Leveraging vendor-signed Configuration Profiles helps ensure supported endpoints
TL;DR for Mac Admins: Distribute the “original” Sophos Endpoint.mobileconfig to all of your fleet running macOS Monterey (and earlier), and only distribute version 1.1 to computers after they’ve upgraded to macOS Ventura.
In mid July 2022, Sophos began including a signed Configuration Profile with their installation archives for Mac Admins to deploy to their fleet.
While we had previously “rolled-our-own” Configuration Profile for Sophos Endpoint — occasionally in spite of the vendor’s documentation — the inclusion of a signed profile was a welcome addition, and we deployed it at the same time we switched to a scripted install of Sophos Endpoint.
(When vendor support is required, having deployed a vendor-signed Configuration Profile seems to help reduce finger-pointing.)
macOS Ventura’s Login and Background Items
For Mac Admins, the early part of the beta-testing cycle for macOS Ventura was dominated by the new Login and Background Items, the
This new MDM payload, which can only be installed on macOS 13 by MDM, prevents users from disabling managed Login and Background Items in System Settings > General > Login Items.
In other words, “pre-installing” a Configuration Profile which includes a com.apple.servicemanagement payload before a computer upgrades to macOS Ventura is not an option.
A Tale of Two
To the best of my current knowledge, Sophos began bundling the “original” Sophos Endpoint.mobileconfig sometime after 18-Jul-2022, and the distribution of version 1.1 — which contains com.apple.servicemanagement — started shortly after 26-Sep-2022.
If you’d like to only distribute vendor-signed settings for Sophos Endpoint, you’ll need both versions.
| Version | Target macOS |
| “original” Sophos Endpoint.mobileconfig | macOS Monterey (and earlier) |
| 1.1 (includes com.apple.servicemanagement) | macOS Ventura |
Part of the challenge of comparing the two versions is that, regardless of the Sub-Estate, every download from the Sophos Central console is called SophosInstall.zip, and the Configuration Profile contained in the Deployment Tools folder is called Sophos Endpoint.mobileconfig.
Let’s use Terminal to make a timestamped, unsigned copy of each Configuration Profile.
2. Validate Signature
4. Create Timestamped Copy
5. Remove Signature
6. Format File
A comparison of the two files shows the new payload type of com.apple.servicemanagement in version 1.1, which should only be distributed to computers after they have upgraded to macOS Ventura.
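The steps above (remove the signature, normalise the file, compare the two) can be automated so that a profile's target OS is decided from its contents rather than from its file name. The following is an added example, not code from the original post or from Sophos: it locates the property list inside a CMS-signed .mobileconfig with a minimal DER walker, lists the PayloadType of every payload, and flags any profile that carries com.apple.servicemanagement as Ventura-only. It does not validate the signature (keep doing that separately, e.g. with `security cms` or `openssl smime` in Terminal); it assumes single-byte DER tags and definite lengths, which is what a vendor-signed profile uses. The two sample profiles and the `wrap_like_cms` wrapper are constructed stand-ins (no real signature, not Sophos's actual payload contents) so the script runs offline; point `main` at real files to inspect them.

```python
"""Report which .mobileconfig files carry the macOS Ventura-only payload type."""
import plistlib
import sys

VENTURA_ONLY_PAYLOAD = "com.apple.servicemanagement"


def der_walk(data):
    """Yield (tag, content) for each DER TLV, descending into constructed values.
    Assumes single-byte tags and definite lengths (true for a signed profile)."""
    i, n = 0, len(data)
    while i < n:
        tag, first = data[i], data[i + 1]
        i += 2
        if first == 0x80:
            raise ValueError("indefinite length is BER, not DER")
        if first & 0x80:  # long form: low 7 bits give the byte count of the length
            count = first & 0x7F
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        else:
            length = first
        content = data[i:i + length]
        i += length
        yield tag, content
        if tag & 0x20:  # constructed: recurse into the children
            yield from der_walk(content)


def _looks_like_plist(b):
    return b.lstrip().startswith(b"<?xml") or b.startswith(b"bplist")


def extract_plist_bytes(blob):
    """Return the property list from a signed (CMS) or already-unsigned profile."""
    if _looks_like_plist(blob):
        return blob
    for tag, content in der_walk(blob):
        if tag == 0x04 and _looks_like_plist(content):  # OCTET STRING eContent
            return content
    raise ValueError("no property list found inside the CMS wrapper")


def payload_types(blob):
    """Sorted PayloadType values of every payload in the profile."""
    profile = plistlib.loads(extract_plist_bytes(blob))
    return sorted({p["PayloadType"] for p in profile.get("PayloadContent", [])})


def requires_ventura(blob):
    """True when the profile can only be installed on macOS 13 by MDM."""
    return VENTURA_ONLY_PAYLOAD in payload_types(blob)


def compare_profiles(first, second):
    """Payload types unique to each profile and shared by both."""
    a, b = set(payload_types(first)), set(payload_types(second))
    return {"only_in_first": sorted(a - b), "only_in_second": sorted(b - a), "common": sorted(a & b)}


# ---- constructed sample data (not Sophos's real profiles) ----------------
def make_profile(display_name, types):
    """Minimal constructed profile with one payload per type."""
    payloads = [{"PayloadType": t, "PayloadIdentifier": f"example.{t}",
                 "PayloadUUID": f"CONSTRUCTED-{i}", "PayloadVersion": 1}
                for i, t in enumerate(types)]
    return plistlib.dumps({"PayloadDisplayName": display_name, "PayloadType": "Configuration",
                           "PayloadIdentifier": "example.constructed", "PayloadUUID": "CONSTRUCTED-TOP",
                           "PayloadVersion": 1, "PayloadContent": payloads})


def der_tlv(tag, content):
    """DER-encode one tag/length/value."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def wrap_like_cms(plist_bytes):
    """Stand-in CMS SignedData shell (no certificates, no signature) so the extractor
    has the same nesting to walk as a real signed profile."""
    oid_signed_data = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
    oid_data = bytes.fromhex("06092a864886f70d010701")         # 1.2.840.113549.1.7.1
    encap = der_tlv(0x30, oid_data + der_tlv(0xA0, der_tlv(0x04, plist_bytes)))
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + encap)
    return der_tlv(0x30, oid_signed_data + der_tlv(0xA0, signed))


ORIGINAL_PLIST = make_profile("Sample original", ["com.apple.system-extension-policy",
                                                  "com.apple.TCC.configuration-profile-policy"])
V11_PLIST = make_profile("Sample 1.1", ["com.apple.system-extension-policy",
                                        "com.apple.TCC.configuration-profile-policy",
                                        VENTURA_ONLY_PAYLOAD])
SIGNED_ORIGINAL = wrap_like_cms(ORIGINAL_PLIST)
SIGNED_V11 = wrap_like_cms(V11_PLIST)


def main(paths):
    for path in paths:
        with open(path, "rb") as fh:
            blob = fh.read()
        target = "macOS Ventura only" if requires_ventura(blob) else "macOS Monterey (and earlier) or later"
        print(f"{path}: {payload_types(blob)} -> {target}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 inspect_profile.py "Sophos Endpoint.mobileconfig"` against each downloaded profile; a profile that reports `macOS Ventura only` belongs in the smart group for upgraded computers, whatever its file name says.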