Due to a new security mechanism that Apple has released with MacOS 10.13, called Secure Kernel Extension Loading (SKEL), all non-Apple kernel extension (what we use to intercept files, etc) vendors must be manually added to a trusted list (Any user can add this). This allows the kernel extensions to load and is required for Sophos Anti-Virus to function properly. All third party vendors are impacted by this change, and it is not possible to work around this requirement.
This knowledge base article contains the steps on how to allow the Sophos Kernel Extensions, and how to manually authorize the kext if in case it is not loading.
The following sections are covered:
Applies to the following Sophos products and versions Central Mac EndpointSophos Anti-Virus for Mac OS X
Due to an Apple security restriction, this cannot be done via a remote desktop connection. The Allow button will show, but be grayed out if it is accessed via remote desktop. There must be a locally logged on user.
Once authorized, all future Sophos kernel extensions will now be allowed, even after the uninstall. The above steps are no longer needed on a reinstall.
If the kexts do not load after the above steps, or the prompt to allow the kext does not show, here are the steps to authorize the kext manually.
/usr/sbin/spctl kext-consent add 2H5GFH3774
There are some customers who we have seen run into this issue even after these steps. Apple has acknowledged that there is a bug in 10.13 and 10.14.0 that can cause an issue. It is fixed in 10.14.1, which was released 30 October 2018.
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.