Sophos do provide an official Uninstall/Remove tool for uninstalling Sophos EndPoint on a Mac.
This used to work fine on Macs but with macOS Big Sur (and Monterey) Apple have again moved the goal posts and this results in the System Extensions being left behind and still active.
For Big Sur and Monterey there are now three possible solutions.
- The 'Apple way' - the end user themselves is an admin and has total control over their laptop, they are geniuses and know exactly what to do which is to drag /Applications/Sophos/Sophos Network Extension.app to the bin, and to also drag /Applications/Sophos/Sophos Scan.app/Contents/MacOS/SophosScanD.app which is hidden inside the Sophos Scan.app also to the bin (This triggers an Apple dialog asking the user to confirm uninstalling the system extensions included in these two 'apps')
- Reboot to Recovery mode, turn off SIP, reboot, remove the system extensions using systemextensionsctl -uninstall reboot again turn SIP back on. (Note: If you have a Mac running macOS Catalina or earlier then it is not necessary to turn off SIP.)
- Use a new function Apple added to macOS Monterey and I believe Big Sur 11.6 which allows turning off the need to supply via a local user an admin authorisation as a result option 1 should no longer be necessary and it should be possible to automate the process
Clearly option 3 looks more suitable for an Enterprise environment.
Unfortunately, option 3 not only needs a very recent version of macOS but it also requires the developer of the system extensions - in this case obviously Sophos to write support for this new capability in to their own built-in uninstaller. I strongly suspect Sophos have not yet done this.
The following two articles provide excellent background to these issues - which I have seen discussed in the Big Sur EAP forum but to which I cannot post.
https://grahamrpugh.com/2021/04/06/delete-system-extension-command-line.html
The second link above also has links to some of the official Apple developer documentation on how to implement this function in the developers uninstaller. Sophos therefore should look at those links as well.
It should be noted that apparently Microsoft have added this capability to their own Microsoft Defender uninstaller.
This thread was automatically locked due to age.