Posted on 12-31-2018 03:05 AM
Hi,
I have written a Configuration Profile to allow the Sophos KEXT. I am no longer asked to allow it manually after I reboot, but the Allow button is still showing in Security and Privacy. Is this correct? The user is verified in the Profiles section.
EICAR triggers, the Web Control is working. It would seem the KEXT has been allowed. I am confused by the allow button still being visible to the user.
Best wishes
Michael
Posted on 12-31-2018 12:36 PM
I have had the same issue with Caldigit KEXT, but everything still works fine. I'm interested if anyone is having any functionality issues with this or if it's just a misfire or something from the GUI.
Posted on 12-31-2018 12:48 PM
Jamf Pro 10.9 addresses the race condition:
Posted on 01-01-2019 11:59 AM
Thanks for the reply. I am running 10.9. The test machine has only been on 10.9. By that I mean it was built and enrolled in 10.9 and then had the Configuration Profile applied. It hasn’t been through any JAMF Pro updates.
Posted on 01-02-2019 05:57 AM
Just a quick update. The KEXT is definitely approved. I opened up the Self Help in the Sophos Endpoint and watched the Kernel Extensions go from not loaded to loaded live in front of me. This is under the Services section. The Allow button was still visible. The output from KextPolicy prior to the Configuration Profile being added was:
sudo sqlite3 -header -csv /var/db/SystemPolicyConfiguration/KextPolicy "select * from kext_policy"
team_id,bundle_id,allowed,developer_name,flags
2H5GFH3774,com.sophos.nke.swi,0,Sophos,4
2H5GFH3774,com.sophos.driver.devctrl,0,Sophos,4
2H5GFH3774,com.sophos.kext.oas,0,Sophos,4
2H5GFH3774,com.sophos.kext.sfm,0,Sophos,4
After the Configuration Profile was applied it is still the same. I believe the 0 should be a 1.
I have just clicked the Allow button and the Mac asked for a restart.
The output is now
2H5GFH3774,com.sophos.nke.swi,1,Sophos,1
2H5GFH3774,com.sophos.driver.devctrl,1,Sophos,1
2H5GFH3774,com.sophos.kext.oas,1,Sophos,1
2H5GFH3774,com.sophos.kext.sfm,1,Sophos,1
I don't know what the last 1 means. On my personal Mac the output is
2H5GFH3774,com.sophos.kext.sfm,1,Sophos,8
2H5GFH3774,com.sophos.kext.oas,1,Sophos,8
2H5GFH3774,com.sophos.driver.devctrl,1,Sophos,8
2H5GFH3774,com.sophos.nke.swi,1,Sophos,8
It would seem the Allow is there because the database says 0, but the KEXT is approved.
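An added example (not part of the original post) that scripts the check above instead of eyeballing the CSV. One caveat a practitioner would want here: the allowed column in kext_policy records approvals made by a user in Security & Privacy, while the allow list delivered by an MDM profile is recorded separately, in the kext_policy_mdm table of the same database, which is consistent with a profile-approved kext loading while kext_policy still says 0. The status function reads column positions from the CSV header, so the same function runs against either table. The sample CSV is constructed from the thread's output; the kext_policy_mdm column names (team_id, bundle_id, allowed) are an assumption; the meaning of the flags column is not decoded here.

```shell
#!/bin/sh
# Added example, not from the original post: check the allow state of the
# Sophos kexts in the KextPolicy database, using the same table and CSV dump
# shown in the thread.  Column positions are taken from the header row rather
# than hard-coded, so the same function also works on the kext_policy_mdm
# table, where MDM-delivered approvals are recorded (assumption: that table
# uses the same team_id/bundle_id/allowed column names).

KEXT_POLICY_DB=/var/db/SystemPolicyConfiguration/KextPolicy

# Dump a table as CSV with a header row, exactly as the thread does.
# TABLE is kext_policy (user approvals) or kext_policy_mdm (profile approvals).
dump_kext_policy() {
    sudo sqlite3 -header -csv "$KEXT_POLICY_DB" "select * from ${1:-kext_policy}"
}

# kext_policy_status CSV TEAM_ID BUNDLE_ID...
# Prints "<bundle_id> allowed|not-allowed|missing" for each expected bundle id.
# Returns 0 only when every expected bundle id has a row with allowed=1.
kext_policy_status() {
    csv=$1; team=$2; shift 2
    rc=0
    for bundle in "$@"; do
        state=$(printf '%s\n' "$csv" | awk -F, -v t="$team" -v b="$bundle" '
            NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
            $col["team_id"] == t && $col["bundle_id"] == b {
                print ($col["allowed"] == 1 ? "allowed" : "not-allowed")
                found = 1; exit
            }
            END { if (!found) print "missing" }')
        printf '%s %s\n' "$bundle" "$state"
        [ "$state" = allowed ] || rc=1
    done
    return $rc
}

# Constructed sample in the thread's format: one kext still at allowed=0, two
# approved, and one (sfm) with no row at all.
SAMPLE_CSV='team_id,bundle_id,allowed,developer_name,flags
2H5GFH3774,com.sophos.nke.swi,0,Sophos,4
2H5GFH3774,com.sophos.driver.devctrl,1,Sophos,1
2H5GFH3774,com.sophos.kext.oas,1,Sophos,1'

SOPHOS_TEAM=2H5GFH3774
SOPHOS_KEXTS="com.sophos.nke.swi com.sophos.driver.devctrl com.sophos.kext.oas com.sophos.kext.sfm"

# With --live, query both tables on the Mac for real (needs sudo); otherwise
# only the constructed sample is checked.
if [ "${1:-}" = "--live" ]; then
    for table in kext_policy kext_policy_mdm; do
        echo "== $table"
        kext_policy_status "$(dump_kext_policy "$table")" "$SOPHOS_TEAM" $SOPHOS_KEXTS \
            || echo "   (not every Sophos kext is allowed in $table)"
    done
else
    kext_policy_status "$SAMPLE_CSV" "$SOPHOS_TEAM" $SOPHOS_KEXTS \
        || echo "(not every Sophos kext is allowed in the sample)"
fi
```

On the Mac, `sudo sh kextcheck.sh --live` prints the state of each expected bundle ID in both tables. If a bundle ID is reported missing from kext_policy_mdm, check whether the profile allows the whole team (AllowedTeamIdentifiers) rather than listing bundle IDs before concluding the profile has not landed.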
Posted on 01-02-2019 06:37 AM
@bazcurtis The Sophos installation must happen after the approved kext list has been installed. It will otherwise fail (or certain components will fail).
Base the Sophos installation on a smart group that checks the "Approved Kext" list exists (for example, smart group criteria: Profile name has 'approved kext list name').
Posted on 01-02-2019 06:56 AM
@tjhall That is not what I am seeing. I installed the Sophos Central Endpoint. I rebooted a few times to check I was still prompted to allow the kext. I applied the Configuration Profile. The Endpoint was good and healthy. The issue is, the Security and Privacy pane would lead you to believe the kext is not approved and so would the database, but the Endpoint is working.
Posted on 01-02-2019 07:11 AM
Yes, I had the same issue before I changed my Sophos install method.
Sophos installed but either complains about the kexts needing approval or that it's not running properly.
After restart the kext will appear to be approved but the actual problem is that Sophos failed during installation and will need to be deleted and re-installed to work properly.
The only way I got it working properly is to base the Sophos installation on a smart group which checks that the kext list already exists. Once the approved list is present on the Mac first, the Sophos installation works properly.
Posted on 01-02-2019 07:14 AM
Same here. It loads the kexts but it still shows up in the UI as needing to be allowed.
Posted on 01-02-2019 07:24 AM
Any chance that computer was wiped, and before doing so it may have been manually approved?
Not sure you can whitelist something that was previously approved by a user. Just a thought.
Posted on 01-02-2019 07:41 AM
@tjhall @tnielsen @donmontalvo That is very odd. The installation is working fine for me. I have never seen the Sophos installer fail. I am happy the kext loads. I am about to try it again with a fresh Mojave build to see what it does. I have checked that I have no previous kexts installed.
This is what I am seeing: KEXT Approved
Posted on 01-02-2019 07:45 AM
@bazcurtis That's the one I used to get too.
Sophos installs OK, but because the approved kext list isn't present it doesn't install correctly and Sophos reports errors.
Change it so the Sophos install is based on a "Sophos - Approve Kext exists" smart group and it works.
Posted on 01-02-2019 07:52 AM
@tjhall I'm not sure how to message you privately on here. Could you DM me Twitter @bazcurtis?
Posted on 01-02-2019 08:07 AM
Need to jump on a train in a bit, so try this:
Create a new smart group called "Sophos - Approve Kext - Exists". The smart group criteria: "Profile name" has "Sophos - Approve Kext". You can also add: and "Application title" is not "Sophos Endpoint.app".
Find your existing Sophos installation policy; change the scope from what it's currently set to and change it to "Specific Computers", "Computer Group", and select "Sophos - Approve Kext - Exists".
As mentioned, this only works for new installations, it won't fix what's already installed.
If it's already messed up it's better to remove Sophos first and let the policy do its thing (it will automatically install on any Mac which has the approved kext list but hasn't got Sophos).
Posted on 01-02-2019 08:58 AM
@donmezzetti Thanks for the reply. I have erased the boot drive and re-installed 10.14.2. Then installed Sophos. Kext is not approved as the Endpoint shows red. I add the Configuration Profile and the Endpoint goes healthy. It is the GUI that seems to be wrong, not the end result. I am going to try it with Fusion in my next test before I try Sophos again.
Posted on 01-03-2019 04:48 AM
As I mentioned...
If you install Sophos first it will complain (kext needs to be pre-approved to be running).
If you then install the config it will appear to work (after restart).
But... I've seen multiple instances where Sophos does not run as intended and then requires a re-install (because the Sophos installation looks like it has installed but it hasn't installed correctly due to the kext not being pre-approved).
The only way to automate is to install the kext approval first, then Sophos.
Posted on 01-03-2019 05:53 AM
@tjhall wrote:
The only way to automate is to install the kext approval first, then Sophos.
That's it in a nutshell, confirmed by both Apple and Jamf. :)
Posted on 01-03-2019 12:13 PM
@tjhall and @donmezzetti thanks for the feedback. That is good information. I also assume that as the KEXT is pre-approved the Allow button never shows up. I believe pre macOS 10.14.1 there was a bug which would not load additional kexts from the same developer if one was already approved. But Apple has fixed this. I will install on Monday with the KEXT pre-approved. It does seem nicer to approve in advance. I will also test it with VMWare Fusion.
It will be interesting to see if my KextPolicy returns a different result. Thanks again.
Posted on 08-07-2019 10:56 PM
@bazcurtis Did you have any luck with this? I am a little sceptical about the pre-approving, mainly because I don't understand how you can approve something that doesn't exist, but that's probably just a gap in my knowledge.
Posted on 08-08-2019 04:12 AM
@a.holley That's the whole point of pre-approved kexts. As an admin you define the presets of which applications can install kexts and pre-approve them.
Without doing so you'll get security notifications every time applications with kext extensions are installed.
Posted on 08-21-2019 09:52 PM
@tjhall So I finally got some time today to test this out on two machines - one with on-prem Sophos already installed, and a brand new DEP machine. I uninstalled on-prem and deployed the config profile, then installed Sophos Central. No approve box came up, so happy with that.
A colleague was then setting up a new machine through DEP, so I scoped the config profile to that one too, then installed on-prem Sophos and once again, no approve box and it's getting its updates. So far so good.
I have deployed it to more machines and will keep an eye on it as they get redeployed or set up from scratch.
Posted on 08-28-2019 05:14 PM
We use Symantec Endpoint Protection on our campus. We do not use DEP, so everything has to be "done manually"... Would I do basically the same with SEP as you all did with Sophos to get the kext to not need things to be approved?
Posted on 08-28-2019 06:17 PM
@kwoodard I imagine it would be exactly the same. It's got nothing to do with whether or not you use DEP, it's just a config profile.
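As an added example (not from the thread, and not Sophos's or Jamf's own artifact) to make the pre-approval point from @tjhall's earlier replies concrete: the payload an MDM sends for this is com.apple.syspolicy.kernel-extension-policy, here carrying the team ID and bundle IDs quoted in the thread as its allow list. The script below writes that .mobileconfig; the payload keys are Apple's documented ones, while the PayloadIdentifier values and display name are made up for the example. The caveat relevant to @kwoodard's question: macOS only honours this payload when it arrives through an MDM enrollment the user has approved (DEP enrollments are approved automatically, a manual MDM enrollment needs the Approve click in Profiles); the same file installed by hand is ignored, so "it's just a config profile" holds only once the Mac is enrolled in MDM and that enrollment is user-approved.

```shell
#!/bin/sh
# Added example, not from the original thread or from Sophos/Jamf: emit a
# kernel-extension-policy configuration profile for the team ID and bundle IDs
# quoted in the thread.  Payload keys are Apple's documented
# com.apple.syspolicy.kernel-extension-policy keys; the identifiers under
# com.example and the display name are made up for this example.

# UUID for PayloadUUID; macOS has uuidgen, Linux may only have the /proc fallback.
gen_uuid() {
    uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

# kext_policy_profile TEAM_ID DISPLAY_NAME BUNDLE_ID...
# Prints the .mobileconfig XML to stdout.
kext_policy_profile() {
    team=$1; name=$2; shift 2
    bundles=""
    for b in "$@"; do
        bundles="$bundles
                    <string>$b</string>"
    done
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadDisplayName</key>
    <string>$name</string>
    <key>PayloadIdentifier</key>
    <string>com.example.kext-policy.$team</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadUUID</key>
    <string>$(gen_uuid)</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.syspolicy.kernel-extension-policy</string>
            <key>PayloadIdentifier</key>
            <string>com.example.kext-policy.$team.payload</string>
            <key>PayloadUUID</key>
            <string>$(gen_uuid)</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <!-- false: users cannot approve kexts outside this list (least
                 privilege).  Set true if other vendors' kexts must still be
                 approvable by the user. -->
            <key>AllowUserOverrides</key>
            <false/>
            <!-- Explicit bundle IDs under the team.  AllowedTeamIdentifiers
                 (an array of team IDs) is the broader alternative that allows
                 every kext signed by the team, which survives bundle renames
                 across vendor releases at the cost of a wider allow list. -->
            <key>AllowedKernelExtensions</key>
            <dict>
                <key>$team</key>
                <array>$bundles
                </array>
            </dict>
        </dict>
    </array>
</dict>
</plist>
EOF
}

# Usage with the Sophos identifiers from the thread; redirect stdout to a
# .mobileconfig and upload it to the MDM (it must not be installed by hand).
kext_policy_profile 2H5GFH3774 "Sophos - Approve Kext" \
    com.sophos.nke.swi com.sophos.driver.devctrl com.sophos.kext.oas com.sophos.kext.sfm
```

On a Mac, `plutil -lint` on the generated file confirms it is a valid plist before upload. After the MDM has pushed it, the same Mac should show the profile under Profiles in System Preferences, and that presence is exactly what the smart group criterion "Profile name has ..." in the earlier replies keys on to gate the Sophos install.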
Posted on 04-28-2020 08:27 AM
Need help regarding the same:
Can anybody confirm if I am using the right KEXT (screenshot)?
Do I need to put the kext in place before starting the installation?
After installation, is a reboot a must?
Posted on 04-29-2020 03:42 AM
@Rohitds14 Yes, the kext config needs to be in place before the Sophos installation. We based our Sophos installation on a smart group which checks if the kext config policy exists. If it does then the Sophos installation goes ahead.
Posted on 04-29-2020 04:21 AM
Yea, definitely race condition hell, especially when your entire fleet has software that uses KEXT and now all of a sudden you've got to manage it...
System Extensions appear to continue the same way. For example, found this on the Symantec KB site:
Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15
If macOS has already been upgraded to 10.15 with SEP installed, without taking precautions above, then remove and re-apply the JAMF configuration policy for Symantec. You must do this BEFORE the SEP GUI is opened for the first time after the macOS upgrade, otherwise you will get a warning about the extensions and they will be stuck in "awaiting user authorization". If the SEP client GUI has already been open and the extension warning displayed then removing/re-applying the configuration policy will not help. You will need to uninstall SEP by using the Uninstall command in the client's "Symantec Endpoint Protection" menu. Do not use RemoveSymantecMacfiles—it does not properly remove the new system extensions. Then re-install SEP and the configuration policy should be properly recognized.
Great ideas from Apple, but probably not vetted enough for real world enterprise.
¯\_(ツ)_/¯