Real time protection disabled on Mac OS endpoint

Question

2 of our Mac OS endpoints are showing the same high severity alert. Both of these were installed by the end-user using an installer and instructions that we provided for them. I'm wondering if they failed to give Sophos the correct security permissions at the end of the install process. Unfortunately is has been hard to get a hold of them. I sent them this link https://support.sophos.com/support/s/article/KB-000039014?language=en_US but never heard back. I have 2 main questions: 
 1. These alerts are marked as having occurred 8 days or more in the past and everything but the "legacy" services are showing as running.. Does that mean that they are ongoing or that they have been resolved and I should simply acknowledge them? The alert shows up in the device's Status page ( screenshot below ) and the customer's "Alerts" section in Sophos Central Admin. 
 2. If this is an ongoing issue what is the best way to resolve it? There is a "Reinstall Endpoint Protection" option available but I'm thinking maybe connecting to the machines via remote control and using the instructions in the link above would be more reliable.

PavSupport · Answer

Hello Owen, 
 The alerts are simply to notify you of the issue and regardless of the machine status, you would need to acknowledge them yourself. Based on your screenshot, the issue is still happening - the user needs to follow the steps from the article that you already sent - specifically: 
 
 Open System Preferences . 
 Open Security & Privacy . 
 There should be a prompt asking to approve Sophos extensions. 
 
 If that fails, the next step would be to do what GlennSen suggested with Recovery mode command. 
 Fixing that will get the services into a green state. You can acknowledge the alert when all services are green, or acknowledge the alert now, as it will not affect the machine status - it really depends what you are using to keep an eye on current issues - machines health status (orange\red\green) or alerts. Some of our customers keep the alert open until the issue is completely resolved and some create a ticket with their own internal IT, then acknowledge the alert. 
 Hope that helps! Please let me know if you have any further questions! 
 If a post solves your question please use the 'Verify Answer' link.

RichardP · Answer

you can enroll the devices into the EAP if you join it. You can then have the users re-apply the permissions - the EAP forum has the steps attached to it.

Real time protection disabled on Mac OS endpoint

Top Replies