I have written a Configuration Profile to allow the Sophos KEXT. I am no longer asked to allow it manually after I reboot, but the Allow button is still showing in Security and Privacy. Is this correct? The user is verified in the Profiles section.
EICAR triggers, the Web Control is working. It would seem the KEXT has been allowed. I am confused by the allow button still being visible to the user.
I have had the same issue with Caldigit KEXT, but everything still works fine. I'm interested if anyone is having any functionality issues with this or if it's just a misfire or something from the GUI.
Thanks for the reply. I am running 10.9. The test machine has only been on 10.9. By that I mean it was built and enrolled in 10.9 and then had the Configuration Profile applied. It hasn’t been through any JAMF Pro updates.
Just a quick update. The KEXT is definitely approved. I opened up the Self Help in the Sophos Endpoint and watched the Kernel Extensions go from not loaded to loaded live in front of me. This is under the Services section. The Allow button was still visible. The output from KextPolicy prior to the Configuration Policy being added was:
sudo sqlite3 -header -csv /var/db/SystemPolicyConfiguration/KextPolicy "select * from kext_policy"
After the Configuration Profile was applied it is still the same. I believe the 0 should be a 1.
I have just clicked the Allow button and the Mac asked for a restart.
The output is now
I don't know what the last 1 means. On my personal Mac the output is
It would seem the Allow is there because the database says 0, but the KEXT is approved.
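Since the thread compares KextPolicy output before the profile, after the profile, and after clicking Allow, here is an added example (not code from the thread or from Sophos/Jamf) that parses the CSV produced by that sqlite3 command and diffs two snapshots, so the change in the allowed column can be spotted without reading the rows by eye. The column layout team_id, bundle_id, allowed, developer_name, flags is assumed here, and the sample rows, team IDs and bundle IDs are constructed placeholders.

```python
import csv
import io
import sqlite3
from typing import Dict, List, Tuple

# Assumed column layout of the kext_policy table (assumption, not taken from the thread).
KEXT_POLICY_COLUMNS = ("team_id", "bundle_id", "allowed", "developer_name", "flags")

# Constructed sample of what `sqlite3 -header -csv ... "select * from kext_policy"`
# prints before a profile is applied. Team IDs and bundle IDs are placeholders.
SAMPLE_CSV_BEFORE = """team_id,bundle_id,allowed,developer_name,flags
TEAMIDAAAA,com.example.av.kext,0,"Example AV Vendor",1
TEAMIDBBBB,com.example.dock.kext,1,"Example Dock Vendor",1
"""

# Constructed snapshot after the user clicked Allow: the AV row flips to allowed=1.
SAMPLE_CSV_AFTER = """team_id,bundle_id,allowed,developer_name,flags
TEAMIDAAAA,com.example.av.kext,1,"Example AV Vendor",1
TEAMIDBBBB,com.example.dock.kext,1,"Example Dock Vendor",1
"""


def parse_kext_policy_csv(text: str) -> List[Dict[str, object]]:
    """Parse sqlite3 -header -csv output of kext_policy into dicts.
    'allowed' and 'flags' become ints so callers can test them directly."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "team_id": row["team_id"],
            "bundle_id": row["bundle_id"],
            "allowed": int(row["allowed"]),
            "developer_name": row["developer_name"],
            "flags": int(row["flags"]),
        })
    return rows


def build_policy_db(rows: List[Dict[str, object]]) -> sqlite3.Connection:
    """Load parsed rows into an in-memory table with the assumed kext_policy
    schema, so queries can be tried without touching /var/db on a real Mac."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, allowed INTEGER, "
        "developer_name TEXT, flags INTEGER)"
    )
    conn.executemany(
        "INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)",
        [tuple(r[c] for c in KEXT_POLICY_COLUMNS) for r in rows],
    )
    conn.commit()
    return conn


def unapproved_kexts(conn: sqlite3.Connection) -> List[str]:
    """Bundle IDs whose allowed flag is 0: the rows the Security pane treats as
    still needing a user click."""
    cur = conn.execute("SELECT bundle_id FROM kext_policy WHERE allowed = 0 ORDER BY bundle_id")
    return [r[0] for r in cur.fetchall()]


def is_approved(conn: sqlite3.Connection, team_id: str, bundle_id: str) -> bool:
    """True only if a row exists for this team/bundle pair and allowed == 1."""
    cur = conn.execute(
        "SELECT allowed FROM kext_policy WHERE team_id = ? AND bundle_id = ?",
        (team_id, bundle_id),
    )
    row = cur.fetchone()
    return bool(row and row[0] == 1)


def approval_changes(before_csv: str, after_csv: str) -> List[Tuple[str, str, int, int]]:
    """Diff two snapshots; return (team_id, bundle_id, old_allowed, new_allowed)
    for every row whose allowed value changed. Rows present in only one
    snapshot are reported with -1 on the missing side."""
    def index(text: str) -> Dict[Tuple[str, str], int]:
        return {(r["team_id"], r["bundle_id"]): r["allowed"] for r in parse_kext_policy_csv(text)}

    before, after = index(before_csv), index(after_csv)
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, -1), after.get(key, -1)
        if old != new:
            changes.append((key[0], key[1], old, new))
    return changes


if __name__ == "__main__":
    conn = build_policy_db(parse_kext_policy_csv(SAMPLE_CSV_BEFORE))
    print("still unapproved:", unapproved_kexts(conn))
    print("changes after Allow:", approval_changes(SAMPLE_CSV_BEFORE, SAMPLE_CSV_AFTER))
```

On a real machine, paste the output of the sqlite3 command from the thread into the two snapshot strings. The kext_policy table only records user approvals from the Security pane; team identifiers pushed by an MDM profile are stored in the separate kext_policy_mdm table in the same database, so a kext can load via the profile while its kext_policy row still reads 0, and "select * from kext_policy_mdm" is the query to check when the two disagree.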
@bazcurtis The Sophos installation must happen after the approved kext list has been installed. It will otherwise fail (or certain components will fail).
Base the Sophos installation on a smart group based on the "Approved Kext" list existing (for example, smart group criteria: Profile name has 'approved kext list name').
@tjhall That is not what I am seeing. I installed the Sophos Central Endpoint. I rebooted a few times to check I was still prompted to allow the kext. I applied the Configuration Policy. The Endpoint was good and healthy. The issue is, the Security and Preference pane would lead you to believe the kext is not approved and so would the database, but the Endpoint is working.
Yes, I had the same issue before I changed my Sophos install method.
Sophos installed but either complains about the kexts needing approval or that it's not running properly.
After restart the kext will appear to be approved but the actual problem is that Sophos failed during installation and will need to be deleted and re-installed to work properly.
The only way I got it working properly is to base the Sophos installation on a smart group which checks that the kext list already exists. Once the approved list is present on the Mac first, the Sophos installation works properly.
Any chance that computer was wiped, and before doing so it may have been manually approved?
Not sure you can whitelist something that was previously approved by a user. Just a thought.
@tjhall @tnielsen @donmontalvo That is very odd. The installation is working fine for me. I have never seen the Sophos installer fail. I am happy the kext loads. I am about to try it again with a fresh Mojave build to see what it does. I have checked that I have no previous kexts installed.
This is what I am seeing: KEXT Approved
Need to jump on a train in a bit so try this:
Create a new smart group called "Sophos - Approve Kext - Exists". The smart group criteria: "Profile name" has "Sophos - Approve Kext". You can also add: And "Application title" is not "Sophos Endpoint.app".
Find your existing Sophos installation policy; change the scope from what it's currently set to and change it to "Specific Computers", 'Computer Group' and select "Sophos - Approve Kext - Exists".
As mentioned, this only works for new installations, it won't fix what's already installed.
If it's already messed up it's better to remove Sophos first and let the policy do its thing (it will automatically install on any Mac which has the approved kext list but hasn't got Sophos).
@donmezzetti Thanks for the reply. I have erased the boot drive and re-installed 10.14.2. Then installed Sophos. Kext is not approved as the Endpoint shows red. I add the Configuration Profile and the Endpoint goes healthy. It is the GUI that seems to be wrong, not the end result. I am going to try it with Fusion in my next test before I try Sophos again.
As I mentioned...
If you install Sophos first it will complain (kext needs to be pre-approved to be running).
If you then install the config it will appear to work (after restart).
But... I've seen multiple instances where Sophos does not run as intended and then requires a re-install (because the Sophos installation looks like it has installed but it hasn't installed correctly due to the kext not being pre-approved).
The only way to automate is to install the kext approval first, then Sophos.
@tjhall and @donmezzetti thanks for the feedback. That is good information. I also assume that as the KEXT is pre-approved the Allow button never shows up. I believe pre-macOS 10.14.1 there was a bug which would not load additional kexts from the same developer if one was already approved. But Apple has fixed this. I will install on Monday with the KEXT pre-approved. It does seem nicer to approve in advance. I will also test it with VMware Fusion.
It will be interesting to see if my kextpolicy returns a different result. Thanks again.
@tjhall So I finally got some time today to test this out on two machines - one with on-prem Sophos already installed, and a brand new DEP machine. I uninstalled on-prem and deployed the config profile, then installed Sophos Central. No approve box came up, so happy with that.
A colleague was then setting up a new machine through DEP, so I scoped the config profile to that one too, then installed on-prem Sophos and once again, no approve box and it's getting its updates. So far so good.
I have deployed it to more machines and will keep an eye on it as they get redeployed or set up from scratch.
We use Symantec Endpoint Protection on our campus. We do not use DEP, so everything has to be "done manually"... Would I do basically the same with SEP as you all did with Sophos to get the kext to not need to be approved?
Yea, definitely race condition hell, especially when your entire fleet has software that uses KEXT and now all of a sudden you've got to manage it...
System Extensions appear to continue the same. For example, found this on the Symantec KB site:
If macOS has already been upgraded to 10.15 with SEP installed, without taking precautions above, then remove and re-apply the JAMF configuration policy for Symantec. You must do this BEFORE the SEP GUI is opened for the first time after the macOS upgrade, otherwise you will get a warning about the extensions and they will be stuck in "awaiting user authorization". If the SEP client GUI has already been open and the extension warning displayed then removing/re-applying the configuration policy will not help. You will need to uninstall SEP by using the Uninstall command in the client's "Symantec Endpoint Protection" menu. Do not use RemoveSymantecMacfiles—it does not properly remove the new system extensions. Then re-install SEP and the configuration policy should be properly recognized.
Great ideas from Apple, but probably not vetted enough for real world enterprise.