This discussion has been locked.

SEC 5.2.1 and Sophos for MAC OS X Preview (9.0.3)

Decided to give the Preview of Anti-Virus for Mac OS X, version 9.0.3 a try. Chose an old MacBook (running 10.4) as guinea pig. After assigning the alternate policy updating failed with a rather vacuous Error: Could not update Sophos-Anti-Virus at .... Update failed. No indication of the nature of the error and surprisingly no indication of the update location used.

Now, the error was not unexpected - 9.0.x requires MAC OS X 10.6 minimum but perhaps a more meaningful message could be issued. Anyway I checked the update location and found that it named ESCOSXL as source folder - obviously indicating the changed requirements (though I can't figure out what the L stands for :smileyhappy:).

Admittedly pre-10.6 versions should be rare by now (I've found two 10.5 installations still in use out of about 100). But the folder name change will affect unmanaged or occasionally off-site clients (yes, Cloud is the answer :smileywink:). I've found no reference though (I'd have expected this in the Release Notes). Even as it is Preview you should be required to discover this important information on your own.

Christian   




  • Carob wrote:

    You're talking about a client version 9.2, right?  If so I guess I'm confused.  Is a new tool built into the client then instead of being something stand-alone?

    Also, if I remember correctly, the command line tool still only allowed certain things to be configured and not all being requested (by myself and others it seemed), is that right?

    When there is a KBA on the subject would you post the number/link here?


    Yes version 9.2 of the Mac agent (client). All the different version numbers across different products can get confusing, sorry.

    The pre-configuration will require that you get a copy of the stand-alone installer and run a command-line tool from Terminal. That command-line tool is embedded within the stand-alone installer application. It's the same model / "style" as we provide for pre-configuring the Update settings as described in KBA 119744.

    The settings that can be pre-configured for On-Access Scanning include the ability to specify whether scanning will be on or off. If on, other settings are available too:

    • archive scanning
    • network volume scanning
    • file or directory path to exclude (can add multiple items)
    • automatic cleanup
    • action if automatic disinfect fails (nothing, move, delete)
    • destination directory for moved threats

    That pretty much covers the settings available in the On-Access Scanning preferences panel.

    I'll be sure to post something to this thread when the software and KBA are available, and of course it will be in the release notes.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development


  • bobcook wrote:

    Carob wrote:

    You're talking about a client version 9.2, right?  If so I guess I'm confused.  Is a new tool built into the client then instead of being something stand-alone?

    Also, if I remember correctly, the command line tool still only allowed certain things to be configured and not all being requested (by myself and others it seemed), is that right?

    When there is a KBA on the subject would you post the number/link here?


    Yes version 9.2 of the Mac agent (client). All the different version numbers across different products can get confusing, sorry.

    The pre-configuration will require that you get a copy of the stand-alone installer and run a command-line tool from Terminal. That command-line tool is embedded within the stand-alone installer application. It's the same model / "style" as we provide for pre-configuring the Update settings as described in KBA 119744.

    The settings that can be pre-configured for On-Access Scanning include the ability to specify whether scanning will be on or off. If on, other settings are available too:

    • archive scanning
    • network volume scanning
    • file or directory path to exclude (can add multiple items)
    • automatic cleanup
    • action if automatic disinfect fails (nothing, move, delete)
    • destination directory for moved threats

    That pretty much covers the settings available in the On-Access Scanning preferences panel.

    I'll be sure to post something to this thread when the software and KBA are available, and of course it will be in the release notes.


    I guess I'm still confused.  If it will be required to get a copy of the stand-alone installer then how does needing to have version 9.2 of the client come into play?

    How about setting Primary and Secondary Update Locations (including the ability to leave the Secondary location blank) and update interval times?

    I guess I'll just wait to see your post when everything is ready and read through it at that time.

  • Hi Carob,

    You will need version 9.2 of the stand-alone client installer software. The command line tool to pre-configure the On-Access Scanning is only available inside the installer starting with that version. The installer for version 9.1 only includes the tool required to pre-configure the Update settings, as described in KBA.

    The feature to pre-configure the Update settings already allows you to configure the primary and secondary locations. It might already do what you want (you aren't required to It doesn't have the ability to specify the update frequency though. The default is an hour. I recall the default setting in SEC is more frequent, something five or ten minutes. Just curious to understand your requirement so if we make changes it will actually make things better for you.

    Hope that helps.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development


  • bobcook wrote:

    Hi Carob,

    You will need version 9.2 of the stand-alone client installer software. The command line tool to pre-configure the On-Access Scanning is only available inside the installer starting with that version. The installer for version 9.1 only includes the tool required to pre-configure the Update settings, as described in KBA.

    The feature to pre-configure the Update settings already allows you to configure the primary and secondary locations. It might already do what you want (you aren't required to It doesn't have the ability to specify the update frequency though. The default is an hour. I recall the default setting in SEC is more frequent, something five or ten minutes. Just curious to understand your requirement so if we make changes it will actually make things better for you.

    Hope that helps.


    Oh.  Now I understand.  I thought you meant that the SEC client was somehow used to create the installer.

    Yes, I believe the SEC default update time is either 2 or 5 minutes. Something crazy frequent. When I'm configuring a stand-alone setup for someone here I tend to set the update to about 4 hrs or so. People don't like Sophos checking very often because the systems take a pretty good hit should updates be available. Our Managed clients are about half that though.

    Whether the abilities of the 9.2 client to create the installer package will really work for our needs or not remains to be seen.  When the product is available, and I see that notice here, I will check it out and read the KBA you provide.  I guess then we will see.

  • Ok but does this version include the RMS part? (remote management) .. it would be great to be able to create a custom installer with remote management capabilities and be able to embed our own update servers!


  • test12234 wrote:

    Ok but does this version include the RMS part? (remote management) .. it would be great to be able to create a custom installer with remote management capabilities and be able to embed our own update servers!


    Hi test12234,

    The feature to pre-configure stand-alone installers only applies to the unmanaged endpoints. When you are using a managed endpoint (and thus will have RMS) the endpoint will connect to the Sophos Enterprise Console and receive its update settings that way.

    You may be interested in the feature that allows your endpoints to be assigned to a group on install. See KBA 119791:

    http://www.sophos.com/en-us/support/knowledgebase/119791.aspx

    Once you've configured a copy of the MPKG with this setting, any installations will automatically receive policy according to the group assignment in the console.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thanks for the reply. I'm already utilizing the group path option but it's kind of inefficient. Can take anywhere from 10-15 mins to get a policy.


  • test12234 wrote:

    Thanks for the reply. I'm already utilizing the group path option but it's kind of inefficient. Can take anywhere from 10-15 mins to get a policy.


    Yes, depending on a number of factors including the "busy-ness" of the console it can take anywhere from a few seconds to a number of minutes. With relays, in geographically-separated organizations, it can take longer. The endpoint can't really do much about it, other than continue to poll the console periodically to ask for updates.

    We have no plans at the moment to create pre-configuration features for managed endpoints (Cloud or SEC).


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • I've seen it take anywhere from 10 to 15 minutes every time I bothered to time it... and I have over 5000 assets. Anyway, the lack of functionality in the managed installer is kind of a bummer... next you'll say that the Mac & Windows agents are going to be completely cloud based and everything else will no longer be developed.


  • test12234 wrote:

    I've seen it take anywhere from 10 to 15 minutes every time I bothered to time it... and I have over 5000 assets. Anyway, the lack of functionality in the managed installer is kind of a bummer... next you'll say that the Mac & Windows agents are going to be completely cloud based and everything else will no longer be developed.


    Due to changes coming from Apple in Mac OS X 10.9.5 and 10.10 we are forced to change the deployment workflow for all of our endpoints (managed and un-managed, Cloud and on-premise, and Home Edition). Because of these changes by Apple we will no longer use the MPKG format for the on-premise installer starting in 9.2, when it comes to the Preview line. The existing 9.1 deployment packages will remain unchanged for the Recommended line. See KBA 121327 for the full story.

    We've done a tremendous amount of engineering to continue supporting the legacy MPKG format this long, but this change from Apple has finally forced us to change.

    I mention it in this thread because that change will also make it possible for us to properly support a pre-configured installer app for update and on-access settings. The existing KBAs will be updated when 9.2 is published.

    And just to be super super clear, we have no plans to retire the on-premise managed agents.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development