Updates
2023-12-11: The Sonoma-compatible client for WithSecure Elements (version 23.2.51507) is now available for first-time installation, and also as an automatic update for existing installations.
2023-12-07: We are aware that for some customers, databases are not updating when using the current EPP client on macOS Sonoma. This issue is fixed in the upcoming release, which is available as a pre-release for customers who have enabled "Early Access" in their Elements profile.
2023-11-28: We have released MDR for mac with Sonoma support to Pilot customers today, and it is expected to be generally available on 5th December 2023. The currently anticipated release of Elements EPP/EDR for mac with Sonoma support is 12th December 2023.
2023-10-20: Instructions for enabling the audit subsystem improved for clarity
2023-10-04: Article updated with information related to checking audit subsystem for Detection and Response
2023-09-29: Article updated with more information about Endpoint Protection
2023-09-26: Article updated to make parts more clear, addition of an FAQ section, and anticipated release schedule for clients
High-level summary
Apple will release macOS 14 “Sonoma” on September 26th 2023, and currently this version is not yet supported by WithSecure products.
Impacted products
The following WithSecure products for Mac are known to be impacted by this change.
- WithSecure Elements Endpoint Detection and Response (now fixed)
- WithSecure Elements Endpoint Protection (now fixed)
- WithSecure Client Security
- WithSecure Countercept (now fixed)
What is the customer impact?
Detection and Response
Due to Apple disabling the audit subsystem in the new macOS Sonoma, our Detection and Response products for the Mac will not function correctly.
We do appreciate that some of our customers will not be able to delay the rollout of Sonoma, or have already deployed it to some devices, so we recommend those customers enable the audit service as follows.
As a user who has “sudo” privileges, run the following commands:
- sudo cp /etc/security/audit_control.example /etc/security/audit_control
- sudo launchctl enable system/com.apple.auditd
- sudo reboot
NOTE: If these commands print "you are not in the sudoers list" then you do not have the necessary privileges and should contact your system administrator.
The status of the audit subsystem can be checked by running:
- launchctl print system/com.apple.auditd
If that command prints out details, then the audit subsystem is configured and enabled, and should be active after the reboot. The D&R sensor should then work.
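The two conditions above (the audit_control file in place, and launchctl printing details for com.apple.auditd) can be checked from a script when reporting across many Macs. The following is an added example, not WithSecure or Apple code; it is read-only, and the function name, the status strings and the AUDIT_CONTROL / LAUNCHCTL override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only check of the audit subsystem prerequisites
# described in this article. It changes nothing on the machine.

# Overridable so the check can be exercised off-device.
# (Assumption: these variable names are illustrative, not a vendor interface.)
AUDIT_CONTROL="${AUDIT_CONTROL:-/etc/security/audit_control}"
LAUNCHCTL="${LAUNCHCTL:-launchctl}"

# Prints one status word and returns a matching exit code:
#   ok                   (0)  config file present and launchctl printed details
#   missing-config       (1)  audit_control absent or empty (copy step not done)
#   service-unavailable  (2)  launchctl printed no details for com.apple.auditd
# "ok" means configured and enabled; per the article the subsystem
# becomes active after the reboot.
audit_subsystem_status() {
    # The first command of the procedure copies audit_control.example into
    # place, so an absent or empty file means that step has not been done.
    if [ ! -s "$AUDIT_CONTROL" ]; then
        echo "missing-config"
        return 1
    fi

    # Same status command as in the article; a failure exit or empty
    # output is treated as "no details printed".
    details=$("$LAUNCHCTL" print system/com.apple.auditd 2>/dev/null) || {
        echo "service-unavailable"
        return 2
    }
    if [ -z "$details" ]; then
        echo "service-unavailable"
        return 2
    fi

    echo "ok"
    return 0
}

# Run the check only when asked, e.g.:  sh check_auditd.sh report
# ("report" and the file name are this example's own, hypothetical names.)
if [ "${1:-}" = "report" ]; then
    audit_subsystem_status
fi
```

A result other than "ok" identifies a machine where the three commands above still need to be run by a user with sudo privileges.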
Endpoint Protection
The Endpoint Protection products have some minor compatibility issues with Sonoma, due to other changes in the operating system.
Browser Extensions
- The Safari browser extension for the EPP products does not fully work. The "Allow for One Day" functionality is not yet supported. This issue also affects macOS 13 Ventura.
- Ratings icons are not always shown in Google search results
- The block page is shown sometimes after a site is added to the allowed sites list
- The "Allow access" window does not immediately disappear after clicking Allow
Software Updater
- The Software Updater does not currently function correctly with Sonoma, so it cannot update third-party applications at this time.
All other aspects of the Endpoint Protection products work correctly, including anti-virus and anti-malware scanning, database updates, and all related protection components.
Frequently asked questions
Q: Is “Software Updater” the component updating virus definitions or the aspect used for handling 3rd party software?
A: Software Updater is the component that can upgrade 3rd party products in macOS. It does not update virus definitions, and these definition updates function correctly.
Q: What other known issues are there that a user might witness or experience?
A: We are not currently aware of any other issues.
Q: What is the status with Browser Extensions?
A: Currently the Firefox and Chrome extensions work, with some minor issues. For Safari, Apple introduced some new functionality such as "Allow for One Day", and the product does not yet support this. NOTE: The extensions have now been re-tested with the release version of Sonoma.
When will WithSecure release Sonoma-compatible versions of their products?
Our Mac developers are working hard to create new versions of the products, which are fully compatible with macOS Sonoma, but in the meantime we strongly recommend that our customers do not immediately update to this macOS release.
WithSecure Countercept for mac, with Sonoma support, has now been released.
WithSecure Elements Agent for mac, with Sonoma support, has now been released.
We recommend that you bookmark this page, as we will be updating it as the situation evolves.