Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

We have developed new versions of our MDM profiles for macOS, we have added a profile for macOS Sonoma and also updated all profiles to add Full Disk Access (FDA) for the SophosUpdater Service and Sophos Installer app (bootstrap installer).

As part of this update we have added FDA to these processes as we have seen some instances where macOS has been blocking Sophos processes from completing installs and updates, adding FDA resolves the issue.

As a reminder, Apple has a System Settings app to manage system configuration which replaces the older System Preferences app. With this there is a Login Items panel that allows management of background applications or services that either start automatically at system boot or open automatically when users log in.

Local administrative users have the ability to turn off background applications and services and therefore could disable the Sophos Endpoint protection features as well as block communications with Sophos Central and software updates.

Management features are available via MDM solutions and using Configuration Profiles to prevent users from disabling critical services:

The latest Sophos Central Installer for macOS includes separate Configuration Profiles for each major macOS versions we currently support, namely:

  • Sophos Endpoint Monterey v2.1.mobileconfig

  • Sophos Endpoint Ventura v2.1.mobileconfig

  • Sophos Endpoint Sonoma v2.1 mobileconfig

Sophos Endpoint mobileconfig files contain the required settings needed to prevent local administrative users from disabling the Sophos Endpoint via the Login Items.  To acquire the new Configuration Profile files, download the latest installer from your Sophos Central account and look in the “Deployment Tools” folder to find the updated profile. When imported into your MDM solution you will see the new profile is labeled as “Sophos Endpoint OS v1.3” where OS is the operating system version for your installation.

You should deploy Configuration Profiles to all endpoints to keep the Sophos Endpoint protection services running. Once the updated Configuration Profile is applied, Sophos will still be visible under Login Items System Settings but users will not be able to disable it.

Sophos Endpoint Configuration Profiles supports the same features that were supported in the previous versions of the Configuration Profiles as well as features supported for each variant of macOS we support. We would suggest to deploy the relevant configuration profile to a given macOS version.

Please refer to the ReadMeFirst file located under the “Deployment Tools” folder for change log for each Configuration Profile. You can also refer to these detailed instructions on using Jamf Pro to deploy the Sophos Endpoint to your Mac devices.