When DLP Agents with mobile device management (MDM) profiles are installed on macOS 10.13.2 or later systems, the Agent may not start; or, if the DLP Agent is on a system that is updated to macOS 10.13.2 or later, the DLP Agents may stop running. The reason is related to the new feature introduced with macOS 10.13 (High Sierra), User-Approved Kernel Extension Loading. Beginning with macOS 10.13.2, the kernel extension loading by default is not applied to endpoints deployed with MDM. Users of these endpoints are required to approve loading any kernel extensions, and the users may not approve loading the DLP Agent.
Refer to the Apple Support Article "Prepare for changes to kernel extensions in macOS High Sierra" for additional information: https://support.apple.com/en-in/HT208019.
The following DLP Agent versions are affected if they are running on macOS 10.13.2 and later:
For macOS version support information, see the Symantec Data Loss Prevention System Requirements and Compatibility Guide at http://www.symantec.com/docs/DOC10602.
Update the MDM profile to allow kernel extensions to load the DLP Agent by adding a Team Identifier.
Complete the following steps to add a Team Identifier:
9PTGMPNXZ2as an Allowed Kernel Extension to the payload.
After you update your MDM profile and the payload is pushed to endpoints, confirm that DLP Agents are running.
Run the following script to confirm that DLP Agents are running:
agent_running=$(ps cax | grep -ic "edpa")
kext_running=$(kextstat | grep -ic "dlp.fsd")
if [ $agent_running -eq 0 ]
echo "The DLP Agent is not running. Refer to edpa_ext logs for details."
if [ $kext_running -eq 0 ]
echo "The endpoint user must approve the KEXT for the DLP Agent to run. To approve the KEXT and start the EDPA service, the user goes to the General tab on System Preferences > Security and Privacy, and clicks Allow."
echo "The DLP Agent is running and KEXT is approved."