This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Apple Mac 802.1x wired Certificate registration failing - provider rejected new flow TCP

We're trying to let Mac Endoints retrieve their 802.1x machine certificate for wired connection from AD domain controllers.

Sophos EP is installed.

This is always failing. We're suspecting Sophos EP is not letting the mdm extension successfully connect to the DC.

[Extension com.sophos.endpoint.network]: provider rejected new flow TCP com.apple.mdmclient

default	10:58:55.062127+0100	com.sophos.endpoint.networkextension	[Extension com.sophos.endpoint.network]: Calling handleNewFlow with TCP com.apple.mdmclient[{length = 20, bytes = xxxxxxxxxxxxx}] remote: domaincontrollerIP:88 interface utun4
default	10:58:55.062391+0100	com.sophos.endpoint.networkextension	browser check : browser lists do not contain mdmclient(53931)
default	10:58:55.062505+0100	com.sophos.endpoint.networkextension	tproxy :           flow D89B5B5D-793C-4940-8A72-88BF02730A00 from:mdmclient(53931) webd:(pid:0 port:0) dst:domaincontrollerIP:88 isBrowser:false isSophos:false redirectionEnabled:false
default	10:58:55.062690+0100	com.sophos.endpoint.networkextension	[Extension com.sophos.endpoint.network]: provider rejected new flow TCP com.apple.mdmclient[{length = 20, bytes = xxxxxxxxxxxxx}] remote: domaincontrollerIP:88 interface utun4

Has someone successfully implemented 802.1x certificates on Apple devices in combination with Sophos installed?

Operating System Version 14.3.1 (Build 23D60)
Processor Architecture arm64
Agent Version 2024.1.0.49


This thread was automatically locked due to age.
  • Hi LHerzog,

    Thanks for reaching out. 

    Could you check if the results change when SSL./TLS decryption is turned off? If this allows things to work as expected, could you please try adding the IP address of the DC to the sites excluded from decryption?

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • it turned out it was not the Sophos Endpoint. Removing it did not change anything.

    In the end the Mac admin changed values in the variables of the profile manager, then it worked and the machine could register a certificate at the DC and then retrieve it.

    The name for the CA must not be CN=NAME, it needs to be NAME only. The tooltip for valid values was just wrong.