Hi Guys

Got an issue where Sophos is prompting for full disk access. We have created a profile and pushed it out to myself as a test user, but I still get this pesky end-result pop-up.

See attached screenshots of a profile created based on KB from Sophos https://community.sophos.com/kb/en-us/134686

Yes, our area was experiencing Sophos "full disk access" notifications every 15 minutes recently as well. I did update/add to our PPPC profile last week, and that seems to be the resolution, for now...


Sophos support do seem to have dropped the ball here. They don't understand the issue, they don't know the fix, and the fix as mentioned by @RBlount and @G_Zirrak is actually in their article; it is, however, made effectively invisible by the fact that they did not change their article's modification date. Their support engineer was recommending every one of our users manually re-add Sophos to Privacy & Security; apart from this being a terrible solution, it is not possible for users who do not have admin access.


We're testing our new configuration profile with the liveresponse bundle added now. We'd been deployed with everything from autoupdate to SDU4OSX in the profile, then yesterday started to see the issue with prompts to allow full disk on 10.15.7 clients. SMH.

Edited to add: have tested with the liveresponse bundle added: no dice. Added SystemPolicySysAdminFiles as suggested on the comments to the Sophos KBase article: no dice. About to add the MDR line, which we don't use, but at this point I'm throwing the kitchen sink at it before it triggers too many tickets.

And further update: Nothing has worked, even adding the bundles discovered by replicating the user action of allowing the Sophos Endpoint and Scan apps.


I tried adding the 2 new components mentioned above: com.sophos.liveresponse and SophosMDR.
However, I was still getting the popups.
Then I tried adding the 3 remaining apps from /Library/Sophos Anti-Virus, and that seems to have worked: com.sophos.endpoint.SophosAgent, com.sophos.SophosAntiVirus, and com.Sophos.macendpoint.SophosSXLD
(That capital "S" in that last bundle ID is not a typo. I got that directly from the App bundle plist. I'm not sure if bundle IDs are case sensitive.)

I got the idea when I saw on a Sophos community page instructions to add ALL apps when using Profile Manager. https://community.sophos.com/on-premise-endpoint/f/recommended-reads/116400/sophos-mac-endpoint-how-to-configure-apple-profile-manager-to-allow-sophos-to-work-with-macos-10-15


Same problem with a pop-up.


Everyone that's using Sophos Endpoint Protection please note/read this article, as Sophos is not supported in macOS Big Sur just yet!

https://support.sophos.com/support/s/article/KB-000039501?language=en_US&c__displayLanguage=en_US


Update: adding the three additional apps per thadmin's post appears to have worked for my test machine. Here's the resulting set of bundle IDs and code verification, all with SystemPolicyAllFiles=Allow:

com.sophos.autoupdate
identifier "com.sophos.autoupdate" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.macendpoint.CleanD
identifier "com.sophos.macendpoint.CleanD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.SophosScanAgent
identifier "com.sophos.SophosScanAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.macendpoint.SophosServiceManager
identifier "com.sophos.macendpoint.SophosServiceManager" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.endpoint.uiserver
identifier "com.sophos.endpoint.uiserver" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.SDU4OSX
identifier "com.sophos.SDU4OSX" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.liveresponse
identifier "com.sophos.liveresponse" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
### Additional ones not included in Sophos KBase ###
com.sophos.endpoint.SophosAgent
identifier "com.sophos.endpoint.SophosAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.sophos.SophosAntiVirus
identifier "com.sophos.SophosAntiVirus" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"
com.Sophos.macendpoint.SophosSXLD
identifier "com.Sophos.macendpoint.SophosSXLD" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2H5GFH3774"

I'm waiting on a response from an affected enduser.

Important to note: we're a cloud customer, not using MDR.


In their last message to me, Sophos support indicated they'd received a lot of tickets about this issue and were updating the KBase article on deploying the PPPC profile with Jamf to list all the applications from the /Library/Sophos Anti-Virus directory.



Hello All.
I have been trying to add a Sophos PPPC to a config profile following the steps outlined here and keep getting an error on the test system I am scoping it to. The OS on the system is Catalina. I have tried the 2H5GFH3774 part with and without quotes, same result. Can someone see any errors in the syntax? And we have added Sophos kext extensions in another config profile and it is installed on the test system.


I'm working as a Sophos employee and I can confirm that we are aware that obviously some changes we did with version 10.0.1 for Sophos Central Endpoint can show the user the notification about the required full disk access again. We are currently working with high pressure to update our related KBA and we want to publish them asap. You have my apologies for this inconvenience.


@RPA Hi Rainer, has your team run into any issues with getting all of the steps in the following article [https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/116397/sophos-mac-endpoint-how-to-configure-jamf-privacy-preferences-for-10-15-compatibility] deployed to Intel - macOS Big Sur - W/Sophos Endpoint version 10.0.4? Keep getting a config profile failed error. Was wondering if you have any solutions or workarounds. Also, any updates for M1 support? Is version 10.0.4 an official version that is compatible with M1 processors?


@RPA Have you found a fix for the full disk access message?
I have been speaking to Sophos support about this but not getting anywhere.
Thanks