Receiving “Legacy System Extension” Dialog Box After Upgrading To macOS Catalina 10.15.4+

Generic USB redirection is the main component that uses kernel extensions. Apple is deprecating kernel extensions in upcoming releases of macOS.

The warning informs users ahead of that deprecation.

If Apple deprecates kernel extensions in the next release, only Generic USB redirection is affected; that feature will no longer be usable.


ShareConnect – Add or Create Files

ShareConnect’s iOS users can now upload media files and create Microsoft documents (Word, Excel and PowerPoint) from their iOS device to be saved on their remote host computer.

To begin uploading or adding documents to your host computer, you must navigate to any folder on your remote computer from the File Explorer app. Tapping the delimiter will open the Add and Create menu options on your iOS device.

Upload Media Files

Currently ShareConnect’s iOS users can only upload media files like photos or videos from their iOS device to their remote computer.

To upload files, you must:

1. Tap the Photos Backup button in the app bar on the bottom.

2. Tap the Upload Photos button to access your photos and select them for upload.

  a. If you select Take a Photo or Video, the camera feature on your iOS device will be made active. Tap on Use Photo to save the photo to your remote computer.
  b. If you select Photo Library, a list of albums present on your iOS device is opened. Select the photo you want to upload and tap Upload to save the photo on your remote computer.

3. Tap the Upload button to upload your photos.


Create Microsoft Documents

Currently ShareConnect’s iOS users can create Microsoft Word, Excel, and PowerPoint documents from their iOS device to store in their remote computer.

To create new documents, you must:

1. Tap the New File button in the app bar on the bottom.

2. Choose the type of file you wish to create.

3. Once you create the document and you save it, you will be asked to give it a name to begin uploading the document to your remote computer.



ShareConnect Access Apps

XenMobile Server 10.10.0 Rolling Patch 4

Package name: xms_10.10.0.10403.bin

For: XenMobile Server 10.10.0

Deployment type: On-premises only

Replaces: xms_10.10.0.10305.bin, xms_10.10.0.10202.bin, and xms_10.10.0.10103.bin

Date: October, 2019

Languages supported: English (US)

Readme version: 1.00

Readme Revision History

Version | Date          | Change Description
1.00    | October, 2019 | Initial release

Important Notes about This Update

As a best practice, Citrix recommends that you install this and other updates only if you are affected by the specific issues they resolve.

Where to Find Documentation

This document describes the issue(s) resolved by this release and includes installation instructions. For additional product information, see XenMobile Server 10.10 on the Citrix Product Documentation site.

What’s new

Some Restrictions device policy settings available on supervised or unsupervised devices for previous iOS versions are available only on supervised devices for iOS 13+. The current XenMobile Server console tool tips don’t yet indicate that these settings are for supervised devices for iOS 13+ only.

  • Allow hardware controls:

    • FaceTime
    • Installing apps
  • Allow apps:

    • iTunes Store
    • Safari
    • Safari > Autofill
  • Network – Allow iCloud actions:

    • iCloud documents & data
  • Supervised only settings – Allow:

    • Game Center > Add friends
    • Game Center > Multiplayer gaming
  • Media content – Allow:

    • Explicit music, podcasts, and iTunes U material

These restrictions apply as follows:

  • If an iOS 12 (or lower) device is already enrolled in XenMobile Server and then upgrades to iOS 13, there are no changes. The preceding settings apply to the device as before.
  • If an unsupervised iOS 13+ device enrolls in XenMobile Server, the preceding settings don’t apply to the device.
  • If a supervised iOS 13+ device enrolls in XenMobile Server, the preceding settings apply to the device.

[From xms_10.10.0.10403.bin][CXM-72730]

For information about XenMobile Server 10.10.0 Rolling Patch 3 release, see XenMobile Server 10.10.0 Rolling Patch 3.

For information about XenMobile Server 10.10.0 Rolling Patch 2 release, see XenMobile Server 10.10.0 Rolling Patch 2.

For information about XenMobile Server 10.10.0 Rolling Patch 1 release, see XenMobile Server 10.10.0 Rolling Patch 1.

Known Issue(s) in this Release

There are no known issues in this release.

New Fixes in This Update

  1. The XenMobile Server console responds slowly.

    [From xms_10.10.0.10403.bin][CXM-69018]

  2. Apple recently published a knowledge article that lists host names that must remain open to ensure proper operation of macOS, iOS, and iTunes. Blocking those host names can affect the installation, update, and proper operation of the following: iOS, iOS apps, MDM operation, and device and app enrollment. For more information, see

    [From xms_10.10.0.10403.bin][CXM-70934]

  3. After enrolling a new device or re-enrolling an old device, an error message intermittently displays on the Manage tab.

    [From xms_10.10.0.10403.bin][CXM-72308]

  4. MAM devices wipe apps and app data because of a failure to get user domain details causing the device to assume the user is deleted.

    [From xms_10.10.0.10403.bin][CXM-72316]

  5. When attempting to update a public iOS app using XenMobile Server, a configuration error appears.

    [From xms_10.10.0.10403.bin][CXM-72353]

  6. The RBAC role “Tier 2 techs” can’t create enrollment invitations to a user group with more than 2000 users. Only full admin users can create the invitations.

    [From xms_10.10.0.10403.bin][CXM-72354]

  7. After you deploy the App Access device policy, non-compliant devices don’t trigger the configured action.

    [From xms_10.10.0.10403.bin][CXM-72356]

  8. When you check the Tomcat server status, you may get the return value of 1 instead of 0 even though the server status is normal.

    [From xms_10.10.0.10403.bin][CXM-72357]

  9. Unable to get the VPP for app version B2B when the platform parameter is incorrectly set in MDM API contentMetadataLookup.

    [From xms_10.10.0.10403.bin][CXM-72767]

  10. On iOS devices, administrators may lose the ability to send an “unlock device” command to passcode protected devices after the device is upgraded to iOS 13.1.x. To resolve this issue, see

    [From xms_10.10.0.10403.bin][CXM-73150]

Fixes From Replaced Releases

  1. Newly imported CA certificates are not visible in the Public-Key Interface (PKI) entries.

    [From xms_10.10.0.10305.bin][CXM-67982]

  2. Secure Hub for iOS is timed out when StoreFront server is not reachable, and it does not enumerate any MDX apps.

    [From xms_10.10.0.10305.bin][CXM-68133]

  3. On the XenMobile Server console, the value of the client property has a character limit of 256.

    [From xms_10.10.0.10305.bin][CXM-68385]

  4. When you configure VPN policy using Citrix SSO VPN on the XenMobile Server iOS platform, and edit the Prompt for PIN when connecting, it is reverted to Off.

    [From xms_10.10.0.10305.bin][CXM-68466]

  5. On devices running Android, sometimes you are unable to update the enterprise app.

    [From xms_10.10.0.10305.bin][CXM-68640]

  6. The keystore table count keeps increasing, even if the related devices and enrollments are deleted, which might impact system performance.

    [From xms_10.10.0.10305.bin][CXM-69017]

  7. In Android Enterprise devices that are already enrolled, the new required apps to the AllUsers delivery group are not displayed in Google Play Store.

    [From xms_10.10.0.10305.bin][CXM-69070]

  8. When you update an Enterprise app to the latest version, which was previously updated via REST API, the version number is not updated.

    [From xms_10.10.0.10305.bin][CXM-69202]

  9. When adding a VPP account (Settings > iOS Settings), the following message appears if the token exceeds 350 characters: “The entered company token is not valid, please enter a new one.”

    [From xms_10.10.0.10202.bin][CXM-68114]

  10. The Secure Hub Apple Push Notification Service (APNs) certificate for XenMobile Server 10.10 will expire on August 2, 2019. As a result, the Agent Notification fails and the application push might be delayed on iOS devices.

    With this update, the Secure Hub APNs certificate will be renewed and will expire on July 12, 2020.

    [From xms_10.10.0.10202.bin][CXM-68353]

  11. Apple Volume Purchase Program (VPP) apps don’t import into XenMobile Server. This issue occurred after Apple changed the URL for apps from to

    [From xms_10.10.0.10202.bin][CXM-68615]

  12. With iOS VPP configured in XenMobile, iBooks obtained through VPP don’t appear on the Configure > Media page as described in Add media.

    [From xms_10.10.0.10103.bin][CXM-66161]

  13. In XenMobile Server, publish an MDX app for iOS or Android platform. The XenMobile Server Public API does not support the modification of App description in the corresponding platform.

    [From xms_10.10.0.10103.bin][CXM-66449]

  14. Sometimes when Secure Hub is disconnected, security actions need to be performed twice to trigger Firebase Cloud Messaging (FCM) notifications for an event.

    [From xms_10.10.0.10103.bin][CXM-66911]

  15. In the dashboard, the number of Pending Activation Requests under the Notifications section is displayed incorrectly.

    [From xms_10.10.0.10103.bin][CXM-66914]

  16. The Firebase Cloud Messaging (FCM) token on the XenMobile Server doesn’t change until you delete or uninstall the Secure Hub.

    [From xms_10.10.0.10103.bin][CXM-66923]

  17. While enrolling Android devices, the following error appears: Cannot decrypt value.

    [From xms_10.10.0.10103.bin][CXM-66928]

  18. The name and owner of your Android Enterprise enterprise might not display correctly in the Google Play store administrator console.

    [From xms_10.10.0.10103.bin][CXM-66933]

Installing This Update

Note: If your system is configured in cluster mode, follow the steps below to update each node, one after the other.

Important: Before installing this update, take a snapshot of the current settings and create a backup of the database.

  1. Log on to your account on the Citrix website and download the XenMobile Server update (.bin) file to an appropriate location.
  2. In the XenMobile Server Console of a node click Settings > Release Management. The Release Management page appears, which displays the currently installed software version, as well as a list of any updates, patches, and upgrades you have already uploaded.
  3. Under Release Management, click Update. The Update dialog box appears.
  4. Click Browse to upload the update (.bin) file you have downloaded from
  5. Click Update and then if prompted, restart the XenMobile Server node using command line.

To verify the patch deployment

After installing this patch, log on to the XenMobile Server Console as an administrator, then navigate to Settings > Release Management > Updates. Information about the most recent successful patch installation appears in this section.


Troubles running SEP 14.2 RU2 on OSX prior to Catalina (< 10.15)

I need a solution


So, I have a couple of MACs running SEP, and recently I pushed the newest update (14.2 RU2) for them.

This version adds support for OSX Catalina (10.15), and, as far as I can see, on Catalina everything is really fine.

But older OSX versions (10.13, 10.14) face a couple of troubles:

1. Random reboots. I don’t know what it is called in OSX terminology, but I mean a black screen with white text “Your computer restarted because of a problem. Press a key or wait a few seconds to continue starting up.”

2. Firewall notifications. At my SEPM server, my firewall policy for MACs has the entry “Display a notification on the computer when the client blocks an application” disabled. But, ignoring this, users began to face notifications about different remote connections with buttons “allow” and “deny”. The strangest part is the header of the notifications – it says “Norton Security” 🙂 Tested a bit, withdrawing the firewall policy via SEPM prevents notifications from spawning.

Maybe anyone else faced these issues? Any ideas?



SEP Client Communication Issues

I need a solution

Good Morning,

I have a problem with the SEP for Mac OS client, the console has been updated to fix the vulnerability and to address the issue of the database not working to back up, after the upgrade, Windows and Windows environment testing and environments were performed. Mac, Windows has worked normally so far, but after testing in Mac environment, it does not work, Client for Mac OS 10.14 has been installed and it installs normally no longer communicates with console, updates vaccine, no longer has communication with the manager, not to impact my environment, had to reinstall the client before.

I wonder if anyone is also having a problem regarding this?


Citrix SSO App for iOS – Behavior for Push Notifications

Question: When we receive a push notification on the iOS SSO app, what are the ways we can approve the notification?


When Screen is Locked

Option 1: Click the notification and unlock the phone; you will be in the SSO app. Hit Approve, then hit the home button to close the SSO app.

Option 2: Users need to either force touch (3D Touch), or slide the notification to the left, tap More and approve, or long press and approve.

When Screen is Unlocked

Option 1: Drag down on the notification and hit Approve.

Option 2: Click the notification; you will be in the SSO app. Hit Approve, then hit the home button to close the SSO app.

Note: The app might prompt for Touch-ID/Face-ID/Passcode as an extra factor in which case the app is always launched into foreground.


Full disk access required message displays on Catalina when using an MDM solution with the correct access

In Sophos Mac Endpoint 9.9.5, we introduced a notification for “Full disk access required” when the OS is MacOS 10.15 Catalina, and we detect that the full disk access rights detailed in knowledge base article 134552 are not in place.

We have found an issue where customers using an MDM solution (e.g. JAMF or Profile Manager) to provide this access will still receive this notice, even with the correct rights in place.

This will be corrected in the 9.9.6 release to Central and On Premise customers near the end of November/beginning of December 2019. It does not prevent the software from working, and is only a visual notice.

Applies to the following Sophos product(s) and version(s)

Central Mac Endpoint 9.9.5

Sophos Anti-Virus for Mac OS X 9.9.5

Customers using an MDM solution to provide disk access rights to Sophos in MacOS 10.15 Catalina will receive a notice on the endpoints titled “Full disk access required” in error.

It does not prevent our software from working, and is a notice only. If rights are added via the dialog, or manually via Security & Privacy on the Endpoint, the message will not appear.

Development have identified the issue and created a fix. This is currently in testing and confirmed for release in 9.9.6 in late November/early December 2019.

It is safe to dismiss the message. It will reappear approximately every 4 hours.

To avoid the message completely, add Full Disk Access rights using the method described in the dialog.

Add Full Disk Access rights using the method described in the dialog or ignore the dialog.

This article will be updated when information becomes available



Mac OS 10.15 Catalina Support and Known Issues

This article provides information about support for MacOS 10.15 Catalina, as well as known issues. It is highly advisable to read the known issues as there are several unavoidable issues in this OS release.

Apple enforces new per-application permissions in this version. Some permissions (such as access to user folders) present a pop-up notice asking the user to allow access; for system-level access, however, the OS presents no notification. Several Sophos services require this system-level access in order to detect and clean threats, so Apple will not notify users when these issues are being experienced.

All of our applications and installers are 64-bit, and will not be limited by Apple’s 32-bit restriction.

The following sections are covered:

Applies to the following Sophos products and versions

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

Operating systems

MacOS 10.15 Catalina

MacOS 10.15 Catalina overview

With the release of macOS 10.15 Catalina, Apple has added additional security lock downs to the operating system, including per-application disk access lock downs. This results in several high-impact issues that must be corrected for full protection. Please see the Known Issues section below for full details. Upgrading to 10.15 is not recommended until your organization has a transition plan in place.

Required version: Sophos Endpoint 9.9.4 or above

In order to support macOS 10.15 Catalina, Sophos Endpoint 9.9.4 or above is required. Earlier versions will run if present during an upgrade, but they are subject to the same known issues below, and not all permissions can be added (SophosServiceManager and SophosScanAgent cannot be added with 9.9.3). Versions 9.9.3 and below will not install on a 10.15 system, and Central clients 9.9.2 or below will fail to communicate with Central until they update.

Sophos released 9.9.4 to Central in September 2019. 9.9.4 is also in the Preview subscription for Enterprise Console customers as of mid-September 2019.

For both Central and Enterprise Console, 9.9.5 releases in mid-October 2019 (to Recommended and Preview for Enterprise Console), and includes a permissions popup to make installations a bit easier.

Apple has locked down the following User Folders in OS 10.15.

  • Desktop
  • Documents
  • Downloads
  • Mail
  • Safari cache

The agents will need to be added to the Full Disk Access area of security and privacy, unless otherwise noted.

All Versions

The following issues will be experienced after upgrading to macOS 10.15 and before applying the corrective steps.

  • SophosCleanD – Unable to clean up threats in the above folders
  • SophosScanAgent – On Demand scans / Scheduled scans will not detect threats in the above folders
  • Sophos Finder Scan (Through SophosScanAgent) – Will not detect threats in the above folders
  • SophosServiceManager – Parent process for SophosScanAgent
  • Sophos Diagnostic Utility (Standalone only) – User prompted to allow access to the above folders, This is “Files and Folders” access.
  • sweep – Command line scanning tool. Only used manually and only needs to be added if command line scans are being run.
  • SDU4OSX / Sophos Diagnostic Utility – Unable to access all logs

Sophos Central 9.9.4 and above

  • SophosEndpointUIServer – User is not notified of threat detection (no popup)
  • SophosCleanD – Unable to restore files (Cryptoguard) in the above folders
  • Sophos MCS Server Change – MCS has been changed to use SHA2+TLS1.2 for its connection. This uses different servers than before, and should only be an issue if specific firewall allow rules are required for the communication. (Note: 9.9.3 has this change in place already.)

Sophos Endpoint (Enterprise Console Managed) 9.9.4 and above

  • For initial install, all install files must be copied from the CID share locally first before running the install.
  • SophosAutoUpdate – Cannot update from SMB shares. Only HTTP/HTTPS will work until approved

Older Endpoint versions

  • Subject to the same limitations as above
  • May have other issues not covered
  • Will upgrade to 9.9.4 (other than if impacted by SophosAutoUpdate issue) even with errors
  • 9.9.2 and below will fail to communicate with MCS (Central)

The following can be performed on OS 10.14, before upgrading to 10.15, or after 10.15 has been installed. The only exception to this is SophosServiceManager, which can only be added on 10.15.

  1. Open System Preferences.
  2. Open Security & Privacy.
  3. Go to the Privacy tab.
  4. Click the lock in the lower left and authenticate to make changes.
  5. Select “Full Disk Access” on the left side.
  6. Leave this window open.
  7. Open a Finder window.
  8. Select Go > Go to Folder.
  9. Enter: /Library/Sophos Anti-virus and click Go.

  10. Drag and drop the following items from the Finder window to the Security & Privacy Full Disk Access window:
    • SophosAutoUpdate (Enterprise Console managed only)
    • SophosCleanD
    • SophosScanAgent
    • SophosServiceManager
    • Sophos Endpoint UIServer (Central Managed only)
    • Sophos Diagnostic Utility (from /Library/Sophos Anti-virus/tools/)

  11. You may receive a notice that an application will not have full access until it is quit. This is fine; Later and Quit Now are both valid.

Note: The tool “sweep”, which is in /usr/local/bin/, cannot be added via this method as it is not a .app. It will prompt the user the first time the tool is run in order to be allowed. It will only be called if you are using it via command line.

Alternate Method of correction:

Using an MDM solution like Apple Profile Manager, or JAMF, you can add permissions in TCC to allow these processes. Visit the following kba articles for further instructions:

KNOWN ISSUE: “Full disk access required” message displays on Catalina when using an MDM solution with the correct access (with Sophos 9.9.5). Please see this KB134833
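
The following added example, which is not from Sophos, builds a Privacy Preferences Policy Control profile for the MDM method above: it grants SystemPolicyAllFiles (Full Disk Access) to bundled applications based on their `codesign -dr -` output. The identifier, team ID and the `com.example.pppc` prefix are placeholders; take the real values from the signed Sophos binaries on an endpoint.

```python
import plistlib
import re
import uuid

# Constructed sample of `codesign -dr - <path>` output. The identifier and team ID
# are placeholders, not Sophos's real values; collect the real output on an endpoint.
SAMPLE_CODESIGN_OUTPUT = '''Executable=/Library/Example/ExampleScanAgent.app/Contents/MacOS/ExampleScanAgent
designated => identifier "com.example.scanagent" and anchor apple generic and certificate leaf[subject.OU] = "EXAMPLE123"
'''

# Older codesign releases prefix the line with "# ".
_DESIGNATED = re.compile(r'^#?\s*designated => (.+)$', re.MULTILINE)
_IDENTIFIER = re.compile(r'identifier "([^"]+)"')


def parse_codesign(output):
    """Return (bundle identifier, designated requirement) from codesign -dr output."""
    match = _DESIGNATED.search(output)
    if not match:
        raise ValueError("no designated requirement: binary unsigned or output truncated")
    requirement = match.group(1).strip()
    ident = _IDENTIFIER.search(requirement)
    if not ident:
        raise ValueError("designated requirement carries no identifier")
    return ident.group(1), requirement


def build_fda_profile(codesign_outputs, org_prefix="com.example.pppc"):
    """Build a .mobileconfig (bytes) granting Full Disk Access to each signed bundle."""
    entries = []
    for output in codesign_outputs:
        identifier, requirement = parse_codesign(output)
        entries.append({
            "Identifier": identifier,
            "IdentifierType": "bundleID",   # a bare binary would use "path" instead
            "CodeRequirement": requirement,  # ties the grant to the signer, not just the name
            "Allowed": True,
            "Comment": "Full Disk Access for endpoint protection",
        })
    if not entries:
        raise ValueError("refusing to build an empty profile")

    def payload_uuid(name):
        # Deterministic UUIDs keep the output reproducible between runs.
        return str(uuid.uuid5(uuid.NAMESPACE_DNS, name)).upper()

    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": org_prefix + ".tcc",
        "PayloadUUID": payload_uuid(org_prefix + ".tcc"),
        "PayloadVersion": 1,
        "Services": {"SystemPolicyAllFiles": entries},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": org_prefix,
        "PayloadUUID": payload_uuid(org_prefix),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "Full Disk Access for endpoint protection",
        "PayloadContent": [tcc_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print(build_fda_profile([SAMPLE_CODESIGN_OUTPUT]).decode())
```

macOS honours this payload only when the profile is delivered through a user-approved MDM enrollment; installing the file by hand does not grant the access.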


SEP 14.2 RU2 On-Prem vs. Cloud version.

I do not need a solution (just sharing information)

I’ve been able to download and install the SEP 14.2 RU2 in our test environment to support macOS Catalina (10.15). We’re planning on upgrading our production environment in about a week. My question is, why are we not seeing the update for the SEP 15 cloud console? Note that we do not have a hybrid environment. They’re separate systems.

Our SEP 15 system still shows the MAC devices with the “14.2 RU1C 183” agent. Building a new installation package still provides the same “14.2 RU1C 183” version.