This knowledge base article provides information about support for macOS 10.15 Catalina, as well as known issues. It is highly advisable to read the known issues, as several of them are unavoidable in this OS release. Apple enforces new per-application permissions in this version. For some permissions (such as access to user folders), the OS presents a pop-up asking the user to allow access; for system-level access, however, the OS presents no notification. Several Sophos services require this system level of access to detect and clean threats, so Apple will not notify users when these issues are being experienced. All of our applications and installers are 64-bit and will not be limited by Apple's 32-bit restriction.
Applies to the following Sophos products and versions: Central Mac Endpoint, Sophos Anti-Virus for Mac OS X
Operating systems: macOS 10.15 Catalina
With the release of macOS 10.15 Catalina, Apple has added additional security lockdowns to the operating system, including per-application disk access lockdowns. This results in several high-impact issues that must be corrected for full protection. Please see the Known issues section below for full details. Upgrading to 10.15 is not recommended until your organization has a transition plan in place.
To support macOS 10.15 Catalina, Sophos Endpoint 9.9.4 or later is required. Earlier versions will run if present during an upgrade, but they are subject to the same known issues below and not all permissions can be added (SophosServiceManager and SophosScanAgent cannot be added with 9.9.3). Version 9.9.3 or earlier will not install on a 10.15 system, and Central clients 9.9.2 or earlier will fail to communicate with Central until they update.
Sophos released 9.9.4 to Central in September 2019. Version 9.9.4 is also a Preview subscription for Enterprise Console customers as of mid-September 2019.
For both Central and Enterprise Console, version 9.9.5 was released in mid-October 2019 (to Recommended and Preview for Enterprise Console) and includes a permissions popup to make installations a bit easier.
Apple has locked down the following User Folders in macOS 10.15.
The agents will need to be added to the Full Disk Access area of Security & Privacy, unless otherwise noted.
The following issues will be experienced after upgrading to macOS 10.15 and before applying the corrective steps.
For a new installation of Sophos on a Mac, Sophos needs to be allowed in the General tab of the Security & Privacy window. If Sophos needs to be re-installed on the same Mac, this approval does not need to be repeated, because the operating system retains it.
Note: It is a known issue that customers with only Central Device Encryption installed will get this popup, even with the permissions added. Adding the AV component will correct this. Alternatively, turning off Notifications (in System Preferences) for Sophos will also silence this. This will be corrected in version 10.0.
As of version 9.9.5, a popup will occur (if Notifications are enabled) every hour if the permissions are incorrect. Clicking on this notification will bring up a window that allows you to set permissions quickly.
The following can be performed on macOS 10.14, before upgrading to macOS 10.15, or after macOS 10.15 has been installed. The only exception to this is SophosServiceManager, which can only be added on macOS 10.15.
Note: The sweep tool, which is in /usr/local/bin/, cannot be added via this method as it is not a .app. The first time the tool is run, the user will be prompted to allow it. It is only called if you use it from the command line.
Using an MDM solution like Apple Profile Manager, or JAMF, you can add permissions in TCC to allow these processes. There are posts in the Community forum which detail settings that work for these platforms.
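As an added illustration (not Sophos's settings and not taken from the Community posts), this Python sketch builds the kind of Privacy Preferences Policy Control payload an MDM pushes to grant Full Disk Access. The process names come from this article; the identifiers, code requirements and the `example.org` organization prefix are placeholders and must be replaced with values read from the installed binaries.

```python
import plistlib
import uuid

# Constructed input. Process names come from the article; identifiers and code
# requirements are placeholders, to be read from the installed binaries with
# `codesign -dr - <path>` before the profile is deployed.
AGENTS = [
    {"name": "SophosServiceManager", "identifier": "<BUNDLE-ID-OR-PATH>",
     "id_type": "bundleID", "requirement": "<DESIGNATED-REQUIREMENT>"},
    {"name": "SophosScanAgent", "identifier": "<BUNDLE-ID-OR-PATH>",
     "id_type": "bundleID", "requirement": "<DESIGNATED-REQUIREMENT>"},
]

def unresolved(agents):
    """Names of agents that still carry a <PLACEHOLDER> value."""
    return [a["name"] for a in agents
            if any(a[k].startswith("<") for k in ("identifier", "requirement"))]

def stable_uuid(label):
    """Deterministic UUID so repeated runs produce identical output."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, label)).upper()

def build_profile(agents, org="example.org"):
    """Return a .mobileconfig (XML plist bytes) granting Full Disk Access."""
    entries = [{
        "Identifier": a["identifier"],
        "IdentifierType": a["id_type"],       # "bundleID" or "path"
        "CodeRequirement": a["requirement"],  # ties the grant to the signer
        "Allowed": True,
        "Comment": a["name"],
    } for a in agents]
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{org}.tcc.full-disk-access",
        "PayloadUUID": stable_uuid(f"{org}.tcc.full-disk-access"),
        "PayloadVersion": 1,
        "Services": {"SystemPolicyAllFiles": entries},  # Full Disk Access
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.endpoint-permissions",
        "PayloadUUID": stable_uuid(f"{org}.endpoint-permissions"),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Endpoint agent Full Disk Access",
        "PayloadContent": [tcc_payload],
    }
    return plistlib.dumps(profile)
```

Check that `unresolved(AGENTS)` returns an empty list before uploading the output of `build_profile` to the MDM; an entry whose code requirement does not match the installed binary grants nothing.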