Apple macOS 10.15 introduces new system protections in addition to the existing macOS kernel extensions authorization requirement.
The SEP/SES (Symantec Endpoint Protection / Endpoint Security) client UI will present the end-user with either of the following error messages, if they are not properly authorized:
Kernel extensions need authorization
System extensions need authorization
You are at risk! You haven't finished Setup and your computer is not protected
Note that the last error may simply be due to an unfinished setup; even with pre-approved permissions in place, the SEP client GUI may need to be opened at least once to activate the Symantec *.systemextension.
macOS 10.15 and newer
Appropriate security preferences have not been enabled for the SEP/SES for Mac client.
Enrollment in an MDM (Mobile Device Management) system is necessary for pre-approval of these settings. Attached at bottom of this article is a mobileconfig file with the correct settings for all SEP and macOS versions. This file can be imported and edited in Jamf or other macOS MDM solution and deployed to enrolled Macs. This is an unsigned XML file and must be imported into MDM and signed before deployment. Symantec does not provide assistance with that, other than the information provided here; consult your MDM tech support and documentation.
If there is no MDM pre-approval in place, users can manually follow the SEP prompts to enable the necessary permissions. The following are required by various versions of SEP for Mac client to properly function:
The mobileconfig file includes different macOS Team and Bundle IDs to accommodate the transition of SEP to version 14.3 and newer:
|SEP Version||Bundle ID||Team ID|
|Up to and including 14.3||com.symantec.mes.systemextension||9PTGMPNXZ2|
|14.3 MP1 and newer||com.broadcom.mes.systemextension||Y2CCP3S9W7|
You should generally apply only the permissions required by that version of macOS, e.g. apply only the kernel extension permissions to macOS 10.14 or older, and apply newer permissions only when that has been upgraded to 10.15. See Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15
The iMazing Profile Editor is a good cross-platform tool for viewing and editing unsigned *.mobileconfig files.
Other related articles:
When troubleshooting your version of SEP profile policies with Symantec technical support, provide a copy of your applied policy exported as unsigned XML for comparison. Use this macOS command line to strip signature from signed .mobileconfig file:
security cms -D -i /path/to/signed.mobileconfig | xmllint --format - > /path/to/unsigned.mobileconfig
Note that when the NCF portion of policy (Network Content Filtering) is applied to macOS 10.15 and newer, an inactive ("Not Running") entry for "SEP Network Security" will appear in macOS network settings even if SEP is uninstalled. This is to be expected for any such MDM policy that is applied and the related software is not installed: