Posted on 12-31-2018 03:05 AM
I have written a Configuration Profile to allow the Sophos KEXT to be allowed. I am no longer asked to allow it manually after I reboot, but the allow button is still showing in Security and Privacy, is this correct? The user is verified in the Profiles section.
EICAR triggers, the Web Control is working. It would seem the KEXT has been allowed. I am confused by the allow button still being visible to the user.
Posted on 12-31-2018 12:36 PM
I have had the same issue with Caldigit KEXT, but everything still works fine. I'm interested if anyone is having any functionality issues with this or if it's just a misfire or something from the GUI.
Posted on 12-31-2018 12:48 PM
Jamf Pro 10.9 addresses the race condition:
Posted on 01-01-2019 11:59 AM
Thanks for the reply. I am running 10.9. The test machine has only been on 10.9. By that I mean it was built and enrolled in 10.9 and then had the Configuration Profile applied. It hasn’t been through any JAMF Pro updates.
Posted on 01-02-2019 05:57 AM
Just a quick update. The KEXT is definitely approved. I opened up the Self Help in the Sophos Endpoint and watched the Kernel Extensions go from not loaded to load live in front of me. This is under the Services section. The allow button was still visible. The output from KextPolicy prior to the Configuration Policy being added was:
sudo sqlite3 -header -csv /var/db/SystemPolicyConfiguration/KextPolicy "select * from kext_policy"
After the Configuration Profile was applied it is still the same. I believe the 0 should be a 1.
I have just clicked the Allow button and the Mac asked for a restart.
The output is now
I don't know what the last 1 means. On my personal Mac the output is
It would seem the Allow is their because the database says 0, but the KEXT is approved.
Posted on 01-02-2019 06:37 AM
@bazcurtis The Sophos installation must happen after the approved kext list has been installed. It will otherwise fail )or certain components will fail.
Base the Sophos installation on a smart group based on the "Approved Kext" list exists (for example smartgroup criteria; Profile name has 'approved kext list name'.
Posted on 01-02-2019 06:56 AM
@tjhall That is not what I am seeing. I installed the Sophos Central Endpoint. I rebooted a few times to check I was still prompted to allow the kext. I applied the Configuration Policy. The Endpoint was good and healthy. The issue is, the Security and Preference pane would lead you to believe the kext is not approved and so would the database, but the Endpoint is working.
Posted on 01-02-2019 07:11 AM
Yes, I had the same issue before I changed my Sophos install method.
Sophos installed but either complains about the kexts needing approval or that it's not running properly.
After restart the kext will appear to be approved but the actual problem is that Sophos failed during installation and will need to be deleted and re-installed to work properly.
The only way I got it working properly is to base the Sophos installation on a smart group which checks that the kext list already exists. Once the approved list is present on the Mac first; the the Sophos installtion works properly.
Posted on 01-02-2019 07:14 AM
Same here. It loads the kexts but it still shows up in the UI as needing to be allowed.
Posted on 01-02-2019 07:24 AM
Any chance that computer was wiped, and before doing so it may have been manually approved?
Not sure you can whitelist something that was previously approved by a user. Just a thought.
Posted on 01-02-2019 07:41 AM
@thall @tnielsen @donmontalvo That is very odd. The installation is working fine for me. I have never seen the Sophos installer fail. I am happy the kext loads. I am about to try it again with a fresh Mojave build to see what it does. I have checked that I have no previous kexts installed.
This is what I am seeing KEXT Approved
Posted on 01-02-2019 07:45 AM
@bazcurtis That's the one I used to get too.
Sophos installs ok but due to the fact that the approved kext list isn't present it doesn't install correctly and Sophos reported errors.
Change it so the Sophos install is based on a "Sophos - Approve Kext" exists smartgroup and it works.
Posted on 01-02-2019 07:52 AM
Posted on 01-02-2019 08:07 AM
Need to jump on a train in a bit so try this;
Create a new smart group called "Sophos - Approve Kext - Exists". The smartgroup criteria; "Profile name" has "Sophos - Approve Kext". You can also add; 'And "Application title" is not Sophos Endpoint.app
Find you existing Sophos installation policy; change the scope from what it's currently set to and change it to "Specific Computers", 'Computer Group' and select "Sophos - Approve Kext - Exists".
As mentioned, this only works for new installations, it won't fix what's already installed.
If it's already messed up it's better to remove Sophos first and let the policy do it's thing (It will automatically install on any Mac which has the approved kext list but hasn't got Sophos).
Posted on 01-02-2019 08:58 AM
@donmezzetti Thanks for the reply. I have erased the boot drive and re-install 10.14.2. Then installed Sophos. Kext is not approved as the Endpoint shows red. I add the Configuration Profile the Endpoint goes healthy. It is the GUI that seems to be wrong, not the end result. I am going to try it with Fusion in my next test before I try Sophos again.
Posted on 01-03-2019 04:48 AM
As I mentioned...
If you install Sophos first it will complain (kext needs to be pre-approved to be running).
If you then install the config it will appear to work (after restart).
But...I've seen multiple instances where Sophos does not run as intended and then requires a re-install (becuase the Sophos installation looks like it has installed but it hasn't installed correctly due to the kext not being pre-approved).
The only way to automate is to install the kext approval first, then Sophos.
Posted on 01-03-2019 05:53 AM
The only way to automate is to install the kext approval first, then Sophos.
That's it in a nutshell, confirmed by both Apple and Jamf. :)
Posted on 01-03-2019 12:13 PM
@tjhall and @donmezzetti thanks for the feedback. That is good information. I also assume that as the KEXT is pre-approved the Allow button never shows up. I believe pre macOS 10.14.1 there was a bug which would not load additional kexts from the same developer if one was already approved. But Apple has fixed this. I will install on Monday with the KEXT pre-approved. It does seem nicer to approve in advance. I will also test it with VMWare Fusion.
It will be interesting to see if my textpolicy returns a different result. Thanks again.
Posted on 08-07-2019 10:56 PM
@bazcurtis Did you have any luck with this? I am a little sceptical about the pre-approving, mainly because I don't understand how you can approve something that doesn't exist, but that's probably just a gap in my knowledge.
Posted on 08-08-2019 04:12 AM
@a.holley That's the whole point of pre-approved kexts. As an admin you define the presets of which applications can install kexts and pre-approve them.
Withtout doing you'll get security notifications every time applications with kext extensions are installed.
Posted on 08-21-2019 09:52 PM
@tjhall So I finally got some time today to test this out on two machines - one with on-prem Sophos already installed, and a brand new DEP machine. I uninstalled on-prem and deployed the config profile, then installed Sophos Central. No approve box came up, so happy with that.
A colleague was then setting up a new machine through DEP, so I scoped the config profile to that one too, then installed on-prem Sophos and once again, no approve box and it's getting it's updates. So far so good.
I have deployed it to more machines and will keep an eye on it as they get redeployed or set up from scratch.
Posted on 08-28-2019 05:14 PM
We use Symantec Endpoint Protection on our campus. We do not use DEP, so everything has to be "done manually"... Would I do basically the same with SEP as you all did with Sophos to get the kext to not need things to be approved?
Posted on 08-28-2019 06:17 PM
@kwoodard I imagine it would be exactly the same. It's got nothing to do with whether or not you use DEP, it's just a config profile.
Posted on 04-28-2020 08:27 AM
Need help regarding the same:
can anybody confirm if i am using the right KEXT (screenshot)
do i need to put kext before starting installation?
after installation is reboot must?
Posted on 04-29-2020 03:42 AM
@Rohitds14 Yes, the kect config needs to be in place before the Sophos installation. We based our Sophos installation on a smartgroup which checks if the kext config policy exists. If if does then the Sophos installation goes ahead.
Posted on 04-29-2020 04:21 AM
Yea, definitely race condition hell, especially when your entire fleet has software that uses KEXT and now all of a sudden you've got to manage it...
System Extensions appear to continue the same. For example, found this on the Symantec KB site:
Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15
If macOS has already been upgraded to 10.15 with SEP installed, without taking precautions above, then remove and re-apply the JAMF configuration policy for Symantec. You must do this BEFORE the SEP GUI is opened for the first time after the macOS upgrade, otherwise you will get a warning about the extensions and they will be stuck in "awaiting user authorization". If the SEP client GUI has already been open and the extension warning displayed then removing/re-applying the configuration policy will not help. You will need to uninstall SEP by using the Uninstall command in the client's "Symantec Endpoint Protection" menu. Do not use RemoveSymantecMacfiles—it does not properly remove the new system extensions. Then re-install SEP and the configuration policy should be properly recognized.
Great ideas from Apple, but probably not vetted enough for real world enterprise.