macOS 12 Monterey freezing with Sophos installed

kevin_v
Contributor

We have been deploying Sophos via Jamf Pro for years now. Recently, we've had an uptick in customers reporting their Intel Monterey systems are unusable for about 30-45 min, then they function normally. Reboots do not help, but Safe Mode does.

We have narrowed the issue down to Sophos, as when we uninstall in Safe Mode, the issue is resolved. We also have had to exclude new Monterey systems from our Sophos policy, as it was causing freezing right after policy completion. Big Sur builds are fine.

 

I wanted to post here to see - has anyone experienced and/or mitigated this issue?


We have been deploying a config profile for some time now with the System Extensions + PPPC requirements based on this article:

https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/116397/sophos-mac-endpoint-how...

We reviewed the config profile and ensured it has the boolean values required (as someone outside of Sophos discovered in the comments).

Sophos support indicates the permissions need to be Allowed manually and they don't support deployment with Jamf Pro.
When I look at Privacy Prefs - I see a blank check box on the Sophos System Extension under Full Disk Access, but checking this box manually does not seem to prevent the freezing so far.

Could use some advice as Sophos refuses to help aside from pointing me at their stale community article or their Early Access Program, which requires manual deployment from our Sophos Cloud estate.

12 REPLIES

scottb
Honored Contributor

Nothing more fun on a Mac than AV...not.

An obvious question is: is the version you're using certified for Monterey?

kevin_v
Contributor

Sophos 10.3.1 is being installed. 10.2.2 was the first version with Monterey compatibility:
https://docs.sophos.com/releasenotes/index.html?productGroupID=esg&productID=savmosx&versionID=Centr...

scottb
Honored Contributor

So, does installing locally with your package work? Or is it just in Jamf that it's having issues?

mickl089
Contributor III

We had the same problems with the release of Monterey - please try to remove all additional config profiles from the devices and set the permissions manually on the device.

- Uninstall Sophos Client
- Remove Config Profiles
- Restart computer
- Manually install Sophos 10.3.1 and grant / check all permissions.

This should work with that. Unfortunately only a workaround, but that's all I can offer at the moment, sorry.

Are you recommending to uninstall all config profiles, or just config profiles related to Sophos?

We are having this same problem and have found:

* Uninstalling Sophos resolves the problem.
* Similarly, uninstalling Cisco AnyConnect 4.9 or 4.10 resolves the problem - this may be notable as this Cisco VPN client uses a network system extension, as does Sophos.
* Starting the machine without any network connection (i.e., wifi off, no ethernet connection) prevents the lockup on boot.

Of course only the config profiles of Sophos. If you are using Cisco VPN: this was also a problem for us, with uninstalling the Cisco VPN we could see progress.

Matt_Roy93
Contributor

We have seen similar issues with the combo of Zscaler, AnyConnect, and ATP Defender; it's just a mess trying to run all these security products on Mac OS. Try disabling one service at a time until you find the culprit.

Nina_semeteys
New Contributor

Hi, 

 

We have exactly the same issue with your Mac. Do you have any feedback from Sophos?

Sophos support suggested a manual uninstall/reinstall and ensuring all PPPC + Extensions are allowed manually.

They don't support Jamf Pro and referred me to the same 2 yr old Sophos Community article on the subject.

They suggested testing the Early Access Program (EAP) on Macs with the issue.

They also suggested confirming privacy settings via their tool here

I requested they release an official article with all PPPC + Extension requirements clearly documented. I also requested they put out their own "recommended" mobileconfig file that can be signed and deployed via MDM.

user-KYHwoMOMfC
New Contributor

Have you got any further with this?  We're having the same issue

Yes, we have an incident ticket with Sophos.

bazcurtis
New Contributor III

I made this video showing what I use to set up Sophos.

Video 

I used this on an Intel Monterey VM this afternoon with no issues. I can install Sophos without any of these profiles pushed out, open the Endpoint Self Help tool, push out the profiles and watch the Endpoint go compliant. I have found that to control the Notifications, these have to be pushed AFTER the software is installed.

I understand you would push these profiles out in advance, but it is interesting watching them work post installation.