How HTTPS traffic is secured when using Modern Web

To filter HTTPS traffic, Sophos Endpoint requires the user's approval to add a new certificate to the System Keychain. When the Modern Web filtering feature is enabled, Sophos Endpoint creates a new private key that is unique to each installation. This private key is used for encrypting network data after Modern Web inspection. Next, it generates a matching public Certificate Authority (CA) certificate; that certificate is what must be stored in the System Keychain. This makes the CA certificate available to browsers so that they can verify the integrity of the encrypted data from Modern Web.

As a security best practice, the Modern Web private key is unique to every installation, which requires the matching public CA certificate to be unique to each installation as well. As a result, the public CA certificate can validate encrypted data from the local computer only; it cannot be used on other computers within the same organization, because their private keys will not match.

Because the Modern Web public CA certificate is unique to each installation, it isn't practical to use an MDM product to distribute the CA certificate to every macOS computer: doing so would require maintaining a database of separate CA certificates, one for each managed macOS computer.
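The two paragraphs above make a claim that is easy to check with standard X.509 tooling: a server certificate issued under one installation's CA validates only against that installation's CA certificate, so copying the CA certificate from one Mac to another buys nothing. The following Go program is an added example written for this page, not Sophos code; it models two installations with its own hypothetical names (`newInstallationCA`, `issueLeaf`, `trustedBy`, `demo`) and a constructed hostname, generates a distinct CA key pair for each, issues a leaf certificate under the first, and verifies it against both roots the way a browser's trust store would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// installationCA models the per-installation private key and matching public
// CA certificate described on the page. The type and field names are this
// example's own, not Sophos identifiers.
type installationCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newInstallationCA generates a fresh self-signed CA. Every call produces a new
// key pair, which is what makes each "installation" unique.
func newInstallationCA(host string) (*installationCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Inspection CA (" + host + ")"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &installationCA{key: key, cert: cert}, nil
}

// issueLeaf signs a server certificate for dnsName with this installation's
// private key, standing in for the certificate a local inspection proxy would
// present to the browser for that site.
func (ca *installationCA) issueLeaf(dnsName string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy reports whether a client whose trust store holds only trustRoot
// would accept leaf for dnsName, i.e. whether the chain validates to that root.
func trustedBy(leaf, trustRoot *x509.Certificate, dnsName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}

// demo creates two installations, issues a leaf under the first, and returns
// (validates on the issuing machine, validates on the other machine).
func demo() (sameMachine, otherMachine bool, err error) {
	macA, err := newInstallationCA("mac-a") // constructed host label
	if err != nil {
		return false, false, err
	}
	macB, err := newInstallationCA("mac-b") // constructed host label
	if err != nil {
		return false, false, err
	}
	const site = "www.example.com" // constructed sample hostname
	leaf, err := macA.issueLeaf(site)
	if err != nil {
		return false, false, err
	}
	return trustedBy(leaf, macA.cert, site), trustedBy(leaf, macB.cert, site), nil
}

func main() {
	same, other, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted by issuing installation: %v\n", same)
	fmt.Printf("trusted by another installation:  %v\n", other)
}
```

The chain fails on the second machine for two independent reasons: the issuer name does not match any root in the pool, and even if it did, the ECDSA signature over the leaf cannot be verified with a key the second CA never had. That is why a single CA certificate pushed by MDM cannot stand in for per-installation certificates.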

The first time the Modern Web filtering feature is enabled, the user is prompted to accept the installation of the new CA certificate into the System Keychain. If the user ignores this request for approval, the endpoint's health is set to red: Sophos Endpoint cannot enforce the policy set by the Central administrator and is therefore deemed not to meet all prerequisites. The user can resolve this by clicking the "Fix" button in the Sophos Endpoint UI or by using the Self-Help Tool UI. The Modern Web filtering feature continues to monitor the root certificate and its status in the System Keychain. If the CA certificate is deleted, it is immediately restored. If the trust status of the certificate is altered, the user is prompted to restore it.