
macOS Ventura & Sophos-signed Configuration Profiles

Leveraging vendor-signed Configuration Profiles helps ensure supported endpoints

TL;DR for Mac Admins: Distribute the “original” Sophos Endpoint.mobileconfig to all of your fleet running macOS Monterey (and earlier) and only distribute Sophos Endpoint.mobileconfig version 1.1 to computers after they’ve upgraded to macOS Ventura

Background

In mid July 2022, Sophos began including a signed Configuration Profile with their installation archives for Mac Admins to deploy to their fleet.

While we had previously “rolled-our-own” Configuration Profile for Sophos Endpoint — occasionally in spite of the vendor’s documentation — the inclusion of a signed profile was a welcome addition and we deployed it at the same time we switched to a scripted install of Sophos Endpoint.

(When vendor support is required, having deployed a vendor-signed Configuration Profile seems to help reduce finger-pointing.)

“Original” Sophos Endpoint Configuration Profile on macOS Monterey
Sophos Endpoint v1.1 Configuration Profile on macOS Ventura

macOS Ventura’s Login and Background Items

For Mac Admins, the early part of the beta-testing cycle for macOS Ventura was dominated by the new Login and Background Items, the com.apple.servicemanagement domain.

This new MDM payload, which can only be installed on macOS 13 by MDM, prevents users from disabling managed Login and Background Items in System Settings > General > Login Items.

In other words, “pre-installing” a Configuration Profile which includes a PayloadType of com.apple.servicemanagement before a computer upgrades to macOS Ventura is not an option.

A Tale of Two .mobileconfigs

To the best of my current knowledge, Sophos began bundling the “original” Sophos Endpoint.mobileconfig sometime after 18-Jul-2022 and the distribution of version 1.1 — which contains com.apple.servicemanagement — started shortly after 26-Sep-2022.

If you’d like to only distribute vendor-signed settings for Sophos Endpoint, you’ll need both versions.

Filename                       Version      Date         Target OS
Sophos Endpoint.mobileconfig   “Original”   18-Jul-2022  macOS Monterey (and earlier)
Sophos Endpoint.mobileconfig   1.1          26-Sep-2022  macOS Ventura

File Preparation

Part of the challenge of comparing the two versions is that regardless of the Sub-Estate, every download from the Sophos Central console is called SophosInstall.zip and the Configuration Profile contained in the Deployment Tools folder is called Sophos Endpoint.mobileconfig.

Let’s use Terminal to make a timestamped, unsigned copy of each Configuration Profile.

Screencast

Screencast (02:20; no audio)

1. file Variable

We’ll first assign a variable named file to the path of the downloaded Configuration Profile.

Open a new Terminal window and type file= (with no trailing space) then drag-and-drop the Sophos Endpoint.mobileconfig to the open Terminal window and press Return. The output should look similar to the following:

file=/Users/dan/Downloads/SophosInstall/Deployment\ Tools/Sophos\ Endpoint.mobileconfig

2. Validate Signature

Now that we have file assigned to the path of the profile, let’s first validate its signature:

openssl pkcs7 -inform DER -print_certs -in "$file" | grep subject

The output should match the following:

subject=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US
subject=/UID=2H5GFH3774/CN=Developer ID Application: Sophos (2H5GFH3774)/OU=2H5GFH3774/O=Sophos/C=U

3. fileModificationDate Variable

Let’s now use stat to assign the modification date of the file to a fileModificationDate variable by executing the following command:

fileModificationDate=$( date -j -f "%s" "$( stat -f "%m" "$file" )" "+%Y-%m-%d" ) ; echo $fileModificationDate

4. Create Timestamped Copy

Let’s create a copy of file using its modification date as part of the filename:

cp -v "$file" "${file%.*}"-"$fileModificationDate"."${file##*.}"

5. Remove Signature

Now that we have a timestamped copy with which to work, let’s remove the signature:

openssl smime -inform DER -verify -in "${file%.*}"-"$fileModificationDate"."${file##*.}" -noverify -out "${file%.*}"-"$fileModificationDate"-unsigned."${file##*.}"

You should observe Verification successful.

6. Format File

Finally, if needed, we can leverage plutil to format the file:

plutil -convert xml1 "${file%.*}"-"$fileModificationDate"-unsigned."${file##*.}"

Then open the timestamped, unsigned file in your favorite text editor; repeat for the second Configuration Profile.
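Steps 1 through 6 collected into one script, as an added example rather than anything from the post or from Sophos. The helper names (file_mod_date, timestamped_name, unsigned_name, profile_signers, prepare_profile) are this example’s own. It uses the same openssl invocations as the steps above, quotes the path so the space in “Deployment Tools” is safe, falls back to GNU stat/date when run somewhere other than macOS, and refuses to strip the signature unless the Developer ID subject from step 2 (including the 2H5GFH3774 team ID) is present, so a tampered or unsigned file never ends up as an “unsigned copy” by mistake.

```shell
#!/bin/sh
# Added example: steps 1-6 of the post in one function. Not Sophos' code; the
# helper names are this example's own. BSD stat/date on macOS, GNU elsewhere.

# Step 3: modification date of a file as YYYY-MM-DD
file_mod_date() {
  case $(uname -s) in
    Darwin|FreeBSD|OpenBSD|NetBSD)
      date -j -f "%s" "$(stat -f "%m" "$1")" "+%Y-%m-%d" ;;
    *)
      date -d "@$(stat -c "%Y" "$1")" "+%Y-%m-%d" ;;
  esac
}

# Step 4 naming: "Sophos Endpoint.mobileconfig" + 2022-07-18
#   -> "Sophos Endpoint-2022-07-18.mobileconfig"
timestamped_name() {
  printf '%s\n' "${1%.*}-$2.${1##*.}"
}

# Step 5 naming: "Sophos Endpoint-2022-07-18-unsigned.mobileconfig"
unsigned_name() {
  printf '%s\n' "${1%.*}-$2-unsigned.${1##*.}"
}

# Step 2: subject lines of the certificates inside the DER PKCS#7 wrapper.
# Exit status is non-zero when the file carries no readable signature.
profile_signers() {
  openssl pkcs7 -inform DER -print_certs -in "$1" 2>/dev/null | grep '^subject'
}

# Steps 1-6 for one profile; prints the path of the unsigned copy.
# Return codes: 1 missing file, 2 not signed by Sophos, 3 signature strip failed.
prepare_profile() {
  file=$1
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  stamp=$(file_mod_date "$file")
  signed_copy=$(timestamped_name "$file" "$stamp")
  unsigned_copy=$(unsigned_name "$file" "$stamp")

  # Pin to the CN and team ID shown in step 2; matching on the CN value rather
  # than the whole line keeps this working across OpenSSL/LibreSSL subject layouts
  if ! profile_signers "$file" | grep -qF 'Developer ID Application: Sophos (2H5GFH3774)'; then
    echo "$file: no Sophos Developer ID signature found" >&2
    return 2
  fi

  cp "$file" "$signed_copy"
  # -verify unwraps the CMS envelope; -noverify skips chain validation (the
  # signer was checked above), so this runs without Apple's CA in the store
  openssl smime -inform DER -verify -noverify -in "$signed_copy" -out "$unsigned_copy" \
    || return 3
  # Step 6: plutil exists only on macOS; elsewhere the plist stays as openssl wrote it
  if command -v plutil >/dev/null 2>&1; then
    plutil -convert xml1 "$unsigned_copy"
  fi
  printf '%s\n' "$unsigned_copy"
}

# Usage: sh prepare_profile.sh "Deployment Tools/Sophos Endpoint.mobileconfig" [more profiles...]
for profile in "$@"; do
  prepare_profile "$profile"
done
```

Run it once per downloaded SophosInstall.zip; because the copy is named from the file’s modification date, the “original” and the 1.1 profile land side by side instead of overwriting each other.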

File Comparison

A comparison of the two files shows the new payload type of com.apple.servicemanagement in version 1.1, which should only be distributed to computers after they have upgraded to macOS Ventura.
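A way to make that comparison mechanical, as an added example that is not from the post or from Sophos: list the PayloadType values in each unsigned copy and print the ones that only the newer file declares. The helper names are this example’s own, and the two sample profiles it writes are constructed stand-ins (the real Sophos payloads are not reproduced here, only the com.apple.servicemanagement payload the post names plus one illustrative system-extension payload that appears in both).

```shell
#!/bin/sh
# Added example for the File Comparison step; not Sophos' code. The sample
# profiles below are constructed, not the contents of the real .mobileconfigs.

# PayloadType values declared in an unsigned XML profile, one per line, sorted.
# After plutil -convert xml1 each <key>/<string> pair sits on its own line,
# so the value is the line following <key>PayloadType</key>.
payload_types() {
  awk '/<key>PayloadType<\/key>/ {
         getline
         gsub(/^[ \t]*<string>|<\/string>[ \t]*$/, "")
         print
       }' "$1" | sort -u
}

# Payload types present in the newer profile ($2) but absent from the older one ($1)
new_payload_types() {
  old_list=$(mktemp)
  payload_types "$1" > "$old_list"
  payload_types "$2" | grep -vxF -f "$old_list" || true
  rm -f "$old_list"
}

# Constructed stand-ins for the two unsigned copies, written into directory $1
make_sample_profiles() {
  cat > "$1/old-unsigned.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.system-extension-policy</string>
        </dict>
    </array>
    <key>PayloadType</key>
    <string>Configuration</string>
</dict>
</plist>
EOF
  cat > "$1/new-unsigned.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.system-extension-policy</string>
        </dict>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.servicemanagement</string>
        </dict>
    </array>
    <key>PayloadType</key>
    <string>Configuration</string>
</dict>
</plist>
EOF
}

# Usage: sh compare_profiles.sh old-unsigned.mobileconfig new-unsigned.mobileconfig
if [ "$#" -eq 2 ]; then
  new_payload_types "$1" "$2"
fi
```

Any line this prints names a payload that only the newer profile installs; if com.apple.servicemanagement is among them, that file belongs in the Ventura-only scope described above.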
