Sophos Catalina Prompting for FULL DISK ACCESS

jonathan_rudge
New Contributor III

Hi Guys

Got an issue where Sophos is prompting for full disk access, we have created a profile and pushed it out to myself as a test user but I still get this pesky end result pop up.

See attached screenshots of a profile created based on KB from Sophos https://community.sophos.com/kb/en-us/134686
ccd58b80a3bd424787bcefd796bb244a

5dd6340b46544b50ad4542b96159a9ed

37 REPLIES 37

mainelysteve
Valued Contributor II

@jonathan.rudge Haven't run into issues with Sophos and PPPC on my Catalina test clients. Have you tried creating the profile using the PPPC Utility?

sshort
Valued Contributor

During the Catalina betas I didn't have any issues with Sophos, now I can't get it to update virus definitions. I have the PPPC whitelist profile and kext whitelist profile for Sophos install in a PreStage so it's in place before the Sophos pkg is installed. I'm not seeing the request for full disk access when it's run in that order, so I'm good on that front.

However -- I cannot get Sophos to update virus definitions, even following the article you link to. My org hasn't deployed Catalina yet, so I'm still testing and will probably open a ticket with Sophos if I can't get this resolved soon.

theguvnor
New Contributor III

@jonathan.rudge We're getting the exact same issue with the pop-up. Sophos is allowing itself to update fine, and can perform scans, but it's like it's not recognising that the requirements of the pop-up message are satisfied. I guess it's good to know others are experiencing this, too, and not just us going crazy :)

maxmaxmaxmaxmax
New Contributor II

I dont see an entry for com.sophos.SDU4OSX in your profile

That was a new one that came in with 9.9.5 that was not on the Sophos doc in the run up to Catalinas release.

AB4581
New Contributor II

I am in the same boat. I've followed the PPPC details on the Sophos KB article and the popup still appears. Has anyone had success suppressing the Sophos popup window? Anyone identified how to trigger it to appear? I may resort to calling their support or make my own profile using the PPPC Utility.

theguvnor
New Contributor III

@maxmaxmaxmaxmax We also had that one missing, but have since added it, sadly to no effect. The pop-up still appears after around an hour.

jonathan_rudge
New Contributor III

@maxmaxmaxmaxmax Ill try it but I don't hold out much hope...

dsavageED
Contributor III

I honestly don't think the Sophos UI is picking up the config profile, scans, diagnostics and updates all work, so the tasks are allowed, but the message is still popping up. I've added every Sophos related app and still not been able to suppress this message. I think we need a fix from Sophos, as all I can think is that the SophosUIServer doesn't look at the config profile.

b0d638c6e6af46cfa5cd2fd8421c4648

dnikles
New Contributor III

Same here, have all the settings they ask for here and still have the pop up

maxmaxmaxmaxmax
New Contributor II

I can confirm I'm getting that prompt even after following the Sophos doc. Not sure why things appeared to initially work but hey-ho its there :(

robertojok
Contributor

not sure this will help but we had the same problem with Full disk scan for Apex one Trend micro and we run into the same problem having created a profile using PPPC Utility. One of my colleagues then changed the IDENTIFIER path in the Privacy Preferences Policy Control to the path of the iCoreService which Trend requires to /Library/Application Support/TrendMicro/TmccMac/iCoreService and that fixed the problem., So it might be worth changing the identifier to the PATH and see if that helps.

AB4581
New Contributor II

I tried to switch my profile to path as the identifier and had no luck. I have a case open with Sophos but they are asking me stupid questions via email vs. calling me. "Is your computer turned on?" "Are you on Catalina?" derp
Anyone else have any luck?

rochoablue
New Contributor

The pop up that comes up is not the most user-friendly and descriptive window. While some users are familiar with dragging a something into the Applications folder, this is not overtly obvious to drag the icon from that popup window into the Full Disk Access portion of the Security Preferences. The support page does go through that step but multiple users have been perplexed before I explained what needed to be done.

AB4581
New Contributor II

Sophos support response:

Hello (insert name here),

As the profile settings more apply to Catalina than Mojave in my opinion, why not move to Catalina first, then apply the profile settings with the Sophos installation? Sophos is not recommended to be installed during machine OS upgrades to avoid any issues.

"Sophos is not recommended to be installed during machine OS upgrades to avoid any issues." OMG! are they really expecting that an enterprise environment remove AV before upgrading, then re-install after? Also in response to this I did a fresh install of Catalina, sent my configuration profile and installed the latest Sophos client. Pop-up still occurs. Looking in Security and Privacy I am not seeing any new items added to "Full Disk Access" so i must be fulfilling the requirements for the application yet the pop-up still occurs. I am now suspecting that Sophos is not checking the system properly and recognizing that the Security and Privacy settings are applied via MDM. I think we may be at the mercy of waiting for them to release an update to the client that can recognize MDM applied settings.

AB4581
New Contributor II

Sophos Support to the rescue! kinda

Article acknowledging the issue with resolution:
https://community.sophos.com/kb/en-us/134833

Depending on if you are on a "cloud" product or "on prem" product the release dates differ
If i recall correctly cloud customers will see this in December
On prem can adjust their update channel("Recommended" will see this update in January, "Preview" may see it around November 26th.)
https://community.sophos.com/kb/en-us/120189

dleong-li
New Contributor

https://community.sophos.com/kb/en-us/134833

DavidN
Contributor

Sophos article above is no longer valid. We are seeing this prompt also on Catalina. Has anyone seen a fix?

blackholemac
Valued Contributor III

OK so I don’t have anything Sophos specific, BUT, I am playing the same game with Symantec Endpoint Protection in Catalina.

Strangely enough, with the help of another Jamf admin on here @NoahRJ he got it to deploy and dealt with the full disk access issues (not working despite a working PPPC profile).

Check out his script here...To give context we have kernel extensions and system extensions to contend with:

https://www.jamf.com/jamf-nation/discussions/33964/how-to-system-extension-in-macos

Check it out it’s obviously not sophos specific but given you are dealing with endpoint protection products, you may be encountering the same type of stuff...specifically the script he had to run after Symantec was installed was the magic that worked for me.

Veronica_Kroner
New Contributor II

No matter how many changes I've made using articles from Sophos and from Jamf Nation, I still get the pop up that I need to allow Sophos in Security & Privacy. see below :(
2c12d00ffcc6440a9ba6c1a681119e20

Jookyseacap
New Contributor III

@Veronica.Lozano That message is the Sophos Kext file. Have you put in an approved Kext configuration profile that is installed before Sophos installs? We use Sophos cloud here and it works fine as long as we have the Approved Kext configuration applied along with the PPPC configuration before Sophos installs.

37d5743ad74844358dec38ae644a4b4e

a_holley
Contributor

We are under pressure to start upgrading to 10.15 soon, and I haven't yet had to build a PPPC config yet, so I'm jumping in the deep end with this one. Has anyone had any luck with this?

bkrathwohl
New Contributor

I've actually been trying to sort this out over the last week or so. I was able to follow some of the posted links and sort through what all is needed to get Sophos to install without prompting for the user to do anything.

I don't actually use JAMF, but wanted to post the relevant info for anyone still having this issue.

There are three things that are needed:
1. Whitelist the Kernel Extension
2. Whitelist the System Extensions
3. Create PPPC Profile

  • Whitelist The Kernel Extension
    You should be able to create a new profile to add a Kernel Extension. I didn't end up doing just the extension, I whitelisted the Team ID for Sophos (Team ID: 2H5GFH3774)

  • Whitelist the System Extensions
    You should be able to create a profile and list various extensions with the Team ID that you want to whitelist.

Sophos Team ID: 2H5GFH3774

com.sophos.SDU4OSX
com.sophos.autoupdate
com.sophos.macendpoint.CleanD
com.sophos.SophosScanAgent
com.sophos.macendpoint.SophosServiceManager
com.sophos.endpoint.uiserver

  • Create PPPC Profile Create a new PPPC profile. You will want to give the above extensions access to the file provider, or Full Disk Access (if that is an option for you). I ended up using the PPPC Manager from GitHub to generate the necessary information.

There wasn't an easy way to format this so I just put it in a Pastebin link. The link has the Identifier as well as the Bundle ID code.

https://pastebin.com/DhZH850u

Hopefully this actually manages to help someone else out.

djdavetrouble
Contributor III

johnfalkus
New Contributor

Sophos released version 10.0.1 today and this has triggered a wave of issues with the Full Disk access required coming back and ignoring the settings in the profile pushed by JAMF with the PPPC which were working up to this point. If anyone has any ideas ? I have raised with Sophos but I am not going to hold my breath

Tribruin
Valued Contributor II

Over on the Sophos MacAdmins slack channel, someone mentioned that Sophos has two new identifiers that need to be added to your PPPC profile com.sophos.liveresponse and SophosMDR.

Apparently this page has been updated even through it is dated from 2019:
Sophos

G_Zirrak
New Contributor III

Yes, our area was experiencing Sophos "full disk access" notifications every 15 minutes recently as well. I did update/add to our PPPC profile last week, and that seems to be the resolution, for now... 437ad07ec9e6471ebd6a080567b89bd0

John-Lockwood
New Contributor

Sophos support do seem to have dropped the ball here. They don't understand the issue, they don't know the fix and the fix as mentioned by @RBlount and @G_Zirrak is actually in their article it is however made effectively invisible by the fact that they did not change their articles modification date. Their support engineer was recommending every one of our users manually re-add Sophos to Privacy & Security, apart from this being a terrible solution it is not possible for users who do not have admin access.

bethjohnson
Contributor

We're testing our new configuration profile with the liveresponse bundle added now. We'd been deployed with everything from autoupdate to SDU40SX in the profile, then yesterday started to see the issue with prompts to allow full disk on 10.15.7 clients. SMH.

Edited to add: have tested with the liveresponse bundle added: no dice. Added SystemPolicySysAdminFiles as suggested on the comments to the Sophos KBase article: no dice. About to add the MDR line, which we don't use, but at this point I'm throwing the kitchen sink at it before it triggers too many tickets.

And further update: Nothing has worked, even adding the bundles discovered by replicating the user action of allowing the Sophos Endpoint and Scan apps.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"You do not rise to the level of your goals; you fall to the level of your systems." James Clear

thadmin
New Contributor II

I tried adding the 2 new components mentioned above: com.sophos.liveresponse and SophosMDR.
However, I was still getting the popups.
Then I tried adding the 3 remaining apps from /Library/Sophos Anti-Virus, and that seems to have worked: com.sophos.endpoint.SophosAgent, com.sophos.SophosAntiVirus, and com.Sophos.macendpoint.SophosSXLD
(That capital “S” in that last bundle ID is not a typo. I got that directly from the App bundle plist. I'm not sure if bundle IDs are case sensitive.)

I got the idea when I saw on a Sophos community page instructions to add ALL apps when using Profile Manager. https://community.sophos.com/on-premise-endpoint/f/recommended-reads/116400/sophos-mac-endpoint-how-to-configure-apple-profile-manager-to-allow-sophos-to-work-with-macos-10-15

Duran
New Contributor II

Same problem with a pop-up.

G_Zirrak
New Contributor III

Everyone thats using Sophos Endpoint Protection please note/read this article, as Sophos is not supported in macOS Big Sur just yet!

https://support.sophos.com/support/s/article/KB-000039501?language=en_US&c__displayLanguage=en_US

bethjohnson
Contributor

Update: adding the three additional apps per thadmin's post appears to have worked for my test machine. Here's the resulting set of bundle IDs and code verification, all with SystemPolicyAllFiles=Allow:

com.sophos.autoupdate
identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.macendpoint.CleanD
identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.SophosScanAgent
identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.macendpoint.SophosServiceManager
identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.endpoint.uiserver
identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.SDU4OSX
identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.liveresponse
identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
### Additional ones not included in Sophos KBase ###
com.sophos.endpoint.SophosAgent
identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.SophosAntiVirus
identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.Sophos.macendpoint.SophosSXLD
identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"

I'm waiting on a response from an affected enduser.

Important to note: we're a cloud customer, not using MDR.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"You do not rise to the level of your goals; you fall to the level of your systems." James Clear

bethjohnson
Contributor

In their last message to me, Sophos support indicated they'd received a lot of tickets about this issue and were updating the KBase article on deploying the PPPC profile with Jamf to list all the applications from the /Library/Sophos Anti-Virus directory.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"You do not rise to the level of your goals; you fall to the level of your systems." James Clear

jwarming
New Contributor

ec353243570a41e2826065080ad64ab9

ac917b4ed5844085aa38d925a9ce1d8c
Hello All.
I have been trying to add a Sophos PPPC to a config profile following the steps outlined here and keep getting an error on the test system i am scoping it to. The OS on the system is Catalina. I have tried the 2H5GFH3774 part with and without quotes, same result. Can someone see any errors in the syntax? And we have added Sophos kext extensions in another config profile and it is installed on the test system.
7f932b8c517b4236abe9b08146f15515

RPA
New Contributor

I'm working as a Sophos employee and I can confirm that we are aware that obviously some changes we did with version 10.0.1 for Sophos Central Endpoint can show the user the notification about the required fulldiskaccess again. We are currently working with high pressure to update our related KBA and we ant to publish them asap. You have my apologies for this inconvenience.

G_Zirrak
New Contributor III

@RPA Hi Rainer, has your team run into any issues with getting all of the steps in the following article [https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/116397/sophos-mac-endpoint-how-to-configure-jamf-privacy-preferences-for-10-15-compatibility] deployed to Intel - macOS Big Sur - W/Sophos Endpoint version 10.0.4? Keep getting config profile failed error. Was wondering if you have any solutions or work arounds. Also, any updates for M1 support? is version 10.0.4 an official version that is compatible with M1 processors?
d13075538420467f823a6301233f9f9d

j_grafton
New Contributor III

@RPA Have you found a fix for the full disk access message?
I have been speaking to Sophos support about this but not getting anywhere.
thanks