search cancel

Duplicate Hardware IDs registered by Endpoint Protection for Mac

book

Article ID: 162936

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

SEP (Symantec Endpoint Protection) for Mac may register a HWID (Hardward ID, AKA Hardware Key) that is the same as one or more Mac clients. This may result in only one client entry listed in the SEPM (SEP Manager) for several machines, or other reporting discrepancies.

Cause

Ususally this is the result of some type of cloning operation. SEP for Mac should regenerate a new HWID when there has been changes to the network adapter MAC addresses or disk numbering, but in some situations it may continue using old HWID data.

Resolution

The following terminal command-line instructions assume that the SMC folder location is current directory—

SEP 14.2 RU2: /Library/Application\ Support/Symantec/Silo/MES/SMC

SEP 14.2 RU1 MP2 and older: /Library/Application\ Support/Symantec/SMC

To force SEP for Mac to regenerate its HWID, perform the following steps:

  1. Unload symdaemon  by entering the following command in Terminal:
    sudo launchctl unload /Library/LaunchDaemons/com.symantec.symdaemon.*plist
  2. Delete the following files - make note of HARDWAREID in the xml file:
    ../SMC/SymantecRegistry.bak 
    ../SMC/SymantecRegistry.xml

  3. Enabling sylink debug logging - this will force regeneration of new SymantecRegistry.xml file. It may take some moments (after restarting symdaemon below) before it is repopulated with HARDWAREID

  4. Restart symdaemon: 
    sudo launchctl load /Library/LaunchDaemons/com.symantec.symdaemon.*plist​

NOTE: SEP for Mac generates its HWID based on a fixed hash (no randomization) of network adapter MAC address(es), hard drive volume IDs, and macOS serial number. Repeating the steps above should result in the same HWID; if the result is a new one then you can assume that the old was a duplicate or otherwise based on hardware that is no longer present. You may see the HWID as HARDWAREID in xml file above, or by enabling sylink debug logging and searching smc_debug.log for "hardware key"