
Pre-approving the macOS permissions required by Endpoint Protection / Endpoint Security


Article ID: 176222


Products

Endpoint Protection

Issue/Introduction

Apple macOS 10.15 (Catalina) introduces new system protections in addition to the kernel extension authorization requirement that has existed since macOS 10.13.

The SEP/SES (Symantec Endpoint Protection / Endpoint Security) client UI presents the end user with any of the following messages if the required permissions have not been authorized:

Kernel extensions need authorization

System extensions need authorization

You are at risk! You haven't finished Setup and your computer is not protected

Note that the last message may simply mean that setup is unfinished: even with pre-approved permissions in place, the SEP client GUI must be opened at least once to activate the Symantec system extension (*.systemextension).

Cause

The security preferences (extension approvals and privacy permissions) that the SEP/SES for Mac client requires have not been enabled.

Environment

macOS 10.15 and newer

Resolution

Users can follow the SEP prompts and instructions to enable the necessary permissions by hand. Pre-approving these settings without user interaction requires the Mac to be enrolled in an MDM (Mobile Device Management) system. The SEP for Mac client requires the following to function properly:

  1. Permission to install Kernel Extensions (required as of macOS 10.13)
  2. Permission to install System Extensions (new in macOS 10.15)
  3. Full Disk Access (new in macOS 10.15)
  4. Network Content Filtering (AKA Web Content Filtering; new in macOS 10.15 and SEP 14.3 RU1)
  5. RemovableSystemExtensions, a SystemExtensions payload property new in macOS 12 "Monterey" and SEP 14.3 RU3, which allows an app to remove its own system extensions without prompting for administrator credentials.

NOTE: apply only the permissions that the installed version of macOS supports: apply only the kernel extension permission to macOS 10.14 or older, and apply the remaining permissions once the Mac has been upgraded to 10.15 or newer. See the article "Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15".


Attached at the bottom of this article are mobileconfig files with the correct settings for all SEP versions; they can be imported and edited in Jamf or another macOS MDM tool. MDM policies are administered centrally and applied to your Macs so that no user action is necessary to allow the system extensions when deploying SEP. The files include the Team and Bundle IDs of both the Symantec-signed and the Broadcom-signed extension, to accommodate the transition at SEP 14.3 MP1:

SEP version                   Bundle ID                          Team ID
Up to and including 14.3      com.symantec.mes.systemextension   9PTGMPNXZ2
14.3 MP1 and newer            com.broadcom.mes.systemextension   Y2CCP3S9W7

The attachments are unsigned XML (property list) files; they must be imported into the MDM and signed before deployment. Symantec does not assist with that beyond the information in this article; consult your MDM vendor's support and documentation.

In Jamf Pro, for example, first import/upload the mobileconfig as a new macOS configuration profile. It will appear in the Jamf editor, and if you attempt to save it you will see errors on the System Extensions payloads.

WARNING: with the latest version of our mobileconfig, Jamf fails more insidiously: it lets you save the imported profile even though the System Extensions payloads are empty. You must still delete and re-create the System Extensions payloads as described here.

This is a Jamf Pro problem: it currently does not import System Extensions payloads correctly from mobileconfig files (please report it to Jamf Technical Support). All other payloads import correctly. Do NOT try to edit the imported System Extensions payloads; delete them, as they behave unpredictably, then re-create the following four by hand and save the profile:

System Extension Types: AllowedSystemExtensions
  Team Identifier: 9PTGMPNXZ2
  Allowed System Extensions: com.symantec.mes.systemextension

System Extension Types: AllowedSystemExtensionTypes
  Team Identifier: 9PTGMPNXZ2
  ☑ DriverExtension
  ☑ EndpointSecurityExtension
  ☑ NetworkExtension

System Extension Types: AllowedSystemExtensions
  Team Identifier: Y2CCP3S9W7
  Allowed System Extensions: com.broadcom.mes.systemextension

System Extension Types: AllowedSystemExtensionTypes
  Team Identifier: Y2CCP3S9W7
  ☑ DriverExtension
  ☑ EndpointSecurityExtension
  ☑ NetworkExtension

In the Jamf editor the four System Extensions payloads should then match the list above. The Display Name for each is optional.

When troubleshooting your SEP profile policies with Symantec technical support, provide a copy of the applied policy exported as unsigned XML for comparison. On macOS, strip the signature from a signed .mobileconfig with:

security cms -D -i /path/to/signed.mobileconfig | xmllint --format - > /path/to/unsigned.mobileconfig
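The following Python script is an added example for this article; it is not Symantec/Broadcom code and not one of the attached profiles. It builds the System Extensions payloads for both Team IDs in the table above (one payload per Team ID, as Jamf stores them, with RemovableSystemExtensions for macOS 12 / SEP 14.3 RU3 and newer) and audits an exported unsigned profile against them, flagging the empty payloads that the Jamf import leaves behind. The payload identifiers (example.sep.*), UUIDs and display names are placeholders; the PayloadType com.apple.system-extension-policy and its keys are Apple's SystemExtensions payload keys. Kernel extension, Full Disk Access and content-filter payloads are out of scope here.

```python
"""Build and audit SEP System Extensions pre-approval payloads.

Added example; not Symantec/Broadcom code. Identifiers, UUIDs and display
names are placeholders; the PayloadType and keys are Apple's.
"""
import plistlib
import sys
import uuid

# Team ID -> bundle ID of the SEP system extension, from the article's table.
SEP_EXTENSIONS = {
    "9PTGMPNXZ2": "com.symantec.mes.systemextension",  # SEP up to and including 14.3
    "Y2CCP3S9W7": "com.broadcom.mes.systemextension",  # SEP 14.3 MP1 and newer
}
REQUIRED_TYPES = ("DriverExtension", "EndpointSecurityExtension", "NetworkExtension")
SYSEXT_PAYLOAD_TYPE = "com.apple.system-extension-policy"


def sysext_payload(team_id: str, bundle_id: str, removable: bool = False) -> dict:
    """One System Extensions payload for a single Team ID (Jamf stores one per Team ID)."""
    payload = {
        "PayloadType": SYSEXT_PAYLOAD_TYPE,
        "PayloadIdentifier": f"example.sep.sysext.{team_id}",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"SEP system extensions ({team_id})",  # optional in Jamf
        "AllowedTeamIdentifiers": [team_id],
        "AllowedSystemExtensions": {team_id: [bundle_id]},
        "AllowedSystemExtensionTypes": {team_id: list(REQUIRED_TYPES)},
    }
    if removable:
        # macOS 12 / SEP 14.3 RU3 and newer: SEP may remove its own extension
        # without prompting for administrator credentials.
        payload["RemovableSystemExtensions"] = {team_id: [bundle_id]}
    return payload


def build_profile(removable: bool = False) -> bytes:
    """Unsigned .mobileconfig (XML plist) pre-approving both SEP Team IDs."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.sep.systemextensions",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "SEP system extension pre-approval (example)",
        "PayloadContent": [sysext_payload(t, b, removable) for t, b in SEP_EXTENSIONS.items()],
    }
    return plistlib.dumps(profile)


def audit_system_extensions(profile_bytes: bytes) -> list:
    """Return findings for an unsigned profile; [] means both Team IDs are fully pre-approved."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SYSEXT_PAYLOAD_TYPE]
    if not payloads:
        return [f"no {SYSEXT_PAYLOAD_TYPE} payload in profile"]

    findings = []
    allowed, types = {}, {}  # Team ID -> bundle IDs / extension types, merged over all payloads
    for p in payloads:
        ext = p.get("AllowedSystemExtensions", {})
        ext_types = p.get("AllowedSystemExtensionTypes", {})
        if not ext and not ext_types:  # the Jamf import symptom: payload saved with no content
            findings.append(f"empty System Extensions payload {p.get('PayloadIdentifier', '?')}: "
                            "delete it and re-create it by hand")
        for team, bundles in ext.items():
            allowed.setdefault(team, set()).update(bundles)
        for team, names in ext_types.items():
            types.setdefault(team, set()).update(names)

    for team, bundle in SEP_EXTENSIONS.items():
        if bundle not in allowed.get(team, set()):
            findings.append(f"{team}: {bundle} missing from AllowedSystemExtensions")
        missing = set(REQUIRED_TYPES) - types.get(team, set())
        if missing:
            findings.append(f"{team}: AllowedSystemExtensionTypes missing {sorted(missing)}")
    return findings


def strip_sysext_dicts(profile_bytes: bytes) -> bytes:
    """Constructed failure case: System Extensions payloads saved without their
    dictionaries, the way the article describes the Jamf import leaving them empty."""
    profile = plistlib.loads(profile_bytes)
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == SYSEXT_PAYLOAD_TYPE:
            for key in ("AllowedTeamIdentifiers", "AllowedSystemExtensions",
                        "AllowedSystemExtensionTypes", "RemovableSystemExtensions"):
                p.pop(key, None)
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Usage: python3 sep_sysext_profile.py [/path/to/unsigned.mobileconfig]
    # With no argument, audit the constructed broken profile instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = strip_sysext_dicts(build_profile())
    for line in audit_system_extensions(data) or ["OK: both SEP Team IDs fully pre-approved"]:
        print(line)
```

Run it against the unsigned.mobileconfig produced by the security cms command; an empty result means the exported policy carries the bundle ID and all three extension types for both Team IDs, which is the comparison Symantec support asks for. Writing build_profile() to a file gives a known-good profile to diff against the export.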

Note that when the NCF (Network Content Filtering) portion of the policy is applied to macOS 10.15 or newer, an inactive ("Not Running") "SEP Network Security" entry appears in macOS network settings even if SEP is uninstalled. This is expected for any MDM content-filter policy that is applied while the related software is not installed.

Attachments

1636403577302__Profile for SEP - Catalina and older.mobileconfig
1636403567532__Profile for SEP - Big Sur and newer.mobileconfig