Create a Standard Sophos Mac Installer pkg for Enterprise Deployment

At work, we use Sophos Anti-Virus for our Macs. We’ve have had it for almost a decade and have had few, if any, issues with it. One of the last items we had left over from our monolithic deployment image was Sophos, mostly because it was the last item that didn’t use a standard Mac .pkg installer that we needed a work-around for. We need standard .pkgs for easy deployment with Munki (or ARD or Casper, if those are your things) to our clients.

Not wanting to completely reinvent the wheel, I started looking around and found the Der Flounder blog had already accomplished this with Home Edition of Sophos using Packages, which is a piece of software I’m very fond of and use heavily here.

This Tech Trinket borrows large swaths from Der Flounder’s process because it’s elegant and smart. Where I differ is that we’re going to build it with the newer Sophos Installer that needs an additional directory of files available to it as well as using the installer from the Enterprise version so that it includes the rms directory so it can still talk to the Management Console.

First, you’re going to get the Mac installer from your Enterprise server which is called the Central Installation Directory (CID). Look in the folder at this path: /CIDs/S000/ESCOSX and drag out both Sophos Installer and Sophos Installer Components to a convenient location, I’d recommend making a Sophos folder on your desktop to put them into which we’ll use throughout this post. The installer items from this location will contain all the information needed, included the rms directory we need.

Next, we’re going to set options specific for your organization for the Sophos installation. Sophos has a knowledge base article for reference. Here is an example of what some options might look like:

These settings are written to two .plist files in the Sophos Installer Components directory: onaccessconfig.plist & updateconfig.plist.

Now, you’re going to need a Post-installation script to run the installer within the package. This is the example from Der Flounder and it’s perfect the way it is and note it also attempts to remove older versions first.

Save this into your Sophos folder, I called mine, and then chmod 755 it so that it is executable.

Next, open Packages, name your new project Sophos and make the project directory the one we’re using on the Desktop. We’ll go through each of the options below:


Nothing needs to be done on the Project tab if your settings look like the above defaults.


The Settings tab should have pre-filled in the Identifier. For Version, I typed in the current Sophos version we’re building with. This makes deployment with Munki easy because the installer will write a package receipt that Munki will use to determine the version installed and also display that version in Munki itself.  While true, Sophos auto-updates itself, Munki won’t try to re-install anything if it detects a newer version. Plus it’s just tidy if the day comes you want to update your build with a newer version or maybe change the pre-defined settings for Sophos.


Payload should be empty, your instinct might be to put the Sophos items here, but that isn’t where they go.


Scripts is where all the magic happens. Click Set… under Post-Installation and choose your script. Next, drag or click the + sign and select the Sophos Installer Components and the Sophos This is going to include those three items right inside the .pkg it builds.

When the installer runs, it calls the post-installation script which runs the Sophos installer, installing Sophos along with your custom settings.

The last tab is Comments which I didn’t use and is completely blank, so I didn’t put up a screenshot.

Finally, Save your project and then from the Build menu choose Build… If all goes well, in your Sophos folder you’ll have a now have a build folder with a standard .pkg file you can use to install Sophos. You can put the entire Sophos folder someplace safe. If you ever need to modify it you’ll have all of the files you need in a single location.

This entry was posted in macOS, Tech Trinkets, Work. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *