Installation Process on macOS
The standard hidden service account "_sophos" that is used during installation/setup on macOS is granted a secure token upon creation. This is NOT desired behavior as it means that Sophos cannot be installed during a preStage enrollment into an MDM solution.
Please add the following tag to the user-creation process for the sophos user so that the account does not receive a secure token:
    sudo dscl . append /Users/sophos AuthenticationAuthority ";DisabledTags;SecureToken"
See this article from Apple for more information: https://support.apple.com/guide/deployment-reference-macos/using-secure-and-bootstrap-tokens-apdff2cf769b/web
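To confirm the result on a Mac after the tag has been applied, the account's AuthenticationAuthority attribute can be read back and classified. The script below is an added example, not code from Sophos or from the author of this request; the function names and the two sample attribute strings are constructed for illustration, and the account name is passed as an argument.

```shell
#!/bin/sh
# Added example: classify an account's Secure Token state from the text of
# its AuthenticationAuthority attribute as printed by `dscl . -read`.

# Constructed sample attribute values (not captured from a real system).
SAMPLE_GRANTED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;'
SAMPLE_DISABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;DisabledTags;SecureToken'

# Prints one of: disabled | granted | both | none
# Runs in a subshell so `set -f` (no globbing) does not leak to the caller.
secure_token_state() (
    set -f
    granted=0
    disabled=0
    for entry in $1; do            # attribute entries are whitespace-separated
        case "$entry" in
            ";DisabledTags;"*SecureToken*) disabled=1 ;;
            ";SecureToken;"*)              granted=1 ;;
        esac
    done
    if [ "$granted" -eq 1 ] && [ "$disabled" -eq 1 ]; then
        echo both                  # tag added after a token was already granted
    elif [ "$disabled" -eq 1 ]; then
        echo disabled
    elif [ "$granted" -eq 1 ]; then
        echo granted
    else
        echo none
    fi
)

# Read the attribute for a local account (macOS only) and report its state.
audit_account() {
    attr=$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null) || {
        echo "$1: record not readable"
        return 1
    }
    echo "$1: $(secure_token_state "$attr")"
}

# With account names as arguments on a Mac, audit each; otherwise show samples.
if [ "$#" -gt 0 ] && command -v dscl >/dev/null 2>&1; then
    for account in "$@"; do audit_account "$account" || true; done
else
    echo "sample (granted):  $(secure_token_state "$SAMPLE_GRANTED")"
    echo "sample (disabled): $(secure_token_state "$SAMPLE_DISABLED")"
fi
```

A result of `both` means the account should be checked by hand, for example with `sysadminctl -secureTokenStatus <account>`.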