Help

Sophos Endpoint Blocking updates

tycollins
New Contributor

‎07-31-2023 08:51 AM - edited ‎07-31-2023 08:52 AM

4544464f-efac-4ee2-8377-12345eab15b7.png

Posting on here since Sophos has been less then helpful, We installed Sophos endpoint wither their Ventura Config profile and it looks like it works and is functional. However when I go to do an update on the computer while logged in as the local admin no password is accepted. Also when I go to More info and then install through that window it locks SophosEndpoint as the user name and no password I try works there. I've attached a screenshot of the weird login window I haven't seen before

image.png

Labels:
0 Kudos
10 REPLIES 10

AJPinto
Honored Contributor II

Posted on ‎07-31-2023 08:56 AM

Looks like its performing permissions management over the softwareupdate binary. You will need to work with the vendor on this, even if they dont want to work with you. The application should be auto promoting this binary, and not prompting for anything so a rule is likely configured wrong.

 

We do not use Sophos but have a similar tool that handles point of time permissions management, and all kinds of rules have to be setup or it will break all kinds of stuff you dont want to break.

0 Kudos

SCCM
Contributor III

Posted on ‎08-01-2023 01:35 AM

How are you triggering the prompt? Ive not seen that before

0 Kudos

s-mcc
New Contributor

Posted on ‎08-07-2023 12:00 PM

Just ran into this same issue on one of our endpoints. 

 

We're looking into two possibilities right now: 

  1. As pointed out, the fact the softwareupdate process is calling a Group of "SophosEndpoint" that contained the primary user of our device (but deactivated) suggests it's doing something it 'aught not to be. 
  2. Can't see a single thing on the Config Profile from v1.1 to v1.2 that could contribute to that behavior, as a code issue being run by the auto-updater seems far more likely, but we're updating the affected machines to rule it out. 

I'll update this is we come up with an answer (or to rule these out). 

0 Kudos

DCHGIT
New Contributor

Posted on ‎10-11-2023 10:10 AM

@tycollins @s-mcc  anyone find a solution to this? I periodically receive the same error on Ventura.

@SCCM Initiating an OS upgrade from Settings will cause it:

DCHGIT_0-1697044207478.png

 

0 Kudos

tonyalvaro
New Contributor

Posted on ‎10-16-2023 06:43 AM

Currently experiencing the same issue. Sophos doesn't have any solution. I even tried uninstalling Sophos and I still get the prompt with SophosEndpoint as the username.

0 Kudos

AJPinto
Honored Contributor II
In response to tonyalvaro

Posted on ‎10-23-2023 10:41 AM

We use CyberArk EPM, and last month I noticed if it installs before any user logs it EPM force generates macOS's Secure Token. Of course, EPM has no way to pass that secure token to a user. The vendor was as useless as you would expect. We wound up delaying the install of EPM until after Disk Encryption is enabled, that way the end user would have already logged in and they get a Secure Token and Volume Ownership before EPM can go and mess things up. I'd wager Sophos is doing the same thing.

0 Kudos

s-mcc
New Contributor

Posted on ‎10-23-2023 09:44 AM

I have a pending solution update to this:

We confirmed that all of these errors were related to the lack of volume ownership on the part of our affected users. 

Working with Sophos support, they became dead set on the cause being "Installation of Sophos before user login". 

Using the kb as reference (Use secure token, bootstrap token, and volume ownership in deployments - Apple Support) we created an extension attribute to hunt through our machines and report back any machines that had tokens assigned to the "_sophos" account. That list lined up with the machine errors we were seeing, (and some machines we had not yet).

We've broken out in to two phases for remediation:

  1. Even though the logistics of how Sophos installed post-enrollment but pre-login are not clear, we have added a delay into our Sophos installation polices. It was one of the few apps allowed to install outside of a dep-notify/swiftDialog initial configurations during setup (check-in trigger), and we added it to an "enrollment complete" delayed smart group to ensure even pausing at the Setup Assistant would not allow a background action. Since this change no more affected machines have appeared.
  2. Using the admin account created via our Pre-stage Enrollment, we're repairing the token issues for the affected users. So far that seems to be working, but I'm still waiting on full confirmation from my in-field team.

 

0 Kudos

DCHGIT
New Contributor
In response to s-mcc

Posted on ‎02-27-2024 09:26 AM

@s-mcc Can you provide the remediation steps for repairing the token?

0 Kudos

jonathanchen
New Contributor
In response to s-mcc

Posted on ‎03-05-2024 10:18 AM

can you provide instructions on how to repair the token issues for affected users?

0 Kudos

s-mcc
New Contributor

Posted on ‎04-18-2024 09:24 AM

I wanted to add an end tag to this discussion to say: Don't attempt it. 

The remediation attempts got so convoluted, that we abandoned them. Since ensuring that Sophos installation is either handled automatically after a delay from enrollment or white gloved by installation teams post login, this issue has disappeared from our management space. 

We opted to start over (wipe and ADE) with all affected machines in the name of reliability and brevity. The answer from both vendor and Apple support has amounted to "that shouldn't happen" so I would not hold my breath on a solution.

0 Kudos