This news item reflects details contained within this KBA:
Overview
As of version 2024.4 (10.9.5), as part of our ongoing updates to avoid future updating issues, if the Full Disk Access rights for Sophos Updater are not present via MDM or manually, the Sophos Updater service health will be marked as bad, triggering a red health state even if there is no updating issue at the current time.
This change has been made due to multiple issues with updating due to changing Apple security requirements. Adding this permission will avoid future updating issues. For the recent instance, see Advisory: Sophos Endpoint for macOS - Sophos Update failures.
If you are already using the Sophos MDM profile version 3 or later or have manually added the Sophos Updater FDA rights, this is already done and will not trigger bad health.
Note: Updating will continue to work normally. This is a condition change to alert customers to update the permissions.
Product and Environment
Sophos Endpoint for macOS 2024.4 and later
Information
For customers using an MDM solution such as JAMF, InTune, and so on, please update to the latest profiles (v3.0 as of Jan 2025) found here: Sophos Central Admin: Installing Endpoint Protection using JAMF pro.
For customers who are not using MDM:
- Open the local Sophos Endpoint Agent.
- Click About.
- Click Open Endpoint Self Help Tool.
- Click Prerequisites.
- Click the "Fix" button.
- Follow the instructions to drag and drop the permissions.
Note: The manual steps to find Sophos Updater in the Full Disk Access permissions dialog will not work, as it will not be listed if the OS has not blocked it. The above drag-and-drop steps must be used.
Sign up for the Sophos Support Notification Service to receive proactive SMS alerts for Sophos products and Sophos Central services.
