Sophos Endpoint Protection Issues on first boot after upgrading to macOS 11.3

Overview

Apple released the macOS Big Sur 11.3 update on April 28, 2021. If Sophos is installed on an M1 (ARM) based system before the update is applied, protection is compromised on the first boot after the update. Restarting the system once more resolves the issue.

This affects both On Premise and Central based Sophos endpoint protection, as well as Sophos Central Device Encryption.

This also applies to the 10.1.0 M1 (ARM) Optimized EAP.

The issue can be observed when the following conditions are met:

  • macOS 11 prior to 11.3 with Sophos installed
  • Upgrading to macOS 11.3
  • M1 chip (ARM) based hardware only (Intel hardware is not impacted)


The issue does not occur if any of the conditions below applies:

  • Intel chip Macs
  • New installs on macOS 11.3
  • macOS 10.15.7 Catalina and below (M1 chips are not supported on these versions)


Background

On the first boot after upgrading to macOS 11.3, Rosetta 2 (the compatibility layer that runs applications built for Intel chips) does not start immediately. When Sophos attempts to start, Rosetta 2 has not launched yet. The OS rejects all non-native applications at this time and prevents further attempts to start them until the system is restarted.

On all boots after the initial one, Rosetta 2 launches early in the boot process and the issue no longer occurs.
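As an added example (not a Sophos tool), the following POSIX sh script checks whether a Mac is in the state described above: Apple silicon, macOS 11.3, and Rosetta 2 not yet able to run an Intel binary. The decision logic takes its three inputs as arguments so it can be tested off-box; the live probe uses the standard `uname`, `sw_vers` and `arch -x86_64` commands, and the `ROSETTA_CHECK_NO_PROBE` variable name is this example's own invention.

```shell
#!/bin/sh
# Added example, not Sophos' own tooling. Decide whether this Mac is in the
# "first boot after 11.3 on Apple silicon, Rosetta 2 not running" state.
# Inputs (passed as arguments so the logic can be tested on any host):
#   $1 = CPU architecture as reported by `uname -m` (arm64 or x86_64)
#   $2 = macOS product version from `sw_vers -productVersion`
#   $3 = "ok" if an x86_64 binary ran through Rosetta 2, otherwise "fail"
# Prints exactly one of: not_affected | ok | restart_required
rosetta_state() {
  arch="$1"; ver="$2"; rosetta="$3"
  # Intel Macs are outside the advisory regardless of version.
  [ "$arch" = "arm64" ] || { echo not_affected; return 0; }
  # Only the 11.3 release is named by the advisory; later point releases
  # are deliberately not matched here (assumption, adjust if needed).
  [ "$ver" = "11.3" ] || { echo not_affected; return 0; }
  if [ "$rosetta" = "ok" ]; then
    echo ok
  else
    # Rosetta 2 has not started: non-native (Intel) components will be
    # refused until the next restart, so protection cannot be trusted yet.
    echo restart_required
  fi
}

# Live probe (macOS only): try to execute the x86_64 slice of a universal
# binary. On Apple silicon this only succeeds when Rosetta 2 is available.
probe_rosetta() {
  if arch -x86_64 /usr/bin/true 2>/dev/null; then echo ok; else echo fail; fi
}

# Run the live probe only when executed directly on a Mac.
if [ "$(uname -s)" = "Darwin" ] && [ -z "$ROSETTA_CHECK_NO_PROBE" ]; then
  rosetta_state "$(uname -m)" "$(sw_vers -productVersion)" "$(probe_rosetta)"
fi
```

A result of `restart_required` on a managed fleet is the signal to reboot once more before treating the endpoint as protected.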

Impact

  • Endpoint AV Protection
    • Endpoint protection is compromised until restarted
    • Communication with Central does not function
    • Client health state may be red
  • Central Device Encryption
    • Machines remain encrypted
    • The recovery key can still be retrieved from Central and decryption is possible
    • If the recovery key has been used, a new recovery key will not be generated until the connection with Central is functional


Resolution

When you experience one of the issues described in the Impact section, restart the client once again after upgrading to macOS 11.3.