Sophos Endpoint and Apple macOS 11 Big Sur

I know software takes time to develop and for this type of software arguably greater testing needs to be done. However not only is it well known that Apple will release a new OS at roughly the same time each year, but Apple give advance access to betas to devs and ordinary users so that in theory developers like Sophos can be ready for the day it is officially released.

Yes Apple might make changes at the last minute but in theory you should still be more ready even if this happens and therefore have less additional work to do and incur less delay.

It is now nearly the end of January 2021 and little progress is visible since November 2020. Other anti-virus vendors have released official Big Sur compatible versions last year leaving Sophos looking very tardy in comparison.

Sophos should be well aware that brand new Macs will be shipping only with Big Sur installed and whilst in theory all but M1 equipped models can still be downgraded to Catalina the fact these may (are) be being direct shipped to end users for deployment via DEP means end users are not going to be able to downgrade them.

Enterprise customers therefore - like myself will have to start considering whether to stay with Sophos or abandon them for a provider who can be better relied on. Indeed not only is this already to us an issue for new starters, not only am I getting pressure from end-users over why cannot they be allowed to upgrade to Big Sur but I am also getting pressure from our Head of Security over the risks that Sophos' failure to deliver a solution is causing in that some machines are being left unprotected.

I am now having no choice but to enrol production Macs in to the EAP otherwise they would be completely unprotected.

Can we at least have an update from Sophos indicating an estimate for when a complete version for Intel and M1 Macs is likely. (I do appreciate and recognise that the known issues etc. articles have been updated recently.)

Note: macOS updates happen annually, it is now three months and counting since Big Sur was released. If hypothetically it takes Sophos six months to issue a compatible version this could mean that for half of every year Sophos is unable to protect Macs. Clearly this is unacceptable and will result in customers leaving.

Hello John,

We are of course aware that new Macs ship with Big Sur and also that our support is later than you (and indeed we) would have liked, we have just agreed to support M1 devices under Rosetta 2 until we get native support released (during CQ2) and will have GA support for Big Sur at the beginning of March.

This is the first time we have missed being ready for GA for over 10 years but we realize how accustomed Apple users are to upgrading on day 1 for any macOS update and we also strive for that support.

Apart from the visual and security improvements macOS 11 has radically changed the way 3rd party vendors such as Sophos interact with macOS. Specifically changing kernel-level access to API (system extensions) access meaning we have had to re-write much of our interfacing code to work with the new APIs.

We have diligently worked with Apple since the first build of Big Sur, logging issues and preparing our products to support Big Sur. Our products need to work on macOS 10.x (where kernel access is allowed), macOS 11.x (where kernel access is no longer allowed) and at the quality that our customers expect and since we have multiple features that use kernel extensions to function that means that we have had a lot to develop and test.

Changes to an OS of this nature are, fortunately, few and far between and so we ask for a little more patience whilst do our final work and complete testing before we release a GA supported version of our endpoint product.

Regards,

Darren.

JamesM-Sophos
Hey James, same issues on my side here. I've opened a separate thread here :community.sophos.com/.../big-sur---jamf---sophos-endpoint-missing-permissions

I am having the same issues as others have referenced here. I have followed the guide on getting Sophos set up with Jamf to the T, and I still am seeing that Sophos Scan Extension and Sophos Network Extension are not functioning. When running "sudo systemextensionsctl list" I see that both show a status of "activated waiting for user". 

The Activated Waiting for User status is caused by Apple, and should trigger a pop-up, and allow dialog in the security preferences in the control panel.  We have seen several times that this does not occur. Please look at the troubleshooting KB https://support.sophos.com/support/s/article/KB-000041261?language=en_US for how to re-trigger this.

I want to stress that this is Apple's mechanism, we are just posting some things we have found that can potentially get past this "approved" but not fully approved state.

When Apple added Kext approvals in 10.14, there were similar problems until a later macOS release, where approvals existed, but the OS did not properly recognize them initially. 

Unfortunately, the large majority of our users are not admins on their computers, so they would be unable to approve these system extensions in System Preferences. I understand this is a mechanism from Apple, and not from Sophos - but if there isn't a way for this to be pre-approved via Jamf, I am not sure how we (or any company with standard users) could possibly allow for system updates with Sophos installed. 

Hi Christian,

I agree, and the JAMF settings we have published are accurate as far as our testing goes.  However this comes back to JAMF is using the Apple MDM API, which then adds approvals into the OS.

As evidenced by the list, it is in a "activated waiting for user" state, which means that it was approved (otherwise it reports "Not Approved"), however it is still asking the user for something further, which should not occur.  

So it isn't as simple as "can we change the JAMF config", as this still relies on Apple's mechanism to recognize that it is approved, which is where the issue appears to be originating from.

Doing some googling led me to this thread about the same message (with a different product) on JAMF's message boards. https://www.jamf.com/jamf-nation/discussions/35965/system-extension-activated-waiting-for-user

Apparently, if the JAMF profile exists before the installation, it does not prompt the user or get in this state, however if the approval triggers (due to an attempt to load the extension) before the profile is set, it gets into this state where it is approved, but still wants the user approval. Sadly, this is an Apple-level change required.

Hey James, 

Thank you for your reply with this information. It seems like this may not then be an issue necessarily for Intel machines, but instead for current Apple Silicon machines during initial set up - since these require a reboot to approve system extensions being installed. 

Hi Darren,

Is there a way to look at that from the Central admin?  When looking at Windows machines it shows the version number of what's installed, but when looking at Mac's it doesn't show any version information.  Our machines are all over the place and won't be very convenient if we have to remote into each machine or talk to the customer and have them run that.

Hey Devin, if you use Jamf, you can use Sophos Endpoint patch management to see the versions that the computers have installed. 

Hey Christian,  Unfortunately we don't, just trying to figure out why Sophos show's it in the Central admin for all our Windows machines, but not for the Mac's.

Not right now I'm afraid, we're working on it, you can for Windows but Macs operate differently and don't have individual components.

Not right now I'm afraid, we're working on it, you can for Windows but Macs operate differently and don't have individual components.