Sophos Mac Endpoint: How to configure Apple Profile Manager to allow Sophos to work with macOS 10.15+

Disclaimer: This information is provided as-is and should be referenced at your own risk.


Overview

This article describes how to configure Apple Profile Manager to create an MDM profile that allows Sophos Endpoint to run on macOS 10.15+ without local changes (if you use Profile Manager as your MDM).

Note: As of Sophos Central version 10.0.1, these instructions will not prevent the Security popup from occurring. We released a feature in 10.0.0 that is incompatible with macOS Server (including Apple Profile Manager (APM)) 5.10. APM only accepts .app files for permissions, and in versions 10.0.0 and 10.0.1 not all features that require security permissions conform to this. We are aware of this and are working on adjusting our software to allow this to function again.

This article is being left up for On Premise customers and will be updated once our software has been updated to allow Apple Profile Manager to add our security permissions.

Applies to the following Sophos products and versions
Central Mac Endpoint 9.9.4+
Sophos Anti-Virus for Mac OS X 9.9.4+


Central Mac Endpoint

What to do

  1. Select an existing device profile, or create a new one
  2. Open Settings
  3. Select Security & Privacy on the left, then click the Privacy tab.
  4. Select Full Disk Access in the middle column.
  5. Press the "+" button and navigate to the following path: /Library/Sophos Anti-Virus/
  6. Press and hold the following keys (Shift + cmd + G) and add the following applications:
    • SophosAutoupdate.app (OPM only)
    • SophosCleanD.app
    • SophosScanAgent.app
    • SophosServicemanager.app
    • Sophos Endpoint UIServer.app (Central Only)
    • Tools/Sophos Diagnostic Utility.app
  7. Save the profile and assign it to your systems.
  8. More details on how to work with Profile Manager can be found here: https://support.apple.com/en-ca/guide/server/apd0e2214c6/mac


Sophos Anti-Virus for macOS

What to do

  1. On the macOS system that has both Profile Manager and Sophos 9.9.4+ installed, perform the following steps:
    • Open Finder to /Library/Sophos Anti-Virus/ (using Go > Go to Folder…)
    • Open another Finder window to Applications (Go > Applications)
    • Copy the following files from Sophos Anti-Virus to Applications:
      • SophosAutoupdate.app (OPM only)
      • SophosCleanD.app
      • SophosScanAgent.app
      • SophosServicemanager.app
      • Sophos Endpoint UIServer.app (Central Only)
      • Tools/Sophos Diagnostic Utility.app
      • SophosLiveResponse.bundle (Central only)
      • /Library/Sophos Managed Detection and Response/SophosMDR (Central with MDR only)
    • Note: This is needed because Apple only indexes .app files from “Applications” and does not allow browsing to the files.

  2. Select an existing device profile, or create a new one
  3. Open Settings
  4. Select Security & Privacy on the left, then click the Privacy tab.
  5. Select Full Disk Access in the middle column.
  6. Click +
  7. Navigate to /Library/Sophos Anti-Virus/
  8. Select all the .app files and add them.
  9. Save the profile and assign it to your systems.
  10. More details on how to work with Profile Manager can be found here: https://support.apple.com/en-ca/guide/server/apd0e2214c6/mac
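
Step 1 above (the Finder copy into Applications) can also be scripted. This is an added example, not Sophos code: it copies whichever of the listed items are installed and skips the rest, since some exist only in the OPM or Central variant. The function name stage_sophos_apps, its arguments and the --run switch are hypothetical; the default paths are the ones given in this article.

```shell
#!/bin/sh
# Added example (not Sophos code): scripts the Finder copy from step 1.
# All arguments are optional; defaults are the paths named in the article.
#   $1 = Sophos install folder   $2 = destination   $3 = MDR folder
stage_sophos_apps() {
    ssa_src="${1:-/Library/Sophos Anti-Virus}"
    ssa_dest="${2:-/Applications}"
    ssa_mdr="${3:-/Library/Sophos Managed Detection and Response}"
    ssa_copied=0

    # One item per line, as listed in step 1. Items belonging to another
    # product variant (OPM only / Central only) are absent and get skipped.
    while IFS= read -r ssa_item; do
        if [ ! -e "$ssa_item" ]; then
            echo "skipped: $ssa_item (not installed)" >&2
        elif cp -R "$ssa_item" "$ssa_dest/"; then
            ssa_copied=$((ssa_copied + 1))
            echo "copied:  $ssa_item" >&2
        else
            echo "FAILED:  $ssa_item" >&2
        fi
    done <<EOF
$ssa_src/SophosAutoupdate.app
$ssa_src/SophosCleanD.app
$ssa_src/SophosScanAgent.app
$ssa_src/SophosServicemanager.app
$ssa_src/Sophos Endpoint UIServer.app
$ssa_src/Tools/Sophos Diagnostic Utility.app
$ssa_src/SophosLiveResponse.bundle
$ssa_mdr/SophosMDR
EOF
    # Progress goes to stderr; stdout carries only the number of items copied.
    echo "$ssa_copied"
}

# Copy with the article's default paths only when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    stage_sophos_apps
fi
```

Writing to Applications needs administrator rights, so run the script with --run as root on the Profile Manager server, then continue with step 2.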


Combined Central and On-prem articles. Added note in Overview.
[edited by: FloSupport at 6:33 PM (GMT -8) on 19 Nov 2020]