Known issues using macOS 10.13 with DLP Agent versions 14.6 MP2 through 15.5

Article ID: 170328

Products

  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Enforce
  • Data Loss Prevention Endpoint Discover

Issue/Introduction

  • Symantec Data Loss Prevention (DLP) versions 14.6 MP2 through 15.5 support agent monitoring on macOS 10.13.
  • Refer to "Table 1: Known issues for 14.6 MP2 through 15.5 support on macOS 10.13" for a list of known issues and workarounds where they exist.

Resolution

Table 1: Known issues for 14.6 MP2 through 15.5 support on macOS 10.13

Issue:

If you use MDM profiles and update endpoints to macOS 10.13.2 and later, the DLP Agent may stop running.

If you install the DLP Agent on macOS 10.13.2 and later and use MDM profiles, the agent may not start running.

These issues occur because macOS prompts users to approve third-party software extensions before they load, and users may not approve the DLP Agent to run.

For more information on this issue and why it occurs on macOS 10.13.2 and later, refer to the Apple article "Prepare for changes to kernel extensions in macOS High Sierra."

Workaround:

Update MDM profiles to whitelist the DLP Agent kernel extension. For steps, refer to http://www.symantec.com/docs/TECH250016.

Issue:

If you do not use MDM profiles, the "System Extension Blocked" dialog displays on the endpoint after the agent installation completes, and the EDPA service does not start.

If the EDPA service does not start, the agent cannot monitor data.

This issue occurs because macOS 10.13 requires that endpoint users approve newly installed third-party kernel extensions (KEXTs) before they can load.

For more information on this issue and why it occurs on macOS 10.13, refer to the Apple Technical Note TN2459.

Workaround:

Use a valid MDM profile to sign Symantec drivers to enable the EDPA service.

If you do not use MDM profiles, the endpoint user completes the following to enable monitoring:

  1. Click OK when the "System Extension Blocked" dialog displays.
  2. Go to System Preferences > Security and Privacy, and select the General tab. Click Allow to start the EDPA service.

If the endpoint user does not click Allow within two minutes of the "System Extension Blocked" dialog displaying, the EDPA service does not start. For version 14.6 MP2 and 15.0 DLP Agents, an administrator must start the EDPA service using the start_agent tool, and the endpoint user must click the Allow button.

After 30 minutes, the "System Extension Blocked" dialog and the Allow button no longer display. For 14.6 MP2 and 15.0 agents, the administrator runs the start_agent tool to display the Allow button again, then the endpoint user clicks the Allow button. For version 15.1 DLP Agents, the Allow button displays again after the endpoint is restarted.

You can run a script to identify endpoints where the EDPA service is running:

  #!/bin/sh
  # Count EDPA processes (ps -c prints command names only) and loaded DLP kernel extensions.
  agent_running=$(ps cax | grep -ic "edpa")
  kext_running=$(kextstat | grep -ic "dlp.fsd")

  # No EDPA process: the agent itself is down, not just the KEXT approval.
  if [ "$agent_running" -eq 0 ]
  then
    echo "The DLP Agent is not running. Refer to edpa_ext logs for details."
    exit 2
  fi

  # EDPA is running but the KEXT is not loaded: the user has not approved it yet.
  if [ "$kext_running" -eq 0 ]
  then
    echo "The endpoint user must approve the KEXT for the DLP Agent to run. To approve the KEXT and start the EDPA service, the user goes to the General tab on System Preferences > Security and Privacy, and clicks Allow."
    exit 2
  fi

  echo "The DLP Agent is running and KEXT is approved."
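The following is an added example, not the script from this article or from Symantec: it performs the same two checks (an EDPA process in `ps cax`, a "dlp.fsd" entry in `kextstat`), but as a function that takes the command output as arguments, so it can be exercised against constructed sample output on any platform and then fed live output on a macOS 10.13 endpoint. It also goes one step beyond the article's script by returning a distinct status for each failure (2 when EDPA is not running, 3 when EDPA runs but the KEXT is still unapproved), which is what an inventory or MDM reporting job needs to separate "agent down" from "approval pending". The process name "edpa" and the fragment "dlp.fsd" come from the article; the sample output, the placeholder bundle name com.example.dlp.fsd and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the Symantec article's script). dlp_status takes the output
# of `ps cax` and `kextstat` as arguments so the check can run against constructed
# sample text ("demo" mode, the default) or against live output on a macOS 10.13
# endpoint ("live" mode). Exit codes 2 and 3 are an assumption of this example.

# dlp_status PS_OUTPUT KEXTSTAT_OUTPUT
#   Prints a one-line verdict and returns:
#     0  EDPA running and the DLP KEXT loaded (user-approved or MDM-whitelisted)
#     2  EDPA is not running
#     3  EDPA is running but the KEXT is not loaded (approval still pending)
dlp_status() {
    ps_out=$1
    kext_out=$2
    # grep -c prints the number of matching lines; "|| true" stops a zero count
    # from being treated as a failure when the caller runs under "set -e".
    agent_running=$(printf '%s\n' "$ps_out" | grep -ic 'edpa' || true)
    kext_loaded=$(printf '%s\n' "$kext_out" | grep -ic 'dlp\.fsd' || true)

    if [ "$agent_running" -eq 0 ]; then
        echo "NOT_RUNNING: the DLP Agent is not running. Refer to edpa_ext logs for details."
        return 2
    fi
    if [ "$kext_loaded" -eq 0 ]; then
        echo "KEXT_BLOCKED: EDPA is running but the KEXT is not loaded; the user must click Allow under System Preferences > Security and Privacy > General."
        return 3
    fi
    echo "OK: the DLP Agent is running and the KEXT is approved."
    return 0
}

# Constructed sample output (not captured from a real endpoint). com.example.dlp.fsd
# is a placeholder bundle name that contains the "dlp.fsd" fragment the check greps for.
PS_HEADER='  PID TTY           TIME CMD'
PS_WITH_AGENT="$PS_HEADER
    1 ??         0:05.10 launchd
  412 ??         0:01.23 edpa
  530 ??         0:00.40 Finder"
PS_WITHOUT_AGENT="$PS_HEADER
    1 ??         0:05.10 launchd
  530 ??         0:00.40 Finder"
KEXT_HEADER='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>'
KEXT_WITH_DLP="$KEXT_HEADER
  150    0 0xffffff7f82a3b000 0x1e000    0x1e000    com.example.dlp.fsd (15.5)"
KEXT_WITHOUT_DLP="$KEXT_HEADER
   20    0 0xffffff7f80f0c000 0x2000     0x2000     com.apple.kec.pthread (1)"

# Run the three states the article describes against the constructed samples.
demo() {
    dlp_status "$PS_WITH_AGENT" "$KEXT_WITH_DLP" || :
    dlp_status "$PS_WITHOUT_AGENT" "$KEXT_WITH_DLP" || :
    dlp_status "$PS_WITH_AGENT" "$KEXT_WITHOUT_DLP" || :
}

# "live" feeds real command output on a macOS endpoint; anything else runs the demo.
case "${1-}" in
    live) dlp_status "$(ps cax)" "$(kextstat)" ;;
    *)    demo ;;
esac
```

On an endpoint, `sh dlp_status.sh live` prints the verdict and exits with the status code, so a management tool can collect the exit code rather than parse the message. The "dlp.fsd" match stays deliberately loose, as in the article, because the check only needs to know whether a DLP file-system KEXT is loaded, not which version.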

Issue:

After upgrading the DLP Agent from version 14.6 MP2 to version 15.0, the "System Extension Blocked" dialog displays on the endpoint, prompting the user to approve the third-party kernel extension (KEXT).

For more information on this issue and why it occurs on macOS 10.13, refer to the Apple Technical Note TN2459.

This issue does not prevent the agent from monitoring data, but it does prevent agent security components from running.

Workaround:

The endpoint user completes the following to approve the KEXT:

  1. Click OK when the "System Extension Blocked" dialog displays.
  2. Go to System Preferences > Security and Privacy, and select the General tab. Click Allow to start the EDPA service.

After 30 minutes, the Allow button no longer displays. The endpoint user restarts the endpoint to display the Allow button again.

Issue:

Safari is not monitored by default.

Workaround:

As of 15.1, DLP Agents on Macs can monitor Safari as a first-class channel. To monitor Safari in DLP 15.0 and earlier, use Application File Access.

Issue:

Applications protected by System Integrity Protection (SIP) are not monitored by default.

Workaround:

Enable SIP monitoring for macOS 10.13 for DLP Agent versions 14.6 MP2 and 15.0 to monitor applications protected by SIP. Refer to www.symantec.com/docs/TECH235226.

Issue:

Endpoint Discover scans on endpoint file systems mounted on the Apple File System (APFS) fail.

The version 14.6 MP2 and 15.0 DLP Agents do not support scans on APFS drives.

Workaround:

None.