Hey guys, hope you are all well coming up to Christmas. We have been having issues with Sophos popups on Big Sur. I have followed all the steps Sophos recommend but we still get the pop ups. I have attached our configs and the pop ups we're getting.
@fredrik.virding Would you mind sharing the script?
Sure,
#!/bin/sh
## Clearing out all Sophos Directories
# Paths containing spaces are quoted so rm and sudo see one argument each
sudo rm -R "/Library/Sophos Anti-Virus/"
sudo rm -R "/Library/Application Support/Sophos/"
sudo rm -R /Library/Preferences/com.sophos.*
sudo rm /Library/LaunchDaemons/com.sophos.*
sudo rm /Library/LaunchAgents/com.sophos.*
sudo rm -R /Library/Extensions/Sophos*
sudo rm -R /Library/Caches/com.sophos.*
echo "Sophos Libraries Removed"
## Uninstalling Sophos
sudo "/Applications/Sophos/Remove Sophos Endpoint.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
sudo "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove
echo "Sophos was removed."
I run that, perform the upgrade to Big Sur, and reinstall via Self Service. However, more testing coming soon.
Hi Folks,
After some testing and several headaches, here is my current workflow, with a lot of help from the MacAdmins Slack. I now have a way to go from Catalina to Big Sur without breaking Sophos.
At first, we make sure the Mac is running 10.15.7. I have created a button in Self Service doing the following command, after some digging on the Apple forums and Slack.
#!/bin/bash
##
##
##
currentUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
echo "$currentUser is logged in"
# Quote the path: "Application Support" contains a space
PATH="$PATH:/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS"
# Run a fullscreen jamfHelper window and put it into the background
jamfHelper -windowType fs -fullScreenIcon "/System/Library/CoreServices/JavaLauncher.app/Contents/Resources/JavaLauncher.icns" -icon "/System/Library/CoreServices/JavaLauncher.app/Contents/Resources/JavaLauncher.icns" -heading "Preparing your Mac for Big Sur" -description "Please ensure the charger is connected and do not turn off your Mac" &
PID=$! # Get the pid of the jamfHelper command
#Remove software update restriction
sudo /usr/sbin/softwareupdate --reset-ignored
#Write to update plist
sudo /usr/bin/defaults write /Library/Preferences/com.apple.commerce.plist LastRecommendedMajorOSBundleIdentifier "com.apple.InstallAssistant.macOSBigSur"
sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist LastRecommendedMajorOSBundleIdentifier "com.apple.InstallAssistant.macOSBigSur"
#Creating receipt to get System Extensions and Network Proxy
sudo touch "/Library/Application Support/JAMF/Receipts/bigsurrequested.pkg"
#Final Recon to update Jamf
sudo /usr/local/jamf/bin/jamf recon
# Wait one minute (plain seconds work with every sleep implementation)
sleep 60
#kill JamfHelper FS Window
kill "$PID"
echo "JamfHelper Killed"
Forcing the recon just to ensure it all checks in.
Once done, I have a Smart Group checking for the receipt, which starts to download the installer via softwareupdate --fetch-full-installer.
Once done, if the User is admin, the app can start and they can begin upgrading right away. If not admin, the installer App quits right away, and they go via Self Service instead.
@G_Zirrak did you ever get this to work? I'm having the same issue where ScanD is stopped on my M1 and I'm having issues even with creating the PPPC profile for all files for ScanD. I am going to wipe the M1 clean and try again tomorrow but just wondering if you had any success.
@sintichn I've been doing some more testing these past couple of days and unfortunately, have not succeeded... What I have done is uninstalled the client's current Sophos install using @fredrik.virding's script above. Before installing a new version of Sophos I ensured that the computer had the proper System extensions (KEXT for Macs below Big Sur) and PPPC settings from Sophos's documentation. I had also created a separate PPPC for the ScanD setting using the PPPC Utility from GitHub. Next I installed the newest version of Sophos which I guess is 10.0.4... After a restart, I still get the ScanD stopped error on both M1 and Intel macOS Big Sur Macs. So pretty much ScanD is the issue we are facing.
I have not tested out a wipe and reinstall (re-image - antiquated term) with an install of Sophos on a clean OS. Even if that method works, it's not feasible to wipe and re-install the OS for our users on the spot. Although we don't have very many users on Big Sur currently with a restriction. But still, we shouldn't have to wipe-erase/reinstall the OS on users' computers just to make Sophos function... That does not seem like a viable solution.
Other than that, I have no other updates on my end. I'm going to maybe try creating a new Config profile, possibly on a clean image, and see what happens just like @sintichn. If that works then great, but what should we do with current M1/Big Sur users having issues with Sophos...?
I did some testing on machines that were already on Big Sur. I noticed that once you deploy all the PPPCs, system and network extensions, the Users saw a new thing in System Preferences > Security & Privacy > General.
At the bottom, if they click "Advanced", there were 2 blank boxes, and if they checked those and restarted, it seemed to work. Try that.
I think I found my issue. We had DEPNotify installing an old Sophos package upon setting up the M1. I wiped it and excluded it from the old Sophos policy and just had it install the new one. It works with no issues as of yet!
Thanks,
Nick
Hi @fredrik.virding Totally understand with having users check marking the 2 boxes from within system preferences, security/privacy. The issue is our users don't have admin rights to unlock the settings in order to check mark the boxes... I want to be able to check mark those boxes through JAMF/MDM solution.
@sintichn I still haven't tried a wipe/erase, but will try that shortly and download the newest Sophos package from the Sophos Central dashboard. But do you still need to check mark the ScanD and the other feature from system preferences, security/privacy?
I know what you mean. Had the same issues on my end. I think the best move forward is to pre-load all System Extensions and such before allowing Users to upgrade.
I did so with a "Prepare my mac" policy, which basically added the System Extensions, Network Extensions and such, ran a recon, then allowed the Users to get the Big Sur downloader. So far, that has worked fine.
@SirSir Is this still the case?
According to Sophos, if you're upgrading from Catalina to Big Sur, Sophos will not operate properly. You have to uninstall Sophos, upgrade to Big Sur, and then re-install Sophos. And make sure that all of your PPPC/Extension/Kext profiles are on the machine BEFORE upgrading to Big Sur. I don't think this is intended behavior, but still very annoying.
Why do the Sophos instructions say "Please ensure that 'Allow users to approve kernel extensions' is unchecked."? If we check the box is it going to break things?
I know that the KEXTs are not required for M1 Macs but how about Intel Macs running Big Sur? Or are you only scoping the KEXTs to Catalina and older macOS versions?
@MrRoboto you sure you don't need the kext profiles for Sophos on M1 machines? All the setup guides I saw still required them. They haven't released the universal app version of the client yet, so it's just the Intel version running under Rosetta. The kext profiles install on Big Sur 11.2 and higher.
@SCCM I'm still testing so not certain at this point. So far Sophos installs okay and is not prompting or showing any errors. In my testing with other KEXTs on M1 Macs the profile would not install and give an error in Jamf. To successfully install I had to lower the security settings on the M1 Mac. Even so the KEXT profile would not install immediately after computer enrollment, but after a couple reboots it would. Related to PI-009052.
So, no basically it no longer gives those boxes as options since it's all included in the config profile that I made for it.
Could you share your settings with us, please?
We are still stuck at the point, where our users have to tick both of those boxes...
I have recently changed jobs and just finished battling with Sophos again. Thanks to the final trick listed here to whitelist scand it is looking ok on both Catalina and Big Sur for Intel.
Note: The above article suggests using com.sophos.endpoint.scan however more typically I would have thought you use the BundleID for the relevant 'app' which in this case in its info.plist says it is just com.sophos.scan and that worked for me.
Since yet again Sophos' own articles are clearly out of date as they do not list this entry I have lost all confidence over what their website says. Can I ask the community here to confirm what the latest situation is regarding Sophos and M1 Mac support?
Is it that the same Big Sur version 'just works' but is Intel code running via Rosetta2, or is the latest 10.0.4 Sophos a universal binary suitable for both Intel and M1 Macs?
Do people here regard it as fit to use on M1 Macs?
Finally is the Catalina to Big Sur upgrade issue still present if the Catalina Mac is running 10.0.4 of Sophos? Do we still have to jump through hoops to first uninstall it before reinstalling it?
Hi all, we have recently been dealing with other issues that Sophos has caused in our environment. Recently, it seems that Sophos is affecting our Cisco Jabber (soft phone) application. Affecting macOS versions Mojave, Catalina, Big Sur... Although this should be in another thread itself, but if anyone has Cisco Jabber and Sophos in their environments please let me know.
Sophos support has asked to test out a new (Early Access Program). We are in the process of getting internal approval to join the EAP. Once approved, I will be testing out all issues discussed in this thread and can share with all at a later point.
@G_Zirrak I was asked to join the M1 EAP for another issue I have open. There is not much difference in the live version and EAP. I don't see how it would help you in an app issue. Did they actually look at the logs on the devices to see what was causing the issue? It sounds like you would need to apply some kind of policy fix?
@fredrik.virding your
I located the ScanD, or what I'm 99% sure it is:
It was in /Applications/Sophos/Sophos Scan.app/Contents/MacOS/SophosScanD.app
did the job for me. amazing stuff :-)
So I used the Sophos article mentioned many times, still getting the ScanD stopped. Used Jamf's PPPC util to get the SophosScanD.app full disk access and deployed that and all worked on a clean build.
I also made sure the profiles were deployed well before Sophos by making it the last install in a long chain.
Glad I don't work with Sophos every day!
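The Full Disk Access profile that several posts above describe building with the PPPC Utility, as an added example that is not from the thread, Sophos or Jamf: it writes the TCC payload for the bundle ID reported to work (com.sophos.scan) and refuses a code requirement that does not pin a signing Team ID. The org prefix, function names and the sample requirement are assumptions; the real requirement comes from running `codesign -dr -` against SophosScanD.app on a Mac with Sophos installed.

```python
import plistlib
import re
import uuid

# Bundle ID the thread reports working for SophosScanD (from its Info.plist).
SCAND_BUNDLE_ID = "com.sophos.scan"

def check_requirement(bundle_id: str, requirement: str) -> None:
    """Reject requirements loose enough to match code from any signer."""
    if f'identifier "{bundle_id}"' not in requirement:
        raise ValueError("requirement does not name the bundle ID")
    if not re.search(r'certificate leaf\[subject\.OU\] = "[A-Z0-9]{10}"', requirement):
        raise ValueError("requirement does not pin a signing Team ID")

def build_fda_profile(bundle_id: str, requirement: str, org: str) -> bytes:
    """Return a .mobileconfig granting Full Disk Access to one signed app."""
    check_requirement(bundle_id, requirement)
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{org}.pppc.{bundle_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": {
            "SystemPolicyAllFiles": [{   # "Full Disk Access" in the UI
                "Identifier": bundle_id,
                "IdentifierType": "bundleID",
                "CodeRequirement": requirement,
                "Allowed": True,
            }]
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": f"Full Disk Access: {bundle_id}",
        "PayloadIdentifier": f"{org}.pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [tcc_payload],
    }
    return plistlib.dumps(profile)

# Constructed sample: TEAMID0000 is a placeholder, not Sophos's Team ID.
SAMPLE_REQUIREMENT = ('identifier "com.sophos.scan" and anchor apple generic and '
                      'certificate leaf[subject.OU] = "TEAMID0000"')

if __name__ == "__main__":
    with open("sophos-scand-fda.mobileconfig", "wb") as fh:
        fh.write(build_fda_profile(SCAND_BUNDLE_ID, SAMPLE_REQUIREMENT, "com.example"))
```

macOS only honours this payload when the profile arrives from MDM, so upload the file to Jamf and scope it ahead of the Sophos install, as the posts above do.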