Sophos Mac Endpoint: How to Configure JAMF Privacy Preferences for 10.15+ Compatibility

Note: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article describes the steps to configure JAMF so that the permissions Sophos Mac Endpoint requires on macOS 10.15+ are granted by profile.

Applies to the following Sophos products and versions:

  • Sophos Central Mac Endpoint 10.0.0 and above
  • Sophos Central Intercept X 10.0.0 and above
  • Sophos Central Device Encryption 1.5.2 and above
  • Sophos Anti-Virus for Mac OS X 9.9.7 and above

Technical Context

With macOS 10.13, Apple introduced a new security level that requires each 3rd party vendor's kernel extension to be approved. This requires the vendor's Team ID (also known as the Apple Developer ID) to be allowed.

With macOS 10.15, Apple added a new default behavior that prevented applications from writing to the disk.

The information below covers both topics:

  1. Allowing the Sophos Team ID (2H5GFH3774)
  2. Granting the disk access for each required process

To alert and inform users, Sophos implements a notification popup. The endpoint checks after each reboot (and then every 30 minutes) whether the system permissions are compatible.

  • The following steps can also be applied to machines running macOS 10.14.x, so that device profiles are prepared before a future upgrade to macOS 10.15+.

Note: In Sophos for Mac 9.9.5, a notice is displayed if required permissions are not fully enabled. On October 31st, an issue was found where the notice is triggered if the permissions have been added via an MDM profile, as Apple records these in a different location. Sophos is actively working on updating the detection to correct this.

What to do

There are 2 steps required to configure compatibility for macOS 10.15.x (Catalina) and below.
Note: One additional step is required if you want to apply the profile to a macOS 11 (Big Sur) device.

  • Grant full disk access for Sophos components
  • Allow the Sophos kernel extensions
  • (Big Sur - macOS 11) Configure the system extensions (last step)

Grant full disk access for Sophos components

  1. Open JAMF and log in.
  2. Go to Computers > Configuration Profiles
  3. Create a new Configuration Profile, or select an existing one
  4. Select Privacy Preferences Policy Control (near the bottom of the list)
  5. Click the + beside App Access



  6. In Identifier and Code Requirement put in all the entries listed below, and for Identifier type, select BundleID.
    Note: Sophos does not recommend using the path-based format.

    Identifier: com.sophos.endpoint.scanextension
    Code Requirement: identifier "com.sophos.endpoint.scanextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.2
    Product: All

    Identifier: com.sophos.liveresponse
    Code Requirement: identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.1
    Product: Central only

    Identifier: /Library/Sophos Managed Detection and Response/SophosMDR
    Code Requirement: identifier SophosMDR and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.1
    Product: Central with MDR only

    Identifier: com.sophos.autoupdate
    Code Requirement: identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: OPM only

    Identifier: com.sophos.macendpoint.CleanD
    Code Requirement: identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: All

    Identifier: com.sophos.SophosScanAgent
    Code Requirement: identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: All

    Identifier: com.sophos.macendpoint.SophosServiceManager
    Code Requirement: identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: All

    Identifier: com.sophos.endpoint.uiserver
    Code Requirement: identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: Central only

    Identifier: com.sophos.SDU4OSX
    Code Requirement: identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: All

    Identifier: com.sophos.endpoint.SophosAgent
    Code Requirement: identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: All

    Identifier: com.sophos.SophosAntivirus
    Code Requirement: identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: All

    Identifier: com.Sophos.macendpoint.SophosSXLD
    Code Requirement: identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
    Valid Since: v10.0.0
    Product: All
  7. The Code Requirement can also be generated yourself. Run the following on a Mac with Sophos Central version 10.0.0 or above:

    codesign --display -r - <app path from table above>
  8. Once it has been added, permissions can be selected accordingly. Each one should be given "All Files" / "SystemPolicyAllFiles" as the access.
  9. Save and deploy the configuration as needed.
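The Full Disk Access entries above can also be produced outside the Jamf UI as a .mobileconfig. The Python below is an added example, not Sophos or Jamf code: it builds the PrivacyPreferencesPolicyControl payload for the BundleID rows of the table (the path-based SophosMDR row is left out) from the same code-requirement template, using the boolean Allowed key; the PayloadIdentifier values are placeholders.

```python
import plistlib
import uuid

TEAM_ID = "2H5GFH3774"  # Sophos Team ID from the article

# BundleID rows of the Full Disk Access table above; the path-based SophosMDR
# row is left out because it does not use the bundleID identifier type.
SOPHOS_FDA_BUNDLE_IDS = [
    "com.sophos.endpoint.scanextension", "com.sophos.liveresponse",
    "com.sophos.autoupdate", "com.sophos.macendpoint.CleanD",
    "com.sophos.SophosScanAgent", "com.sophos.macendpoint.SophosServiceManager",
    "com.sophos.endpoint.uiserver", "com.sophos.SDU4OSX",
    "com.sophos.endpoint.SophosAgent", "com.sophos.SophosAntivirus",
    "com.Sophos.macendpoint.SophosSXLD",
]

def code_requirement(identifier: str) -> str:
    """Designated requirement in the form shown in the table: bundle identifier,
    Apple Developer ID chain, and the Sophos Team ID in the leaf certificate OU."""
    return (f'identifier "{identifier}" and anchor apple generic and '
            'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
            'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
            f'certificate leaf[subject.OU] = "{TEAM_ID}"')

def fda_entry(identifier: str) -> dict:
    """One SystemPolicyAllFiles entry, granted with the boolean Allowed key."""
    return {"Identifier": identifier, "IdentifierType": "bundleID",
            "CodeRequirement": code_requirement(identifier),
            "Allowed": True, "StaticCode": False}

def build_pppc_payload(bundle_ids) -> dict:
    """PrivacyPreferencesPolicyControl payload granting Full Disk Access."""
    return {"PayloadType": "com.apple.TCC.configuration-profile-policy",
            "PayloadIdentifier": "com.example.sophos.pppc",  # placeholder
            "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
            "PayloadDisplayName": "Sophos Full Disk Access",
            "Services": {"SystemPolicyAllFiles": [fda_entry(b) for b in bundle_ids]}}

def build_mobileconfig(payloads) -> bytes:
    """Wrap payloads in a system-scoped profile and serialise it as plist XML."""
    profile = {"PayloadContent": list(payloads), "PayloadType": "Configuration",
               "PayloadIdentifier": "com.example.sophos.fda",  # placeholder
               "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
               "PayloadScope": "System",
               "PayloadDisplayName": "Sophos macOS 10.15 compatibility"}
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(build_mobileconfig([build_pppc_payload(SOPHOS_FDA_BUNDLE_IDS)]).decode())
```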

Allow the Sophos Kernel Extensions

The same profile can be used, but the option "Approved Kernel Extensions" needs to be selected. If this is not configured yet, select the "open" button at the center to begin the configuration.

During configuration, 3 kernel extensions will need to be added, as well as the Sophos Team ID [2H5GFH3774].

Note: Please ensure that "Allow users to approve kernel extensions" is unchecked.

Referring to the screenshot above, add the following kernel extensions:

  • com.sophos.nke.swi
  • com.sophos.kext.sfm
  • com.sophos.kext.oas

Make sure to save your changes.

(Big Sur - macOS 11) Configure the system extension

Note: Apple has added a new, optional method of setting the authorization of applications for Privacy in Big Sur with MDM. This new method replaces the existing true/false option with a string value option instead. Here is the Apple article on it: https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services/identity

Allowed is the normal method of setting permissions; however, as of Big Sur, Apple allows you to use Authorization instead. Our detection for permissions has been configured for the "Required" property (which isn't actually required if you have Authorization instead). If you can set your MDM provider to use the Allowed true/false (Boolean) setting, it should work without any issues.

To check if this applies to you, open the .mobileconfig file in a text editor and search for Sophos. Check whether you see <key>Allowed</key><true/> or <key>Authorization</key><string>Allow</string>. If it is Authorization, this applies to you.

We recognize that there is a move to this alternate form, and as such we have made an improvement, coming in our 10.1.3 release in July, to detect both versions. Until this releases, we recommend using the Allowed true/false style privacy permission setting for Sophos processes.

The same profile configuration can be used.

  1. From the Options, select “System Extensions”.
    1. This step is similar to the ones above, but for the new system extensions
  2. The following empty template will be displayed
  3. For the display name, specify the following entries
    1. com.sophos.endpoint.networkextension
    2. com.sophos.endpoint.scanextension
  4. Add 1 entry for each. Make sure that the System Extension Types are set to “Allowed System Extensions”
    1. The picture displays a complete profile example. For the Team Identifier, specify the Sophos Team ID [ 2H5GFH3774 ]
  5. Reference the following screenshot for an example of the Options overview
  6. Don't forget to save your changes

Alternate method

Note: Sophos does not guarantee the security of third party applications and they should be used at your own risk.

There is a utility called PPPC Utility on GitHub which allows you to build a configuration profile for Privacy Preferences. It can be found here: https://github.com/jamf/PPPC-Utility. To use it, follow the guidance on that page and drag and drop the Sophos items into it.

This profile can then be loaded into JAMF.

Related videos

Sophos Central MDM Configuration

How to Configure JAMF Privacy Preferences for 10.15 Compatibility

Related information


JAMF Pro keys for 10.0.2 EAP to pre-approve the proxy configuration

Within the same Configuration Profile, add a Content Filter payload (this requires Jamf Pro 10.26+) with the following keys and values configured:

Filter Name SophosWebNetworkExtension
Identifier com.sophos.endpoint.network
Network Filter Bundle Identifier com.sophos.endpoint.networkextension
Network Filter Designated Requirement identifier "com.sophos.endpoint.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"

Note that the Filter Name can be anything, but it is required.

Once complete, the payload should look like this:

Content Filter payload

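The three extension approvals above (the Approved Kernel Extensions list, the Big Sur System Extensions, and this Content Filter payload) can be expressed as one profile. The Python below is an added example, not Sophos or Jamf code: the payload keys follow Apple's profile schema, the mapping from Jamf's field labels to those keys is my assumption, FilterSockets is added on the assumption that the network extension is a socket (data provider) filter, and the PayloadIdentifier values are placeholders.

```python
import plistlib
import uuid

TEAM_ID = "2H5GFH3774"  # Sophos Team ID from the article
KEXTS = ["com.sophos.nke.swi", "com.sophos.kext.sfm", "com.sophos.kext.oas"]
SYSEXTS = ["com.sophos.endpoint.networkextension", "com.sophos.endpoint.scanextension"]
NETEXT = "com.sophos.endpoint.networkextension"

def designated_requirement(identifier: str) -> str:
    """Same requirement template as the Full Disk Access table."""
    return (f'identifier "{identifier}" and anchor apple generic and '
            'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
            'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
            f'certificate leaf[subject.OU] = "{TEAM_ID}"')

def _payload(ptype: str, name: str, body: dict) -> dict:
    """Common payload header (PayloadIdentifier is a placeholder) plus body keys."""
    return {"PayloadType": ptype, "PayloadDisplayName": name, "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()), "PayloadIdentifier": f"com.example.{ptype}",
            **body}

def kext_policy() -> dict:
    """Approved Kernel Extensions: Team ID plus the three kexts, user approval off."""
    return _payload("com.apple.syspolicy.kernel-extension-policy", "Sophos kexts",
                    {"AllowUserOverrides": False, "AllowedTeamIdentifiers": [TEAM_ID],
                     "AllowedKernelExtensions": {TEAM_ID: KEXTS}})

def sysext_policy() -> dict:
    """Big Sur system extensions allowed by bundle ID under the Sophos Team ID."""
    return _payload("com.apple.system-extension-policy", "Sophos system extensions",
                    {"AllowUserOverrides": False, "AllowedTeamIdentifiers": [TEAM_ID],
                     "AllowedSystemExtensions": {TEAM_ID: SYSEXTS}})

def content_filter() -> dict:
    """Content Filter payload carrying the four Jamf fields listed above."""
    return _payload("com.apple.webcontent-filter", "Sophos web filter",
                    {"FilterType": "Plugin", "FilterName": "SophosWebNetworkExtension",
                     "PluginBundleID": "com.sophos.endpoint.network",
                     "FilterSockets": True,  # assumed: the data provider filters sockets
                     "FilterDataProviderBundleIdentifier": NETEXT,
                     "FilterDataProviderDesignatedRequirement": designated_requirement(NETEXT)})

def build_profile() -> bytes:
    """System-scoped profile carrying all three payloads, serialised as plist XML."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadScope": "System",
                           "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
                           "PayloadIdentifier": "com.example.sophos.extensions",  # placeholder
                           "PayloadDisplayName": "Sophos extension approvals",
                           "PayloadContent": [kext_policy(), sysext_policy(), content_filter()]})
```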
Updated SophosMDR
[edited by: Qoosh at 10:48 PM (GMT -8) on 7 Dec 2021]
  • This popped up again this week. All settings via the KB article do not fix it. Also created a Config Profile for JAMF using PPPC Utility. No joy! All of my Catalina users are experiencing the issue. Sophos Endpoint v10.0.1

  • We are getting the same thing. Previously, this was not alerting. We have all the necessary components whitelisted with a PPPC config profile in Jamf. In the notes for the latest release, they say the notification "Full disk access required" that asks the user to grant Sophos processes full disk access may be re-triggered, but offer no solution for getting rid of it.

    http://downloads.sophos.com/readmes/savmosx_10_cld_rneng.html

  • Created a support ticket with SOPHOS, which was of little help. They did not fully read my case and suggested the very thing I had already implemented. Annoying as ##@$%@

  • Just received something from SOPHOS. But, it's not something I can do because I am not a SOPHOS Admin.

    We can only review 1-2 machines per case to see what exactly is still needed. Please run the SDU log gathering tool directly from Central on one of the machines using the steps in the article: https://support.sophos.com/support/s/article/KB-000038603?language=en_US

    1. Log in to Sophos Central Admin.
    2. Under Devices, click your target computer or server.
    3. In the SUMMARY page, click More actions followed by Diagnose.
    4. Click Run on the popup Diagnose window.
    5. At the Sophos Diagnostic Utility Status section, take note of and provide the Log file name.

    After I receive the logs and send you back the confirmation of receipt email, based on the technical severity and complexity of the case, please expect an update within 1 business day.

    At any point you can call the support line 1 (888) 767-4679 and we will start helping you right away over a remote session.

    Please also confirm that the Central dashboard remote assistance is enabled:

    1. From your Sophos Central Admin Dashboard, click the username in the upper right corner of the screen, then select Account Details.
    2. Under Account Details, click the Sophos Support tab and enable Remote Assistance. - Save
    3. Please provide the Sophos Central unique account ID from the bottom of the same page (Account settings -> Sophos support). It will appear as something like this: xyzf6cfc-ba4e-5473-cb20-d0524fee076b.