What are some of the more common questions pertaining to Symantec Endpoint Protection (SEP) for Mac?

Which operating systems are supported?

Please see Compatibility between Symantec Endpoint Protection for Mac and versions of Mac OS X for specific Symantec Endpoint Protection version requirements. Note: You may see "System Extension Blocked" when installing SEP on macOS version 10.13, or newer -- this may be resolved by authorizing Symantec kernel extensions by using the macOS Security & Privacy system preference pane.

To authorize the system extension for Symantec Endpoint Protection, during the setup of your Symantec Endpoint Protection client, in the Security & Privacy dialog box, on the General tab, at System software from application "Symantec Endpoint Protection" was blocked from loading, click Allow:

 
What if I wish to perform a major upgrade to the macOS operating system with SEP installed?

For minor updates to Mac OS X, such as 10.14.4 to 10.14.5, the Symantec Endpoint Protection client can remain in place.

For a major update to Mac OS X on a client system (from OS X 10.13 to OS X 10.14, for example), upgrade the Symantec Endpoint Protection client to the version that is compatible with the newer operating system, and then upgrade the operating system. Otherwise, uninstall the Symantec Endpoint Protection client and cleanly reinstall the compatible version after upgrade to avoid possible corruption to logs and other Symantec Endpoint Protection components.

 
What about Mac OS X Server?

Although Symantec does not officially support Mac OS X Server, there are only minor differences between Mac OS X and Mac OS X Server; Symantec Endpoint Protection for Mac will function and scan for threats as expected. For guidance on best practices, please see Recommendations for installing Symantec Endpoint Protection for Macintosh on Mac OS X Server.

How do I install SEP for Mac?

Installing the Symantec Endpoint Protection client for Mac covers both managed and unmanaged installations. Push deployment from the Symantec Endpoint Protection Manager (using the Client Deployment Wizard) is supported as of Symantec Endpoint Protection 12.1.5.

I already have a Symantec antivirus/security product on my Mac. Do I have to uninstall it first before installing SEP for Mac?

Endpoint Protection client for Mac versions earlier than 12.1.4 must be uninstalled before you upgrade to version 14. You do not need to uninstall later versions first. See Supported upgrade paths to Symantec Endpoint Protection.

What about upgrading SEP for Mac to a newer version? Can I use Upgrade Groups with Package (auto-upgrade)?

Auto-Upgrade is supported as of 14, but cannot be used to upgrade from 12.1. You must export a client package for the new version then install or deploy as you would a new installation; it is not possible to use the Upgrade Groups with Package wizard (auto-upgrade) to migrate Macintosh clients up to a later client version. However, you can usually install the new version directly over the old without uninstalling first; see the previous question.

There's no Add or Remove programs for Mac. How do I uninstall?

As of version 14, you can uninstall through the menu bar once the SEP client UI is open. See Uninstalling the Symantec Endpoint Protection client for Mac for more information.

How can I configure the SEP Manager to supply definitions to SEP for Mac clients?

The Symantec Endpoint Protection Manager cannot host Macintosh LiveUpdate content the same way as it does for Windows clients. As of Symantec Endpoint Protection version 12.1 RU4 the Symantec Endpoint Protection Manager can be configured as a reverse proxy for downloading and caching the latest Macintosh LiveUpdate content. All Macintosh updates otherwise must otherwise occur through Symantec LiveUpdate or from an internal LiveUpdate Administrator (LUA) server. Please see Using the LiveUpdate Administrator 2.x to download updates for Symantec Endpoint Protection for Macintosh for information on how to configure LUA for this content.

Note: it is not recommended or supported for LiveUpdate Administrator and Symantec Endpoint Protection Manager to be on the same physical server. If you are looking for the standalone definitions updater, Intelligent Updater, for the Symantec Endpoint Protection (SEP) client for Mac, please refer to "Intelligent Updater and Endpoint Protection for Macintosh".

Can a SEP for Mac client get updates from a Group Update Provider (GUP)?

No, for the same reasons outlined above.

 
Can a SEP for Mac client act as a GUP?

No.

How do I get Rapid Release definitions onto my SEP for Mac client?

Rapid Release definitions are not available for Mac security products.

How often are updates for SEP for Mac released?

Daily, usually in the morning Pacific time (west coast, USA).

 
How do I know whether or not the SEP for Mac client is managed?

Connection Status: Connected appears under Management on the Symantec QuickMenu.

Is it possible to convert an unmanaged SEP for Mac client to a managed client?

Yes, see How to convert an unmanaged Symantec Endpoint Protection for Macintosh client to managed for more information.

How do I prevent Windows policies from applying to Macs?

Windows-specific policies will not apply to Macs; only those policies which contain Mac specific settings will be parsed and applied by the SEP for Mac client.

Can Mac clients use custom Intrusion Prevention signatures?

No.
 

What about Device Control?

Version 14 introduced Device Control for the Mac client. You can enable Device Control on managed clients only. See Mac Device Control in Endpoint Protection.

Is Active Directory integration supported for Mac clients?

Use SEP 14.3 RU1 MP1 (14.3.3580) or newer to support SEPM synchronization with AD/LDAP OUs.

I can send Mac clients a command to become an Unmanaged Detector or to enable or disable Network Threat Protection, but nothing happens. Why?

Even though the command can be sent, these features are not supported for Symantec Endpoint Protection for Mac clients.

How can I quickly disable the SEP client on Macintosh, e.g. for troubleshooting purposes?

In the latest version of Symantec Endpoint Protection, Virus and Spyware Protection and Network Threat Protection can be disabled/re-enabled by unloading/loading the SymDaemon service:

sudo launchctl unload /Library/LaunchDaemons/com.symantec.symdaemon.*plist
sudo launchctl load /Library/LaunchDaemons/com.symantec.symdaemon.*plist
# the asterisk in daemon pathnames will accommodate suffix variations - SEP 14.0+ use com.symantec.symdaemon.NFM.plist

Is Location Awareness supported for SEP for Mac?

Location Awareness was introduced for Symantec Endpoint Protection for Mac clients in version 12.1. Supported conditions for ALS and Mac clients:
-    Computer IP Address
-    Gateway Address
-    DNS Server address
-    DHCP server address
-    Network connection Type
-    Management Server connection
-    DNS Lookup
-    Wireless SSID
-    DHCP connection DNS suffix
-    ICMP request (ping)

Can Mac clients use User Mode?

It is not possible to convert a SEP for Mac client to User Mode. Onlly Computer Mode will work.

How can I lock down settings for SEP for Mac clients?

There are not many changes that the end user can make, but if you want to prevent them from disabling Auto-Protect or Network Threat Protection (intrusion prevention), make sure their group is set to Server Control and unlock the padlock icon within the appropriate policy types.

When the policy types are locked and/or the group is set to Server Control, SEP for Mac UI options will be disabled and grey. When unlocked, they will be green and changeable for an admin-level account.

How can I prevent SEP for Mac users from manually launching LiveUpdate?

The macOS Parental Controls feature, used to manage users in order to restrict applications that are launched on the system, could be used to restrict the manual launch of LiveUpdate. However, under normal circumstances, Administrators and Standard users alike should be able to launch LiveUpdate manually, whether the LiveUpdate policy is checked allowing clients to manually launch LiveUpdate or not.

 
Does SEP for Mac do email scanning?

No. SEP for Mac only performs file system virus/spyware scanning. There is no proxying of incoming or outgoing messages for email clients like Mail or Entourage, as there is in the optional email component of SEP for Windows. SEP for Mac AutoProtect does monitor and scan everything that is being written to the hard drive, including attachments that a user may attempt to save from an email message. However, email client inboxes and other email archives may become corrupt if SEP scans mail folders under the user profile directories. As a best practice, those directories should be excluded from SEP scans. See How to create a Security Risk Exception for a Mac client and check the documentation for your email client.

 
Where can I find LiveUpdate/installation/other logs for troubleshooting?

The GatherSymantecInfo tool can be used to collect SEP for Mac client data. An exported System Profiler report will often also provide a lot of information about the system in question.

• LiveUpdate log: /Library/Application Support/Symantec/Silo/NFM/LiveUpdate/Logs/LiveUpdateLog (not human readable)
• LiveUpdate lux log: /Library/Application Support/Symantec/Silo/NFM/LiveUpdate/Logs/lux.log

There may also be /Library/Application Support/Symantec/LiveUpdate/liveupdate.conf but this location is overwritten every time LiveUpdate runs. Do not edit this file. It is a temporary record of the settings last used and combined from /etc/liveupdate.conf and the Mac OS Network settings.

For the installation, no separate log is written. Instead it is written to the system's installation log, which is most easily viewable via the Console application. With Console open, show the log list if it is not already showing. Click to expand Files, click to expand /private/var/log, and then look for install.log (see image below). After listing some environmental variables, the phrase "Symantec Endpoint Protection Installation Log" appears at the beginning of the installation cycle.

What about Communication Module/Sylink debugging?

This document can be used to enable Sylink debugging for client communication problems with the Symantec Endpoint Protection Manager.

Where can I find additional technical information?

When using System Information / System Profiler, instead of printing, however, you will want to save the file. Before saving, under View, ensure "Full Profile" is selected.
About System Information and System Profiler