As of August 8th 2023, SSL/TLS Decryption is enabled in the EAP program for macOS devices.

Question

Sophos, 
 Considering the impact that this new feature contains, it could have been better handled to send notification of this new feature at least a day before it happens, as opposed to sending the notification on the same day this new feature is enabled! 
 MacOS Endpoint EAP - August 2023 Update 
 ( https://community.sophos.com/intercept-x-endpoint/macos-endpoint-eap/b/announcements/posts/macos-endpoint-eap--august-2023-update ) 
 From a macOS deployment perspective, the following challenges exist: 
 
 A reboot is needed (minor challenge) 
 End user must allow a Sophos Trusted Certificate (bigger challenge). 
 End user must navigate within Sophos Endpoint application, click a button, and enter their password to authorize the certificate (bigger challenge). 
 The Sophos KB is vague whether &ldquo;enter password&rdquo; is for end-user&rsquo;s password or needing administrative credentials, though since the password is needed to &ldquo;authorize the certificate&rdquo;, it is reasonable to assume the latter (so, even bigger challenge). 
 Steps 2-4 are all manual; Sophos does not provide any method whether these steps can be done using MDM or other automatic means (biggest challenge)

Sejal Singh · Accepted Answer

Hi salexander ! Thank you for your feedback. Below is inline response for your feedback From a macOS deployment perspective, the following challenges exist:

A reboot is needed (minor challenge)

A reboot is needed to ensure that all network sessions are intercepted by our new process i.e SophosModernWebIntelligence. Simply starting the new process would result in only new browser traffic being intercepted leading to potentially confusing behaviour. We will explore if this is something we can eliminate for GA.

End user must allow a Sophos Trusted Certificate (bigger challenge). 
 
 We understand that this is a bigger challenge, the Modern Web public CA certificate is unique to each installation, it isn&rsquo;t practical to use an MDM product to distribute a CA certificate to every macOS computer. More information can be found here: How HTTPS traffic is secured when using Modern Web

End user must navigate within Sophos Endpoint application, click a button, and enter their password to authorize the certificate (bigger challenge).

If user has notifications allowed for Sophos, end-user will see a prompt to authorize the certificate. Clicking on the prompt will bring up the authorization window. Navigating within the Sophos Endpoint application is an additional option we included if prompt is missed or disabled on the endpoint. The MDM profiles we deploy with our installer enables notifications for Sophos processes. Here's more information about our MDM profiles and how to deploy them: https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=protect-devices-endpoint-Mac-JAMF-Pro

The Sophos KB is vague whether &ldquo;enter password&rdquo; is for end-user&rsquo;s password or needing administrative credentials, though since the password is needed to &ldquo;authorize the certificate&rdquo;, it is reasonable to assume the latter (so, even bigger challenge). 
 
 Administrative credentials are required to authorize the certificate. There is no workaround for this currently since inserting a certificate into the System Keychain requires root privileges. We have updated the original post to be more clear.

Steps 2-4 are all manual; Sophos does not provide any method whether these steps can be done using MDM or other automatic means (biggest challenge)

We take user interactions into consideration and currently there is no viable solution available to utilize MDM to authorize our root CA certificate. We continue to pay attention to any new MDM payloads we can potentially add to improve deployment experience of our product.

Please let me know if you have any more feedback regarding Modern Web feature on macOS. 
 Thank you, 
 Sejal Singh Team Lead, macOS Software Development

As of August 8th 2023, SSL/TLS Decryption is enabled in the EAP program for macOS devices.

Top Replies