DLP Agents deployed with MDM profiles on macOS 10.13.2 and later not loading

Article ID: 171411

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

When DLP Agents are installed together with mobile device management (MDM) profiles on macOS 10.13.2 or later, the Agent may not start; and if a system that already has the DLP Agent installed is updated to macOS 10.13.2 or later, the Agent may stop running. The cause is User-Approved Kernel Extension Loading, a feature introduced with macOS 10.13 (High Sierra). Beginning with macOS 10.13.2, kernel extensions are no longer loaded by default on endpoints deployed with MDM: users of these endpoints must approve the loading of any kernel extension, and they may not approve the DLP Agent's extension.

Refer to the Apple Support Article "Prepare for changes to kernel extensions in macOS High Sierra" for additional information: https://support.apple.com/en-in/HT208019.

Environment

The following DLP Agent versions are affected if they are running on macOS 10.13.2 and later:

  • 14.6 MP2 with Hotfix_14.6.0205
  • 15.0 MP1 with Hotfix_15.0.0101
  • 15.1

For macOS version support information, see the Symantec Data Loss Prevention System Requirements and Compatibility Guide at http://www.symantec.com/docs/DOC10602.

Resolution

Allow the DLP Agent's kernel extension to load

Update the MDM profile so that the DLP Agent's kernel extension is allowed to load, by adding a Team Identifier to the list of allowed kernel extensions.

Complete the following steps to add a Team Identifier:

  1. Configure a payload for Kernel Extensions.
  2. Enable Allow User Overrides to allow users to approve kernel extensions.
  3. Add the Team Identifier 9PTGMPNXZ2 as an Allowed Kernel Extension to the payload.
  4. Save the payload.
  5. Set the payload to deploy to all clients where the DLP Agent is installed.

Confirm that the agent is running

After you update your MDM profile and the payload is pushed to endpoints, confirm that DLP Agents are running.

Run the following script on an endpoint to confirm that the DLP Agent is running and that its kernel extension has loaded. It exits with status 2 if either check fails:

  #!/bin/sh
  # Count running DLP Agent (edpa) processes and loaded DLP kernel extensions.
  agent_running=$(ps cax | grep -ic "edpa")
  kext_running=$(kextstat | grep -ic "dlp.fsd")

  # No agent process at all: the cause is not kernel extension approval.
  if [ "$agent_running" -eq 0 ]
  then
      echo "The DLP Agent is not running. Refer to edpa_ext logs for details."
      exit 2
  fi

  # The agent process exists but its kernel extension has not loaded:
  # the extension is still waiting for user approval.
  if [ "$kext_running" -eq 0 ]
  then
      echo "The endpoint user must approve the KEXT for the DLP Agent to run. To approve the KEXT and start the EDPA service, the user goes to the General tab on System Preferences > Security and Privacy, and clicks Allow."
      exit 2
  fi

  echo "The DLP Agent is running and KEXT is approved."

NOTE: To prevent the agent from stopping again in the future, prevent endpoint users from changing the profile on the endpoint.