
Mac OS - pre-configuring Autoupdate

We have quite a number of Macs (not surprising at a university) but no official Mac support. Nevertheless we offer Sophos for Macs (in a downloadable .zip archive).  

When Sophos is installed on a Mac on our network it connects to the management server, from where it gets the update policy (the CIDs contain the correct mrinit.conf for RMS to work). Of course this does not work if the Mac is used at home. For Windows PCs, putting sauconf.xml in the appropriate directory does the trick. There are some articles in the knowledgebase, but usually a Mac is required with which you can configure the CID (if I understand correctly). I believe no magic is actually involved and the configuration is stored somewhere in a .plist file (XML format). I suspect that the catalogues are involved and configcid.exe does not support a CID for OSX.

Or is there a "simple" way to pre-configure AutoUpdate (even if it's unsupported)? sau.plist looks suspicious  :smileywink:

Christian



This thread was automatically locked due to age.
  • Just gave the 9.0.3 Preview a look. The plist hack will definitely no longer work (if it did at all with ML).

    There is an article about pre-configuring the standalone installer but it is neither complete (it wasn't me who gave the very poor rating) - it does for example not tell you which URL to use for server type Sophos - nor does it apply to the managed version. So you can't even work around the lack of integration. Perhaps you can still provide a copy-plist-after-install script like remo/eniac suggested, Sophos should at least comment whether this is "permissible" or not. Maybe the management part ("classic" SEC with RMS and all related aspects) is no longer developed and all the effort goes into the Cloud solution, I don't know :smileysad: ...

    Christian

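    The "copy-plist-after-install script" mentioned in the post above, as an added example. This is not code from the thread and not Sophos code; the thread does not state the real AutoUpdate preference path, file name or keys, so the destination path used in the usage line (/Library/Preferences/sau.plist) and the file name sau.plist are assumptions for illustration only and must be replaced with the values from Sophos documentation. The script refuses a missing or empty source, runs plutil -lint where plutil exists (macOS), keeps a timestamped backup of any file it overwrites, and installs the copy root-owned and world-readable when run as root.

```shell
#!/bin/sh
# Added example, not from the thread and not Sophos code.
# ASSUMPTION: the destination path in the usage line below is illustrative;
# the actual AutoUpdate preference location/keys are not given in the thread.
set -eu

# install_preconfig SRC DST
# Copies a pre-configured plist SRC to DST.
#  - returns 1 if SRC is missing or empty (nothing is written)
#  - validates plist syntax with plutil when available (macOS only)
#  - backs up an existing DST as DST.bak.<timestamp>
#  - installs mode 0644, owned by uid 0 / gid 0 (root:wheel on macOS) when
#    running as root; keeps the invoking user's ownership otherwise
install_preconfig() {
    src=$1
    dst=$2
    if [ ! -s "$src" ]; then
        echo "install_preconfig: source $src missing or empty" >&2
        return 1
    fi
    # plutil exists only on macOS; skip the syntax check elsewhere.
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint -s "$src" || return 1
    fi
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)"
    fi
    mkdir -p "$(dirname "$dst")"
    if [ "$(id -u)" -eq 0 ]; then
        install -m 0644 -o 0 -g 0 "$src" "$dst"
    else
        install -m 0644 "$src" "$dst"
    fi
}

# verify_preconfig SRC DST
# Returns 0 only if DST exists and is byte-identical to SRC.
verify_preconfig() {
    [ -f "$2" ] && cmp -s "$1" "$2"
}

# Usage (run as root after the Sophos installer has finished), e.g.:
#   ./copy-plist.sh /path/to/preconfigured/sau.plist /Library/Preferences/sau.plist
# Only acts when invoked with exactly two arguments.
if [ $# -eq 2 ]; then
    install_preconfig "$1" "$2"
    verify_preconfig "$1" "$2"
fi
```

    Run it as a postinstall step with the two paths as arguments; the backup makes a rollback a single mv, and the verify step catches a partially written file.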
  • I'm going to second Christian's note on Preview 9.0.x - it's surprising the AutoUpdate config is not there as there are many more Macs in the enterprise now and we're going to start feeling the pain of this as 9.0.x migrates from preview to a production warehouse. 

    Please bump this higher in priority for Sophos Dev teams. 

    Thx

  • Is there any update on pre-configuring OS X clients for auto-updates?

    I ran the ./CreateUpdatePreconfig script on a stand-alone installer and when trying to install on a clean Mac (OS 10.9.4) I received an incompatible error.

    Thanks!

    Corbin

  • We need the tool to automatically create the update credentials again for 9.1.*! :manmad:

    It is pointless in an enterprise to only use the standalone installer, because this doesn't have RMS and will not talk to the SEC.

    Sophos has now become the worst AV vendor for Mac in the enterprise.

    I have been very patient, but this STILL has not been sorted out!!!

    In an enterprise with mainly remote users, this is an admin's nightmare!

    see 


  • corbin3ci wrote:

    Is there any update on pre-configuring OS X clients for auto-updates?

    I ran the ./CreateUpdatePreconfig script on a stand-alone installer and when trying to install on a clean Mac (OS 10.9.4) I received an incompatible error.


    Sorry, was not aware of this posting. Pre-configuration of the update details is definitely a supported feature and should work for you. Can you give me a bit more detail about "incompatible error" and I'll try to help.

    Also, please raise a support ticket when you have problems with supported features; it gets escalated much faster.

  • Hey Tim,

    Our deployment workflow for Mac endpoints managed by Sophos Enterprise Console is to pre-configure their group membership so they will receive the correct policies as soon as they register via RMS.

    http://www.sophos.com/en-us/support/knowledgebase/119791.aspx

    This workflow allows you to establish the correct policies for not only updating but also for on-access and on-demand scans.

    If this workflow isn't sufficient for your needs, it's certainly something I'd like to better understand. My team's goal is to build and support features that make your life easier, not harder.

  • Hello Bob,

    [can't and therefore won't comment on the App vs. Package problems when using deployment tools]

    The workflow for the managed version assumes that the endpoints can connect to the management server immediately after install. Provided that the group-assignment works the endpoint will receive the desired policies.

    kimpton mentioned mainly remote users, and I assume remote means not always able to connect via RMS. If the management server isn't (directly or indirectly) accessible from "the Internet" and the endpoint is installed "outside", it won't have an updating policy. OTOH you want to have them managed when they call in via VPN or come "inside". Neither licensing the Cloud product nor "going Cloud" might be a viable short-term option - thus the inability to pre-configure the policies is a setback. In addition, the loss of the "one-way management" provided by customized CIDs is a possible drawback.

    Christian

  • Hello Christian,

    Thanks for the thoughtful explanation. It would be great to hear back from Tim to confirm, but your description makes sense. This seems like a really weird deployment model, but hey if it works for people then we should figure out how to make it work better.

    Two long-term recommendations: (1) move to Sophos Cloud, where there isn't such a thing as local users vs. remote users; or (2) poke holes in the firewall to let RMS chatter away as if it was inside the network. RMS wasn't really designed to work like this (despite the name!) so option (2) might not be an awesome solution.

    I'll look into adding update pre-configuration for the on-premise package, we might be able to slip it into the 9.2 stream. If we did this, is it necessary to host this file in an existing CID? Or is it suitable to expect an admin to copy the installer app, insert the pre-configuration data, then distribute this modified installer app? The answer to this is very important as it affects the approach.

    BTW it's probably worth mentioning that as of 9.2 we are eliminating the MPKG installer and moving to an app, like the existing standalone installer. We are being forced into a severe restructuring of the installer package due to changes by Apple coming very soon to both Mavericks and Yosemite. This change will only start in 9.2 and it will remain in Preview for a while. Various communications about this change are ramping up and it's possible you have already heard about it.

  • Hello Bob,

    seems like a really weird deployment model

    Bob, on this side there is bitter reality - we might tell our management we're in a sister ship of USS Enterprise yet under the covers lurks Apollo XIII :smileylol:. (2) sounds simple but in practice it's often complicated not only for technical/networking reasons. Cloud does not yet offer the same features as Endpoint and not all organizations embrace the idea of moving management off-premise. I can see that you are forced to make changes and not doing it for the fun of it.

    is it suitable to expect an admin to copy the installer app

    Speaking for myself - what we need is a package with the RMS and update configurations, preferably with a flexible grouppath - with the Deployment Packager (or better, the Windows product) this is possible. Copy/insert is ok, but it should be possible on MacOS X and Windows alike.

    While we're at it - the ability to reinitialize RMS (as long as the management server certificate is the same) without uninstall/reinstall would help with management server migrations. Right now it's possible only on Windows, on neither MacOS X nor Linux/*ix. Another weird model is the configuration of policies with a customized CID. This way endpoints which don't/can't connect via RMS (this includes stand-alone installations which update from an on-premise server) can be directed to a new update location.

    Thanks for listening

    Christian

  • Hello Christian,

    Thanks for the thoughtful response. Funny you should mention Apollo 13, it's one of my favorite movies, and I think it's likely to be a favorite of many, many other engineers as well. It's a great story where the engineers save the day!

    We'll be working on the pre-configuration feature in the coming weeks as we get 9.2 in shape for release, we'll try to incorporate your suggestions. The way it will work is that the pre-configuration values will be applied upon installation, and the group path will be applied as soon as RMS registration can occur. This means the pre-configuration values will be replaced with the actual policy from SEC. That seems normal and rational, and likely not unexpected by anyone.

    The item about RMS re-configuration has come up recently as well, and we likely won't be able to slip it into the 9.2 stream (it's not as simple a change, due to how it's currently working), but it will get into the software at some point.
