
As of August 8th 2023, SSL/TLS Decryption is enabled in the EAP program for macOS devices.

Sophos,


Considering the impact of this new feature, it would have been better to send notification of it at least a day before it happened, rather than sending the notification on the same day the feature was enabled!

MacOS Endpoint EAP - August 2023 Update

(https://community.sophos.com/intercept-x-endpoint/macos-endpoint-eap/b/announcements/posts/macos-endpoint-eap--august-2023-update)

From a macOS deployment perspective, the following challenges exist:

  1. A reboot is needed (minor challenge)
  2. End user must allow a Sophos Trusted Certificate (bigger challenge).
  3. End user must navigate within Sophos Endpoint application, click a button, and enter their password to authorize the certificate (bigger challenge).
  4. The Sophos KB is vague whether “enter password” is for end-user’s password or needing administrative credentials, though since the password is needed to “authorize the certificate”, it is reasonable to assume the latter (so, even bigger challenge).
  5. Steps 2-4 are all manual; Sophos does not provide any method by which these steps can be done using MDM or other automatic means (biggest challenge)


  • Agree with all the points above. There needs to be an MDM method to alleviate all of these deployment steps. Also, we don't have SSL inspection turned on in our environment, yet the clients were still asked to do the steps above. If SSL inspection isn't turned on in the console, then we shouldn't be required to make any changes.

  • As this is an EAP, the control in Central that enables SSL decryption is located under Settings, in the HTTPS/SSL decryption global settings section. There is a check mark there for enabling it for EAP systems (or not). This also applies for Windows.

    Regarding the certificate approvals, it is under investigation for getting it added to the MDM profile we provide in our product, however as this is in the early access stage at this time, it has not been updated yet.

  • Has anyone got this working on Mac? My understanding is that this will now 'warn' on SSL sites that are set to 'warn' in web control. I can see in the logs it's doing the same as previously, as the logs say 'user has allowed warning'. SSL inspection is something we have been waiting for for a long time on Mac.

  • The text in that control is specific to Windows only.
    If you check in Overview > Endpoint Protection Dashboard > Global Settings > SSL/TLS decryption of HTTPS websites, the text is specific to Windows. There is no mention of macOS computers or that the text is inclusive of all computers.

  • I like the idea of this capability.

    I do not like not being able to deploy it via MDM, so that the configuration is dependent upon the end-user to configure it correctly.
    It would also help to have information on reporting on these settings (queries or extended attributes).
    Granted, I know this is EAP and early yet, but, currently, what is required to deploy this software is greater than the benefits, especially when you have 5000+ devices in an enterprise, spread out all over everywhere.

  • Yep, the MDM deployment is key here. I'm testing in a very small lab. I have confirmed with Sophos tech that there is a problem with the SSL/TLS EAP. It seems that the inspection is not working as expected: no sites are being flagged 'warned', and the tool just bypasses straight to the site. Hopefully we can get a resolution soon. Thanks for your help.

  • Hi! Thank you for your feedback.

    Below is an inline response to your feedback.
    From a macOS deployment perspective, the following challenges exist:

    • A reboot is needed (minor challenge)

      • A reboot is needed to ensure that all network sessions are intercepted by our new process, i.e. SophosModernWebIntelligence. Simply starting the new process would result in only new browser traffic being intercepted, leading to potentially confusing behaviour. We will explore whether this is something we can eliminate for GA.

    • End user must allow a Sophos Trusted Certificate (bigger challenge).

      • We understand that this is a bigger challenge. The Modern Web public CA certificate is unique to each installation; it isn't practical to use an MDM product to distribute a CA certificate to every macOS computer. More information can be found here: How HTTPS traffic is secured when using Modern Web
    • End user must navigate within Sophos Endpoint application, click a button, and enter their password to authorize the certificate (bigger challenge).
      • If the user has notifications allowed for Sophos, the end user will see a prompt to authorize the certificate. Clicking on the prompt will bring up the authorization window. Navigating within the Sophos Endpoint application is an additional option we included in case the prompt is missed or disabled on the endpoint.
        The MDM profiles we deploy with our installer enable notifications for Sophos processes. Here's more information about our MDM profiles and how to deploy them: https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=protect-devices-endpoint-Mac-JAMF-Pro

    • The Sophos KB is vague whether “enter password” is for end-user’s password or needing administrative credentials, though since the password is needed to “authorize the certificate”, it is reasonable to assume the latter (so, even bigger challenge).
      • Administrative credentials are required to authorize the certificate. There is no workaround for this currently, since inserting a certificate into the System Keychain requires root privileges. We have updated the original post to be more clear.
    • Steps 2-4 are all manual; Sophos does not provide any method whether these steps can be done using MDM or other automatic means (biggest challenge)

      • We take user interactions into consideration and currently there is no viable solution available to utilize MDM to authorize our root CA certificate. We continue to pay attention to any new MDM payloads we can potentially add to improve deployment experience of our product.

    Please let me know if you have any more feedback regarding Modern Web feature on macOS.

    Thank you,

    Sejal Singh
    Team Lead, macOS Software Development
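
The reply above explains why the per-installation CA cannot be pushed as a generic MDM certificate payload and why authorizing it requires admin credentials (the trust setting lives in the System keychain), and an earlier post asked for a way to report on the resulting state through queries or extension attributes. The following script is an added example of that reporting, written by the editor; it is not Sophos's code and not part of the original thread. It is shaped as a Jamf Pro extension attribute (output wrapped in `<result>` tags) and assumes that the CA's keychain label or common name contains "Sophos" (the `CERT_MATCH` variable), that the System keychain is at the usual path, and that `security find-certificate -a` prints item attributes in its usual `"labl"<blob>="..."` form. The `summarize` and parsing helpers are pure so they can be exercised off-box; the live keychain checks only run on macOS.

```shell
#!/bin/sh
# Added example (not Sophos code): a Jamf Pro style extension-attribute script
# that reports whether a per-host CA certificate is present in the macOS System
# keychain and whether macOS currently trusts it for SSL. Assumptions: the CA's
# keychain label/common name contains "Sophos" (CERT_MATCH) and the path below.
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
CERT_MATCH="${CERT_MATCH:-Sophos}"

# extract_labels: read the attribute dump that `security find-certificate -a`
# prints on stdin and emit the "labl" (display name) of each item, one per line.
# The '"labl"<blob>="..."' line shape is an assumption about the tool's output.
extract_labels() {
  sed -n 's/^[[:space:]]*"labl"<blob>="\(.*\)"[[:space:]]*$/\1/p'
}

# count_pem_blocks: count certificates in a PEM stream on stdin (prints 0 if none).
count_pem_blocks() {
  grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# verify_each_pem: split a PEM stream on stdin into one file per certificate and
# ask macOS whether each is trusted for SSL. `security verify-cert` consults the
# trust settings that the admin-authorized step creates, so a CA that is in the
# keychain but was never authorized reports "untrusted".
verify_each_pem() {
  dir=$(mktemp -d) || return 1
  awk -v d="$dir" '/^-----BEGIN CERTIFICATE-----$/ { n++ } n > 0 { print > (d "/cert" n ".pem") }'
  for f in "$dir"/cert*.pem; do
    [ -f "$f" ] || continue
    if security verify-cert -c "$f" -p ssl >/dev/null 2>&1; then
      echo trusted
    else
      echo untrusted
    fi
  done
  rm -rf "$dir"
}

# summarize PRESENT TRUSTED: reduce the two counts to one reportable state.
summarize() {
  present=$1
  trusted=$2
  if [ "$present" -eq 0 ]; then
    echo "missing"
  elif [ "$trusted" -eq "$present" ]; then
    echo "trusted ($present)"
  elif [ "$trusted" -eq 0 ]; then
    echo "present-untrusted ($present)"
  else
    echo "partially-trusted ($trusted/$present)"
  fi
}

main() {
  # Item count: matching certificates in the System keychain only, not the
  # user's login keychain, because that is where root-level authorization lands.
  present=$(security find-certificate -a -c "$CERT_MATCH" "$SYSTEM_KEYCHAIN" 2>/dev/null \
            | extract_labels | grep -c . || true)
  # Trust count: export the same items as PEM and verify each one.
  trusted=$(security find-certificate -a -c "$CERT_MATCH" -p "$SYSTEM_KEYCHAIN" 2>/dev/null \
            | verify_each_pem | grep -cx trusted || true)
  # Jamf extension attributes read whatever sits between the <result> tags.
  printf '<result>%s</result>\n' "$(summarize "$present" "$trusted")"
}

# Only touch the live keychain on macOS; elsewhere the helper functions remain
# available for testing with constructed input.
if [ "$(uname)" = "Darwin" ] && command -v security >/dev/null 2>&1; then
  main
fi
```

Deployed as an extension attribute, the values `missing`, `present-untrusted (1)` and `trusted (1)` make it possible to build a smart group of Macs where the user has not yet completed the authorization step, which is the reporting gap the earlier post described. The "present but untrusted" state is the one to watch: the certificate is in the keychain, but without the trust setting macOS will not accept the proxy-issued leaf certificates and browsers will show TLS errors rather than filtered pages.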

  • Hi Lee Stanford!

    Thank you for your feedback.

    1. Regarding MDM method to alleviate the above deployment steps, there is currently no viable solution available to authorize our root CA certificate. More details regarding our CA certificate required for filtering HTTPS traffic can be found here: How HTTPS traffic is secured when using Modern Web 
    2. Regarding deployment steps for SSL inspection, we will look into improving the workflow for this for GA.

    Please let me know if you have any more feedback regarding Modern Web feature on macOS.

    Thank you,
    Sejal Singh
    Team Lead, macOS Software Development

  • Hi,

    Could you please share the case number for the issue you confirmed with Sophos tech. The development team would like to confirm if this is a known issue or something new.

    Thank you,
    Sejal Singh
    Team Lead, macOS Software Development