macOS Catalina Grant Full Disk Access - Sophos Endpoint

mcgace
New Contributor III

Has anyone managed to get this working?

I used PPPC Utility to make the Profile as per the KBs below on Sophos website:

https://community.sophos.com/kb/en-us/134552
https://community.sophos.com/kb/en-us/134686

The policy successfully deploys to scoped machines but I still get the alert to grant Full Disk Access

Sophos is not automatically granted Full Disk Access in Security & Privacy

What am I doing wrong?

2f9a3dc61a2f4ce08a9f5f84e9fbeb63

5c5927d90c7f493890ed8b9637b19e4b

8c58515ecfe3419cbb2496af04502135

1 ACCEPTED SOLUTION

chrisbju
New Contributor III

Are you running SEC On-Prem? We had issues with this in version 9.9.5 and they admitted there was something wrong with the check for prompting full disk access, and pushed us to 9.9.6.

After 9.9.6 we dont see any Pop-ups. Talk to your Sophos Rep to get 9.9.6.

Here are our settings.
com.sophos.SophosScanAgent
identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

com.sophos.macendpoint.CleanD
identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

com.sophos.macendpoint.SophosServiceManager
identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

com.sophos.SDU4OSX
identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

com.sophos.autoupdate
identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

View solution in original post

11 REPLIES 11

chrisbju
New Contributor III

Are you running SEC On-Prem? We had issues with this in version 9.9.5 and they admitted there was something wrong with the check for prompting full disk access, and pushed us to 9.9.6.

After 9.9.6 we dont see any Pop-ups. Talk to your Sophos Rep to get 9.9.6.

Here are our settings.
com.sophos.SophosScanAgent
identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

com.sophos.macendpoint.CleanD
identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

com.sophos.macendpoint.SophosServiceManager
identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

com.sophos.SDU4OSX
identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

com.sophos.autoupdate
identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "2H5GFH3774"

SystemPolicyAllFiles - Allow

calvins
New Contributor III

This is a known issue apparently, we're seeing it too. See this: https://community.sophos.com/kb/en-us/134833

mcgace
New Contributor III

Thanks I am on 9.95. I'm going to get 9.9.6 and then I'll update this post.

GrahamJ
New Contributor II

Still seeing this in 9.9.6 on cloud.

GrahamJ
New Contributor II

https://community.sophos.com/kb/en-us/134686

this fixed it for me

DavidN
Contributor

Just installed 9.97. Still seeing this prompt even after following their instructions for PPPC profile. Neither of the KB articles above are valid any longer.

Veronica_Kroner
New Contributor II

301477b185a44ebca3e63338579ead49
I think I have tried every trick from Jamf Nation/Sophos, I still get that I need to "allow" in from Security & Privacy. Is there a way to allow this without user intervention?
Thanks!

wilesd
New Contributor III

@Veronica.Lozano - That looks like kext approval required - Which fortunately does seem to work at the moment, not that it helps if you get more prompts from PPPC

a_holley
Contributor

@Veronica.Lozano this is not a PPPC setting, it's the KEXT issue. See here: https://www.jamf.com/jamf-nation/discussions/30534/approved-kernel-extensions-still-asking-to-be-allowed

MichelTarantola
New Contributor

The solution posted by chrisbju works for me too:
From PPPc settings "Allow" SystemPolicyAllFiles for this:
SophosCleanD.app
SophosServiceManager.app
SophosDiagnosticUtility.app
SophosScanAgent.app
SophosEndpointUIServer.app

Take note: check "path" from ID setting. and not "bundle"

rcole
Contributor II

Hi @MichelTarantola thanks for this info. Would you mind sharing what path(s) are you using in the code requirement and what are you using as the identifier for each app (SophosCleanD.app
SophosServiceManager.app
SophosDiagnosticUtility.app
SophosScanAgent.app
SophosEndpointUIServer.app)

ea981f38cf314c4380b8d6e945a14f27
?