https://support.sophos.com/support/s/article/KB-000039014?language=en_US


Overview

Updated Nov 18 2020


Apple has progressively tightened macOS security over the past several versions. macOS 10.13 and 10.15 added restrictions that Sophos cannot automate, so we use popups to prompt the user to add the appropriate permissions. 10.13 added Kext Approvals (https://developer.apple.com/library/archive/technotes/tn2459/_index.html) and 10.15 added additional privacy preferences (https://support.apple.com/en-za/guide/mac-help/mh32356/10.15/mac/10.15) which can only be set directly by a user or through an MDM provider such as JAMF.


Sophos will display a popup when our software requires security permissions which are not currently allowed. As Sophos adds features, this popup may re-appear if additional permissions are required. Sophos Central Endpoint 10.0.1 added a new feature and check, thus re-triggering this notice. This check occurs every 30 minutes.


 



 

Applies to the following Sophos products and versions

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X


Operating systems

macOS 10.15 Catalina and above

 

How to add Security Permissions

For a new installation of Sophos on a Mac, Sophos needs to be allowed in the General tab of the Security & Privacy window. If Sophos is later re-installed on the same Mac, this step does not need to be repeated, because the operating system retains the approval.

 

Adding permissions via Sophos pop-up (9.9.5 and later) 

A pop-up will appear (if Notifications are enabled) on install, and every 30 minutes while the permissions are detected as incorrect. Clicking on this notification will bring up a window that allows you to set permissions quickly.


Note: To trigger the check manually, open Activity Monitor and end the process "Sophos Service Manager". It will restart automatically and run the check after 30 seconds, then every 30 minutes.


You will see a notification in the upper right of your screen, or a full popup. Click Details to see the full popup.



Full Disk Access Popup

 

  1. Click the link Open "Security & Privacy" Preferences in the popup.
  2. Click the Privacy tab if it is not already selected.
  3. Click the lock in the lower-left and authenticate to make changes.
  4. Select Full Disk Access on the left side (you will need to scroll down).
  5. Drag the Sophos icon from the message to Security & Privacy.
  6. You will get the message: "Sophos Endpoint UIServer" will not have full disk access until it is quit. You can select Later or Quit Now. Either will work (Later will need a restart to give the UI full access. This does not impact protection). Note: On Premise (OPM) Endpoint will not display this message.
  7. Close Security & Privacy.

 

 

Using Apple Profile Manager or JAMF

Using an MDM solution like Apple Profile Manager or JAMF, you can add permissions in TCC to allow these processes. There are posts in the Community forum which detail settings that work for these platforms.
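As an added illustration (not Sophos code or a Sophos-published profile), the Python sketch below builds a TCC configuration profile granting Full Disk Access and then checks an existing profile for components that have no rule. Component names are taken from the Background Information table on this page; the file paths, the code requirement string and the `com.example.mdm` identifier are placeholders, and `Allowed` is the key form used on macOS 10.15.

```python
import plistlib
import uuid

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Component names come from the Background Information table on this page.
# Paths and the code requirement are PLACEHOLDERS (assumptions): read the
# real values on a managed Mac with `codesign -dr - <path>` before use.
COMPONENTS = ["SophosScanAgent", "SophosCleanD", "SophosServiceManager",
              "SophosEndpointUIServer"]
PLACEHOLDER_REQ = 'identifier "PLACEHOLDER" and anchor apple generic'

def fda_rule(name):
    """One SystemPolicyAllFiles (Full Disk Access) rule for a binary."""
    return {
        "Identifier": f"/PLACEHOLDER/path/to/{name}",
        "IdentifierType": "path",
        "CodeRequirement": PLACEHOLDER_REQ,
        "Allowed": True,
    }

def build_profile(components, org_id="com.example.mdm"):
    """Return .mobileconfig bytes (XML plist) carrying one TCC payload."""
    def payload(ptype, suffix, **extra):
        return {"PayloadType": ptype, "PayloadVersion": 1,
                "PayloadIdentifier": f"{org_id}.{suffix}",
                "PayloadUUID": str(uuid.uuid4()).upper(), **extra}
    tcc = payload(TCC_TYPE, "sophos.tcc", Services={
        "SystemPolicyAllFiles": [fda_rule(c) for c in components]})
    return plistlib.dumps(payload(
        "Configuration", "sophos", PayloadScope="System",
        PayloadDisplayName="Sophos Full Disk Access (example)",
        PayloadContent=[tcc]))

def missing_fda(profile_bytes, required):
    """Names in `required` that have no allowed Full Disk Access rule."""
    granted = set()
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") != TCC_TYPE:
            continue
        for rule in p.get("Services", {}).get("SystemPolicyAllFiles", []):
            if rule.get("Allowed"):
                granted.add(rule["Identifier"].rsplit("/", 1)[-1])
    return [c for c in required if c not in granted]

if __name__ == "__main__":
    # "sweep" has no rule in the generated profile, so it is reported.
    print(missing_fda(build_profile(COMPONENTS), COMPONENTS + ["sweep"]))
```

`missing_fda` can also be run against a profile exported from the MDM console to confirm that every component you rely on is covered before rollout.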

 

 

Kext Approvals (macOS 10.x only)

Kexts must still be approved on macOS versions prior to 11 (all the 10.x versions). Once they have been approved, they never need to be approved again. Apple presents a security dialog after the install prompting for this approval. To approve them manually:

 

  1. Open System Preferences.
  2. Open Security & Privacy.
  3. There should be a prompt asking to approve the extensions.

If the above steps don’t work, please see the following KBA: Sophos Anti-Virus for Mac: Secure Kernel Extension loading troubleshooting

 

System Extension Approval (macOS 11+)

Please see the following KB to approve System Extensions: macOS 11 Big Sur (previously known as 10.16)

Sophos will automatically request these permissions when it tries to load. Once approved, it does not need to be approved again.


If the approval prompts do not appear, or if after approval the endpoint indicates that they are not active, please see the article Mac Endpoint: System Extension Troubleshooting.

How to check Security Permissions

Please see the following KB: How to confirm Privacy Settings on macOS

 

Background Information

With the release of macOS 10.15 Catalina, Apple added additional security lockdowns to the operating system, including per-application disk access lockdowns. This causes several significant issues that must be corrected for full protection.

Apple has locked down the following user folders in macOS 10.15:

  • Desktop
  • Documents
  • Downloads
  • Mail
  • Safari cache

The agents will need to be added to the Full Disk Access area of Security & Privacy unless otherwise noted.

The following impacts occur if these permissions aren't added:

 

Component | Issue
SophosCleanD | Unable to clean up threats in the above folders.
SophosScanAgent | On-demand scans or scheduled scans won't detect threats in the above folders.
Sophos Finder Scan (through SophosScanAgent) | Does not detect threats in the above folders.
SophosServiceManager | Parent process for SophosScanAgent.
Sophos Diagnostic Utility (Standalone only) | User prompted to allow access to the above folders. This is Files and Folders access.
sweep | Command-line scanning tool. Only used manually and only needs to be added if command line scans are being run.
SDU4OSX / Sophos Diagnostic Utility | Unable to access all logs.
SophosEndpointUIServer (Central only) | User isn't notified of threat detection (no pop-up).
SophosCleanD (Central only) | Unable to restore files (Cryptoguard) in the above folders.
Sophos Live Response (Central only) | Unable to perform Live Response queries.
Sophos Managed Detection and Response (Central with MDR only) | Unable to run Sophos Managed Detection and Response.
Sophos Autoupdate (OPM only) | Can't update from SMB shares.