Skip to content

Installing Endpoint Protection using Jamf Pro


You can only use these instructions for Macs with macOS 11 Big Sur or later installed. You can't use them for Macs with macOS 10.15 or earlier installed. This is because of changes in KEXT authorization requirements. See Security permissions on macOS.

You can install Endpoint Protection on your Macs using Jamf Pro. This means you can install our protection software remotely.

We provide a Configuration Profile. The profile sets appropriate authorizations for settings. These include the following:

  • Full Disk Access
  • system extensions
  • notifications

These settings are required for Endpoint Protection to work correctly.

The latest macOS Endpoint Protection installer includes an updated Configuration Profile. This profile contains the settings needed to prevent users turning off Sophos Endpoint on Macs running macOS 13 Ventura.

These instructions are for JAMF Pro, however, the MDM profile and script should work in other MDM solutions.

This information is provided as-is and was created using Jamf Pro 10.40. Contact Sophos Professional Services if you require assistance with your specific environment.

To install Endpoint Protection on your Macs using Jamf Pro, do as follows:

  1. Download the installer from Sophos Central. You also need to copy the SophosInstall download URL.
  2. Save the configuration profile and installation script from the installer.
  3. Set up computer groups in Jamf Pro, if necessary.
  4. Add and assign a configuration profile in Jamf Pro.
  5. Create and configure script policies in Jamf Pro.
  6. Check that Endpoint Protection is installed.

Download installer

You need the macOS Endpoint Protection installer from Sophos Central. You also need the SophosInstall URL. You need this to use with the installation script.

To do this, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Devices > Installers.
  3. In Endpoint Protection, choose your installer.

    • Click Download Complete macOS Installer to download an installer with all endpoint products your license covers.
    • Click Choose Components… to choose which products will be included in the installer.

      For more help on downloading the installer see Endpoint Protection.

  4. Save the download URL. To do this, do as follows:

    1. Right click the folder and click Get Info.
    2. Under More Info, copy the URL shown in Where from.

      Copying SophosInstall URL.

      If the URL isn't shown in Where from, do as follows:

      1. Right-click the folder in your browser Downloads.
      2. Click Copy address.

        This gives you the URL of the downloaded installer.

    3. Save the copied URL.

      You need this to use with the installation script in Jamf Pro.

Save the configuration profile and installation script

Next, you need to save the configuration profile and installation script from the installer zip file.

To do this, do as follows:

  1. Find your downloaded installer zip file,
  2. Extract the following files:

    • Sophos Endpoint.mobileconfig
    • Install Sophos Script.txt
  3. Save these files.

Set up computer groups

You create groups using Jamf Pro to organize your Macs. You can use these groups to install Endpoint Protection remotely. You assign a configuration profile and installation script to groups to do this.

These instructions give a simple example of creating a group to get you started.

If you already have groups set up you can skip this section.

  1. Log in to Jamf Pro.
  2. Click Computers.
  3. Click Static Computer Groups.

    Static Computer Groups in Jamf Pro.

  4. Click + New on the right.

    This creates a new static computer group.

  5. Enter a Display Name for the group. Click Assignments.

  6. Select all the Macs you want to install Endpoint Protection on and click Save.

    Select devices.

    This creates a new static group.

  7. Check you can see your new group in Static Computer Groups.

    Created static group in Jamf Pro.

Add and assign configuration profiles


You must have a group before you do this.

Now, you need to add and assign your configuration profile. This is the Sophos Endpoint.mobileconfig file you saved from the installer zip file,

Add profile

To add your profile, do as follows:

  1. In Jamf Pro, click Configuration Profiles.
  2. Click Upload.
  3. Click Choose File and select Sophos Endpoint.mobileconfig.

    This is the Sophos signed configuration profile.

  4. Click Upload.

  5. When your upload is finished, click Scope.

Assign profile

Now you assign the profile to your Macs.

To do this, do as follows:

  1. Click + Add on the right.
  2. Click Computer Groups.
  3. Find your groups. For each group you want to assign the profile to, click Add to the right of the group.

    This screenshot shows an example target group.

    Example target group.

  4. After you add your groups they disappear from the list. Click Save at the bottom of the page.

  5. Click Configuration Profiles on the left menu.

    You should see the Sophos Endpoint configuration profile assigned to your chosen groups.

Create and configure a script policy


You must have a group before you do this.

Next, you need to create and assign the Sophos installation script to your target groups. You will use the Install Sophos Script.txt file you downloaded earlier. You will also need the installer download URL you copied earlier.

Create Sophos installation script

To create the script, do as follows:

  1. In Jamf Pro, click the Settings icon (top right).

    Jamf Pro Settings.

  2. Click Computer Management.

  3. Click Scripts.
  4. Click New to add a new script.
  5. Enter a Display Name.

    Adding a name for the script.

  6. Click Script.

  7. Set the Mode to Shell/Bash.
  8. Set the Theme to Default.
  9. Copy the contents of Install Sophos Script.txt into the script field.
  10. Replace "put installer URL in these quotes" with the installer download URL you copied earlier.

    Create installation script.

  11. Click Save.

For more information on the command-line options, see Installer command-line options for Mac.

Create policy

Next, you need to create a policy for your script and assign your script to it.

To do this, do as follows:

  1. Click Computers.
  2. Click Policies.

    Policies in Jamf Pro.

  3. Click New.

  4. Enter a Display Name.
  5. Select Recurring Check-in as the event that activates the policy.

    Policy settings in Jamf Pro.

  6. Click Scripts.

  7. Click Configure.
  8. Click Add and choose the script you added earlier.
  9. Click Scope to add your deployment targets.
  10. Click Add and then Computer Groups.
  11. Find the group you created earlier and click Add (on the right).

    Assigning policy to group.

  12. Click Save.

Your policy activates the next time Jamf Pro detects your Macs. This then runs the Endpoint Protection installation on your Macs.

Check Endpoint Protection is installed

You can check the Jamf Pro log files to see your policy has activated. You can also verify that the installation has worked by checking your Macs.

To do this, do as follows:

  1. In Jamf Pro, click Computers.
  2. Click Policies.
  3. Click on the policy you created earlier.
  4. Check the logs for the policy. You will see one of the following statuses for your groups:

    • Pending: script hasn't run yet and installation hasn't happened yet.
    • Completed: script has run and your Macs should now have Endpoint Protection installed on them.
  5. Check that your managed Macs have Sophos Endpoint installed on them. On each Mac, check the following:

    • In System Preferences check Profiles. You should see the name of the configuration profile you set up in Jamf Pro.
    • In Sophos Endpoint, check the Endpoint Self Help tool. Any issues with installation or configuration are shown here.

    For help on fixing permission issues, see Security permissions on macOS