Skip to main content

I have been doing some testing with Sophos for potential usage with my company. I cannot get it the installer install properly on any Mac I have Jamf installed. This is with the installer from Sophos Central and I am not running it through Jamf, but through the command line and/or with their GUI.



I can however use the same installer on a Mac without Jamf installed. The software itself installs fine and I have the proper Team ID for the KEXTs. The problem is when the software tries to reach out and register itself with Sophos Central.



I am working with their support team, but their logs only indicate that there is an issue with something cutting off the network connection to their servers. Its definitely not a firewall setting as when you remove Jamf from the equation, things work as they should, and for this device, Jamf is not affecting the firewall settings.



I looked through my configuration profiles and cannot determine what would be possibly blocking Sophos at the networking level.



Has anyone had this happen to them or know where to look to get more answers in solving this? I've started to dig in the Sophos and system logs myself to see what I can unravel.



The system logs don't really show anything useful except that the boostrap_look_up returned (ipc/send) invalid destination port.



It looks like the bootstrapper is able to pull down some code, but I do see a few errors in relation to "the connection to the service named com.sophos.common.servicemanager was invalidated." which stemmed from an issue with the xpc clienthelper in that there were errors in the XPS connection Handle. I'm just not sure how Jamf or what I have configured is getting in the way here.

Are the successful installations working on a brand new OOB machine ?



Do they work on a system that previously had jamf installed and then removed?



Are these machines / builds on the same network? Try excluding the profiles one by one from the jamf'd client?

Not much help, but the support team from Sophos is laughable when it comes to Apple knowledge. We actually moved away from Sophos because it was so bad.

Successful workstation was a reimaged non-DEP(no Jamf) MBP. When it had Jamf on it originally, I could not manually install Sophos.
(And of course it works on Windows 10 flawlessly but that is irrelevant here.)



All machines are on the same network. The MBP's admittedly are different, one a 13 (no Jamf, success) and one a 15" (Jamf, fail).



I also last night after I posted this, went one by one and excluded the profiles until I was left with the barebones MDM Profile and PPPC profile I couldn't get rid of. That didn't help, but that doesn't matter because I just removed Jamf from the failed machine, rebooted it, and the manual install still fails to register with Sophos Central when I installed it again after reboot. (The software always downloads and "installs" fine.)



We were and are exploring other protection options, but it would be nice to get this to work for a full evaluation.



I'm currently digging into other options in our "Gear" Settings in case there is something we intrinsically set that supersedes any configuration profile stuff...

@DFree since you mentioned imaging, how does a clean net recovery behave? You shouldn't be able to install if /Library permissions are of, but maybe check just in case?



Unfortunately I concur with @mismith223 similar issues at my previous org.



see my post here

@DFree Do you have anything setup in Restricted Software that's blocking Sophos?

I am actually doing an internet recovery to the latest Mojave on it right now, but that's what I did on it before. This mac is in DEP, so I'm hoping to keep it from loading Jamf on it, but that might not be possible.



Checking out your post in a few. Thx for the feedback.

@sshort Nope...we haven't done anything there quite yet, but I just doubled checked just in case and it indeed says "No Restricted Software Records"

I took this DEP machine out of DEP-preenroll...no Jamf on this mac. I just reimaged it from the internet recovery and did a manual install with Sophos. It fully installed just fine.



Definitely something changes when Jamf is installed. I thought it could have been a file/folder permissions issue similar to the other post, but there was a Sophos KB and I inspected the permissions on the 3 folders in their KB and they were all okay...yea kinda perplexing.

Hi @DFree - Any luck with Sophos on a DEP-preenroll machine? I'm seeing this with Catalina. I've taken off everything by excluding the test machines from configuration profiles and policies that they would normally get. The only config profiles left are the ones that the Jamf Pro server installs when it enrolls - Management, Nofication and the Certificate. I've then wiped the machine and done Internet Recovery - then rejoined to the domain and installed Sophos manually. I copied the whole ESCOSX folder from the Sophos Enterprise Console when I did the installation and then ran the installer from the local directory. I've followed the guide here https://community.sophos.com/kb/en-us/134552 and allowed the 6 items to to have Full Disk Access as well as allowing the System software from developer "Sophos" (the Kernel Extensions) on the General tab of Security & Privacy. But whilst it installs fine, I don't get the Auto-Update and other Preference settings populated



If I do the exact same steps on a machine that is given an Internet Recovery type wipe and rebuild and all the other steps but it's not in DEP so it doesn't get managed at all, it installs and then all the Update settings get populated.



Regards,



David

Reply


Terms & ConditionsCookie settings