Sophos On Big Sur



This article covers how to troubleshoot Sophos Home issues on macOS 11 (Big Sur).

TROUBLESHOOTING: Post installation (or upgrade) issues on Big Sur

Sophos Home requires 4 steps in order to run on Big Sur (macOS 11):

  1. Enabling System Extensions
  2. Allowing Notifications
  3. Granting Full Disk Access to components
  4. Rebooting the Mac

Sophos Endpoint and Apple macOS 11 Big Sur (DarrenTeagles, 5 months ago): Our Endpoint Protection does not yet support macOS 11 (Big Sur). Please do not upgrade until we announce that we support it.

Apple has released the new M1 Chip (ARM) equipped computers, which bring significant architecture changes (known as Apple Silicon). Among them, these devices will run (at minimum) macOS 11 Big Sur, and handle tasks differently than previous Apple systems.

Incoming SSH connections will fail if running Sophos Home v10.0.1a1 + macOS 11 Big Sur. We have identified a possible root cause for this issue. Expected fix to come out on 2021.

The latest operating system from Apple, macOS 11 Big Sur, has arrived and it brings with it a few significant architecture modifications. In this article, we will take a look at these changes, as well as some of the things you might consider doing to automate much of the deployment of Intercept X on macOS.

These changes started to appear with macOS Catalina (10.15) – Apple is beginning to deprecate the use of system wide kernel extensions in favour of user space system extension APIs. This allows software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access.

An interesting third-party review of some of the most significant changes Apple has introduced in the last decade can be found here.

Unfortunately, we didn’t have a GA version of Intercept X for Mac available on the first day of release. The good news is that we now have an Early Access Program (EAP) available in Central, whereby customers can enroll devices running macOS 11 in order to receive a pre-release version of Sophos Endpoint v10.0.2.

TIP: As you can appreciate, we don’t typically recommend using EAP (pre-release) software on a production system. If you would like to prevent users from upgrading to Big Sur AND if you or your customer are using Sophos Endpoint, then it’s worth noting that SophosLabs has added an Application Control detection for the Big Sur installer. This means that you can control its rollout by blocking the application – the installer is classified as a “System Tool”.

Most of you are probably aware of the process on how to join an EAP and then enroll devices, however if you would like some info on this process click here. Typically, we don’t make EAPs available to Sophos Central MSP accounts, however given that some customers may be purchasing new Apple hardware that comes pre-shipped running Big Sur, we have extended the EAP to MSP customers too.

About new hardware, the following Macintosh models (at the time of writing) use the new Apple M1 ARM-based system chipset:

  • MacBook Air (M1, 2020)
  • Mac mini (M1, 2020)
  • MacBook Pro (13-inch, M1, 2020)

Sophos Intercept X for Mac does not natively support this new chipset; however, it can be made to work using a piece of backwards compatibility software called Rosetta 2. This software needs to be installed on the Mac before joining it to the EAP and updating it to 10.0.2. More info on this process is also covered in the EAP community post above.

On testing the deployment of Intercept X on a brand new macOS 11 device, I found the installation routine quite user intensive, with several prompts required to allow permissions etc. before a complete protected state could be achieved.

There are several things that can be done to reduce these prompts, specifically using an MDM provider (such as Sophos Mobile or JAMF) to essentially pre-trust extensions using the Sophos ‘Team ID’ of 2H5GFH3774. This is a trusted ID that is used in the development of Sophos code, to automatically whitelist our software.

I found that this configuration made the deployment of Intercept X for Mac on macOS Catalina and older virtually ‘silent’. There were still some prompts that required user interaction when deploying on Big Sur; however, this will still cut down on the amount of interaction required compared with having no MDM settings applied.
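As an added illustration of pre-trusting extensions by Team ID (this is not Sophos's or the author's own configuration): the sketch below builds a configuration profile carrying Apple's system extension policy payload for the Team ID quoted above, then audits a profile for Team IDs trusted beyond the expected set. The payload identifiers, display name and function names are placeholders chosen for this example.

```python
import plistlib
import uuid

SOPHOS_TEAM_ID = "2H5GFH3774"  # Team ID quoted in the article
SYSEXT_POLICY = "com.apple.system-extension-policy"  # Apple MDM payload type


def build_profile(team_id=SOPHOS_TEAM_ID):
    """Return .mobileconfig bytes that pre-approve system extensions by Team ID."""
    policy = {
        "PayloadType": SYSEXT_POLICY,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sysext-allow",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "AllowedTeamIdentifiers": [team_id],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.endpoint-preapproval",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Endpoint pre-approval (example)",
        "PayloadScope": "System",
        "PayloadContent": [policy],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data, expected=frozenset({SOPHOS_TEAM_ID})):
    """Return findings: Team IDs trusted beyond, or missing from, `expected`."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    policies = [p for p in payloads if p.get("PayloadType") == SYSEXT_POLICY]
    if not policies:
        return ["no system-extension-policy payload"]
    allowed = set()
    for p in policies:
        allowed.update(p.get("AllowedTeamIdentifiers", []))
        allowed.update(p.get("AllowedSystemExtensions", {}))  # dict keyed by Team ID
    findings = [f"unexpected Team ID allowed: {t}" for t in sorted(allowed - expected)]
    findings += [f"expected Team ID missing: {t}" for t in sorted(expected - allowed)]
    return findings


if __name__ == "__main__":
    blob = build_profile()
    print(blob.decode())
    print(audit_profile(blob) or "profile trusts only the expected Team ID")
```

An allowlist keyed on a Team ID trusts every system extension signed by that team, so running the audit over profiles before they are scoped to devices shows exactly which signers a fleet will accept without a user prompt.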

Our wonderful professional services team have also created a number of scripts to use with JAMF to automate deployment on Macs. Info on this can be found here.

Expect to see some more information in the new year, once a GA version of 10.0.2 for Mac is available, on how to automate the deployment further.

Version 10.0.1

Important

You must review the information in knowledge base article KB-000039014 as it contains important information about this release.

Notes

The notification 'Full disk access required' that asks the user to grant Sophos processes full disk access may be re-triggered.

The threat detection engine version is 3.79.0.

Resolved issues

Resolved issues for this release.
Issue ID | Description
MACEP-5389 | Resolved an issue with tabs opening slowly in Google Chrome.

Version 10.0.0

New Features

This release supports the EDR 3 capabilities in Sophos Central (to be rolled out for Macs by September). Live Discover allows admins to use osquery to search the device data across their estate to answer almost any question they can think of. Live Response allows admins to start an interactive session to a remote device.

This version supports macOS 10.13 and later.

Updated Components

The threat detection engine version is 3.79.0.

Resolved issues

Resolved issues for this release.
Issue ID | Description
MACEP-4232 | Improved battery life when performing on-demand scans.
MACEP-5178 | Resolved an issue when connecting devices lacking vendor, product or serial information.

Version 9.9.8

Resolved issues

Resolved issues for this release.
Issue ID | Description
MACEP-4973 | Resolved blank captive portal.

Version 9.9.6

This release contains performance improvements.

Resolved issues

Resolved issues for this release.
Issue ID | Description
MACEP-4600 | Improved memory usage when Threat Case creation is enabled.
MACEP-4602 | Resolved an issue with modified permissions on the man8 directory when using disk encryption.
MACEP-4493 | Resolved an intermittent failure where web pages may fail to load.
MACEP-4606 | Improved support for macOS 10.15 Catalina when using MDM profiles.

Version 9.9.5

New features

  • This release contains improved support for macOS 10.15 Catalina.
  • This release contains stability improvements.

Resolved issues

Resolved issues for this release.
Issue ID | Description
MACEP-4456 | Users can now copy paths from the Events panel.

Version 9.9.4

New features

  • This release contains support for macOS 10.15 Catalina.
  • This release contains security and performance improvements.

Updated components

The threat detection engine version is 3.77.1.

Resolved issues

Resolved issues for this release.
Issue ID | Description
MACEP-4414 | Resolved an intermittent issue on macOS 10.14 Mojave where the Captive Network Assistant page could fail to load.
MACEP-4410 | Addressed CVE-2020-10947.