Approved Kernel Extensions still asking to be allowed

bazcurtis
New Contributor III

Hi,

I have written a Configuration Profile to allow the Sophos KEXT to be allowed. I am no longer asked to allow it manually after I reboot, but the allow button is still showing in Security and Privacy, is this correct? The user is verified in the Profiles section.

EICAR triggers, the Web Control is working. It would seem the KEXT has been allowed. I am confused by the allow button still being visible to the user.

Best wishes

Michael

25 REPLIES 25

Sims_
Contributor

I have had the same issue with Caldigit KEXT, but everything still works fine. I'm interested if anyone is having any functionality issues with this or if it's just a misfire or something from the GUI.

donmontalvo
Esteemed Contributor III

Jamf Pro 10.9 addresses the race condition:

https://www.jamf.com/jamf-nation/discussions/30507/jamf-slays-the-dreaded-enrollment-race-condition-...

--
https://donmontalvo.com

bazcurtis
New Contributor III

Thanks for the reply. I am running 10.9. The test machine has only been on 10.9. By that I mean it was built and enrolled in 10.9 and then had the Configuration Profile applied. It hasn’t been through any JAMF Pro updates.

bazcurtis
New Contributor III

Just a quick update. The KEXT is definitely approved. I opened up the Self Help in the Sophos Endpoint and watched the Kernel Extensions go from not loaded to load live in front of me. This is under the Services section. The allow button was still visible. The output from KextPolicy prior to the Configuration Policy being added was:

sudo sqlite3 -header -csv /var/db/SystemPolicyConfiguration/KextPolicy "select * from kext_policy"
team_id,bundle_id,allowed,developer_name,flags
2H5GFH3774,com.sophos.nke.swi,0,Sophos,4
2H5GFH3774,com.sophos.driver.devctrl,0,Sophos,4
2H5GFH3774,com.sophos.kext.oas,0,Sophos,4
2H5GFH3774,com.sophos.kext.sfm,0,Sophos,4

After the Configuration Profile was applied it is still the same. I believe the 0 should be a 1.

I have just clicked the Allow button and the Mac asked for a restart.

The output is now

2H5GFH3774,com.sophos.nke.swi,1,Sophos,1
2H5GFH3774,com.sophos.driver.devctrl,1,Sophos,1
2H5GFH3774,com.sophos.kext.oas,1,Sophos,1
2H5GFH3774,com.sophos.kext.sfm,1,Sophos,1

I don't know what the last 1 means. On my personal Mac the output is

2H5GFH3774,com.sophos.kext.sfm,1,Sophos,8
2H5GFH3774,com.sophos.kext.oas,1,Sophos,8
2H5GFH3774,com.sophos.driver.devctrl,1,Sophos,8
2H5GFH3774,com.sophos.nke.swi,1,Sophos,8

It would seem the Allow is their because the database says 0, but the KEXT is approved.

tjhall
Contributor III

@bazcurtis The Sophos installation must happen after the approved kext list has been installed. It will otherwise fail )or certain components will fail.
Base the Sophos installation on a smart group based on the "Approved Kext" list exists (for example smartgroup criteria; Profile name has 'approved kext list name'.

bazcurtis
New Contributor III

@tjhall That is not what I am seeing. I installed the Sophos Central Endpoint. I rebooted a few times to check I was still prompted to allow the kext. I applied the Configuration Policy. The Endpoint was good and healthy. The issue is, the Security and Preference pane would lead you to believe the kext is not approved and so would the database, but the Endpoint is working.

tjhall
Contributor III

Yes, I had the same issue before I changed my Sophos install method.
Sophos installed but either complains about the kexts needing approval or that it's not running properly.

After restart the kext will appear to be approved but the actual problem is that Sophos failed during installation and will need to be deleted and re-installed to work properly.

The only way I got it working properly is to base the Sophos installation on a smart group which checks that the kext list already exists. Once the approved list is present on the Mac first; the the Sophos installtion works properly.

tnielsen
Valued Contributor

Same here. It loads the kexts but it still shows up in the UI as needing to be allowed.

donmontalvo
Esteemed Contributor III

Any chance that computer was wiped, and before doing so it may have been manually approved?

Not sure you can whitelist something that was previously approved by a user. Just a thought.

--
https://donmontalvo.com

bazcurtis
New Contributor III

@thall @tnielsen @donmontalvo That is very odd. The installation is working fine for me. I have never seen the Sophos installer fail. I am happy the kext loads. I am about to try it again with a fresh Mojave build to see what it does. I have checked that I have no previous kexts installed.

This is what I am seeing KEXT Approved

tjhall
Contributor III

@bazcurtis That's the one I used to get too.
Sophos installs ok but due to the fact that the approved kext list isn't present it doesn't install correctly and Sophos reported errors.

Change it so the Sophos install is based on a "Sophos - Approve Kext" exists smartgroup and it works.

bazcurtis
New Contributor III

@tjhall I'm not sure how to message you privately on here. Could you DM me Twitter @bazcurtis?

tjhall
Contributor III

Need to jump on a train in a bit so try this;

Create a new smart group called "Sophos - Approve Kext - Exists". The smartgroup criteria; "Profile name" has "Sophos - Approve Kext". You can also add; 'And "Application title" is not Sophos Endpoint.app

Find you existing Sophos installation policy; change the scope from what it's currently set to and change it to "Specific Computers", 'Computer Group' and select "Sophos - Approve Kext - Exists".

As mentioned, this only works for new installations, it won't fix what's already installed.
If it's already messed up it's better to remove Sophos first and let the policy do it's thing (It will automatically install on any Mac which has the approved kext list but hasn't got Sophos).

bazcurtis
New Contributor III

@donmezzetti Thanks for the reply. I have erased the boot drive and re-install 10.14.2. Then installed Sophos. Kext is not approved as the Endpoint shows red. I add the Configuration Profile the Endpoint goes healthy. It is the GUI that seems to be wrong, not the end result. I am going to try it with Fusion in my next test before I try Sophos again.

tjhall
Contributor III

As I mentioned...
If you install Sophos first it will complain (kext needs to be pre-approved to be running).
If you then install the config it will appear to work (after restart).

But...I've seen multiple instances where Sophos does not run as intended and then requires a re-install (becuase the Sophos installation looks like it has installed but it hasn't installed correctly due to the kext not being pre-approved).

The only way to automate is to install the kext approval first, then Sophos.

donmontalvo
Esteemed Contributor III

@tjhall wrote:

The only way to automate is to install the kext approval first, then Sophos.

That's it in a nutshell, confirmed by both Apple and Jamf. :)

--
https://donmontalvo.com

bazcurtis
New Contributor III

@tjhall and @donmezzetti thanks for the feedback. That is good information. I also assume that as the KEXT is pre-approved the Allow button never shows up. I believe pre macOS 10.14.1 there was a bug which would not load additional kexts from the same developer if one was already approved. But Apple has fixed this. I will install on Monday with the KEXT pre-approved. It does seem nicer to approve in advance. I will also test it with VMWare Fusion.

It will be interesting to see if my textpolicy returns a different result. Thanks again.

a_holley
Contributor

@bazcurtis Did you have any luck with this? I am a little sceptical about the pre-approving, mainly because I don't understand how you can approve something that doesn't exist, but that's probably just a gap in my knowledge.

tjhall
Contributor III

@a.holley That's the whole point of pre-approved kexts. As an admin you define the presets of which applications can install kexts and pre-approve them.
Withtout doing you'll get security notifications every time applications with kext extensions are installed.

a_holley
Contributor

@tjhall So I finally got some time today to test this out on two machines - one with on-prem Sophos already installed, and a brand new DEP machine. I uninstalled on-prem and deployed the config profile, then installed Sophos Central. No approve box came up, so happy with that.

A colleague was then setting up a new machine through DEP, so I scoped the config profile to that one too, then installed on-prem Sophos and once again, no approve box and it's getting it's updates. So far so good.

I have deployed it to more machines and will keep an eye on it as they get redeployed or set up from scratch.

kwoodard
Contributor III

We use Symantec Endpoint Protection on our campus. We do not use DEP, so everything has to be "done manually"... Would I do basically the same with SEP as you all did with Sophos to get the kext to not need things to be approved?

a_holley
Contributor

@kwoodard I imagine it would be exactly the same. It's got nothing to do with whether or not you use DEP, it's just a config profile.

Rohitds14
New Contributor III

Need help regarding the same:
can anybody confirm if i am using the right KEXT (screenshot)
do i need to put kext before starting installation?
after installation is reboot must?
7f9f74772560493fbd075b19ab85990d

tjhall
Contributor III

@Rohitds14 Yes, the kect config needs to be in place before the Sophos installation. We based our Sophos installation on a smartgroup which checks if the kext config policy exists. If if does then the Sophos installation goes ahead.

donmontalvo
Esteemed Contributor III

Yea, definitely race condition hell, especially when your entire fleet has software that uses KEXT and now all of a sudden you've got to manage it...

System Extensions appear to continue the same. For example, found this on the Symantec KB site:

Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15

If macOS has already been upgraded to 10.15 with SEP installed, without taking precautions above, then remove and re-apply the JAMF configuration policy for Symantec. You must do this BEFORE the SEP GUI is opened for the first time after the macOS upgrade, otherwise you will get a warning about the extensions and they will be stuck in "awaiting user authorization". If the SEP client GUI has already been open and the extension warning displayed then removing/re-applying the configuration policy will not help. You will need to uninstall SEP by using the Uninstall command in the client's "Symantec Endpoint Protection" menu. Do not use RemoveSymantecMacfiles—it does not properly remove the new system extensions. Then re-install SEP and the configuration policy should be properly recognized.

Great ideas from Apple, but probably not vetted enough for real world enterprise.

¯_(ツ)_/¯

--
https://donmontalvo.com