Disclaimer: This information is provided as-is and should be referenced at your own risk.
This article describes the steps to configure JAMF to allow configure permissions for Sophos Mac Endpoint on macOS 10.15+
Applies to the following Sophos products and versionsSophos Central Mac Endpoint 10.0.0 and above,Sophos Central Intercept X 10.0.0 and above,Sophos Central Device Encryption 1.5.2 and above,Sophos Anti-Virus for Mac OS X 9.9.7 and above
With macOS 10.13, Apple introduced a new security level that required each 3rd party vendor's kernel extension to be approved. This required Team ID to be allowed, also known as the Apple Developer ID.
With macOS 10.15, Apple added a new default behavior that prevented applications from writing to the disk.
The information below covers both topics:
To alert and inform users, Sophos implement a notification popup. The endpoint will check after each reboot (and continuously every 30 minutes) if the system permissions are compatible.
Note: In Sophos for Mac 9.9.5, a notice is displayed if required permissions are not fully enabled. On October 31st, an issue was found where the notice is triggered if the permissions have been added via an MDM profile, as Apple records these in a different location. Sophos is actively working on updating the detection to correct this.
There are 2 steps required to configure compatibility for macOS 10.15.x (Catalina) and below.Note: One additional step is required if you want to apply the profile to a macOS 11 (Big Sur) device.
codesign --display -r - <app path from table above>
The same profile can be used, but the option "Approved Kernel Extensions" needs to be selected. If this is not configured yet, select the "open" button at the center to begin the configuration.
During configuration, 3 kernel extensions will need to be added, as well as the Sophos Team ID [2H5GFH3774]
Note: Please ensure that "Allow users to approve kernel extensions" is unchecked.
Referring to the screenshot above, add the following kernel extensions:
Make sure to save your changes.
The same profile configuration can be used.
Note: Sophos does not guarantee the security of third party applications and they should be used at your own risk.
There is a utility called PPPC Utility on Github which allows you to build a configuration profile for Privacy Preferences. It can be located here: https://github.com/jamf/PPPC-Utility. To use this, follow the guidance on the link, and drag and drop the Sophos items into it.
This profile can then be loaded into JAMF.
Special thanks to MichaelCurtis
How to Configure JAMF Privacy Preferences for 10.15 Compatibility
Sophos Approve Endpoint KEXT
How to make a Sophos Central macOS installation package in Jamf Pro
How to make an installation script for Sophos Central macOS endpoint deployment in Jamf Pro
How to deploy Sophos Central macOS endpoint via Jamf Remote
Done now. Please let us know if there is something missed / still not working.
This popped up again this week. All setting via KB article does not fix. Also created a Config Profile for JAMF using PPPC Utility. No joy! All of my Catalina users are experiencing the issue. Sophos Endpoint v10.0.1
I will provide the same reply in the support case, but here is what needs to be done:
In Sophos version 10.0.1 both the Live Response and MDR have to be approved, or you see the pop-up (even if you don't have the license).
Solution: The admins will have to add 2 more lines via Sophos MDM, Jamf or other MDM solutions:
This macOS 10.15+ Security Permissions Required KB will also show all the components required to be added to the Full Disk Access in MacOS.
Sophos KEXT files for Mac explanation: https://sophos.lightning.force.com/lightning/r/Knowledge__kav/ka03Z0000000FNGQA2/view
Terminal command to list all Sophos kext files: kextstat | grep Sophos
MacOS location and files required to be listed under MacOS System Preferences/ Security&Privacy/Full Disk Access: /Library/Sophos Anti-virus
SophosAutoUpdate (Enterprise Console managed only)
Sophos Endpoint UIServer (Central Managed only)
SophosLiveResponse (Central only)
SophosMDR (Central with MDR only, from /Library/Sophos Managed Detection and Response)
Sophos Diagnostic Utility (from /Library/Sophos Anti-virus/tools/)
Hope that helps!
The additional lines you suggest adding do not make sense, they are the same. I added one of them. No change.
been working on this issue since last week. I added the two bundle IDs and code requirement per Sophos to my Jamf PPPC payload config and still not working. BTW the code req for SophosMDR should be:
identifier "com.sophos.SophosMDR" and anchor apple generic and certificate 1[field.1.2.840.113622.214.171.124.6] /* exists */ and certificate leaf[field.1.2.840.1136126.96.36.199.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
But I tried already and still not working. Sophos thought there was a white space in their code requirement for SophosMDR prior to 11/13 afternoon in this KB but even the corrected code it still not working.
My thought is that 10.0.1 broke something that is now causing this re-trigger of Full Disk Access. Here their release notes for 10.0.1 essentially confirming such. I asked for when 10.0.2 will come out in the hopes they are aware and working on fix but no reply from them yet.
If anyone finds solution please post.
We have the same issue, which caused all our machine to flag to users that they need to make changes under 10.0.1 I raised this to support who just pointed me back to this page.
We're having the same issue. Another item on my list of reasons to move away from this blighted product.