Install Sophos Connect Client on macOS
Sophos Connect can be used on macOS for Remote Access with Sophos Firewall. In current versions, IPsec is no longer the only option: since Sophos Connect 2.0, Remote Access SSL VPN is also possible on macOS. This has changed the recommendation for many environments.
This article describes the installation on macOS, the import of the appropriate connection, and the key checks after establishing the connection. For the fundamental decision between Sophos Connect, SSL VPN, OpenVPN clients, and ZTNA, see Sophos Connect or SSL VPN: Which Remote Access Solution Fits?.
Which Article Fits?
Sophos Connect on macOS quickly overlaps with other remote access articles. Depending on the task, a different starting point may be better:
| Situation | Suitable Starting Point |
|---|---|
| Install Sophos Connect on macOS | This article |
| Set up SSL VPN on macOS with .ovpn | Set up Sophos SSL VPN with Sophos Connect on macOS |
| Prepare Sophos Connect on the Firewall | Configure Sophos Connect on Sophos Firewall |
| Plan client versions, updates, and profile maintenance | Check and Securely Update Sophos Connect Client Version |
| VPN is connected, but traffic does not work | Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture |
This separation is important because client installation is only part of remote access operations. Firewall rules, DNS, MFA, certificates, VPN portal, and profile distribution remain separate checkpoints.
Prerequisites
- Sophos Firewall with configured remote access
- Sophos Connect Client in a version compatible with the firewall and platform
- For Sophos Connect 2.0 or newer: macOS Ventura 13 or newer
- Mac with Intel processor or Apple Silicon via Rosetta 2
- Configuration file for IPsec (.scx or .tgb) or SSL VPN (.ovpn)
- User account with VPN permission and, if enabled, working MFA
- Firewall rules for traffic from the VPN zone or the used remote access zone
If SSL VPN is to be used on macOS, Sophos Connect 2.0 or newer must be used. Older internal instructions should therefore be checked to see if they still assume the earlier IPsec-only situation. For version checking, update planning, and typical DNS/profile issues, see Check and Securely Update Sophos Connect Client Version.
Important: No provisioning file support is documented for macOS. Therefore, for macOS, planning should be done with an imported IPsec configuration file or an .ovpn file. If a rollout is to be fully automated, it must first be checked whether the deployed MDM can accurately map the file and user processes.
1. Download Sophos Connect Client
The Sophos Connect Client for macOS can be obtained depending on the environment via the firewall, the VPN portal, or the Sophos Download Page. In managed environments, it should be defined which client version is distributed and where users obtain the appropriate configuration file.
For IPsec, a .scx or .tgb file is typically used. For SSL VPN, an .ovpn file is imported. Which file is correct depends on the remote access configuration on the firewall.
| Profile Type | File | macOS Note |
|---|---|---|
| IPsec Remote Access | .scx or .tgb | usable with Sophos Connect on Intel and Apple Silicon |
| SSL VPN | .ovpn | Sophos Connect 2.0 or newer required |
| Provisioning | .pro | not planned as standard for macOS |
In a classic Sophos Connect IPsec configuration, the connection is exported in WebAdmin:
- Open VPN > Sophos Connect Client on the Sophos Firewall.
- Export connection.
- Securely store the file and provide it only to authorised users.
Depending on the download source, the installer is in a zip file. After unpacking, you typically find the Sophos Connect.pkg package for macOS.
For managed Macs, the installer should not be widely distributed without a pilot group. At least one Intel Mac and one Apple Silicon Mac should be tested first if both platforms are present in the company.
2. Install Sophos Connect Client
The installation is started with a double-click on Sophos Connect.pkg. After completing the installation wizard, the window can be closed with Close.
On Apple Silicon devices, Rosetta 2 may be required. If macOS displays a corresponding message during installation, Rosetta 2 should be installed, and the client should be restarted.
After installation, the version should be checked directly in the client. This is especially important if multiple installation packages were circulating internally or if users had previously installed the client.






3. Download Connection File
On first start, Sophos Connect requires a connection configuration. This file should come from the currently valid firewall configuration and not be reused from an old user archive.
Typical connection files:
| Purpose | File | Where it comes from |
|---|---|---|
| IPsec Remote Access | .scx or .tgb | Export under VPN > Sophos Connect Client |
| SSL VPN | .ovpn | VPN portal or administrative export |
If old remote access IPsec configurations are still in use before an SFOS-22-MR1 upgrade, an old profile should not simply be redistributed. In this case, first check Migrate Legacy Remote Access IPsec before SFOS 22 MR1.
Profiles should be treated like access data. An old .ovpn, .scx, or .tgb file can still contain internal networks, gateway names, certificates, or user references. If gateway, certificate, DNS, user group, IP pool, or authentication have changed, the profile should be re-exported and re-imported.
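A pre-distribution check for the point above, as an added example that is not Sophos tooling or part of the original article. It assumes standard OpenVPN directives (`remote`, `port`, inline `<key>` blocks); the function names, the sample profile and the example.com gateways are constructed.

```shell
#!/bin/sh
# Added example: audit an .ovpn profile before it is handed out again.
# Profile content and gateway names are constructed (example.com, placeholder keys).

# Print each gateway as host:port. OpenVPN syntax: remote host [port]; default 1194.
ovpn_remotes() {
    awk '{ sub(/\r$/, "") }
         $1 == "port"   { dport = $2 }
         $1 == "remote" { n++; host[n] = $2; port[n] = $3 }
         END { for (i = 1; i <= n; i++)
                 print host[i] ":" (port[i] != "" ? port[i] : (dport != "" ? dport : "1194")) }' "$1"
}

# Name inline blocks that carry secret material rather than public certificates.
ovpn_inline_secrets() {
    awk '/^<(key|pkcs12|tls-auth|tls-crypt)>/ { sub(/\r$/, ""); gsub(/[<>]/, ""); print }' "$1"
}

# $1 = profile path, $2 = currently approved gateway as host:port.
# Returns 0 = nothing to fix, 1 = findings, 2 = no gateway in the file.
ovpn_audit() {
    profile=$1; approved=$2; findings=0
    remotes=$(ovpn_remotes "$profile")
    if [ -z "$remotes" ]; then echo "FAIL  no remote directive"; return 2; fi
    for r in $remotes; do
        if [ "$r" = "$approved" ]; then echo "OK    gateway $r"
        else echo "STALE gateway $r (approved: $approved)"; findings=1; fi
    done
    for s in $(ovpn_inline_secrets "$profile"); do
        echo "NOTE  inline <$s> block: treat the file as a credential"
    done
    if [ -n "$(find "$profile" -perm -004)" ]; then
        echo "PERM  file is readable by every local user"; findings=1
    fi
    return "$findings"
}

# Constructed sample profile; the mode mimics a file left in a shared folder.
write_sample_profile() {
    printf '%s\n' client 'dev tun' 'proto tcp' 'remote vpn-old.example.com 8443' \
        auth-user-pass '<ca>' CONSTRUCTED-PLACEHOLDER '</ca>' \
        '<key>' CONSTRUCTED-PLACEHOLDER '</key>' > "$1"
    chmod 644 "$1"
}

demo_dir=$(mktemp -d)
write_sample_profile "$demo_dir/user.ovpn"
ovpn_audit "$demo_dir/user.ovpn" "vpn.example.com:8443" || echo "audit exit code: $?"
```

A non-zero exit code means the profile should be re-exported from the firewall or its file permissions tightened before it is distributed.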
4. Set Up Sophos Connect Client
Setting up the Sophos Connect Client is completed in a few steps:
- Open Sophos Connect.
- Select Import Connection.
- Import the appropriate connection file.
- Check the connection under Connections.
- Click Connect.
- Log in with the VPN user and confirm MFA if enabled.
After successfully establishing the connection, you should also check whether internal DNS names are resolved and whether the required systems are reachable. If the connection is established but no traffic flows, Log Viewer, Policy Test, and Packet Capture can help. The appropriate guide is Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture.
For SSL VPN on macOS, the DNS test is particularly important. Sophos Connect 2.0 MR1 fixes an issue where DNS settings for SSL VPN connections on macOS were not applied correctly. If internal names are not resolved, the version and profile status should be checked first before blindly adjusting DNS rules.





IPsec with macOS Built-in Tools
Depending on the firewall configuration, Remote Access IPsec can also be set up with macOS built-in tools. This is a separate operating model and should not be confused with Sophos Connect. It can be useful if no additional client software is desired, but it does not fit every environment.
Practical procedure if this variant is consciously used:
- Log in to the User Portal of the Sophos Firewall.
- Download the appropriate IPsec configuration for Apple devices.
- Open and install the profile on the Mac.
- Check the connection in macOS network settings.
- Test the connection and validate internal targets.



If Sophos Connect and macOS built-in tools are used in parallel, this should be intentionally documented. Otherwise, support cases arise where users say “VPN” but mean different profiles, protocols, and DNS behaviours.
Check After Installation
After installation, these points should be checked:
- Sophos Connect version matches the macOS version used.
- Rosetta 2 is available on Apple Silicon if the client requires it.
- The imported file corresponds to the desired protocol: IPsec or SSL VPN.
- User is authorised in the correct VPN group.
- MFA works and the prompt is clear to the user.
- Client receives a suitable VPN IP.
- Internal DNS names are resolved.
- Firewall rules for the VPN zone allow only the required targets.
Acceptance Test for macOS
A green connection status is not sufficient as acceptance. For a reliable rollout, a test user should go through these points:
| Test | Expected Result |
|---|---|
| Check client version | Version matches macOS, IPsec or SSL VPN, and internal release |
| Check Apple Silicon | Rosetta 2 is present and Sophos Connect starts reliably |
| Import profile | correct file for IPsec or SSL VPN is accepted |
| Test MFA | Login requires the expected second factor |
| Test DNS | internal FQDNs resolve correctly |
| Test access | allowed servers work, disallowed targets remain blocked |
| Check Log Viewer | Traffic from the VPN zone hits the expected firewall rule |
| Test reconnect | Disconnect, network change, and reconnect work |
In mixed environments, at least one Intel Mac and one Apple Silicon Mac should be tested. If Windows clients are also in use, the behaviour should not be silently equated. Platform, profile type, and client version may differ.
Rollout Notes for Managed Macs
For a few users, a manual installation with controlled profile import is often sufficient. In larger environments, Sophos Connect should be treated like other security-relevant client software.
Before a broad rollout, clarify:
- Which Sophos Connect version is approved?
- Which macOS versions are in use?
- Are there Intel Macs, Apple Silicon Macs, or both?
- Is IPsec, SSL VPN, or both used?
- Where do users get the current profile?
- Who informs users when profiles need to be re-imported?
- How does the helpdesk recognise outdated profiles?
- Are VPN portal, MFA, and certificates monitored separately?
Old installation packages and old profiles should be removed from internal download repositories or clearly marked as outdated. Especially with remote access, “some old profile from the download folder” quickly leads to unnecessary troubleshooting.
Troubleshooting
Connection is imported but not established
First, check whether the file belongs to the correct protocol and whether the Sophos Connect version is suitable for it. SSL VPN on macOS requires Sophos Connect 2.0 or newer. Then check user authorisation, MFA, certificate, gateway, firewall time, and reachable VPN portal or gateway FQDN.
Internal names are not resolved
For SSL VPN on macOS, the deployed Sophos Connect version should be checked, as there have been specific fixes in this area. Then check DNS server, search domains, imported profile, and firewall rules.
If IP addresses work but names do not, DNS is the likely cause. If IP addresses also do not work, routing, firewall rules, NAT, or return path are more likely.
Connection is established, but no access works
Then the cause is often firewall rules, routing, NAT, or return path. In the Log Viewer, it should be visible whether traffic from the VPN zone hits the expected rule. For IPsec special cases, see Sophos Firewall IPsec VPN Troubleshooting.
Connection does not work after profile change
After changes to gateway, certificate, port, DNS, IP pool, user group, or authentication, the profile should be re-exported and re-imported. A client update does not automatically replace an old profile.
Saving credentials is not visible
Sophos has re-enabled this option for SSL VPN on macOS in Sophos Connect 2.0 MR1. After an update, the configuration file must be re-imported to use the option. In environments with MFA, it should also be checked whether saving credentials fits the security concept.
Connection is established, but large transfers hang
If login, DNS, and small accesses work, but larger file transfers or certain applications hang, MTU/MSS should also be checked. The error pattern often fits fragmentation, PPPoE, tunneled connections, or an asymmetric path. The procedure is in Check Sophos Firewall MTU and MSS for VPN Issues.
Collect Support Data
If the error is not directly visible, the time, user, macOS version, Sophos Connect version, profile type, source network, and target system should be documented. On the firewall, Log Viewer, sslvpn.log, IPsec logs, Packet Capture, and the affected firewall rule help. The assignment of log files is in Sophos Firewall Troubleshooting: Services and Logs.
FAQ
Does Sophos Connect support SSL VPN on macOS?
Is Apple Silicon supported?
Can macOS built-in tools still be used for IPsec?
Does Sophos Connect support provisioning files on macOS?
.pro provisioning files should not be planned as standard. IPsec configuration files and SSL VPN .ovpn files are documented for macOS, but provisioning support is not.