Sophos Endpoint and Apple macOS 11 Big Sur

Our Endpoint Protection does not yet support macOS 11 (Big Sur). Please do not upgrade until we announce that we support it. We plan to have an Early Access Program (EAP) available soon so that you can test it on your own machines.
Apple will release macOS 11 on 12 November. We plan to create an EAP in Central to test this release soon, but we do not support it yet.

Central Device Encryption (CDE) for Mac version 1.5.3 does support macOS 11. This was rolled out recently, but bear in mind that if you use both Endpoint and CDE you will still need to wait before upgrading to macOS 11.

On-premises customers will also get a version of endpoint protection that is supported on macOS 11, but will not have access to an EAP or Preview ahead of full support.

ARM-based CPUs are not currently supported. They require macOS 11, as well as additional testing and requirements. Sophos will support ARM-based CPUs; however, the details of that support will be provided at a later date.

Please check this KBA for up-to-date information: https://support.sophos.com/support/s/article/KB-000039501?language=en_US

Link to the Big Sur EAP on the Sophos Community
[edited by: FloSupport at 9:50 PM (GMT -8) on 2 Dec 2020]
  • Hi, com.sophos.endpoint.scanextension is not removable in Big Sur. Even after uninstalling Sophos via the uninstaller it is still there, running at 10% CPU, and the process can't be killed. I can't remove it even as root. I need some steps, please, to remove this. It's more like malware behaviour than AV.

  • I can confirm this issue. 

    Strangely, I had no issues removing Sophos Endpoint (including the file you mention) from a new install on a newly installed M1 Mac. However, I have the exact same issue with an Intel Mac (this one isn't a new install, with an OS that has been through several installments of macOS). 

    After using the uninstall program (and entering the Tamper Protection code and all) it seems Sophos Endpoint is removed from the system. As a good measure I did a reboot. However, there remained a process running called com.sophos.endpoint.scanextension. 

    Related, there is a file of similar name remaining on the drive (In Macintosh HD > Library > SystemExtensions > Directory-called-by-random-capitals-and-numbers > com.sophos.endpoint.networkextension.systemextension). This file and its directory can't be deleted. There is also a db.plist file and an empty directory called EndPointSecurity in that SystemExtensions directory that can't be deleted either. 

    The quick and dirty solution for me was to disable System Integrity Protection (SIP) in the Mac's recovery mode, log in and delete those SystemExtensions, log out and go into recovery mode again and re-enable SIP again and reboot.

    A quick check of system activity, searching for processes with "sophos" in their name, showed nothing.

  • I can confirm Harlock. I have Sophos Home Premium installed on several Macintosh computers. I tried uninstalling Sophos Home with its removal tool. Everything was successfully removed EXCEPT com.sophos.endpoint.networkextension.systemextension, the db.plist file, and an empty directory called EndPointSecurity. And Activity Monitor showed that the com.sophos.endpoint.networkextension process was still running.

    Following Harlock's "quick and dirty solution", I then disabled System Integrity Protection (SIP), rebooted, changed the permissions on those files/folders, and deleted them. I rebooted again, enabled SIP, and rebooted one last time. Activity Monitor confirmed that the com.sophos.endpoint.networkextension process was not running.
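
The procedure the two posters above describe (disable SIP from Recovery, delete the remnants under /Library/SystemExtensions, re-enable SIP, reboot) leaves an admin wanting to verify the end state: that nothing Sophos-related is still registered or running, and that SIP is actually back on. The script below is an added example written for this page; it is not Sophos's code and was not posted by anyone in the thread. It assumes the macOS 11 tools csrutil, systemextensionsctl and pgrep. The sample command output embedded for the offline self-check is constructed, with an approximated systemextensionsctl layout and a placeholder team ID.

```shell
#!/bin/sh
# Added example, not Sophos's code: a read-only audit for Sophos system-extension
# remnants after an uninstall, plus a check that SIP is enabled again. Assumes the
# macOS 11 tools csrutil, systemextensionsctl and pgrep. It never disables SIP
# and never deletes anything. Usage: sh av_remnant_audit.sh --live

# Return 0 when `csrutil status` output reports SIP enabled.
sip_enabled() {
  printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Print the unique Sophos bundle IDs found in `systemextensionsctl list` output.
sophos_extensions() {
  printf '%s\n' "$1" | grep -o 'com\.sophos\.[A-Za-z0-9.]*' | sort -u
}

# Count Sophos processes in `pgrep -fil sophos` output; prints 0 when none.
sophos_process_count() {
  printf '%s\n' "$1" | grep -ci 'sophos' || true
}

# Constructed sample output (layout approximated; TEAMID0000 is a placeholder),
# so the parsers can be exercised on a machine without Sophos or macOS.
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'
SAMPLE_LIST="$(printf '%s\n' '2 extension(s)' \
  '--- com.apple.system_extension.endpoint_security' \
  'enabled active teamID bundleID (version) name [state]' \
  '* * TEAMID0000 com.sophos.endpoint.scanextension (1.0/1.0) Sophos Scan Extension [activated enabled]' \
  '--- com.apple.system_extension.network_extension' \
  '* * TEAMID0000 com.sophos.endpoint.networkextension (1.0/1.0) Sophos Network Extension [activated enabled]')"

# Offline self-check against the constructed sample; returns 0 when parsing is right.
self_check() {
  ! sip_enabled "$SAMPLE_SIP_OFF" || return 1
  [ "$(sophos_extensions "$SAMPLE_LIST" | wc -l | tr -d ' ')" = "2" ] || return 1
  [ "$(sophos_process_count '')" = "0" ] || return 1
}

# Live audit: exit 1 if SIP is off, any Sophos extension is still registered, a
# Sophos process is running, or files remain under /Library/SystemExtensions (the
# SIP-protected location the posters above could not clean up with SIP on).
audit() {
  status=0
  if command -v csrutil >/dev/null 2>&1; then
    if sip_enabled "$(csrutil status 2>/dev/null)"; then echo "SIP: enabled"
    else echo "SIP: DISABLED - re-enable it from Recovery"; status=1; fi
  fi
  if command -v systemextensionsctl >/dev/null 2>&1; then
    exts=$(sophos_extensions "$(systemextensionsctl list 2>/dev/null)")
    if [ -n "$exts" ]; then echo "Sophos extensions still registered:"; echo "$exts"; status=1
    else echo "No Sophos system extensions registered"; fi
  fi
  procs=$(pgrep -fil sophos 2>/dev/null || true)
  n=$(sophos_process_count "$procs")
  [ "$n" -eq 0 ] || { echo "Sophos processes running: $n"; echo "$procs"; status=1; }
  leftovers=$(find /Library/SystemExtensions -iname '*sophos*' 2>/dev/null || true)
  [ -z "$leftovers" ] || { echo "Leftover files:"; echo "$leftovers"; status=1; }
  return $status
}

if [ "${1:-}" = "--live" ]; then audit; else self_check && echo "self-check passed"; fi
```

Run it with `--live` on the Mac after the final reboot; a non-zero exit means something is still registered, running or on disk, or SIP is off. The script only reads state, so the cleanup itself still has to be done by hand as described above, and the SIP check is there precisely because the risky step is forgetting to turn SIP back on.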

  • Unfortunately, as things stand, extensions aren’t removable by Sophos, it’s a known issue (but having them persist is harmless).

    Apple is aware of this issue but has not yet provided any APIs that allow us to remove them programmatically. The reason we cannot remove the extensions is that Apple copies the extensions when they are first run and then runs them from a location we cannot modify.

  • Thanks for the clarification, Darren. I can see why it is a problem to remove those extensions. Not sure if there is a KB article that mentions this and possibly the crude solution I provided. The risk is users who forget to re-enable SIP, and the related risk of mishaps that come with disabling SIP. 

    Still I would prefer the remnant process to be gone, as I think many admins would. And on my test install on a Big Sur M1 MacBook Air this issue didn't manifest itself. So I'm not sure if it is solved on Big Sur or not?

    Btw, personally I didn't see that extension taking up that much CPU as Dags K mentioned, but that's only my experience.