Leveraging vendor-signed Configuration Profiles helps ensure supported endpoints
TL;DR for Mac Admins: Distribute the “original” Sophos Endpoint.mobileconfig to all of your fleet running macOS Monterey (and earlier) and only distribute Sophos Endpoint.mobileconfig version 1.1 to computers after they’ve upgraded to macOS Ventura.
Background
In mid July 2022, Sophos began including a signed Configuration Profile with their installation archives for Mac Admins to deploy to their fleet.
While we had previously “rolled-our-own” Configuration Profile for Sophos Endpoint — occasionally in spite of the vendor’s documentation — the inclusion of a signed profile was a welcomed addition and we deployed it at the same time we switched to a scripted install of Sophos Endpoint.
(When vendor support is required, having deployed a vendor-signed Configuration Profile seems to help reduce finger-pointing.)
macOS Ventura’s Login and Background Items
For Mac Admins, the early part of the beta-testing cycle for macOS Ventura was dominated by the new Login and Background Items, the com.apple.servicemanagement domain.
This new MDM payload, which can only be installed on macOS 13 by MDM, prevents users from disabling managed Login and Background Items in System Settings > General > Login Items.
In other words, “pre-installing” a Configuration Profile which includes a PayloadType of com.apple.servicemanagement before a computer upgrades to macOS Ventura is not an option.
A Tale of Two .mobileconfigs
To the best of my current knowledge, Sophos began bundling the “original” Sophos Endpoint.mobileconfig sometime after 18-Jul-2022 and the distribution of version 1.1 — which contains com.apple.servicemanagement — started shortly after 26-Sep-2022.
If you’d like to only distribute vendor-signed settings for Sophos Endpoint, you’ll need both versions.
Filename | Version | Date | Target OS |
---|---|---|---|
Sophos Endpoint.mobileconfig | “Original” | 18-Jul-2022 | macOS Monterey (and earlier) |
Sophos Endpoint.mobileconfig | 1.1 | 26-Sep-2022 | macOS Ventura |
File Preparation
Part of the challenge of comparing the two versions is that regardless of the Sub-Estate, every download from the Sophos Central console is called SophosInstall.zip and the Configuration Profile contained in the Deployment Tools folder is called Sophos Endpoint.mobileconfig.
Let’s use Terminal to make a timestamped, unsigned copy of each Configuration Profile.
1. file Variable
We’ll first assign a variable named file to the path of the downloaded Configuration Profile.
Open a new Terminal window and type file= (with no trailing space), then drag-and-drop the Sophos Endpoint.mobileconfig to the open Terminal window and press Return. The output should look similar to the following:
file=/Users/dan/Downloads/SophosInstall/Deployment\ Tools/Sophos\ Endpoint.mobileconfig
2. Validate Signature
Now that we have file assigned to the path of the profile, let’s first validate its signature:
openssl pkcs7 -inform DER -print_certs -in "$file" | grep subject
The output should match the following:
subject=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US
subject=/UID=2H5GFH3774/CN=Developer ID Application: Sophos (2H5GFH3774)/OU=2H5GFH3774/O=Sophos/C=U
3. fileModificationDate Variable
Let’s now use stat to assign the modification date of the file to a fileModificationDate variable by executing the following command:
fileModificationDate=$( date -j -f "%s" "$( stat -f "%m" "$file" )" "+%Y-%m-%d" ) ; echo "$fileModificationDate"
4. Create Timestamped Copy
Let’s create a copy of file using its modification date as part of the filename:
cp -v "$file" "${file%.*}"-"$fileModificationDate"."${file##*.}"
5. Remove Signature
Now that we have a timestamped copy with which to work, let’s remove the signature:
openssl smime -inform DER -verify -in "${file%.*}"-"$fileModificationDate"."${file##*.}" -noverify -out "${file%.*}"-"$fileModificationDate"-unsigned."${file##*.}"
You should observe Verification successful.
6. Format File
Finally, if needed, we can leverage plutil to format the file:
plutil -convert xml1 "${file%.*}"-"$fileModificationDate"-unsigned."${file##*.}"
Then open the timestamped, unsigned file in your favorite text editor and repeat the steps above for the second Configuration Profile.
File Comparison
A comparison of the two files shows the new payload type of com.apple.servicemanagement in version 1.1, which should only be distributed to computers after they have upgraded to macOS Ventura.
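As an added example (not code from the original post or from Sophos), the following shell script automates the comparison on the timestamped, unsigned XML copies produced above: it lists each profile’s PayloadType values, flags a profile carrying com.apple.servicemanagement as Ventura-only, and reports the payload types that appear in the newer profile but not the older one. The sample profiles it writes are constructed and minimal; com.apple.system-extension-policy is used only as a stand-in for whatever other payloads the real profile contains.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sophos. It works on the
# unsigned, XML-formatted copies produced by steps 5 and 6 above, where each
# <key>PayloadType</key> is followed by its <string> value on the next line.

# Print every PayloadType value in an unsigned XML profile, one per line.
payload_types() {
  awk '/<key>PayloadType<\/key>/ { want = 1; next }
       want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; want = 0 }' "$1"
}

# Decide which macOS release a profile may be scoped to, per the table above:
# a com.apple.servicemanagement payload can only be installed on macOS 13 by MDM.
target_os() {
  if payload_types "$1" | grep -qx 'com.apple.servicemanagement'; then
    echo "macOS Ventura"
  else
    echo "macOS Monterey (and earlier)"
  fi
}

# PayloadType values present in the newer profile but absent from the older one.
added_payload_types() {  # $1 = older profile, $2 = newer profile
  old=$(mktemp); new=$(mktemp)
  payload_types "$1" | sort -u > "$old"
  payload_types "$2" | sort -u > "$new"
  comm -13 "$old" "$new"
  rm -f "$old" "$new"
}

# Constructed, minimal sample profiles (illustration only, not Sophos's real content).
write_sample() {  # $1 = output path, remaining args = PayloadType values
  path=$1; shift
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
    printf '\t<key>PayloadContent</key>\n\t<array>\n'
    for t in "$@"; do
      printf '\t\t<dict>\n\t\t\t<key>PayloadType</key>\n\t\t\t<string>%s</string>\n\t\t</dict>\n' "$t"
    done
    printf '\t</array>\n\t<key>PayloadType</key>\n\t<string>Configuration</string>\n</dict>\n</plist>\n'
  } > "$path"
}

SAMPLE_DIR=$(mktemp -d)
write_sample "$SAMPLE_DIR/original.mobileconfig" com.apple.system-extension-policy
write_sample "$SAMPLE_DIR/v1.1.mobileconfig" com.apple.system-extension-policy com.apple.servicemanagement
for p in original v1.1; do
  printf '%s -> %s\n' "$p" "$(target_os "$SAMPLE_DIR/$p.mobileconfig")"
done
added_payload_types "$SAMPLE_DIR/original.mobileconfig" "$SAMPLE_DIR/v1.1.mobileconfig"
```

Point the two functions at your own timestamped, unsigned copies instead of the constructed samples to get the same classification for the real profiles.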