
SEC 5.2.1 and Sophos for MAC OS X Preview (9.0.3)

Decided to give the Preview of Anti-Virus for Mac OS X, version 9.0.3 a try. Chose an old MacBook (running 10.4) as guinea pig. After assigning the alternate policy updating failed with a rather vacuous Error: Could not update Sophos-Anti-Virus at .... Update failed. No indication of the nature of the error and surprisingly no indication of the update location used. 

Now, the error was not unexpected - 9.0.x requires Mac OS X 10.6 minimum but perhaps a more meaningful message could be issued. Anyway I checked the update location and found that it named ESCOSXL as source folder - obviously indicating the changed requirements (though I can't figure out what the L stands for :smileyhappy:).

Admittedly pre-10.6 versions should be rare by now (I've found two 10.5 installations still in use out of about 100). But the folder name change will affect unmanaged or occasionally off-site clients (yes, Cloud is the answer :smileywink:). I've found no reference though (I'd have expected this in the Release Notes). Even as it is Preview you should be required to discover this important information on your own.

Christian   

:43783


  • Hello Bob,

    thanks again for your detailed information. Maybe the user gets complaints but he doesn't give them (if you forgive the pun).

    The standalone installer is no good as we want the endpoints to be managed (at least whenever they are "inside").

    the ability to specify the initial SEC group path

    That's good news and will help quite a lot, and this is also what the Windows version's setup.exe offers. And we'd have similar problems building an appropriate  Windows package without the means to set a policy from the CID and the two-staged approach outlined in How to create a standalone or custom installer package (or by some scripting - but even if the same is possible on a Mac a "mostly Windows" shop often doesn't have the knowledge and/or tools to do it).

    Guess it'll take some time until the Cloud product (whether Sophos hosted or on-premise) can replace the current infrastructure - until then (a way to set) an initial updating policy is desirable.

    Christian 

    :44617
  • Hi Christian,

    Thanks for the reply, much appreciate the open communication.

    I would have expected "managed endpoints" to receive their updating policy automatically, especially with the "group path" installer feature. The concept is: configure the .mpkg installer w/ the group path config file, deploy the .mpkg with whatever software management tools or processes you already use, and (like magic) those Mac installs will end up getting the correct updating policy based on their group in the SEC console.

    We provided the feature to pre-configure updating credentials only to standalone installers, as those endpoints would not receive an updating policy (no SEC or Cloud console).

    Can you explain how your deployments are set up? Maybe I'm missing something important.

    :44623

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Hello Bob,

    Thanks for the reply, much appreciate the open communication.

    The same to you :smileyvery-happy: - really

    I would have expected "managed endpoints" to receive their updating policy automatically

    This should normally be the case. Now ... as we're a university not a few devices are more or less BYOD. A user might download the installer at home or use the Wi-Fi "guest" network (which nevertheless requires authentication but does not connect to the "internal" network) and therefore RMS can't connect. We do want to be able to manage these devices when they are brought in (or properly registered so they have access to the internal network). 

    RMS is needed to have the chance to manage these devices (so the standalone installer falls short), OTOH the sooner they install and use a decent AV (actually it's required by the terms but we don't enforce it) the better - so the installer is available even if they are "out". 

    Christian 

    :44625
  • Forgive me for slightly butting in here but I was given this thread to view as a possible solution to my dilemma as well.  (http://community.sophos.com/t5/Sophos-EndUser-Protection/Custom-Standalone-Mac-Installer/td-p/44747.)

    After reading through this a bit it sounds like the possibility of creating a customized stand-alone installer will be available with the 9.0.5 release for the Mac now that SUM is gone?  Is that correct?

    We had previously been using SUM to create both "managed" and "unmanaged" installers for our users depending on the needs and use of the computer.  The "managed" version is fine because we can use the .mpkg file from the proper CID directory basically as the installer.  However, we have no way of creating a customized "unmanaged" installer now.  This install would only report to Sophos for updates (with no secondary) and contain a few customized settings regarding options, etc.

    If it's true that 9.0.5 will bring back some of this functionality can you tell me when this will be available and also the steps necessary for me to create the installer?

    Any help is appreciated.

    :44789
  • Hi Carob,

    To create a standalone installer that contains pre-configured updating preferences please follow this article:
    http://www.sophos.com/en-us/support/knowledgebase/119744.aspx

    To create a managed installer that will point the endpoint install to a specific group in SEC please follow this article:
    http://www.sophos.com/en-us/support/knowledgebase/119791.aspx

    By "managed" this means "managed by SEC". The standalone product is different and its installer is what you get from your MySophos account. We are chasing two different sets of requirements hence the two different features.

    Hope that helps.

    :45009

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development


  • bobcook wrote:

    Hi Carob,

    To create a standalone installer that contains pre-configured updating preferences please follow this article:
    http://www.sophos.com/en-us/support/knowledgebase/119744.aspx

    To create a managed installer that will point the endpoint install to a specific group in SEC please follow this article:
    http://www.sophos.com/en-us/support/knowledgebase/119791.aspx

    By "managed" this means "managed by SEC". The standalone product is different and its installer is what you get from your MySophos account. We are chasing two different sets of requirements hence the two different features.

    Hope that helps.


    Unfortunately, not really.

    The options that existed in SUM don't seem to be available with this method.  Why was SUM discontinued?

    With the above method how do you set update interval times?  How do you set scanning options?  I also don't understand the CreateUpdatePreconfig stuff.  There doesn't seem to be much documentation on this stuff.  Needless to say I am not a Unix geek.

    :45057
  • Hi Carob,

    The ability to customize the update credentials requires some work on the command line. Not sure if that is what you meant by "a Unix geek" but certainly wasn't our goal to make this out of reach for anyone. You can likely get some technical assistance via our Support team. This is a product feature that we intend to maintain and support.

    I'm curious about your needs for managing the update schedule or scan options. Can you elaborate on why you want to change the defaults? We think the default values should be good enough for users who manage their own computer, although I accept I might be misunderstanding the situation. This question applies to the standalone installations, obviously with SEC-managed installations you can set whatever you want via the console policy.

    Re: SUM for Mac, we were faced with a few challenges with that product. Most significantly, it's not really a full-featured management solution, and as we continued to evolve the feature set of the endpoint we found ourselves unable to evolve SUM for Mac to keep up. We continue to put emphasis into the SEC-managed and Sophos Cloud-managed versions, and also the standalone version. My goal is to find ways to make the transition away from SUM for Mac easier for everyone (you, me, etc).

    :45061

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • I tried to put one together using the article you mentioned and I guess it seemed to work.  For the most part anyway.  However, I'm not sure how because it looks like the time stamp on any of the files contained in the /Contents/MacOS directory were not changed.  I even opened them up looking for the credentials I entered but didn't see them.  Maybe you can explain more on how this works.

    After running the installer though I noticed a few things.

    1)  The On-Access scanner was turned off for some reason. (A similar issue to an open case I have.)  This for sure needs to be on.

    2) I didn't specify a Secondary Update Location, as I didn't want one, and I'm getting red arrows for those two fields.  I would like to be able to have the checkbox for the Secondary Update Location turned off but don't know if that's possible.

    3) I am testing this on a laptop that had a previous "managed" version installed reporting back to our local server and even after uninstalling and removing every possible file found relating to Sophos the "Messaging" section still has the info from the previous install.

    4) The update interval is set for 2 hrs (that could also be coming from the previous "managed" install) but would like to be able to preconfigure this for the users.

    5) Would also like to preconfigure the "When a threat is found" setting options but that doesn't seem to be possible either.

    I'm not sure how you can say SUM wasn't enough of a full-featured solution when it did more than what options we are left with now.  I very much would like to see the ability to preconfigure these settings (and possibly more) and until we can we can't really have an installer ready for our users.  At least the "unmanaged" version anyway.  I sincerely hope something can be worked out to give us, as well as the other Sophos customers, the ability to make these changes VERY soon.  Perhaps you would like to work with me directly on this since I don't seem to be getting anywhere with the phone support people.  (Regarding this or the other two open cases I have.)

    :45063
  • Hi Carob,

    Thanks for the frank dialog, I really do appreciate the feedback. My goal is to find the feature set from SUM for Mac that is needed to cover the use cases for standalone users (by "standalone" I mean not managed by SEC nor managed by Sophos Cloud - sometimes "managed" means different things for different organizations).

    The pre-configuration process writes data into a file inside the installer in the Custom folder. The username and passwords you provide on the command line are encrypted in that file such that we minimize the chance of accidental disclosure.

    On-access scanning should definitely be on by default. Our product is most effective when that is true. Let me know if you don't get to the bottom of that one.

    Re: your other configuration issues, it's likely that the "managed" settings are still resident on the endpoint. In the past, since day one of the product, the philosophy had been "don't delete preferences they might be useful if you reinstall" but that has turned out to be more confusing than helpful. In future versions the Remove app will turf the preferences files too. You can do it manually by deleting all files starting with "com.sophos." in the /Library/Preferences directory before you install again.

    Re: the "When a threat is found" option, which option do you think is best for your organization? By default we just do "deny access" but I could see where "cleanup" could be more appropriate. In fact the default configuration for endpoints managed by Sophos Cloud will do that for you.

    Re: my comments about SUM for Mac lacking features, yes I see your point because "lacking" is a relative term. We've continued to evolve the endpoint well beyond the configuration options offered by SUM for Mac, and we aren't prepared to maintain a Mac-specific solution. Both SEC and Sophos Cloud offer cross-product management (full policy functionality, event monitoring, reporting, etc) in ways that SUM for Mac could never sustain.

    :45067

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
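
The manual cleanup described in the post above, as an added example that is not part of the original thread and is not Sophos code: it lists leftover "com.sophos." preference files as a dry run and deletes them only when asked. The function names and the `--delete` argument are hypothetical; the prefix and the default directory are the ones named in the post.

```shell
#!/bin/sh
# Added example (not Sophos tooling): audit, then optionally remove,
# preference files left behind by a previous install.
# Function names and the --delete argument are hypothetical.

# Print every regular file directly inside DIR whose name starts with
# "com.sophos.". Sub-directories and other vendors' files are ignored.
list_sophos_prefs() {
    dir=${1:-/Library/Preferences}
    [ -d "$dir" ] || return 0          # nothing to list if DIR is absent
    find "$dir" -maxdepth 1 -type f -name 'com.sophos.*' -print | sort
}

# Print the number of leftover files (0 when DIR is absent or clean).
count_sophos_prefs() {
    list_sophos_prefs "$1" | wc -l | tr -d ' '
}

# Dry run by default: only lists what would be removed.
# Pass --delete as the second argument to actually remove the files.
remove_sophos_prefs() {
    dir=${1:-/Library/Preferences}
    mode=${2:-dry-run}
    [ -d "$dir" ] || return 0
    if [ "$mode" = "--delete" ]; then
        find "$dir" -maxdepth 1 -type f -name 'com.sophos.*' -exec rm -f -- {} +
    else
        list_sophos_prefs "$dir"
    fi
}

# Stand-alone run: read-only listing of the default (or overridden) directory.
remove_sophos_prefs "${PREFS_DIR:-/Library/Preferences}"
```

Run it once as a dry run to record what the uninstall left behind, then call `remove_sophos_prefs /Library/Preferences --delete` with administrator rights before reinstalling.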

  • When I said I did remove all files having to do with Sophos before reinstalling that did include all of the com.sophos.x files I could find.  As well as probably a few others.  But, if you want to send me a complete list of names and locations I will try it again.

    The On-Access option is able to be turned on but it is not happening by default.  Obviously that is a problem and I don't know what is causing that.

    The threat option cleanup we use is first try to clean then deny access.

    Basically I am currently at a standstill with this option too.  Assistance would be appreciated though.

    :45069