This article provides information about support for MacOS 10.15 Catalina, as well as known issues. It is highly advisable to read the known issues as there are several unavoidable issues in this OS release.
Apple has new enforced per application permissions in this version. Some permissions (such as user folders) will present a pop-up notice to the user to allow access, however for system level access, no notification is presented by the OS. Several Sophos services require this system level of access in order to detect and clean threats. This means that Apple will not notify users if these issues are being experienced.
All of our applications and installers are 64-bit, and will not be limited by Apple’s 32-bit restriction.
Applies to the following Sophos product(s) and version(s)ma
Central Mac Endpoint
Sophos Anti-Virus for Mac OS X
MacOS 10.15 Catalina
MacOS 10.15 Catalina – overview
With the release of MacOS 10.15 Catalina, Apple has added additional security lockdowns to the operating system, including per application disk access lockdowns. This results in several large impacting issues that must be corrected for full protection. Please see the Known Issues section below for full details. It is not recommended to upgrade to 10.15 until your organization has a transition plan in place.
All information presented in this KB is current as of 10.15 beta 7. It may change in the final release of 10.15. This article will be updated closer to the release and after release if any further changes are needed. It is recommended to check this article again at the time of 10.15’s release in late September 2019.
Required version – Sophos Endpoint 9.9.4 or above
In order to support MacOS 10.15 Catalina, Sophos Endpoint 9.9.4 or above is required. Earlier versions will run if present during an upgrade, but are subject to the same known issues below, but not all permissions can be added (SophosServiceManager and SophosScanAgent cannot be added with 9.9.3), 9.9.3 and below will not install on a 10.15 system, and Central clients 9.9.2 or below will fail to communicate with Central until they update.
Sophos is releasing 9.9.4 to Central by mid-September 2019. 9.9.4 will also be available in the Preview subscription for Enterprise Console customers in mid-September 2019, moving to Recommended in October 2019.
Apple has locked down the following User Folders in OS 10.15.
- Safari cache
The agents will need to be added to the Full Disk Access area of security and privacy, unless otherwise noted.
The following issues will be experienced after upgrading to macOS 10.15 and before applying the corrective steps.
- SophosCleanD – Unable to clean up threats in the above folders
- SophosScanAgent – On Demand scans / Scheduled scans will not detect threats in the above folders
- Sophos Finder Scan (Through SophosScanAgent) – Will not detect threats in the above folders
- SophosServiceManager – Parent process for SophosScanAgent
- Sophos Diagnostic Utility (Standalone only) – User prompted to allow access to the above folders, This is “Files and Folders” access.
- sweep – Command line scanning tool. Only used manually and only needs to be added if command line scans are being run.
Sophos Central 9.9.4 and above
- SophosEndpointUIServer – User is not notified of threat detection (no popup)
- SophosCleanD – Unable to restore files (Cryptoguard) in the above folders
- Sophos MCS Server Change – MCS has been changed to use SHA2+TLS1.2 for its connection. This uses different servers than before, and should only be an issue if specific firewall allow rules are required for the communication). (note: 9.9.3 has this change in place already)
Sophos Endpoint (Enterprise Console Managed) 9.9.4 and above
- For initial install, all install files must be copied from the CID share locally first before running the install.
- SophosAutoUpdate – Cannot update from SMB shares. Only HTTP/HTTPS will work until approved
Older Endpoint versions
- Subject to the same limitations as above
- May have other issues not covered
- Will upgrade to 9.9.4 (other than if impacted by SophosAutoUpdate issue) even with errors
- 9.9.2 and below will fail to communicate with MCS (Central)
How to correct issues:
The following can be performed on OS 10.14, before upgrading to 10.15, or after 10.15 has been installed. The only exception to this is SophosServiceManager, which can only be added on 10.15.
- Open Mac Settings
- Open Security & Privacy
- Go to the Privacy tab
- Click the lock in the lower left and authenticate to make changes
- Select “Full Disk Access” on the left side
- Leave this window open.
- Open a Finder window
- Go, go to folder
- Enter: /Library/Sophos Anti-virus and click go.
- Drag and drop the following item from the Finder window to the Security & Privacy Full Disk Access window
- SophosAutoUpdate (Enterprise Console managed only)
- Sophos Endpoint UIServer (Central Managed only)
- (Optional) Click the + in the Security & Privacy section, select /usr/local/bin/sweep
- You may receive a notice that some applications will not have full access until it is quit. This is fine, Later or Quit Now are both valid.
Alternate Method of correction:
Using an MDM solution like Apple Profile Manager, or JAMF, you can add permissions in TCC to allow these processes. Instructions will be provided as we determine them.