Note: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
We have made this process significantly easier. Our installer download now includes an MDM profile for permissions and a script for use to deploy the endpoint via MDM. Here are our instructions for how to use these. It is written for JAMF Pro, however the MDM profile and script should work in other MDM solutions.
This article describes the steps to configure JAMF to allow configure permissions for Sophos Mac Endpoint on macOS 10.15+
Applies to the following Sophos products and versionsSophos Central Mac Endpoint 10.0.0 and above,Sophos Central Intercept X 10.0.0 and above,Sophos Central Device Encryption 1.5.2 and above,Sophos Anti-Virus for Mac OS X 9.9.7 and above
With macOS 10.13, Apple introduced a new security level that required each 3rd party vendor's kernel extension to be approved. This required Team ID to be allowed, also known as the Apple Developer ID.
With macOS 10.15, Apple added a new default behavior that prevented applications from writing to the disk.
The information below covers both topics:
To alert and inform users, Sophos implement a notification popup. The endpoint will check after each reboot (and continuously every 30 minutes) if the system permissions are compatible.
Note: In Sophos for Mac 9.9.5, a notice is displayed if required permissions are not fully enabled. On October 31st, an issue was found where the notice is triggered if the permissions have been added via an MDM profile, as Apple records these in a different location. Sophos is actively working on updating the detection to correct this.
There are 2 steps required to configure compatibility for macOS 10.15.x (Catalina) and below.Note: One additional step is required if you want to apply the profile to a macOS 11 (Big Sur) device.
identifier SophosMDR and anchor apple generic and certificate 1[field.1.2.840.113618.104.22.168.6] /* exists */ and certificate leaf[field.1.2.840.113622.214.171.124.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
codesign --display -r - <app path from table above>
The same profile can be used, but the option "Approved Kernel Extensions" needs to be selected. If this is not configured yet, select the "open" button at the center to begin the configuration.
During configuration, 3 kernel extensions will need to be added, as well as the Sophos Team ID [2H5GFH3774]
Note: Please ensure that "Allow users to approve kernel extensions" is unchecked.
Referring to the screenshot above, add the following kernel extensions:
Make sure to save your changes.
Note: Apple has added a new, optional, method of setting authorization of applications for Privacy in Big Sur with MDM. This new method replaces an existing true/false option with a string value option instead. Here is the Apple article on it: https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services/identity Allowed is the normal method of setting permissions, however as of Big Sur, Apple allows you to instead use Authorization. Our detection for permissions has been configured for the “Required” property (which isn’t actually required if you have Authorization instead). If you can set your MDM provider to use the Allowed True/False (Boolean) setting, it should work without any issues. To check if this applies to you, open the .mobileconfig file in a text editor and search for Sophos. Check if you see - <key>Allowed</key><True/>, or <key>Authorization</key><String>Allow</string>. If it is Authorization, this applies to you. We do recognize that there is a move to this alternate form, and as such, we have made an improvement, coming out in our 10.1.3 release in July, to detect both versions. Until this releases, we recommend using the Allowed True/False style privacy permission setting for Sophos processes.
The same profile configuration can be used.
Note: Sophos does not guarantee the security of third party applications and they should be used at your own risk.
There is a utility called PPPC Utility on Github which allows you to build a configuration profile for Privacy Preferences. It can be located here: https://github.com/jamf/PPPC-Utility. To use this, follow the guidance on the link, and drag and drop the Sophos items into it.
This profile can then be loaded into JAMF.
Special thanks to MichaelCurtis
Sophos Central MDM Configuration
How to Configure JAMF Privacy Preferences for 10.15 Compatibility
Special thanks to mscottblake for sharing this!
Within the same Configuration Profile, add a Content Filter payload (this requires Jamf Pro 10.26+) with the following keys and values configured:
Note that the Filter Name can be anything, but it is required.
Once the complete, the payload should look like this:
I am still at a loss. Nothing has worked thus far. I do not have access to any new versions, if they are available.
Hi Matthew,the current version of Sophos Central Endpoint Protection for macOS would be 10.0.1. If you join the Early Access Program (EAP) to get the first version for macOS 11 (Big Sur) - you will get version 10.0.2.For more details about this version - please see the following article. https://community.sophos.com/intercept-x-endpoint/big-sur-eap/b/announcements/posts/welcome-to-the-big-sur-eap
We still need a solution for Catalina, as nothing up to this point has worked.
We was working again and add now the information about - what version introduce which new feature. As well we added few more screenshots to show how it should locks like within JAMF.
I re-configured my MDM Configuration Profile based on the revised article. The configuration requires user interaction and admin rights so this is NOT a viable solution.
Note: Please ensure that "Allow users to approve kernel extensions" is unchecked. - I've had this checked and on the youtube video it's uncheck. Does it matter? I'm seeing failurs on the machines as "The operation couldn’t be completed. (SPErrorDomain error 10.)"
My issue with checking that is that acceptance requires admin rights. My users do not have admin rights.
We configured a profile in Jamf that is identical to the one described in this article and it does NOT work as of 12/04/20. Users are still prompted to allow access in System Preferences and also allow Full Disk Access. We make a concerted effort to come back to this article every few days and make the suggested changes but it seems pointless now. The article even gets updated with incorrect information at times and then later corrected. Overall we are VERY disappointed in the way Sophos runs on macOS.
Still an issue on macOS 11 (Big Sur) on the EAP version 10.0.2., this config profile just doesn't work for any macOS version
The update on 2 Dec 2020 that included "For the display name, specify the following entries: com.sophos.endpoint.networkextension, com.sophos.endpoint.scanextension" did not include an accompanying screenshot.