Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=protect-devices-endpoint-Mac-security-permissions

Security permissions on macOS

You need to grant Sophos Endpoint security permissions to run on your Macs. You may need to do this more than once as Apple frequently updates its security requirements.

If you use remote deployment, you grant security permissions during the deployment setup. See Installing Endpoint Protection using Jamf Pro.

We check that we have the permissions we need every 30 minutes. We use the Sophos Service Manager to do this.

You can manually check you have the correct permissions by closing the Sophos Service Manager. You do this in Activity Monitor. Sophos Service Manager restarts automatically and checks permissions after 30 seconds. It then checks every 30 minutes.

Sophos Endpoint shows a notification when it needs permissions. You can grant permissions from this notifiication.

You need to grant permissions to allow scanning and web protection to work. You also need to grant full disk access.

Grant permissions for scanning and Web Protection

You need to grant disk access permissions for scanning and Web Protection. You also need to grant proxy permissions for Web Protection. Without these permissions, scanning and Web Protection don't work properly.

To grant permissions, do as follows:

  1. Click Open System Settings on each Sophos program notification that needs permissions.

    Notifications that scanning and Web Protection need permissions.

  2. In Privacy & Security, click Details to see more details about the notification.

    System software needs attention.

  3. Click Allow for both system extensions.

  4. Select both services and click OK to restart both services.

    Restart scanning and Web Protection.

  5. Close Privacy & Security.

  6. Click Allow to allow Sophos Network Extension to act as a proxy.

    Allowing Network Extension to act as a proxy.

You must then grant full disk access. See the next section for more details.

Grant full disk access

You must sign in as an administrator.

To grant full disk access, do as follows:

  1. In the notification, click Details.
  2. Click Open Privacy & Security preferences.

  3. In Privacy & Security, click Privacy.

    Note

    You may see Security & Privacy depending on the macOS version you're using.

  4. Click the lock.

    Sign in to update permissions.

  5. Sign in to make changes.

  6. Scroll down and click Full Disk Access on the left.

    Full disk access permissions.

  7. Click the Sophos icon on your menu bar and then click Open Sophos Endpoint.

  8. Click About.
  9. Click Run Diagnostic Tool.
  10. Click Prerequisites and then click Allow Full Disk Access.

  11. Drag the Sophos icon from Sophos Endpoint to the applications list in Full Disk Access.

    Adding full access permissions for Sophos Endpoint.

  12. You need to grant full disk access to Sophos User Agent. Choose from the following options:

    • Click Quit & Reopen to do this immediately.
    • Click Later to give permissions and carry on working. You'll need to restart your Mac to give full disk access. You're still protected.

  13. Close Privacy & Security.