MacOS Sophos updates failing - you don’t have permission to access “CID”

We have an increasing number of devices that are going out of date. While we cannot really see issues on the endpoints, and Central shows most of the Macs as nice and green, deeper in the Central logs we see a bunch of strange update errors like:

Low,"2024-08-21T10:03:27+02:00","Download of MacEndpoint failed from server TreeVisitor failed: path does not exist: /Library/Caches/com.sophos.sau/CID."

"2024-08-21T09:26:19+02:00","Download of MacEndpoint failed from server “Sophos Installer” couldn’t be moved because you don’t have permission to access “CID”.."

Low,"2024-08-21T08:46:59+02:00","Download of MacEndpoint failed from server Could not verify any signatures: refusing to load unverified content."

Low,"2024-08-21T07:37:09+02:00","Failed to download updates."

Low,"2024-08-20T08:47:39+02:00","Download of MacEndpoint failed from server The operation couldn’t be completed. (com.sophos.macendpoint.sdds3 error 6001.)."

Low,"2024-08-19T13:36:47+02:00","Download of MacEndpoint failed from server sdds3.sophosupd.com/.../sdds3.ScheduledQueryPack.dat: 0."

The first time this error appeared was on July 19th on one device. Others followed. Now we have 6 devices with that status.

Low,"2024-07-19T06:02:26+02:00","Download of MacEndpoint failed from server “Sophos Installer” couldn’t be moved because you don’t have permission to access “CID”.."

What's going on here? What does CID mean? TreeVisitor??

What can we actually do?

One Mac as example:



Added tags
[edited by: GlennSen at 2:24 PM (GMT -7) on 3 Sep 2024]
  • Thanks for the doc links you provided   

    I don't like the idea that these permissions may change at random - but in fact they do (we've had that in the past on many devices).

    Though I'd expect if the permissions are wrong, we'd have a red X at sophosscand on the status in Central and not all green.

    Like this:

    The computer I picked initially in my first post has all green and displayed no issues, just the update failed logs were showing the problem.

    But we'll check that on the endpoints locally and report back.

  •  sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep -i sophos
     
    kTCCServiceSystemPolicyAllFiles|com.sophos.SophosScanAgent|0|2|4|1|��||0|UNUSED||0|1654000571|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.macendpoint.CleanD|0|2|4|1|��||0|UNUSED||0|1654000571|||UNUSED|0
    kTCCServiceEndpointSecurityClient|com.sophos.macendpoint.SophosServiceManager|0|2|4|1|��||0|UNUSED||0|1654000571|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.liveresponse|0|2|4|1|��||0|UNUSED||0|1654000571|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.endpoint.uiserver|0|2|4|1|��||0|UNUSED||0|1654000572|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.SDU4OSX|0|2|4|1|��||0|UNUSED||0|1654000572|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|/Library/Sophos Managed Detection and Response/SophosMDR|1|2|4|1|��||0|UNUSED||0|1654000572|||UNUSED|0
    kTCCServiceEndpointSecurityClient|com.sophos.endpoint.scanextension|0|2|4|1|��||0|UNUSED||0|1654000572|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.livequery|0|0|5|1|��|||UNUSED||0|1654025980|||UNUSED|0
    kTCCServiceEndpointSecurityClient|com.sophos.scan|0|2|4|1|��||0|UNUSED||0|1654072710|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.enc.SophosEncryptionCentralAdapter|0|0|5|1|��|||UNUSED||0|1666866485|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.enc.SophosEncryptionD|0|0|5|1|��|||UNUSED||0|1666866510|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.enc.preferences|0|0|5|1|��|||UNUSED||0|1691503011|||UNUSED|0
    kTCCServiceSystemPolicyAllFiles|com.sophos.updater|0|0|5|1|��|||UNUSED||0|1699170796|||UNUSED|0

    /Library/Application Support/com.apple.TCC/MDMOverrides.plist: No such file or directory

  • I had the same problem and solved it. Please check your permissions for hard disk usage, see screenshot. Mine was de-activated after the last macOS update. With activating this my updates are working now.

  • Hi  and thanks for your answer. I'll ask one of the users to check that.

    I wonder what  says to the permissions report I posted above.

    It's unclear to me what the results mean.

    From your screenshot I translate this would be the line from the report:

    kTCCServiceSystemPolicyAllFiles|com.sophos.updater|0|0|5|1

    but, what is 0 0 5 1 ?
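
The four numbers asked about are the third to sixth columns of the TCC `access` table. As an added example (not part of any post in this thread, and not Sophos or Apple code), the Python below decodes them for rows like those in the report above and lists the clients whose Full Disk Access row is not "allowed". It assumes the column order `service|client|client_type|auth_value|auth_reason|auth_version` and the value meanings commonly reported from community analysis of TCC.db, which Apple does not document; the function names are hypothetical.

```python
# Added example: decode the leading columns of `select * from access` rows.
# Column order and value meanings are community-documented, not published by
# Apple, and may differ between macOS releases (assumption).
CLIENT_TYPE = {0: "bundle id", 1: "absolute path"}
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
AUTH_REASON = {1: "error", 2: "user consent", 3: "user set", 4: "system set",
               5: "service policy", 6: "MDM policy", 7: "override policy"}

# Constructed sample: four rows from the report above with the binary csreq
# blob cut off, plus one wrapped continuation line as the terminal printed it.
SAMPLE = """\
kTCCServiceSystemPolicyAllFiles|com.sophos.SophosScanAgent|0|2|4|1|
    ||0|UNUSED||0|1654000571|||UNUSED|0
kTCCServiceSystemPolicyAllFiles|/Library/Sophos Managed Detection and Response/SophosMDR|1|2|4|1|
kTCCServiceSystemPolicyAllFiles|com.sophos.livequery|0|0|5|1|
kTCCServiceSystemPolicyAllFiles|com.sophos.updater|0|0|5|1|
"""

def decode_row(line):
    """Return a dict for one access row, or None for non-row lines."""
    fields = line.strip().split("|")
    if len(fields) < 6 or not fields[0].startswith("kTCCService"):
        return None  # continuation of a csreq blob, error text, blank line
    try:
        ctype, value, reason, version = (int(f) for f in fields[2:6])
    except ValueError:
        return None
    return {
        "service": fields[0],
        "client": fields[1],
        "client_type": CLIENT_TYPE.get(ctype, f"unrecognised ({ctype})"),
        "auth_value": AUTH_VALUE.get(value, f"unrecognised ({value})"),
        "auth_reason": AUTH_REASON.get(reason, f"unrecognised ({reason})"),
        "auth_version": version,
    }

def clients_without(report, service="kTCCServiceSystemPolicyAllFiles"):
    """List clients whose row for `service` is anything other than allowed."""
    rows = filter(None, map(decode_row, report.splitlines()))
    return [r["client"] for r in rows
            if r["service"] == service and r["auth_value"] != "allowed"]

if __name__ == "__main__":
    for row in filter(None, map(decode_row, SAMPLE.splitlines())):
        print(row["client"], row["client_type"], row["auth_value"],
              row["auth_reason"], sep=" | ")
    print("not allowed:", clients_without(SAMPLE))
```

Under these assumptions, `0|0|5|1` reads as bundle id, denied, service policy, version 1, and `0|2|4|1` as bundle id, allowed, system set, version 1.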