • the subscription is automatically upgraded to version 9
    • the version 8 folder (ESCOSX) is not removed (as far as I know SEC doesn't do this)
    • the Macs are "temporarily unmanaged" (e.g. because they are off-site) and therefore not informed of the name change

    The Macs will continue to successfully check the update location known to them (ESCOSX) but won't find any threat detection data updates. Of course, an endpoint (and its user) can't detect a "stale CID" for some time. 

    Christian

    :44545
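
An added example, not part of the thread and not Sophos tooling: an admin-side check for the "stale CID" condition described in the post above, where an old product folder stays in place but stops receiving updates. It assumes the CID root is a plain directory whose product folders (ESCOSX, ESCOSXL) get new files whenever updates are published; the sample file name and the 7-day threshold are hypothetical.

```python
import os
import time
from pathlib import Path

DAY = 86400  # seconds


def newest_mtime(folder):
    """Most recent modification time of any file under folder (0.0 if none)."""
    newest = 0.0
    for dirpath, _dirs, files in os.walk(folder):
        for name in files:
            newest = max(newest, os.path.getmtime(os.path.join(dirpath, name)))
    return newest


def stale_cids(cid_root, max_age_days=7, now=None):
    """Return (folder name, age in days) for product folders with no recent file.

    Age is None for a folder that contains no files at all.
    """
    now = time.time() if now is None else now
    report = []
    for entry in sorted(Path(cid_root).iterdir()):
        if not entry.is_dir():
            continue
        latest = newest_mtime(entry)
        age_days = None if latest == 0.0 else (now - latest) / DAY
        if age_days is None or age_days > max_age_days:
            report.append((entry.name, age_days))
    return report


def build_sample(root, now):
    """Constructed sample: ESCOSX last written 30 days ago, ESCOSXL 1 day ago."""
    for name, age in (("ESCOSX", 30), ("ESCOSXL", 1)):
        folder = Path(root) / name
        folder.mkdir(parents=True)
        sample = folder / "data.bin"  # hypothetical file name
        sample.write_bytes(b"constructed sample")
        os.utime(sample, (now - age * DAY, now - age * DAY))


if __name__ == "__main__":
    import tempfile
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, now)
        for name, age in stale_cids(tmp, max_age_days=7, now=now):
            print(name, "is empty" if age is None else f"is {age:.0f} days old")
```

Any folder this reports is one that endpoints can still reach and "successfully" update from without receiving new data, so it is a candidate for removal or for a redirect to the current folder.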
  • Hi Christian,

    9.0.4 is released as Recommended. The retirement notice you are seeing is for 9.0.3 in the Preview line.

    As of 9.0.4 the CID folder name is ESCOSX. No L, and the same as "8 Recommended".

    9.0.3 Preview remains with the CID folder name of ESCOSXL. Because of this difference, we will not automatically resubscribe Preview to Recommended. That would have very undesirable consequences e.g. endpoints silently not updating.

    As soon as "9 Recommended" appears in your SEC you can manually move endpoints over to it, either from 8.0.19 or from 9.0.3.

    :44547

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thank you, Bob

    If I understand your post and the Support for Mac OS X Mavericks article correctly there will be no automatic resubscription from 8 Recommended to 9 Recommended and there will not yet be an "unversioned" Recommended (like for Windows), right?

    Meanwhile some endpoints have been upgraded to Mavericks while still updating from the version 8 CID.  I have also learned that one user successfully installed version 8 (we provide the zipped "customized" CID) apparently without problems. Didn't ask whether he fiddled with the security but if he did, he has obviously not found it worth mentioning. Also I saw that the "hack" with com.sophos.sau.plist was effective - the endpoint appeared in Unassigned with the correct update policy set. What to make of it?

    In this context - what is the "best" way (if there is a way at all) to provide an installer package (assuming you do not want to hand out the updating credentials, How to install Endpoint Security and Control manually on networked computers)? The article I mentioned in Mac OS - pre-configuring Autoupdate for version 9.0.x seems to have been withdrawn and while the only potentially applicable article I've found (creating a customized Mac OS X installation file for remote computers) suggests creating a .dmg it seems to require SUM 2.5 for Mac OS X which won't work with version 9.

    True, with RMS working the endpoints will appear in SEC in Unassigned and will receive the correct policy when you move them to the appropriate group. If you're not a 24/7 shop this could cause a significant delay until the Macs can update. Worse, the Mac might "go unmanaged" after install. If you have the - not unusual - configuration of RMS inside only/updates from everywhere it won't receive the policy which would otherwise enable it to update over the (Primary or Secondary) HTTP location. This is, I daresay, rather annoying.

    Christian

    :44553
  • Hi Christian,

    Long list of questions! Hopefully the answers make sense.

    Version 8 will run on OS X 10.9 "Mavericks" but we aren't going to provide support e.g. if your users have a problem, our support team is going to ask to have them upgraded to v9. The technical issue will be that our kext is not codesigned with the new Apple kernel extension signing process, so it's likely the user is getting complaints (pop-up warnings) from the system.

    The "Pre-configured updating" feature was intended to release with 9.0.3 but didn't make it, so we had to retract the KBA. This feature is intended to allow an administrator to pre-configure their updating credentials for users which are using the standalone installation package (the variant that is unmanaged). It's designed to allow you to customize the installer directly, then you can distribute this installer using any mechanism you already use. You'll need the standalone installers in 9.0.5 to have this feature working as intended.

    Also available in 9.0.5 will be the ability to specify the initial SEC group path for the .mpkg installer from a SEC CID. This feature is intended to allow you to pre-configure the group path such that Mac endpoints should immediately be placed into the correct group as soon as they are installed. This only applies to the SEC-managed version.

    Hope that helps.

    :44583

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development