
Hi Guys

Got an issue where Sophos is prompting for full disk access, we have created a profile and pushed it out to myself as a test user but I still get this pesky end result pop up.

See attached screenshots of a profile created based on KB from Sophos https://community.sophos.com/kb/en-us/134686

@jonathan.rudge Haven't run into issues with Sophos and PPPC on my Catalina test clients. Have you tried creating the profile using the PPPC Utility?


During the Catalina betas I didn't have any issues with Sophos, now I can't get it to update virus definitions. I have the PPPC whitelist profile and kext whitelist profile for Sophos install in a PreStage so it's in place before the Sophos pkg is installed. I'm not seeing the request for full disk access when it's run in that order, so I'm good on that front.

However -- I cannot get Sophos to update virus definitions, even following the article you link to. My org hasn't deployed Catalina yet, so I'm still testing and will probably open a ticket with Sophos if I can't get this resolved soon.


@jonathan.rudge We're getting the exact same issue with the pop-up. Sophos is allowing itself to update fine, and can perform scans, but it's like it's not recognising that the requirements of the pop-up message are satisfied. I guess it's good to know others are experiencing this, too, and not just us going crazy :)


I don't see an entry for com.sophos.SDU4OSX in your profile

That was a new one that came in with 9.9.5 that was not on the Sophos doc in the run up to Catalina's release.


I am in the same boat. I've followed the PPPC details on the Sophos KB article and the popup still appears. Has anyone had success suppressing the Sophos popup window? Anyone identified how to trigger it to appear? I may resort to calling their support or make my own profile using the PPPC Utility.


@maxmaxmaxmaxmax We also had that one missing, but have since added it, sadly to no effect. The pop-up still appears after around an hour.


@maxmaxmaxmaxmax I'll try it but I don't hold out much hope...


I honestly don't think the Sophos UI is picking up the config profile, scans, diagnostics and updates all work, so the tasks are allowed, but the message is still popping up. I've added every Sophos related app and still not been able to suppress this message. I think we need a fix from Sophos, as all I can think is that the SophosUIServer doesn't look at the config profile.


Same here, have all the settings they ask for here and still have the pop up


I can confirm I'm getting that prompt even after following the Sophos doc. Not sure why things appeared to initially work but hey-ho it's there :(


Not sure this will help, but we had the same problem with Full disk scan for Apex One Trend Micro and we ran into the same problem having created a profile using PPPC Utility. One of my colleagues then changed the IDENTIFIER path in the Privacy Preferences Policy Control to the path of the iCoreService which Trend requires to /Library/Application Support/TrendMicro/TmccMac/iCoreService and that fixed the problem. So it might be worth changing the identifier to the PATH and see if that helps.


I tried to switch my profile to path as the identifier and had no luck. I have a case open with Sophos but they are asking me stupid questions via email vs. calling me. "Is your computer turned on?" "Are you on Catalina?" derp
Anyone else have any luck?


The pop up that comes up is not the most user-friendly and descriptive window. While some users are familiar with dragging something into the Applications folder, it is not overtly obvious to drag the icon from that popup window into the Full Disk Access portion of the Security Preferences. The support page does go through that step but multiple users have been perplexed before I explained what needed to be done.


Sophos support response:

Hello (insert name here),

As the profile settings more apply to Catalina than Mojave in my opinion, why not move to Catalina first, then apply the profile settings with the Sophos installation? Sophos is not recommended to be installed during machine OS upgrades to avoid any issues.

"Sophos is not recommended to be installed during machine OS upgrades to avoid any issues." OMG! Are they really expecting that an enterprise environment remove AV before upgrading, then re-install after? Also in response to this I did a fresh install of Catalina, sent my configuration profile and installed the latest Sophos client. Pop-up still occurs. Looking in Security and Privacy I am not seeing any new items added to "Full Disk Access" so I must be fulfilling the requirements for the application yet the pop-up still occurs. I am now suspecting that Sophos is not checking the system properly and recognizing that the Security and Privacy settings are applied via MDM. I think we may be at the mercy of waiting for them to release an update to the client that can recognize MDM applied settings.


Sophos Support to the rescue! kinda

Article acknowledging the issue with resolution:
https://community.sophos.com/kb/en-us/134833

Depending on if you are on a "cloud" product or "on prem" product the release dates differ.
If I recall correctly, cloud customers will see this in December.
On prem can adjust their update channel ("Recommended" will see this update in January, "Preview" may see it around November 26th).
https://community.sophos.com/kb/en-us/120189


https://community.sophos.com/kb/en-us/134833


Sophos article above is no longer valid. We are seeing this prompt also on Catalina. Has anyone seen a fix?


OK so I don’t have anything Sophos specific, BUT, I am playing the same game with Symantec Endpoint Protection in Catalina.

Strangely enough, with the help of another Jamf admin on here @NoahRJ he got it to deploy and dealt with the full disk access issues (not working despite a working PPPC profile).

Check out his script here...To give context we have kernel extensions and system extensions to contend with:

https://www.jamf.com/jamf-nation/discussions/33964/how-to-system-extension-in-macos

Check it out, it’s obviously not Sophos specific but given you are dealing with endpoint protection products, you may be encountering the same type of stuff...specifically the script he had to run after Symantec was installed was the magic that worked for me.


No matter how many changes I've made using articles from Sophos and from Jamf Nation, I still get the pop up that I need to allow Sophos in Security & Privacy. see below :(


@Veronica.Lozano That message is the Sophos Kext file. Have you put in an approved Kext configuration profile that is installed before Sophos installs? We use Sophos cloud here and it works fine as long as we have the Approved Kext configuration applied along with the PPPC configuration before Sophos installs.


We are under pressure to start upgrading to 10.15 soon, and I haven't yet had to build a PPPC config, so I'm jumping in the deep end with this one. Has anyone had any luck with this?


I've actually been trying to sort this out over the last week or so. I was able to follow some of the posted links and sort through what all is needed to get Sophos to install without prompting for the user to do anything.

I don't actually use JAMF, but wanted to post the relevant info for anyone still having this issue.

There are three things that are needed:
1. Whitelist the Kernel Extension
2. Whitelist the System Extensions
3. Create PPPC Profile

  • Whitelist The Kernel Extension
    You should be able to create a new profile to add a Kernel Extension. I didn't end up doing just the extension, I whitelisted the Team ID for Sophos (Team ID: 2H5GFH3774)

  • Whitelist the System Extensions
    You should be able to create a profile and list various extensions with the Team ID that you want to whitelist.

Sophos Team ID: 2H5GFH3774

com.sophos.SDU4OSX
com.sophos.autoupdate
com.sophos.macendpoint.CleanD
com.sophos.SophosScanAgent
com.sophos.macendpoint.SophosServiceManager
com.sophos.endpoint.uiserver

  • Create PPPC Profile
    Create a new PPPC profile. You will want to give the above extensions access to the file provider, or Full Disk Access (if that is an option for you). I ended up using the PPPC Manager from GitHub to generate the necessary information.

There wasn't an easy way to format this so I just put it in a Pastebin link. The link has the Identifier as well as the Bundle ID code.

https://pastebin.com/DhZH850u

Hopefully this actually manages to help someone else out.
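
An added example, not part of the post above and not Sophos or Jamf tooling: a check that a PPPC profile's Full Disk Access (`SystemPolicyAllFiles`) section contains an allowed entry for every bundle identifier listed in that post. The sample profile and its code-requirement strings are constructed for illustration.

```python
import plistlib

TEAM_ID = "2H5GFH3774"  # Sophos Team ID as given in the post
REQUIRED_IDS = [        # bundle identifiers listed in the post
    "com.sophos.SDU4OSX", "com.sophos.autoupdate",
    "com.sophos.macendpoint.CleanD", "com.sophos.SophosScanAgent",
    "com.sophos.macendpoint.SophosServiceManager",
    "com.sophos.endpoint.uiserver",
]
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # PPPC payload type

def audit_fda(profile_bytes, required=REQUIRED_IDS, team_id=TEAM_ID):
    """Return {identifier: problem} for required identifiers that are absent
    or unusable under SystemPolicyAllFiles (Full Disk Access)."""
    profile = plistlib.loads(profile_bytes)
    entries = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for e in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            entries[e.get("Identifier")] = e
    problems = {}
    for ident in required:
        e = entries.get(ident)
        if e is None:
            problems[ident] = "missing"
        elif not (e.get("Allowed") is True or e.get("Authorization") == "Allow"):
            problems[ident] = "not allowed"
        elif team_id not in e.get("CodeRequirement", ""):
            # Heuristic: the requirement should pin the vendor's Team ID.
            problems[ident] = "CodeRequirement lacks Team ID"
    return problems

def _entry(ident, allowed=True, team=TEAM_ID):
    # Constructed entry; the CodeRequirement is a simplified placeholder.
    req = f'identifier "{ident}" and certificate leaf[subject.OU] = "{team}"'
    return {"Identifier": ident, "IdentifierType": "bundleID",
            "Allowed": allowed, "CodeRequirement": req}

# Constructed sample: omits com.sophos.SDU4OSX and denies the UI server.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": TCC_TYPE,
    "Services": {"SystemPolicyAllFiles": [
        _entry("com.sophos.autoupdate"),
        _entry("com.sophos.macendpoint.CleanD"),
        _entry("com.sophos.SophosScanAgent"),
        _entry("com.sophos.macendpoint.SophosServiceManager"),
        _entry("com.sophos.endpoint.uiserver", allowed=False)]}}]})

if __name__ == "__main__":
    for ident, problem in audit_fda(SAMPLE).items():
        print(f"{ident}: {problem}")
```

This reads unsigned `.mobileconfig` exports only; a signed profile is CMS-wrapped and has to be unwrapped before `plistlib` can parse it.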


sophos link


Sophos released version 10.0.1 today and this has triggered a wave of issues with the Full Disk access required coming back and ignoring the settings in the profile pushed by JAMF with the PPPC which were working up to this point. Does anyone have any ideas? I have raised with Sophos but I am not going to hold my breath.


Over on the Sophos MacAdmins slack channel, someone mentioned that Sophos has two new identifiers that need to be added to your PPPC profile: com.sophos.liveresponse and SophosMDR.

Apparently this page has been updated even though it is dated from 2019:
Sophos