Apple MAC active directory users not registering on XGS firewall

A customer has a major number of Apple MAC OS computers.
The devices are Active Directory joined, all have Sophos Endpoint Protection installed, and the users log onto the computers with Active Directory credentials.

All the customer's locations have Sophos XGS firewalls with full Sophos Central connection activated.

All the Windows Clients/Users are being correctly registered as active users on the firewalls.

From the Apple MAC OS computers/users we cannot even see any log-on process in the firewalls' logs.

The customer wants to implement user-based firewall rules.
We therefore need to have the Apple MAC OS users register consistently on the firewall as active users.

How can we do this?



Added TAGs
[edited by: emmosophos at 5:10 PM (GMT -7) on 15 Oct 2021]
  • Hi,

    Thank you for reaching out to Sophos Community.

    Do you see health status events in heartbeat.log for the endpoint installed on MAC OS? This event indicates that the endpoint has sent health status to XG.

    Example log snippet:

    a 2019-10-23T18:39:41.780Z [4616:5628] - Sending login status.

    a 2019-10-23T18:39:51.211Z [4616:5628] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
  • Good morning, I cannot find a "heartbeat.log" file under "/log" on the firewall(s).

    There is only a "heartbeatd.log" file there.

    There I can see as an example the following entry for a MAC OS client:

    [2021-10-14 10:06:47.939] INFO HBSession.cpp[8756]:502 logNewSession - New Session: [10.13.8.90]:46569 connected
    [2021-10-14 10:06:47.978] INFO EndpointStorage.cpp[8756]:114 endpoint_connectivity_cb - Connectivity changed for <14e242a0-0e3c-4f14-a84d-a854274bc262>: <5> -> <1>
    [2021-10-14 10:06:47.978] INFO ModuleSacFirst.cpp[8756]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=10.13.8.90)
    [2021-10-14 10:06:47.978] INFO ModuleStatus.cpp[8756]:138 processMessageStatus - Status request received from endpoint: 14e242a0-0e3c-4f14-a84d-a854274bc262 (10.13.8.90) health: 1

    Is it what you were looking for?

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • I've also checked on the customer's firewall.
    There's a MAC OS client there, whose IP I know and that is registered and active in Sophos Central.
    But I cannot find its IP address in the "heartbeatd.log" file on the corresponding firewall.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • On another firewall of the same customer I could find the following entries.

    On one it seems to be working:
    [2021-10-18 11:37:59.671] INFO HBSession.cpp[12953]:502 logNewSession - New Session: [10.40.0.203]:33779 connected
    [2021-10-18 11:37:59.693] INFO ModuleSacFirst.cpp[12953]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=10.40.0.203)
    [2021-10-18 11:37:59.693] INFO ModuleStatus.cpp[12953]:138 processMessageStatus - Status request received from endpoint: cd3afd3b-0b2e-419e-ba53-0f223e672db2 (10.40.0.203) health: 1

    On the other I can see a failure to connect:
    [2021-10-18 12:03:30.871] WARN HBSession.cpp[12651]:341 bufferDisconnectEvent - Incoming connection from 10.30.0.107 failed. SSL error: SSL routines:ssl3_read_bytes sslv3 alert certificate expired

    Also I checked on the firewall for the former posting.
    The user has installed the "authentication client" on his MAC OS computer and it is registering the user on the firewall.
    Is it possible that using the "authentication client" stops the device from registering the heartbeat on the firewall?

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner
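
The check the posts above perform by hand, looking up a client IP in heartbeatd.log, can be scripted. The following is an added example, not code from any poster or from Sophos: it parses only the three line shapes quoted in this thread and labels each expected client IP. The function names and verdict labels are hypothetical, 192.0.2.10 is a constructed address, and other firmware versions may log differently.

```python
import re
from collections import defaultdict

# Lines copied from the heartbeatd.log excerpts quoted in the thread.
SAMPLE_LOG = """\
[2021-10-14 10:06:47.939] INFO HBSession.cpp[8756]:502 logNewSession - New Session: [10.13.8.90]:46569 connected
[2021-10-14 10:06:47.978] INFO ModuleStatus.cpp[8756]:138 processMessageStatus - Status request received from endpoint: 14e242a0-0e3c-4f14-a84d-a854274bc262 (10.13.8.90) health: 1
[2021-10-18 11:37:59.671] INFO HBSession.cpp[12953]:502 logNewSession - New Session: [10.40.0.203]:33779 connected
[2021-10-18 11:37:59.693] INFO ModuleSacFirst.cpp[12953]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=10.40.0.203)
[2021-10-18 11:37:59.693] INFO ModuleStatus.cpp[12953]:138 processMessageStatus - Status request received from endpoint: cd3afd3b-0b2e-419e-ba53-0f223e672db2 (10.40.0.203) health: 1
[2021-10-18 12:03:30.871] WARN HBSession.cpp[12651]:341 bufferDisconnectEvent - Incoming connection from 10.30.0.107 failed. SSL error: SSL routines:ssl3_read_bytes sslv3 alert certificate expired
"""

NEW_SESSION = re.compile(r"New Session: \[([\d.]+)\]:\d+ connected")
STATUS = re.compile(r"Status request received from endpoint: ([0-9a-f-]+) \(([\d.]+)\) health: (\d+)")
SSL_FAIL = re.compile(r"Incoming connection from ([\d.]+) failed\. SSL error: (.+)$")

def summarize(log_text):
    """Collect per-IP heartbeat evidence from heartbeatd.log text."""
    hosts = defaultdict(lambda: {"sessions": 0, "endpoint_id": None, "health": None, "ssl_errors": []})
    for line in log_text.splitlines():
        line = line.strip()
        if m := NEW_SESSION.search(line):
            hosts[m[1]]["sessions"] += 1
        elif m := STATUS.search(line):
            hosts[m[2]].update(endpoint_id=m[1], health=int(m[3]))
        elif m := SSL_FAIL.search(line):
            hosts[m[1]]["ssl_errors"].append(m[2])
    return dict(hosts)

def classify(hosts, expected_ips):
    """Label each client IP the admin expects to see on this firewall."""
    verdicts = {}
    for ip in expected_ips:
        seen = hosts.get(ip)
        if seen is None:
            verdicts[ip] = "absent"               # no matching line in the log at all
        elif seen["health"] is not None:
            verdicts[ip] = "status_received"      # a status message was logged
        elif seen["ssl_errors"]:
            verdicts[ip] = "tls_failed"           # connection rejected, see ssl_errors
        else:
            verdicts[ip] = "connected_no_status"  # session opened, no status logged
        # The verdict labels are hypothetical names chosen for this example.
    return verdicts

if __name__ == "__main__":
    # 192.0.2.10 is a constructed address standing in for a client missing from the log.
    expected = ["10.13.8.90", "10.40.0.203", "10.30.0.107", "192.0.2.10"]
    for ip, verdict in classify(summarize(SAMPLE_LOG), expected).items():
        print(ip, verdict)
```

A verdict here only says what heartbeatd logged for that IP; whether the user then appears as a live user on the firewall is a separate check.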