Sophos Endpoint and Apple macOS 11 Big Sur

Our Endpoint Protection does not yet support macOS 11 (Big Sur). Please do not upgrade until we announce that we support it. We plan to have an Early Access Program (EAP) available soon so that you can test it on your own machines.
Apple will release macOS 11 on the 12th November, we plan to create an EAP in Central to test this release soon, but do not support it yet.

Central Device Encryption (CDE) for Mac version 1.5.3 does support macOS 11, this was rolled out recently but bear in mind that if you use both Endpoint and CDE you will still need to wait before upgrading to macOS 11.

On-premise customers will also get a version of endpoint protection that is supported on macOS 11 but will not have access to an EAP or Preview ahead of full support.

ARM-based CPUs are not currently supported. They require macOS 11 and additional testing and requirements. Sophos will support ARM-based CPUs, however, the details of that support will be provided at a later date.


Please check this KBA for up to date information: https://support.sophos.com/support/s/article/KB-000039501?language=en_US


Link to the Big Sur EAP on the Sophos Community



included info for Big Sur EAP
[edited by: FloSupport at 9:50 PM (GMT -8) on 2 Dec 2020]
Parents
  • I know software takes time to develop and for this type of software arguably greater testing needs to be done. However not only is it well known that Apple will release a new OS at roughly the same time each year, but Apple give advance access to betas to devs and ordinary users so that in theory developers like Sophos can be ready for the day it is officially released.

    Yes Apple might make changes at the last minute but in theory you should still be more ready even if this happens and therefore have less additional work to do and incur less delay.

    It is now nearly the end of January 2021 and little progress is visible since November 2020. Other anti-virus vendors have released official Big Sur compatible versions last year leaving Sophos looking very tardy in comparison.

    Sophos should be well aware that brand new Macs will be shipping only with Big Sur installed and whilst in theory all but M1 equipped models can still be downgraded to Catalina the fact these may (are) be being direct shipped to end users for deployment via DEP means end users are not going to be able to downgrade them.

    Enterprise customers therefore - like myself will have to start considering whether to stay with Sophos or abandon them for a provider who can be better relied on. Indeed not only is this already to us an issue for new starters, not only am I getting pressure from end-users over why cannot they be allowed to upgrade to Big Sur but I am also getting pressure from our Head of Security over the risks that Sophos' failure to deliver a solution is causing in that some machines are being left unprotected.

    I am now having no choice but to enrol production Macs in to the EAP otherwise they would be completely unprotected.

    Can we at least have an update from Sophos indicating an estimate for when a complete version for Intel and M1 Macs is likely. (I do appreciate and recognise that the known issues etc. articles have been updated recently.)

    Note: macOS updates happen annually, it is now three months and counting since Big Sur was released. If hypothetically it takes Sophos six months to issue a compatible version this could mean that for half of every year Sophos is unable to protect Macs. Clearly this is unacceptable and will result in customers leaving.

  • Hello John,

    We are of course aware that new Macs ship with Big Sur and also that our support is later than you (and indeed we) would have liked, we have just agreed to support M1 devices under Rosetta 2 until we get native support released (during CQ2) and will have GA support for Big Sur at the beginning of March.

    This is the first time we have missed being ready for GA for over 10 years but we realize how accustomed Apple users are to upgrading on day 1 for any macOS update and we also strive for that support.

    Apart from the visual and security improvements macOS 11 has radically changed the way 3rd party vendors such as Sophos interact with macOS. Specifically changing kernel-level access to API (system extensions) access meaning we have had to re-write much of our interfacing code to work with the new APIs.

    We have diligently worked with Apple since the first build of Big Sur, logging issues and preparing our products to support Big Sur. Our products need to work on macOS 10.x (where kernel access is allowed), macOS 11.x (where kernel access is no longer allowed) and at the quality that our customers expect and since we have multiple features that use kernel extensions to function that means that we have had a lot to develop and test.

    Changes to an OS of this nature are, fortunately, few and far between and so we ask for a little more patience whilst do our final work and complete testing before we release a GA supported version of our endpoint product.

    Regards,

    Darren.

  • Hi James,

    I have added all those PPPC in the link https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/116397/sophos-mac-endpoint-how-to-configure-jamf-privacy-preferences-for-10-15-compatibility in Jamf Configuration Profile but i could not find SophosScanD.app in the /Applications and /Library/Sophos  Anti-Virus folder. I am running Big Sur. 

    If manually going thru, Click About.. Diagnose.. Prerequisites then click on SophosScanD then it will work

    Thanks for your help

  • SophosScanD does not need to be added. It relies on other things, but it does not need to be added.

    In Prerequisites what item is listed as incorrect, as SophosScanD is not an entry. Sophos Scan Agent is, and the Sophos Scan Extension.

    If we know what item is showing as red in the pre-requisites, we can give you more specific steps.

  • Hi James,

    The Sophos Scan Agent, the Sophos Scan Extension and others are added Jamf PPPC and com.sophos.endpoint.networkextension and com.sophos.endpoint.scanextension are in Jamf System Configuration

    But still seeing in Prequisites > Sophos Scan Extension is red and requires enabled via System Preferences > Security & Privacy > General > “System software from application “SophosScanD” was blocked from loading. > click Allow 

    Is there way to white list "sophosScanD" in Jamf?

  • I see what you are asking now. So SophosScanD does not need to be added. macOS is telling you that SophosScanD was trying to load the system extension.

    Please see the KB for troubleshooting system extension issues, and in the JAMF article, see the section about System Extensions. 

    https://support.sophos.com/support/s/article/KB-000041261?language=en_US

  • I am having the same issues as others have referenced here. I have followed the guide on getting Sophos set up with Jamf to the T, and I still am seeing that Sophos Scan Extension and Sophos Network Extension are not functioning. When running "sudo systemextensionsctl list" I see that both show a status of "activated waiting for user". 

  • The Activated Waiting for User status is caused by Apple, and should trigger a pop-up, and allow dialog in the security preferences in the control panel.  We have seen several times that this does not occur. Please look at the troubleshooting KB https://support.sophos.com/support/s/article/KB-000041261?language=en_US for how to re-trigger this.

    I want to stress that this is Apple's mechanism, we are just posting some things we have found that can potentially get past this "approved" but not fully approved state.

    When Apple added Kext approvals in 10.14, there were similar problems until a later macOS release, where approvals existed, but the OS did not properly recognize them initially. 

  • Unfortunately, the large majority of our users are not admins on their computers, so they would be unable to approve these system extensions in System Preferences. I understand this is a mechanism from Apple, and not from Sophos - but if there isn't a way for this to be pre-approved via Jamf, I am not sure how we (or any company with standard users) could possibly allow for system updates with Sophos installed. 

  • Hi Christian,

    I agree, and the JAMF settings we have published are accurate as far as our testing goes.  However this comes back to JAMF is using the Apple MDM API, which then adds approvals into the OS.

    As evidenced by the list, it is in a "activated waiting for user" state, which means that it was approved (otherwise it reports "Not Approved"), however it is still asking the user for something further, which should not occur.  

    So it isn't as simple as "can we change the JAMF config", as this still relies on Apple's mechanism to recognize that it is approved, which is where the issue appears to be originating from.

    Doing some googling led me to this thread about the same message (with a different product) on JAMF's message boards. https://www.jamf.com/jamf-nation/discussions/35965/system-extension-activated-waiting-for-user

    Apparently, if the JAMF profile exists before the installation, it does not prompt the user or get in this state, however if the approval triggers (due to an attempt to load the extension) before the profile is set, it gets into this state where it is approved, but still wants the user approval. Sadly, this is an Apple-level change required.

  • Hey James, 

    Thank you for your reply with this information. It seems like this may not then be an issue necessarily for Intel machines, but instead for current Apple Silicon machines during initial set up - since these require a reboot to approve system extensions being installed. 

Reply Children
No Data