We would like to install Sophos Intercept X on ~140 MacBooks using Systems Manager. Some quick threading yielded no usable results. Are there documents or use-case scenarios that show a successful deployment? Or is there another path for this seemingly straightforward task?
So, admittedly, I'm not familiar with Sophos products, but I'm willing to help you think around this issue if you still need a hand.
Based on what I'm reading on the Sophos website, you'll need to start by distributing the files for the installation as stated here """
"""
So my thought (have no testing data to back up anything I'm saying, so feel free to quit reading) was that one could take the .zip, distribute it across the devices using Munki. This would require us to step back and determine how we would get Munki client installed on the devices..... which is where SM's ability to distribute .pkg files comes in.
so now:
1. set up server-side of Munki
2. import Intercept X into Munki Server
3. distribute Munki client .pkg via SM 'apps' interface, which should be able to silently install the Munki client on the targeted machines, though you may have to dig for the right flags for the install command
4. On the same page where you would import the Munki client pkg, you can provide CLI arguments. Now you could just put together the arguments to extract, move, and install the Intercept X stuff, but personally I feel like it'd be easier to just write up a script to accomplish this and call the script in that CLI spot. IDK, up to you.
5. By this point, the installation should be pretty much complete to my knowledge... but some additional checks and clean-up can be performed too, as per Sophos' documentation on post-client steps...
I hope that makes any kind of sense, I'm sort of having a day.
It is easier to put the installer onto a public S3 bucket with a complex name like "our_sohphos_unstaller_for_mdm.domain" and push a script to Macs to download, unzip and install it.
I've used the steps below with other customers to install all sorts of packages. If you use AnyConnect, Umbrella, etc, you're probably familiar with them
You can place all of the files you wish into a DMG. Alternatively, a ZIP will work just as well
Open Terminal
Using mkdir Create a Directory. I’ve used InstallerPackage as the Example
In Terminal Type
cd InstallerPackage
mkdir Scripts
mkdir Content
cd Scripts
touch postinstall
Copy the DMG you need into the Content Folder
Using a text editor, edit the postinstall file and paste in your script (an example script is at the end of this post) that will move files in /tmp to wherever you need to
chmod a+x postinstall
cd ..
Build the package
sudo pkgbuild --identifier com.meraki.sophosinstaller --root Content --scripts Scripts --install-location /tmp com.meraki.sophosinstaller.pkg
pkgbuild: Inferring bundle components from contents of Content
pkgbuild: Adding top-level postinstall script
pkgbuild: Wrote package to com.meraki.sophosinstaller.pkg
Double Note: ensure that there is a space between /tmp and com.meraki.sophosinstaller.pkg
An example postinstall:
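#!/bin/bash
# postinstall runs as root once the payload has been copied to /tmp
dmgPath="/tmp/YourDMGName.dmg"
mountPath="/Volumes/YourDMGMounted"
# Not used below; available for per-user provisioning steps
currentuser="$(id -un)"
usersAppDir="$(sudo -H -u "$currentuser" sh -c 'echo "$HOME"')"
# Mount the DMG without showing it in Finder
/usr/bin/hdiutil attach "$dmgPath" -nobrowse -quiet
if [[ -e "$mountPath" ]]
then
    # Copy the app bundle into /Applications
    cp -R "$mountPath/YourApp.app" "/Applications/YourAppName.app"
    # Unmount only if the volume was actually mounted
    /usr/bin/hdiutil detach "$mountPath" -quiet
fi
# Remove the DMG that the package dropped in /tmp
rm -f "$dmgPath"
# insert the commands that you need to
# provision your application
exit 0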
This may take a few attempts to get right. So, I'd install the installer manually first before deploying via SM
Also note: The name of the bundle ID that you use in SM when creating the custom app HAS to match the bundle ID of Sophos, else SM has no way to know that it's been installed correctly.