Sophos Endpoint and Apple macOS 11 Big Sur

Our Endpoint Protection does not yet support macOS 11 (Big Sur). Please do not upgrade until we announce that we support it. We plan to have an Early Access Program (EAP) available soon so that you can test it on your own machines.
Apple will release macOS 11 on the 12th November. We plan to create an EAP in Central to test this release soon, but do not support it yet.

Central Device Encryption (CDE) for Mac version 1.5.3 does support macOS 11. This was rolled out recently, but bear in mind that if you use both Endpoint and CDE you will still need to wait before upgrading to macOS 11.

On-premise customers will also get a version of endpoint protection that is supported on macOS 11 but will not have access to an EAP or Preview ahead of full support.

ARM-based CPUs are not currently supported. They require macOS 11 and additional testing and requirements. Sophos will support ARM-based CPUs; however, the details of that support will be provided at a later date.


Please check this KBA for up-to-date information: https://support.sophos.com/support/s/article/KB-000039501?language=en_US


Link to the Big Sur EAP on the Sophos Community



included info for Big Sur EAP
[edited by: FloSupport at 9:50 PM (GMT -8) on 2 Dec 2020]
  • I know software takes time to develop and for this type of software arguably greater testing needs to be done. However not only is it well known that Apple will release a new OS at roughly the same time each year, but Apple give advance access to betas to devs and ordinary users so that in theory developers like Sophos can be ready for the day it is officially released.

    Yes Apple might make changes at the last minute but in theory you should still be more ready even if this happens and therefore have less additional work to do and incur less delay.

    It is now nearly the end of January 2021 and little progress is visible since November 2020. Other anti-virus vendors have released official Big Sur compatible versions last year leaving Sophos looking very tardy in comparison.

    Sophos should be well aware that brand new Macs will be shipping only with Big Sur installed, and whilst in theory all but M1 equipped models can still be downgraded to Catalina, the fact these may be (are) being direct shipped to end users for deployment via DEP means end users are not going to be able to downgrade them.

    Enterprise customers, therefore, like myself, will have to start considering whether to stay with Sophos or abandon them for a provider who can be better relied on. Indeed, not only is this already an issue to us for new starters, not only am I getting pressure from end-users over why they cannot be allowed to upgrade to Big Sur, but I am also getting pressure from our Head of Security over the risks that Sophos' failure to deliver a solution is causing in that some machines are being left unprotected.

    I am now having no choice but to enrol production Macs into the EAP, otherwise they would be completely unprotected.

    Can we at least have an update from Sophos indicating an estimate for when a complete version for Intel and M1 Macs is likely? (I do appreciate and recognise that the known issues etc. articles have been updated recently.)

    Note: macOS updates happen annually; it is now three months and counting since Big Sur was released. If hypothetically it takes Sophos six months to issue a compatible version, this could mean that for half of every year Sophos is unable to protect Macs. Clearly this is unacceptable and will result in customers leaving.

  • Hello John,

    We are of course aware that new Macs ship with Big Sur and also that our support is later than you (and indeed we) would have liked. We have just agreed to support M1 devices under Rosetta 2 until we get native support released (during CQ2), and will have GA support for Big Sur at the beginning of March.

    This is the first time we have missed being ready for GA for over 10 years, but we realize how accustomed Apple users are to upgrading on day 1 for any macOS update, and we also strive for that support.

    Apart from the visual and security improvements, macOS 11 has radically changed the way 3rd party vendors such as Sophos interact with macOS, specifically changing kernel-level access to API (system extensions) access, meaning we have had to re-write much of our interfacing code to work with the new APIs.

    We have diligently worked with Apple since the first build of Big Sur, logging issues and preparing our products to support Big Sur. Our products need to work on macOS 10.x (where kernel access is allowed), macOS 11.x (where kernel access is no longer allowed) and at the quality that our customers expect, and since we have multiple features that use kernel extensions to function, that means that we have had a lot to develop and test.

    Changes to an OS of this nature are, fortunately, few and far between, and so we ask for a little more patience whilst we do our final work and complete testing before we release a GA supported version of our endpoint product.

    Regards,

    Darren.

  • Yes, the rollout should be complete by Friday. Look for version 10.0.4 to confirm you are on the GA release.

  • Is there a way to check if the endpoint is running fine with 10.0.4 and all exceptions which are set by Jamf Pro? Just to be sure that all settings are correct and the protection is enabled.

  • If you open the endpoint UI, click "About" then "Run Diagnostic Tool", you will see a "Prerequisites" tab on the left. If you open this there should be no red!

    If this is the case you should be fully working.

  • Is it possible to download version 10.0.4? Thanks

  • Yes please, I would like to download the latest version so I can start patching Big Sur machines.

  • I would like to download the latest version so I can start patching Big Sur machines.

  • The installer does not change. We will complete the rollout to recommended by close of business (UK) today, so you should then have 10.0.4 on all devices (this is what is already in the EAP).

  • If I download the installer from Sophos Central, it cannot be installed. We need new installer packages. I am Admin on machine, and I do not have permission to install.

    BR

  • Matjaz,

    The installer is the same regardless of whether you are running 10.14/15/16/11.

    We have not completed the rollout yet. If you try again tomorrow you should find 10.0.4 is the version installed; this supports Big Sur.

    Darren.
