
Uninstalling Sophos Endpoint

Sophos do provide an official Uninstall/Remove tool for uninstalling Sophos Endpoint on a Mac.

This used to work fine on Macs but with macOS Big Sur (and Monterey) Apple have again moved the goal posts and this results in the System Extensions being left behind and still active. 

For Big Sur and Monterey there are now three possible solutions.

  1. The 'Apple way' - the end user themselves is an admin and has total control over their laptop, they are geniuses and know exactly what to do, which is to drag /Applications/Sophos/Sophos Network Extension.app to the bin, and also to drag /Applications/Sophos/Sophos Scan.app/Contents/MacOS/SophosScanD.app, which is hidden inside the Sophos Scan.app, to the bin. (This triggers an Apple dialog asking the user to confirm uninstalling the system extensions included in these two 'apps'.)
  2. Reboot to Recovery mode, turn off SIP, reboot, remove the system extensions using systemextensionsctl -uninstall, reboot again, turn SIP back on. (Note: If you have a Mac running macOS Catalina or earlier then it is not necessary to turn off SIP.)
  3. Use a new function Apple added to macOS Monterey, and I believe Big Sur 11.6, which allows turning off the need to supply via a local user an admin authorisation. As a result option 1 should no longer be necessary and it should be possible to automate the process.

Clearly option 3 looks more suitable for an Enterprise environment.

Unfortunately, option 3 not only needs a very recent version of macOS but it also requires the developer of the system extensions - in this case obviously Sophos - to write support for this new capability into their own built-in uninstaller. I strongly suspect Sophos have not yet done this.

The following two articles provide excellent background to these issues - which I have seen discussed in the Big Sur EAP forum but to which I cannot post.

https://grahamrpugh.com/2021/04/06/delete-system-extension-command-line.html

https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monterey-and-earlier/?unapproved=65452&moderation-hash=1a29c0df9667f4dce173d7736088417f#comment-65452 

The second link above also has links to some of the official Apple developer documentation on how to implement this function in the developer's uninstaller. Sophos therefore should look at those links as well.

It should be noted that apparently Microsoft have added this capability to their own Microsoft Defender uninstaller.
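
Added example, not part of the original post or of Sophos's tooling: a check for the failure described above, where the uninstaller finishes but system extensions stay registered. It parses text in the layout printed by `systemextensionsctl list`; the sample rows, team ID and bundle IDs are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Report system extensions that are still registered after an uninstall.
# Input: text in the layout of `systemextensionsctl list` on stdin.
# Output: one line per matching row: "teamID bundleID [state]".
leftover_extensions() {
    awk -v p="$1" '
        /^---/ || /^enabled/ { next }      # category and column-header rows
        {
            for (i = 1; i <= NF; i++) {
                if (index($i, p) == 1) {   # field starts with the bundle-ID prefix
                    state = "[unknown]"
                    if (match($0, /\[[^]]*\]/))
                        state = substr($0, RSTART, RLENGTH)
                    team = (i > 1) ? $(i - 1) : "-"
                    print team, $i, state
                    break
                }
            }
        }'
}

# Count the leftovers that are still activated, i.e. not merely
# waiting for a reboot to finish their removal.
active_leftovers() {
    leftover_extensions "$1" | grep -c 'activated' || true
}

# Constructed sample (placeholder team ID and bundle IDs): one extension
# is pending removal, the other is still activated and enabled.
sample_list() {
    printf '%s\n' '2 extension(s)' \
        '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '\t\tEXAMPLE0000\tcom.example.vendor.networkextension (1.0/1.0)\t'
    printf 'Example Network Extension\t[terminated waiting to uninstall on reboot]\n'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tEXAMPLE0000\tcom.example.vendor.scanextension (1.0/1.0)\t'
    printf 'Example Scan Extension\t[activated enabled]\n'
}

# On a Mac, feed the real listing instead of the sample:
#   systemextensionsctl list | leftover_extensions <vendor bundle-ID prefix>
sample_list | leftover_extensions com.example.vendor.
```

A non-zero result from `active_leftovers` after the vendor uninstaller has run means an extension is still loaded and the removal is incomplete.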



This thread was automatically locked due to age.
  • Hi Kushal, thanks for your previous interaction. 
    Is there any update on this? The product just doesn't uninstall and I can't recommend the product to my company anymore until it's fixed.

  • Here is what we found and currently do.

    1. A normal Mac following the normal process as per Sophos' own article of dragging app bundles to the Bin successfully uninstalls one of the two System Extensions but not the other. My suspicion is that macOS is 'confused' by the second one being embedded in an app which is itself embedded inside another app. All the proper macOS messages are shown but this one does not properly uninstall.

    2. I did try writing a shell script which used AppleScript to tell the Finder to 'drag' the apps to the Bin. This works on a Mac that is not enrolled in Jamf Pro but fails on Macs enrolled into Jamf Pro even though I have correctly told Jamf Pro PPPC to allow this. Jamf say this is a bug in both macOS Big Sur and Monterey.

    3. Sophos do not yet support the new Apple API to fully automate uninstalling System Extensions. The impression I got from their response was that until I brought this to their attention they were not aware of this at all.

    4. We currently successfully do the uninstall including System Extensions by a) turning SIP off, b) removing the first app and hence extension, c) rebooting, then d) removing the second one and e) rebooting and then running the Sophos uninstaller, then f) turning SIP back on. We have to get users to manually turn SIP off and on but the rest we have automated via two Jamf Self Service 'apps'.

  • A section was recently added to our KBA for removing Sophos from MacOS. Let me know if the steps described under "MacOS12.1" of the following article allow the full removal to be completed.
    - Sophos Anti-Virus for Mac: Removal tool

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • The issue is that your Removal tools do not remove the system extensions because you do not yet use and support the new Apple API for removing system extensions via such an automated uninstall process. (The drag to bin process is a manual process and as mentioned we found that only 'half' worked even under macOS Big Sur.)

    In my organisation's case we are all running macOS Big Sur so the referral to macOS12.1 is not applicable.

    Your KBA says you have to turn off SIP to remove the system extensions and this process works and is what we are having to use but clearly is extremely enterprise and user unfriendly and requires each user to be talked through doing this. 

  • The most recent release notes mention that this will be corrected as of version 10.3.3. 

    Let me know if you continue to experience this issue once Sophos is updated on your devices.

    Edit: This update will be available to all customers as of March 8th.

    Kushal Lakhan
    Team Lead, Global Community Support