Note: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
This article describes the steps to configure JAMF to allow configure permissions for Sophos Mac Endpoint on macOS 10.15+
Applies to the following Sophos products and versionsSophos Central Mac Endpoint 10.0.0 and above,Sophos Central Intercept X 10.0.0 and above,Sophos Central Device Encryption 1.5.2 and above,Sophos Anti-Virus for Mac OS X 9.9.7 and above
With macOS 10.13, Apple introduced a new security level that required each 3rd party vendor's kernel extension to be approved. This required Team ID to be allowed, also known as the Apple Developer ID.
With macOS 10.15, Apple added a new default behavior that prevented applications from writing to the disk.
The information below covers both topics:
To alert and inform users, Sophos implement a notification popup. The endpoint will check after each reboot (and continuously every 30 minutes) if the system permissions are compatible.
Note: In Sophos for Mac 9.9.5, a notice is displayed if required permissions are not fully enabled. On October 31st, an issue was found where the notice is triggered if the permissions have been added via an MDM profile, as Apple records these in a different location. Sophos is actively working on updating the detection to correct this.
There are 2 steps required to configure compatibility for macOS 10.15.x (Catalina) and below.Note: One additional step is required if you want to apply the profile to a macOS 11 (Big Sur) device.
codesign --display -r - <app path from table above>
The same profile can be used, but the option "Approved Kernel Extensions" needs to be selected. If this is not configured yet, select the "open" button at the center to begin the configuration.
During configuration, 3 kernel extensions will need to be added, as well as the Sophos Team ID [2H5GFH3774]
Note: Please ensure that "Allow users to approve kernel extensions" is unchecked.
Referring to the screenshot above, add the following kernel extensions:
Make sure to save your changes.
The same profile configuration can be used.
Note: Sophos does not guarantee the security of third party applications and they should be used at your own risk.
There is a utility called PPPC Utility on Github which allows you to build a configuration profile for Privacy Preferences. It can be located here: https://github.com/jamf/PPPC-Utility. To use this, follow the guidance on the link, and drag and drop the Sophos items into it.
This profile can then be loaded into JAMF.
Special thanks to MichaelCurtis
How to Configure JAMF Privacy Preferences for 10.15 Compatibility
Sophos Approve Endpoint KEXT
How to make a Sophos Central macOS installation package in Jamf Pro
How to make an installation script for Sophos Central macOS endpoint deployment in Jamf Pro
How to deploy Sophos Central macOS endpoint via Jamf Remote
Special thanks to mscottblake for sharing this!
Within the same Configuration Profile, add a Content Filter payload (this requires Jamf Pro 10.26+) with the following keys and values configured:
Note that the Filter Name can be anything, but it is required.
Once the complete, the payload should look like this:
We're having the same issue. Another item on my list of reasons to move away from this blighted product.
I am sorry to hear that you are having issues with these actions. If the profiles aren't working and you still getting the popups - the first thing we need to check is that the permissions have been applied.
Verify full disk accesscommand: sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "select client,auth_value from access" | grep -i sophos | sortexpected output:/Library/Sophos Managed Detection and Response/SophosMDR|2com.sophos.SDU4OSX|2com.sophos.SophosScanAgent|2com.sophos.autoupdate|2com.sophos.endpoint.scanextension|2com.sophos.endpoint.uiserver|2com.sophos.liveresponse|2com.sophos.macendpoint.CleanD|2com.sophos.macendpoint.SophosServiceManager|2
Verify status of system extensionscommand: systemextensionsctl list | grep -i sophosexpected output:* * 2H5GFH3774 com.sophos.endpoint.networkextension (1.0/2) networkextension [activated enabled]* * 2H5GFH3774 com.sophos.endpoint.scanextension (1.0/1.0) com.sophos.endpoint.scanextension [activated enabled]
The one thing that can't be easily checked is if the network proxy configuration has been allowed. Please check the section above: JAMF Pro keys for 10.0.2 EAP to pre-approve the proxy configuration for steps to allow it.
As a note, Apple requires Terminal to have full disk access to run these commands.
Snr. New Product Introduction Engineer | CISSP | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS AlertsIf a post solves your question use the 'Verify Answer' link.
I have followed all instructions above and the Profiles have been applied successfully via JAMF, can you please explain why I am not receiving the correct output from the Terminal commands you have posted above?Terminal has Full Disk Access, Profiles have applied. I've attached screenshots of our profile in JAMF, in Sys Prefs and the Terminal output from your commands.
Sophos Support have not provided any solutions.
Could you post the result of this command as well:
defaults read /Library/SystemExtensions/db.plist
The result of the sqlite3 command show only policies that were user approved once (This does not include preapproved permissions.). Could you please check your list of included services. Maybe there are whitespaces at the start/end of the requirements
The policies (for system extension) are applied correctly. The only config that differs from my setup is the fact that your users are allowed to override this. Could you try turning this setting off and see how it behaves? In JAMF it is called 'Allow users to approve system extensions'.
I've unchecked this now.
Do I also need to uncheck these options?
No. Just try it