Note: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
This article describes the steps to configure JAMF to allow configure permissions for Sophos Mac Endpoint on macOS 10.15+
Applies to the following Sophos products and versionsSophos Central Mac Endpoint 10.0.0 and above,Sophos Central Intercept X 10.0.0 and above,Sophos Central Device Encryption 1.5.2 and above,Sophos Anti-Virus for Mac OS X 9.9.7 and above
With macOS 10.13, Apple introduced a new security level that required each 3rd party vendor's kernel extension to be approved. This required Team ID to be allowed, also known as the Apple Developer ID.
With macOS 10.15, Apple added a new default behavior that prevented applications from writing to the disk.
The information below covers both topics:
To alert and inform users, Sophos implement a notification popup. The endpoint will check after each reboot (and continuously every 30 minutes) if the system permissions are compatible.
Note: In Sophos for Mac 9.9.5, a notice is displayed if required permissions are not fully enabled. On October 31st, an issue was found where the notice is triggered if the permissions have been added via an MDM profile, as Apple records these in a different location. Sophos is actively working on updating the detection to correct this.
There are 2 steps required to configure compatibility for macOS 10.15.x (Catalina) and below.Note: One additional step is required if you want to apply the profile to a macOS 11 (Big Sur) device.
identifier SophosMDR and anchor apple generic and certificate 1[field.1.2.840.1136220.127.116.11.6] /* exists */ and certificate leaf[field.1.2.840.113618.104.22.168.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
codesign --display -r - <app path from table above>
The same profile can be used, but the option "Approved Kernel Extensions" needs to be selected. If this is not configured yet, select the "open" button at the center to begin the configuration.
During configuration, 3 kernel extensions will need to be added, as well as the Sophos Team ID [2H5GFH3774]
Note: Please ensure that "Allow users to approve kernel extensions" is unchecked.
Referring to the screenshot above, add the following kernel extensions:
Make sure to save your changes.
Note: Apple has added a new, optional, method of setting authorization of applications for Privacy in Big Sur with MDM. This new method replaces an existing true/false option with a string value option instead. Here is the Apple article on it: https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services/identity Allowed is the normal method of setting permissions, however as of Big Sur, Apple allows you to instead use Authorization. Our detection for permissions has been configured for the “Required” property (which isn’t actually required if you have Authorization instead). If you can set your MDM provider to use the Allowed True/False (Boolean) setting, it should work without any issues. To check if this applies to you, open the .mobileconfig file in a text editor and search for Sophos. Check if you see - <key>Allowed</key><True/>, or <key>Authorization</key><String>Allow</string>. If it is Authorization, this applies to you. We do recognize that there is a move to this alternate form, and as such, we have made an improvement, coming out in our 10.1.3 release in July, to detect both versions. Until this releases, we recommend using the Allowed True/False style privacy permission setting for Sophos processes.
The same profile configuration can be used.
Note: Sophos does not guarantee the security of third party applications and they should be used at your own risk.
There is a utility called PPPC Utility on Github which allows you to build a configuration profile for Privacy Preferences. It can be located here: https://github.com/jamf/PPPC-Utility. To use this, follow the guidance on the link, and drag and drop the Sophos items into it.
This profile can then be loaded into JAMF.
Special thanks to MichaelCurtis
Sophos Central MDM Configuration
How to Configure JAMF Privacy Preferences for 10.15 Compatibility
Special thanks to mscottblake for sharing this!
Within the same Configuration Profile, add a Content Filter payload (this requires Jamf Pro 10.26+) with the following keys and values configured:
Note that the Filter Name can be anything, but it is required.
Once the complete, the payload should look like this:
I have followed the instructions on this article. However, in Big Sur I am still getting the prompts to allow the System Extensions for SophosScanD and SophosWebNetworkExtension. I have a configuration…
Anyone have the Monterey updated version of this?
I have submitted a request to Sophos Support for an OFFICIAL - SOPHOS RECOMMENDED .mobileconfig profile that anyone can sign and deploy with their MDM of choice. This is something ANY MDM can deploy such that a Vendor's product can be deployed autonomously within an ORGs environment.I have also submitted a request for an official Systems Administrator Guide and/or KB for MacOS which would include the exact requirements per Operating System in regards to System Extensions, Network Extensions, PPPCs, etc.I encountered many others with the same sentiments in MacAdmins #sophos. This is truly a lack of support matter. Sophos continues to neglect macOS. Tere is no zero-day macOS support, their Silicon offering is still being TRANSLATED via Rosetta2, and you don't know if you're estate is going to get the latest 10.3.3 offering or the GA 10.3.1 because EAP 10.3.2 was never formally released...
I have a profile, happy to share with you, I also posted it MacAdmins #sophos(that's tested and up to date). We have a script that installs Rosetta by default until there is a UB release for Sophos.
I'd like to try and help clarify some of the points of concern you raised.
The changes originally implemented in EAP version 10.3.2 were rolled into the GA release 10.3.3. As of March 8th the latest version is available to all customers.
With version 10.3.3, the only components that require Rosetta 2 are the installer and Sophos Live Query. The next version of Live Query looks to be very close to completion now. Once Live Query is done, changes can be made so that Rosetta 2 is no longer required.
Wow! Wouldn't it be WONDERFUL if there were release notes to read with this info! No mention of that here? docs.sophos.com/.../index.html
Every time we have engaged Support they didn't even know there was a 10.3.2 in EA and that 10.3.3 was coming out. It would be amazing if Sophos could speed things up with a fully native version since it's been years at this point since ARM was released by Apple!
I understand your frustrations Cali, I will relay your feedback to our product teams.
In the meantime if you do find that some information is lacking or if you're looking for clarification, you are welcome to reach out to us here on the Community Forums.
Thanks but my requests and support tickets to Sophos fall on deaf ears. Repeatedly referred to this article. I find a persistent lack of formal documentation or release notes very disturbing. I'd rather spend my time researching Endpoint Security alternatives that specialize in macOS than continue troubleshooting a flawed product like Sophos
Thanks but I have tested the pinned profiles there extensively to no resolution. It's a vendor support matter in my book...
I feel you Cali, I spent literally years asking about why our Macs don't report back to our Enterprise console, all I ever got from Sophos Support was links to this article, "sorry we don't have access to Mac test devices" or links to article relating to Windows devices. We moved to Cortex XDR and it's LEAGUES better than Sophos, proper support, comprehensive MDM deployment documentation, etc. Make the switch