How to Obtain the Process Name to Create a NetScaler Gateway EPA Policy for Mac OS

This article describes how to obtain the process name to create a NetScaler Gateway EPA policy for Mac OS.

Background

Mac OS policies are created the same way on the NetScaler Gateway as Windows policies. Mac OS policies only differ in the processes syntax. Since Mac OS is a BSD based Operating System, a scan will not detect regular .exe processes as it would in Windows (unless the user has Wine running to be able to execute these). Mac computers generally run .dmg or .app executable files.

Related:

Some Resource Groups (Azure) are not visible inside MCS wizard while catalog creation

When creating MCS catalog for Azure, master image need to be selected from its Resource Group.

While doing this, some Resource Groups are visible, and some others are not. All visible and non-visible Resource Groups were created manually and they all were working fine during initial deployment. But some of them are not visible on Studio anymore after some days.

The affected Resource Groups are neither visible in Studio nor in PoSh SDK (image.folder location in XDHyp: Posh drive). However, if we know the Resource Group name, can browse to them by typing the name manually in PoSh SDK. Subscription scope service principal is used for all Resource Groups, and we are also able to browse to them in PoSh SDK. So it is not an access related issue.

If we create new Resource Groups, they are all visible on Studio for master image selection.

Related:

  • No Related Posts

Crashing issue with MacOS 10.15.2 and SEP 14.2.5323 RU2

I need a solution

We are have a major problem with all our new Macs running 10.15.2 and the new SEP, once all software is installed everything runs fine, however as soon as a USB-C adaptor is connected and and ethernet cable is attached the mac stops responding, the fans cut-in and the mac shuts down, we have tried this on all our new macs with the same outcome, HELP 🙁

0

Related:

Full disk access required message displays on Catalina when using an MDM solution with the correct access

In Sophos Mac Endpoint 9.9.5, we introduced a notification for “Full disk access required” when the OS is MacOS 10.15 Catalina, and we detect that the full disk access rights detailed in knowledge base article 134552 are not in place.

We have found an issue where customers using an MDM solution (eg: JAMF or Profile Manager) to provide this access will still receive this notice, even with the correct rights in place.

This will be corrected in the 9.9.6 release to Central and On Premise customers near the end of November/beginning of December 2019. It does not prevent the software from working, and is only a visual notice.

Applies to the following Sophos product(s) and version(s)

Central Mac Endpoint 9.9.5

Sophos Anti-Virus for Mac OS X 9.9.5

Customers using an MDM solution to provide disk access rights to Sophos in MacOS 10.15 Catalina will receive a notice on the endpoints titled “Full disk access required” in error.

It does not prevent our software from working, and is a notice only. If rights are added via the dialog, or manually via Security & Privacy on the Endpoint, the message will not appear.

Development have identified the issue and created a fix. This is currently in testing and confirmed for release in 9.9.6 in late November/early December 2019.

It is safe to dismiss the message. It will reappear approximately every 4 hours.

To avoid the message completely, add Full Disk Access rights using the method described in the dialog.

Add Full Disk Access rights using the method described in the dialog or ignore the dialog.]

This article will be updated when information becomes available

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

Sophos Anti-Virus for Mac: Support for Apple MacOS 10.14 Mojave

This knowledge base article provides information about the support for Apple MacOS 10.14 Mojave by the Sophos Anti-Virus.

The following sections are covered:

Applies to the following Sophos products and versions

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

  • 9.6.5+
  • 9.7.1+
  • 9.8.0+

Dark Mode is not supported by Sophos Anti-Virus. It will maintain its existing colors when the OS switches to Dark Mode, but otherwise it is fully functional.

Due to a new security mechanism that Apple has released with MacOS 10.13, called Secure Kernel Extension Loading (SKEL), all non-Apple kernel extension (what we use to intercept files, etc) vendors must be manually added to a trusted list (Any user can add this). This allows the kernel extensions to load, and is required for Sophos Anti-Virus to function properly. All 3rd party vendors are impacted by this change, and it is not possible to work around this requirement.

Adding of the kexts is only applicable for Mac computers that are to be installed with SAV for the first time. Nothing is to be done on existing SAV on Mac that was installed prior to the release of the new security mechanism.

Due to an Apple security restriction, this cannot be done via a remote desktop connection. There must be a locally logged on user. The Allow button will show, but be grayed out if it is accessed via remote desktop.

  1. After installing SAV, go to Security & Privacy in the Apple System Preferences window.
  2. At the bottom, the listed Sophos kexts will appear.
  3. Click Allow.

Once authorized, all future Sophos kernel extensions will now be allowed, even after the uninstall. This step is not needed again on a re-install.

If the above approval did not work, take a look at the KBA 132813 for troubleshooting steps .

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable for us to ensure that we continually strive to give our customers the best information possible.

Related:

Mac 10.15 Catalina Support and Known Issues

This article provides information about support for MacOS 10.15 Catalina, as well as known issues. It is highly advisable to read the known issues as there are many unavoidable issues in this OS release.

All of our applications and installers are 64-bit, and will not be limited by Apple’s 32-bit restriction.

Applies to the following Sophos product(s) and version(s)

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

Operating systems

MacOS 10.15 Catalina

MacOS 10.15 Catalina – overview

With the release of MacOS 10.15 Catalina, Apple has added additional security lockdowns to the operating system, including per application disk access lockdowns. This results in several large impacting issues that must be corrected for full protection. Please see the Known Issues section below for full details. It is not recommended to upgrade to 10.15 until your organization has a transition plan in place.

Notice:

All information presented in this KB is current as of 10.15 beta 6. It may change in the final release of 10.15. This article will be updated closer to the release and after release if any further changes are needed. It is recommended to check this article again at the time of 10.15’s release in late September 2019.

Required version – Sophos Endpoint 9.9.4 or above

In order to support MacOS 10.15 Catalina, Sophos Endpoint 9.9.4 or above is required. Earlier versions will run if present during an upgrade, but are subject to the same known issues below, and Central clients 9.9.2 or below will fail to communicate with Central until they update.

Sophos is releasing 9.9.4 to Central by mid-September 2019. 9.9.4 will also be available in the Preview subscription for Enterprise Console customers in mid-September 2019, moving to Recommended in October 2019.

Known Issues

Apple has locked down the following User Folders in OS 10.15.

  • Desktop
  • Documents
  • Downloads
  • Mail
  • Safari cache

The agents will need to be added to the Full Disk Access area of security and privacy, unless otherwise noted.

All Versions

  • SophosCleanD – Unable to clean up threats in the above folders
  • SophosScanAgent – On Demand scans / Scheduled scans will not detect threats in the above folders
  • Sophos Finder Scan (Through SophosScanAgent) – Will not detect threats in the above folders
  • SophosServiceManager – Parent process for SophosScanAgent
  • Sophos Diagnostic Utility (Standalone only) – User prompted to allow access to the above folders, This is “Files and Folders” access.
  • sweep – Command line scanning tool. Only used manually and only needs to be added if command line scans are being run.

Sophos Central 9.9.4+

  • SophosEndpointUIServer – User is not notified of threat detection (no popup)
  • SophosCleanD – Unable to restore files (Cryoptoguard) in the above folders
  • Sophos MCS Server Change – MCS has been changed to use SHA2+TLS1.2 for its connection. This uses different servers than before, and should only be an issue if specific firewall allow rules are required for the communication). (note: 9.9.3 has this change in place already)

Sophos Endpoint (Enterprise Console Managed) 9.9.4+

  • For initial install, all install files must be copied from the CID share locally first before running the install.
  • SophosAutoUpdate – Cannot update from SMB shares. Only HTTP/HTTPS will work until approved

Older Endpoint versions

  • Subject to the same limitations as above
  • May have other issues not covered
  • Will upgrade to 9.9.4 (other than if impacted by SophosAutoUpdate issue) even with errors
  • 9.9.2 and below will fail to communicate with MCS (Central)

How to correct issues:

The following can be performed on OS 10.14, before upgrading to 10.15, or after 10.15 has been installed. The only exception to this is SophosServiceManager, which can only be added on 10.15.

  1. Open Mac Settings
  2. Open Security & Privacy
  3. Go to the Privacy tab
  4. Click the lock in the lower left and authenticate to make changes
  5. Select “Full Disk Access” on the left side
  6. Leave this window open.
  7. Open a Finder window
  8. Go, go to folder
  9. Enter: /Library/Sophos Anti-virus and click go.
  10. Drag and drop the following item from the Finder window to the Security & Privacy Full Disk Access window
    • SophosAutoUpdate (Enterprise Console managed only)
    • SophosCleanD
    • SophosScanD
    • SophosScanAgent
    • SophosServiceManager
    • Sophos Endpoint UIServer (Central Managed only)
  11. (Optional) Click the + in the Security & Privacy section, select /usr/local/bin/sweep
  12. You may receive a notice that some applications will not have full access until it is quit. This is fine, Later or Quit Now is not a problem.

Alternate Method of correction:

Using an MDM solution like Apple Profile Manager, or JAMF, you can add permissions in TCC to allow these processes. Instructions will be provided as we determine them.

Related:

SEP 15 for Mac OS

I need a solution

Hi All,
does onprem SEP 14.2 and SEP 15 has same feature and funtionality,
using SEP 15 can we achive this on Mac OS. need your expert advise. for same.

1.       Policies are not showing on MAC Client.
2.       Application and Device Control configuration.
3.       MAC OS Hardening Configuration
4.       Unable to manage MAC client from SEPM cloud console

0

Related:

Some User Resource Names are being changed

I need a solution

In my environment I have a section of about 200 out of 2200 user resources that are showing up incorrectly. 

For example a user named John Smith with an employee id of 123456 would typical show up as a user resource smit3456. Recently some of the user resources have started showing up as adsmith, john. 

Most of the users we have seen get changed in our environment are using macs or have used a mac. I have looked at the target agent import settings for both mac and pc and everything is setup the same way between the two.

Has anyone else run into an issue like this?

Thanks

0

Related:

SEP on Mac OS showing license expired.

I need a solution

we have around 400+ Mac Machines, only 4 machines are showing license expired at client interface.

1. is there any way to see client license status on SEPM for particular client.

2. where is SEP.slf file location in Mac OS( High Siera).

0

Related: