JumpCloud Community

In this article, we will go through the process of deploying Sophos Endpoint Security on macOS endpoints using JumpCloud.

Generally, when deploying macOS Antivirus and EDR solutions remotely via an MDM solution, before the security agent is installed, it needs to have pre-approved permissions like Full Disk Access, System Extensions, VPN, Notifications etc for the agent to function correctly. Therefore the configuration profiles have to be deployed prior to deploying the agent.

To install Sophos Endpoint Security on your Macs using JumpCloud, there are 5 steps:

• Download the configuration profiles.
• Download the installer from Sophos Central. You also need to copy the Installer download URL.
• Deploy the configuration profiles via JumpCloud MDM.
• Deploy the Sophos Endpoint Security using script via JumpCloud Commands.
• Verify that the Endpoint Protection is installed.

Download the configuration profiles:

First, we begin by downloading the required Sophos configuration profiles before downloading the Installer. To download the profiles:

• Sign in to Sophos Central.
• Go to Devices > Installers.
• In Endpoint Protection, under Deployment Tools, click the Download the macOS Deployment Tools (includes MDM profiles) download link.
• 

• Extract the contents of the SophosMacDeploymentTools.zip file.

  The extracted Deployment Tools folder contains the Sophos Endpoint and Sophos Endpoint and ZTNA folders. Each folder contains configuration files for each macOS version.

• 

Download the Installer:

Next, you need the macOS Endpoint Protection installer from Sophos Central. You also need the Install download URL to use it in the Installation script later. To download the installer:

• Sign in to Sophos Central.
• Go to Devices > Installers.

• In Endpoint Protection, choose your installer.

  • Click Download Complete macOS Installer to download an installer with all endpoint products your license covers.

  • Click Choose Components… to choose which products will be included in the installer.

  • 

  • For more help on downloading the installer see Endpoint Protection.

• Save the download URL. To do this, do as follows:

  • Right click the SophosInstall.zip folder and click Get Info.

  • Under More Info, copy the URL shown in Where from.

  • 
• Alternatively, you can check the URL from the browser:
  • Navigate to Downloads from the browser.
  • Click Copy address. For e.g., when using Chrome:
  • 
• Note the copied URL pointing towards .zip file. You need this to use with the installation script.

Deploy the configuration profile via JumpCloud MDM:

• We have required the configuration profiles downloaded in step-1 for each macOS version, individually from macOS 12 to 15.
• Depending on the macOS version of the target endpoints, we need to deploy the configuration profile leveraging JumpCloud’s Mac MDM Custom Configuration Profile policy. One policy for each macOS version.
• If your fleet consists of all macOS 15 devices, you can simply deploy theSophos Endpoint Sequoia vX.X profile. Likewise for Sonoma, Ventura and Monterey.
  

  • Sophos Endpoint for Monterey

    • This profile is suitable for using with macOS Monterey with support for the following products:

      • Sophos Intercept X

      • Sophos Device Encryption

    • This profile automatically:

      • Approves Sophos system extensions and transparent proxies

      • Approves Full Disk Access and notifications for Sophos processes

  • Sophos Endpoint for Ventura / Sonoma / Sequoia

    • These profiles are suitable for using with macOS Ventura / Sonoma / Sequoia with support for the following products:

      • Sophos Intercept X

      • Sophos Device Encryption

    • This profile automatically:

      • Approves Sophos system extensions and transparent proxies

      • Approves Full Disk Access and notifications for Sophos processes

      • Prevents user disablement of “Login Items” for Sophos processes

  • Sophos Endpoint and ZTNA for Monterey / Ventura / Sonoma / Sequoia

    • In addition to products and settings mentioned above, these profiles also support Sophos ZTNA by configuring VPN settings.

• Once deployed on macOS, the profile can be seen under System Settings > General > Device Management where 5 Settings are being enforced as seen below:
  • 
• While not mandatory, its recommended that the end user performs a device logout and login, to properly enforce the settings.

Deploy the Sophos Endpoint Security using script via JumpCloud Commands:

• From the contents extracted from the SophosMacDeploymentTools.zip, we have the Install Sophos Script.txt file. Open it in a text editor and copy the entire script as-is.
• In JumpCloud Admin Console, navigate to Commands and set up a new Command.
• Paste the script and in line 7, replace the installer URL within the quotes with the download URL (ending with .zip) you’ve noted down when downloading the installer zip.
• Set Command to run as ‘root’, set time out of ‘600’ seconds and assign it to the target Mac device(s).
• Upon successful executing of the Command, we see the below command result:
• 
• This indicates successful execution of the script.

Verify that the Endpoint Security is installed:

• On the endpoint, we see Sophos installed and activated silently without any end user intervention:
• We also see the endpoint registered in the Sophos Central ‘Computers and servers’ section under Devices:
• 

Hereafter, for further information and help from Sophos side, refer Getting Started article from Sophos or reach out to Sophos Support.