This article covers how to troubleshoot Sophos Home issues on macOS 11 - Big Sur. TROUBLESHOOTING Post installation (or upgrade) issues on Big Sur. Sophos Home requires 4 steps in order to run on Big Sur (macOS 11) 1 - Enabling System Extensions 2 - Allowing Notifications. 3 - Granting Full Disk Access to components 4 - Rebooting the Mac. Please do not upgrade to macOS 11 (Big Sur) unless you are running a Sophos Endpoint which is designed for it. Sophos Central version 10.0.4 includes full support for Big Sur, and support for M1 processors via emulation (Rosetta 2). Articles in this section. Support for macOS 11- Big Sur; Additional steps for Sophos Home installations on macOS 10.15 Catalina; Upgrading Sophos Antivirus Classic Home Edition for Mac to Sophos Home. Applies to: Sophos Home Mac 10.0.2 on macOS 11 and above When you install (or update to) Sophos Home 10.0.2 on macOS 11 (Big Sur) or above, you will be prompted to allow the SophosWebNetworkExtension system extension to add proxy configurations. This should be allowed to provide the functionality of Sophos Homes' Web Protection features.
Android
Knox container can’t be created on Android 5.0 devices
You can only create Knox containers on devices with Android 5.0.1 or later. Existing containers on Android 5.0 devices aren’t affected. This is a restriction of the Samsung Knox SDK version Sophos Mobile 9.6 uses.
Some Samsung Knox devices must be restarted to turn on Kiosk Mode
You must restart Samsung devices with Knox Standard (formerly called SAFE) SDK version earlier than 5.4 after installing a Kiosk Mode profile. If you don’t, the user could stop all running apps in the task manager and switch to the default launcher home screen.
Preventing additional device administrators on Samsung Knox devices
The Knox premium restriction Prevent installation of another administrator app on a device is ignored if there’s already another device administrator activated. Make sure Sophos Mobile Control is the only device administrator before you assign the restriction.
Android 6 power-saving features might impact Baidu push notifications
The App doze and Stand-by-mode power saving features introduced with Android 6 can impact the receiving of Baidu push notifications.
On Sony devices, it’s not possible to protect or control so-called small apps (with an app protection or app control profile)
Small apps are Sony specific apps on Sony devices that overlay existing apps. These apps can’t be controlled or protected by the Sophos Mobile Control app or by App Protection.
Password reset removed for “Device administrator” devices with Android 7 and later
You can’t reset the password for devices running Android 7 or later. This applies to devices where Sophos Mobile is the device administrator. This is because Google removed the “Password reset” command from the device administrator API. Android Enterprise devices aren’t affected.
Email accounts can't be removed from the Android work profile (only if you remove the complete profile)
If an Exchange email account is transferred to an Android work profile, the account stays with the profile even if the policy is removed. You can send a policy containing another Email configuration to the device. The latest Email configuration is always used. However, it’s not possible to remove the configuration from the work profile. If the configured account is removed, you must remove the whole Android work profile from the device.
No compliance violation “Installation from unknown sources” on Android 8
Starting with Android 8, the installation of apps from unknown sources isn’t a device setting. It’s a permission setting for apps that are able to install other apps. For example a file manager app. It isn’t possible for Sophos Mobile to check if any third-party app has this permission. The Apps from unknown sources compliance rule is ignored for devices running Android 8.
Android Enterprise: Chrome app enabled in work profiles by default
There’s a known Android issue related to the work profile. Starting with Android 8, the Android internal WebView app isn’t enabled by default. As a result, apps in the work profile that rely on the WebView app may stop working. Google resolved this issue by enabling the Chrome app, which enables the internal WebView app. However, you might not want to allow a browser app in the work profile.
As a workaround, use the App Control configuration of your Sophos Mobile Android Enterprise policy to block the Chrome app.
For more information regarding this issue, see the Google article https://support.google.com/work/android/answer/7506908.
On some Android Enterprise devices, Factory Reset Protection (FRP) can’t be turned on
On some devices capable of Factory Reset Protection (FRP), we’ve noticed an FRP is not supported error when FRP is turned on using Sophos Mobile. This issue isn’t caused by Sophos Mobile.
Enrolling unencrypted Android Enterprise fully managed devices sometimes fails
Normally when you enroll an Android Enterprise fully managed device that is unencrypted, the device is initially encrypted and then enrolled. On some devices (including Samsung devices using Android 6.x or earlier) the process stops after the encryption and the device remains unenrolled.
As a workaround, restart the enrollment after the device was encrypted.
Enrolling Android Enterprise through the Sophos NFC Provisioning app sometimes fails for Chinese
Tvhits vijay tv. Some devices (e.g. seen on a Samsung Galaxy A3) fail to enroll as an Android Enterprise fully managed device if the language of the Sophos NFC Provisioning app is set to Chinese.
As a workaround, use a different language.
SMC Android app version 9.0 or later required for Samsung devices with Android 10+
Due to changes in the Samsung KNOX SDK, Samsung devices with Android 10.0 or later require Sophos Mobile Control 9.0 or later. Earlier versions of the Sophos Mobile Control app aren’t supported on these devices and might fail.
App Protection and App Control can only control direct interaction through the user interface
Due to technical limitations of the Android platform, the App Protection and App Control features can only prevent direct interaction with an app through its user interface. Users might still be able to interact with a protected app through other apps like Google Assistant or through Android system functionality.
Also note that App Protection can’t stop interaction with an app that runs in multi-window mode, for example split-screen, floating windows, or tiny windows.
For details, see knowledge base article 135017.
The latest operating system from Apple, macOS11 Big Sur, has arrived and it brings with it a few significant architecture modifications. Ads ready blogger templates. In this article, we will take a look at these changes, as well as some of the things you might consider doing to automate much of the deployment of Intercept X on macOS.
These changes started to appear with macOS Catalina (10.15) – Apple is beginning to deprecate the use of system wide kernel extensions in favour of user space system extension APIs. This allows software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access.
An interesting third party review of some of the most significant changes in the last decade Apple have recently introduced can be found here.
Unfortunately, we didn’t have a GA version of Intercept X for Mac available on the first day of release. The good news is that we now have an Early Access Program (EAP) available in Central, whereby customers can nroll devices running macOS11 in order to receive a pre-release version of Sophos Endpoint v10.0.2.
TIP: As you can appreciate, we don’t typically recommend using EAP (pre-release) software on a production system. If you would like to prevent users from upgrading to BigSur AND if you or your customer are using Sophos Endpoint, then it’s worth noting that the SophosLabs have added an Application Control detection for the Big Sur installer. This means that you can control its rollout by blocking the application – the installer is classified as a “System Tool”.
Most of you are probably aware of the process on how to join an EAP and then enroll devices, however if you would like some info on this process click here. Typically, we don’t make EAPs available to Sophos Central MSP accounts, however given that some customers may be purchasing new Apple hardware that comes pre-shipped running Big Sur, we have extended the EAP to MSP customers too. Stick empires medusa.
About new hardware, the following Macintosh models (at the time of writing) use the new Apple M1 ARM-based system chipset:
- MacBook Air (M1, 2020)
- Mac mini (M1, 2020)
- MacBook Pro (13-inch, M1, 2020)
Sophos Intercept X for Mac does not natively support this new chipset; however, it can be made to work using a piece of backwards compatibility software called Rosetta 2. This software needs to be installed on the Mac before joining it to the EAP and it updating to 10.0.2. More info on this process is also covered in the EAP community post above.
On testing the deployment of Intercept X on a brand new macOS11 device, I found the installation routine quite user intensive with several prompts required to allow permissions etc. before a complete protected state could be achieved.
There are several things that can be done to reduce these prompts, specifically using an MDM provider (such as Sophos Mobile or JAMF) to essentially pre-trust extensions using the Sophos ‘Teams ID’ of 2H5GFH3774. This is a trusted ID that is used in the development of Sophos code, to automatically whitelist our software:
I found that this configuration made the deployment of Intercept X for Mac on macOS Catalina and older, virtually ‘silent’. There were still some prompts that required user interaction when deploying on Big Sur, however this will still down on the amount of interaction required without any applied MDM settings.
Our wonderful professional services team have also created a number of scripts to use with JAMF to automate deployment on Macs. Info on this can be found here.
Sophos Mac Os 11 Download
Expect to see some more information in the new year, once a GA version of 10.0.2 for Mac is available, on how to automate the deployment further.