Anti-Virus for macOS

These instructions are primarily for people who want to install Sophos Central Endpoint (Anti-Virus) onto their self-managed or BYOD Apple macOS devices. Please check with your local IT Support Staff about antivirus protection for college and departmental systems as local arrangements often apply, and installing the version intended for personal systems may cause problems.

Table of Contents

  1. Installing the Sophos Software
  2. Sophos Endpoint for macOS 11 (Big Sur) or M1 (Silicon) Apple machines
    1. Installing Sophos Endpoint on Big Sur for the first time
    2. Updating Sophos from macOS Catalina to Big Sur
  3. Checking the status of Sophos 
  4. Updating Sophos for the first time
  5. Keeping Sophos up to date
  6. Frequently Asked Questions (FAQ)
  7. Uninstalling Sophos
  8. Further information and documentation

Installing Sophos

If you haven't already obtained Sophos you can download it via the following link: When the download is complete, navigate to the area it has been downloaded to and open the file named ''. The unzipped file should contain two items: Sophos Installer Components and the Sophos Installer. Please check that your device meets the necessary system requirements before opening the 'Sophos Installer'. You will then be presented with the window displayed below.

Please note: before installing the Sophos software you must uninstall any other anti-virus software you may have installed on the machine (read the software manufacturer's instructions on how to do this).

sophos mac install

Click 'Install'. This will begin the installation. You will then be prompted to insert your administrator username and password. Once you have added these credentials, please click 'Install Helper'.

sophos mac install

Sophos normally takes just a few minutes to install and then you'll see a completion screen. This will confirm that Sophos Endpoint for macOS has successfully installed, the machine has been registered with Sophos Central and the software has been correctly configured. Click 'Quit' when you are ready to continue.

Installing Sophos for macOS 11 (Big Sur) or M1 (Silicon) Apple machines

Due to changes in the latest macOS (Version 11 - Big Sur), extra steps are required to complete installation on your machine. Please see the steps below and linked documentation in order to install Sophos on your machine. 

Note: Apple machines running Apple M1 (Silicon) hardware will need to install Rosetta 2 for Sophos Endpoint to run. Further information on this from Sophos is available at the end of this section.

Installing Sophos Endpoint on macOS Big Sur for the first time

Once you have installed Sophos Endpoint for macOS from as per the instructions above, there are a couple of extra steps to take for those machines running Big Sur.  

  1. After the installation is complete you will see pop-ups relating to system extensions that need to be allowed via Security and Privacy in your System Preferences. These systems extensions will be SophosScan and SophosWebNetworkExtension.
    System Extensions

    Click the 'Open Security Preferences' button on the pop-up. When the Security and Privacy pane has opened, navigate to the 'General' tab, unlock the padlock and log in with your machine credentials. Click Allow.


    A notification may appear asking to restart these services. Select the checkboxes and click OK. A notification may appear asking to restart these services. Select the checkboxes and click OK. 

    sophos extensions
  2. A notification will then open asking that the Sophos Web Extension as a Proxy be allowed. Click Allow.
    Sophos Network Extension
  3. A notification will appear in the top right, asking that you switch on notifications. This will allow Sophos to send notifications to you whenever a detection has been made. Toggle the slider to allow notifications. You may wish to change the notification settings, which can be done via System Preferences > Notifications. 
  4. A Sophos Full Disk Access required notification will appear on your Mac (this may be in the Notification Center on the right hand side), instructing you to drag and drop extensions into the Full Disk Access folder found in your Security and Privacy preferences. Follow the instructions as outlined in the notification below:
Sophos Full Disk Access

You will then need to restart your Mac to complete this installation/update.

Updating Sophos from macOS Catalina to Big Sur 

If you already have Sophos Endpoint from the University installed on your Apple machine and are updating from macOS Catalina to Big Sur, please see the instructions below: 

  1. You will notice that the following error shows when opening the Sophos icon on the menu bar at the top of your screen. 
    Sophos not running
  2. Open Sophos Endpoint and navigate to the 'About' option in the bottom right hand corner. After this, click 'Run Diagnostic Tool'. This will open the Sophos Endpoint Self Help Tool. It will have a number of red warning signs, noting issues to be fixed. 
    Sophos Endpoint Self Help
  3. Navigate to the 'Prerequisites' section. You will see the following screen which requests that certain issues be fixed. 
  4. First, click 'Open Security and Privacy'. You will see a note reporting that some software requires your attention. 
  5. Click 'Details' and check that both Sophos system extensions are ticked, then click OK. A notification may appear asking to restart these services. Select the checkboxes and click OK. 
    sophos extensions
  6. Return to the 'Prerequisites' section of the Sophos Endpoint Self Help Tool, then click Fix next to the 'Full Disk Access' option under the 'Permissions' section. This will open the following screen. Follow the instructions on this window to allow Full Disk Access. 
    full disk access


  7. Return to the 'Prerequisites' section of the Sophos Endpoint Self Help Tool, then click Fix next to the 'Transparent Proxy' option under the 'Permissions' section. This will open the below pop-up. Please click Allow on this option. 
    Sophos Network Extension
  8. You should now switch on notifications. This will allow Sophos to send notifications to you whenever a detection has been made. Please navigate to System Preferences > Notifications and find the Sophos Endpoint UI Server. Toggle to allow notifications and choose how you would like to see them using the options available.
  9. Close the Self Help Tool and re-open Sophos. Navigate to the 'About' section and click Update Now. Sophos Endpoint should then update successfully and all service should be running. You can check this in the Self Help Tool. 
    services running


Instructions from Sophos:

Checking the status of Sophos

When the software has been successfully installed, navigate to the menu bar at the top of your screen. You should now see an icon depicting the symbol of a shield, which you can use to easily access the Sophos Endpoint software. When you click on this icon you should be presented with the status of Sophos running on your machine. As per the screen shot below, it should confirm that your machine is protected.

sophos mac menu bar

Upon clicking 'Open Sophos Endpoint' you will be presented with the below window. It shows a summary of detected threats that Sophos has protected your device from, as well as options to view Events and more detailed Scan Information. The status of your machine is also displayed here.

sophos mac endpoint

Updating Sophos for the first time

Sophos Endpoint for macOS now needs to be updated so that it can detect recent malware. To do this make sure that you are connected to the Internet and then click on the shield to bring up the menu shown and select 'Open Endpoint'.

When you have navigated to the Sophos Endpoint window, click the 'About' option in the lower right hand corner. You will then be presented with the following screen.

sophos update first time

In order to update Sophos Endpoint for the first time, click 'Update Now'. This will then connect to Sophos Central and download the most recent update to your machine. When this is complete, you will be presented with a green tick confirming that the software is up to date.

sophos updated

Keeping Sophos up to date

Sophos Endpoint is configured to automatically download and install updates to keep your defences against viruses, trojans, and worms as up-to-date as possible. On networked computers, this occurs once an hour for the Sophos detection engine and every 10 minutes for the threat detection data. 

If either the automatic update or the manual update fails for any reason the shield on the menu bar will have a cross in the middle of it. Your computer does need to be connected to the Internet in order to download updates so if you see this icon when you are not connected this is normal and nothing to be concerned about. When you reconnect to the Internet it may take up to an hour before Sophos tries to update again and the shield returns to normal. In this instance you may wish to 'Update Now' manually to bring the machine back to date promptly. To find out when the program last updated itself, click on the shield on the menu bar, select 'Open Endpoint' then 'About'.

You should see a window showing the last date and time that Sophos was updated.

sophos zoom

You can also update Sophos manually at any time by clicking 'Update Now'.

Frequently Asked Questions (FAQ)

Below we have answered a number of frequently asked questions regarding Sophos Endpoint for MacOS.

I would like to run a scan on my machine – how do I do this?

In order to run a scan, open Sophos Endpoint. You have two options, either to start the scan using the 'Scan Now' button on the intial window, or navigate to the 'Scan Info' option.

sophos mac scan now

Click 'Scan Now' to initiate a scan of your machine. This may take some time, but you can see the progress in the form of a completion bar, as well as the number of files that are remaining to scan and any detections.

I have an issue with Sophos - how can I get assistance?

In order to report an issue with Sophos Endpoint for macOS on your BYOD device, please speak with the IT Services Service Desk. They can be contacted at or 01865 (6)12345. When reporting this issue it is important to include the following information:

  • Version of macOS
  • Your unique Endpoint ID
  • Version of Sophos

Rather helpfully, all of this information can be found within Sophos itself. In order to find this information, open Sophos Endpoint and navigate to the 'About' section. You should then click the 'Run Diagnostic Tool' button. This will open the Sophos Endpoint Self Help tool.

sophos self help

This tool provides more in-depth detail into Sophos Endpoint and the background process and policies set up for this device. In this instance, please navigate to the 'System' option. You will be presented with a screen similar to the below screenshot. We recommend providing these details to the Service Desk when reporting an issue so that they have all the data required to begin an investigation.

sophos self help 2

Uninstalling Sophos

In order to uninstall Sophos Endpoint, navigate to your Applications folder and locate the application 'Remove Sophos Endpoint'. Run this application.

sophos uninstall

Click 'Continue', then insert your administrator password to continue. The uninstall will then proceed to run. When the uninstall has completed, you will be presented with the following screen.

sophos uninstall

Further Information and Documentation

If you encounter any problems there is a Frequently Asked Questions (FAQ) web page with answers to some of the most common issues that people encounter.

Sophos provide full documentation in their Sophos Endpoint for macOS documentation. This has also been provided as a PDF manual.

Support Contacts

For a personally managed device or for general advice, please contact the IT Services Service Desk.

For a University or Department owned device, please contact your Local IT Support Staff.

IT Support Staff to contact OxCERT.

About this Service

This service is provided by

OxCERT logo

For more details about service governance refer to the service catalogue entry.