



Hey guys, hope you are all well coming up to Christmas. We have been having issues with Sophos popups on Big Sur. I have followed all the steps Sophos recommend but we still get the pop ups. I have attached our configs and the pop ups we're getting.

Do you have early access to v10.0.2? Any version prior to that is not compatible with macOS Big Sur. v10.0.2, I am hoping will become officially available early-mid January as we're having to hold back on deploying M1 based MacBooks.



See here for more information.


Good luck, it's still not approved as of last week. Suggest moving away from Sophos to any other vendor that truly cares. Big Sur has been out since November 12, 2020. It's now 1 day short of March and nothing...


v10.0.4 is the version that will support Big Sur, and I am told it is currently rolling out with the aim of being deployed to all customers by 4th March.


Hi all, So I went by the following article (https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/116397/sophos-mac-endpoint-how-to-configure-jamf-privacy-preferences-for-10-15-compatibility) pretty much the same process as @Jack.Turner and keep getting a failed status "In the payload (UUID: 818E57B3-AAB7-44DA-AD45-14BB4900FE12), the key 'CodeRequirement' has an invalid value."






Anyone else getting the same error message? Currently deploying this to Intel - Big Sur, with Sophos Endpoint on 10.0.4. Also erroring out for the M1s as well...


@G_Zirrak Did you separate the Kext Approvals, Privacy Policies, and Approved System Extensions into different profiles? I've only tested on a Big Sur M1 mac so far and it seems to be working (without the Kext approval profile since that is not possible on M1.)



Edit: Cannot get 10.0.0.4 working on an Intel Mac running Big Sur.


Hi,



I get most of it working on Intel, however, noticed 1 Mac not getting ScanD to start, any ideas?


Hi,
Sophos 10.0.4 seems to work on both Intel x86_64 and M1, however it still requires users to Allow ScanD in System Preferences > Security & Privacy


Hello,



Thanks for the heads up @SirSir I went ahead and separated the Kext Approvals, Privacy Policies, and Approved System Extensions to 3 different config profiles. I've scoped out the KEXT approval to OS's below Catalina and scoped out the System extensions to Catalina and Big Sur smart groups. Seems to be working for the most part, although not sure if I had manually check marked the boxes within the security & privacy settings before shooting these config profiles out.



@fredrik.virding I also noticed the same issue with not getting ScanD to start on one MacBook Pro. I have not tested a re-install of Sophos yet... But if you happen to find any resolutions/workarounds please let me/us know. Not seeing many Sophos Endpoint for Mac customers on here or any other community platforms... It would be great if we can all continue to communicate issues/resolutions on this thread, especially with M1 + Sophos. I truly appreciate everyone's time and efforts to assist.



Thanks,


Hi,



@jamfnc and @G_Zirrak ,



I located the ScanD, or what I'm 99% sure it is:
It was in /Applications/Sophos/Sophos Scan.app/Contents/MacOS/SophosScanD.app



I added it to my PPPC profile and gave it the correct access. From what I can tell from my 2 M1 test Macs, they both show it green and running.


Just on the above: the kext profile is installing on our M1 machines (11.2 and above). From the above error message, just check the code requirements for all the stuff you copied and pasted to make sure there are no special characters or spaces. I think when I copied them out the first time, one of the boxes didn't copy the "i" in identifier and I got the same message.
I am seeing something slightly different. When I go to System Preferences > Network, the Sophos web network extension is showing as not running, but in the application itself the service is showing as running.
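
The copy-paste failure described above (a dropped "i" in identifier, stray spaces or special characters) can be caught before upload by linting the CodeRequirement strings in the exported PPPC profile. This is an added example, not part of any post in this thread and not Sophos or Jamf code; the bundle IDs and team ID in the sample are constructed placeholders, and the keyword check is a heuristic, not a full requirement parser.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
# Tokens a code requirement expression can start with (heuristic, not a full parser).
STARTS = ("identifier ", "anchor ", "certificate ", "cert ", "info[",
          "entitlement[", "cdhash ", "(", "!")

def lint_requirement(req):
    """Return a list of problems found in one CodeRequirement value."""
    if not isinstance(req, str) or not req:
        return ["missing or not a string"]
    problems = []
    if req != req.strip() or "\n" in req or "\t" in req:
        problems.append("leading/trailing whitespace or embedded newline/tab")
    if not req.isascii():
        problems.append("non-ASCII character (smart quote or non-breaking space?)")
    if req.count('"') % 2:
        problems.append("unbalanced double quotes")
    if not req.strip().startswith(STARTS):
        problems.append("does not start with a requirement keyword (truncated paste?)")
    return problems

def lint_profile(data):
    """Yield (service, identifier, problems) for each flawed PPPC entry in a .mobileconfig."""
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                problems = lint_requirement(entry.get("CodeRequirement"))
                if problems:
                    yield service, entry.get("Identifier"), problems

# Constructed sample: bundle IDs and team ID are placeholders, not Sophos's real values.
GOOD = 'identifier "com.example.scand" and anchor apple generic and certificate leaf[subject.OU] = "ABCDE12345"'
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": TCC_PAYLOAD,
    "Services": {"SystemPolicyAllFiles": [
        {"Identifier": "com.example.scand", "IdentifierType": "bundleID", "CodeRequirement": GOOD},
        {"Identifier": "com.example.agent", "IdentifierType": "bundleID", "CodeRequirement": GOOD[1:]},
        {"Identifier": "com.example.ui", "IdentifierType": "bundleID",
         "CodeRequirement": GOOD.replace('"', "\u201c", 1) + " "},
    ]}}]})

if __name__ == "__main__":
    for service, ident, problems in lint_profile(SAMPLE):
        print(f"{service} / {ident}: {'; '.join(problems)}")
```

A signed .mobileconfig is CMS-wrapped and has to be unwrapped to its plain plist before `lint_profile` can read it.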


Sophos Endpoint is incredibly frustrating. I have followed their documentation to the letter, or as best one can given their screenshots and writing style. They took far too long to get it ready for Big Sur at all. Still no luck having it working on all Big Sur machines. Some work, some don't. Most common issue I have is services stopping or not starting at all, esp. scand and SophosEventMonitor.


According to Sophos, if you're upgrading from Catalina to Big Sur, Sophos will not operate properly. You have to uninstall Sophos, upgrade to Big Sur, and then re-install Sophos. And make sure that all of your PPPC/Extension/Kext profiles are on the machine BEFORE upgrading to Big Sur. I don't think this is intended behavior, but still very annoying.


@SirSir that's mind-blowing that Sophos has no better recommendation. Most of our users are standard users, so they couldn't uninstall Sophos even if we asked them to.


@cradice I agree! And with the tamper password and removing of the system extensions that requires turning off SIP in recovery, it's just not a possibility. We're staying on Catalina for another year until they can get this stuff figured out. Hopefully we can switch to another AV product in the next few years as Sophos continues to drop the ball.


Hi @fredrik.virding , would you be able to share a screenshot of the ScanD PPPC addition you created? I would greatly appreciate it.


It's far from ideal, but I am using a self-service policy that first uninstalls Sophos, and then updates to Big Sur. From there a separate policy that runs at user login (post-update) that triggers another policy, scoped to computers running Big Sur without Sophos installed, to re-install Sophos. In my limited testing, this worked for me. This allowed for the system extension profile for Sophos to exist before the Endpoint installation, which was originally creating the failures. Everything in pre-requisites showed green across the board afterward with this workflow, though.


Hi @cradice On my Intel + Big Sur test machine, which was previously upgraded from Catalina, I manually uninstalled Sophos using the Sophos uninstaller. From the Sophos Dashboard I got the uninstall password for the specific computer and disabled the tamper proof feature. After uninstallation, I did not delete any other Sophos extension/files from any library or system folders. I just did a restart, made sure the computer had the correct PPPC and System extensions before re-installing (I did not scope out Kernel extension for Big Sur). After re-install I still get the ScanD service not working. Other than the Sophos Uninstaller, was there another step I should've done for completely removing Sophos from the computer?


Hi @G_Zirrak ,



Something like this. This has worked for us on newly installed M1s with Big Sur, and Intel Macs with Big Sur.



More info coming about Catalina > Big Sur.


Thanks @fredrik.virding for sharing that screenshot. I pretty much created the same config profile using the PPPC Utility through GitHub last week. So far didn't find much luck with the additional PPPC, I even uninstalled Sophos and re-installed after making sure that all of my PPPC profiles were present before the re-install. I will be doing some more troubleshooting/testing this week...


Hi @G_Zirrak ,



I did some uninstall / reinstall too. I can update later with my results.


@G_Zirrak my workflow looks like this:



Self Service policy to upgrade to Big Sur:
First step: Script to uninstall Sophos



#!/bin/bash

# Remove Tamper Protection (path contains a space, so it must be quoted)
rm -R "/Library/Sophos Anti-Virus/product-info.plist"

# Remove and uninstall Sophos Endpoint (path contains a space, so it must be quoted)
"/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove


Second step: Script for macOSUpgrade.sh



Once the upgrade completes I have a policy that runs at login (which the user must do post install):



#!/bin/bash

## Jamf Recon
sudo jamf recon

## Take a break
sleep 10

## Trigger Sophos re-install policy
jamf policy -trigger reinstallSophos;

exit 0


This script runs a recon, which puts the computer in a smart group for computers on Big Sur that don't have Sophos installed - and then calls on another policy to re-install Sophos that is scoped to the aforementioned smart group. This last policy that re-installs Sophos performs an inventory update afterward as well to remove the computer from the group.



Configuration Profiles:
System Extensions - The two System Extensions necessary for Sophos/Big Sur scoped to computers on Big Sur. These should apply as soon as that first recon runs, which should make sure they are applied before Sophos is re-installed.



Kernel Extensions - One configuration profile scoped to Catalina and earlier computers that has "allow standard users to approve kernel extensions" unchecked, and another scoped to Big Sur machines that has the checkbox enabled.


@SirSir



'According to Sophos, if you're upgrading from Catalina to Big Sur, Sophos will not operate properly. You have to uninstall Sophos, upgrade to Big Sur, and then re-install Sophos. And make sure that all of your PPPC/Extension/Kext profiles are on the machine BEFORE upgrading to Big Sur. I don't think this is intended behavior, but still very annoying.'



Is this documented anywhere? Been looking for it on the Sophos site but can't find it.


@agrant Wasn't documented, was in the comments of one of their documentation/forum posts from a Sophos employee.


For a new installation of Sophos on a Mac, Sophos needs to be allowed in the General tab of the Security & Privacy window. If Sophos needs to be re-installed on the same Mac, the process of allowing Sophos no longer needs to be repeated since the same allow process will be retained by the operating system.





Hi folks.



Made some progress. As pointed out by many here, upgrading does seem to break the ScanD specifically. Everything else is green in our environment.



With some clever scripting, we uninstall Sophos via Self Service and also the device entry in Sophos Cloud. After that, we restart the Mac and reinstall Sophos via Self Service.



This time, in System Preferences > Security & Privacy, there is an option to Approve 2 "nameless" items, most likely the SEXT's, once they are approved, the Mac is green again in Sophos. A very..annoying process, hopefully something that can be fixed by Sophos.

