Skip to content

Security permissions on macOS

You need to grant Sophos Endpoint security permissions to run on your Macs. You may need to do this more than once as Apple frequently updates its security requirements.

If you use remote deployment, you grant security permissions during the deployment setup. See Installing Endpoint Protection using Jamf Pro.

We check that we have the permissions we need every 30 minutes. We use the Sophos Service Manager to do this.

You can manually check you have the correct permissions by closing the Sophos Service Manager. You do this in Activity Monitor. Sophos Service Manager restarts automatically and checks permissions after 30 seconds. It then checks every 30 minutes.

Sophos Endpoint shows a notification when it needs permissions. You can grant permissions from this notifiication.

You need to grant permissions to allow scanning and web protection to work. You also need to grant full disk access.

Grant permissions for scanning and Web Protection

You need to grant disk access permissions for scanning and Web Protection. You also need to grant proxy permissions for Web Protection. Without these permissions, scanning and Web Protection don't work properly.

To grant permissions, do as follows:

  1. You see a notification for each of the Sophos programs that needs permissions. In each notification, click Open Security Preferences.

    Notifications that scanning and Web Protection need permissions.

  2. In Privacy & Security, you see a notification that system software needs your attention before you can use it. Click Details in the notification.

    System software needs attention.

  3. Click Allow for both system extensions.

  4. You're then asked to restart both services. Select both services and click OK.

    Restart scanning and Web Protection.

  5. Close Privacy & Security.

  6. You're then asked to allow Sophos Web Extension to act as a proxy. Click Allow.

    Allowing Web Protection to act as a proxy.

  7. Now grant full disk access using the instructions in the next section.

Grant full disk access

To grant full disk access, do as follows:

  1. In the notification, click Details.
  2. Click Open Privacy & Security preferences.
  3. In Privacy & Security, click Privacy.
  4. Click the lock.

    Sign in to update permissions.

  5. Sign in to make changes.

    You need to sign in as an administrator.

  6. Scroll down and click Full Disk Access on the left.

    Full disk access permissions.

  7. Drag the Sophos icon from Sophos Endpoint to Privacy & Security.

    Adding full access permissions for Sophos Endpoint.

  8. You need to grant full disk access to Sophos User Agent. Choose from the following options:

    • Click Select Quit & Reopen to do this immediately.
    • Click Later to give permissions and carry on working. You will need to restart your Mac to give full disk access. You're still protected.
  9. Close Privacy & Security.