Pre-approving the macOS permissions required by Endpoint Protection / Endpoint Security

Article ID: 176222

Updated On:

Products

Endpoint Protection

Issue/Introduction

Apple macOS 10.15 introduces new system protections in addition to the existing macOS kernel extensions authorization requirement.

The SEP/SES (Symantec Endpoint Protection / Endpoint Security) client UI will present the end user with one of the following error messages if the required permissions have not been properly authorized:

Kernel extensions need authorization

System extensions need authorization

You are at risk! You haven't finished Setup and your computer is not protected

Note that the last error may simply be due to an unfinished setup; even with pre-approved permissions in place, the SEP client GUI may need to be opened at least once to activate the Symantec *.systemextension.

Environment

macOS 10.15 and newer

Cause

Appropriate security preferences have not been enabled for the SEP/SES for Mac client. 

Resolution

Enrollment in an MDM (Mobile Device Management) system is necessary for pre-approval of these settings. Attached at the bottom of this article is a mobileconfig file with the correct settings for all SEP and macOS versions. This file can be imported and edited in Jamf or another macOS MDM solution and deployed to enrolled Macs. It is an unsigned XML file and must be imported into the MDM and signed before deployment. Symantec does not provide assistance with that beyond the information provided here; consult your MDM vendor's technical support and documentation.

If there is no MDM pre-approval in place, users can manually follow the SEP prompts to enable the necessary permissions. The following are required by various versions of the SEP for Mac client to function properly:

  1. Permission to display notifications
  2. Permission to install Kernel Extensions (older SEP versions -- required as of macOS 10.13)
  3. Permission to install System Extensions (macOS 10.15 -- SEP for Mac 14.3.3384 RU1 or newer -- replaces kernel extensions)
  4. Full Disk Access (macOS 10.15)
  5. Network Content Filtering AKA Web Content Filtering (macOS 10.15 and SEP 14.3.3384 RU1 or newer)
  6. RemovableSystemExtensions (macOS 12 "Monterey" and SEP 14.3.4625 RU3 or newer -- allows an app to remove its own system extensions without prompting for administrator credentials)


Additional Information

The mobileconfig file includes different macOS Team IDs and Bundle IDs to accommodate the transition of SEP to version 14.3 and newer:

SEP Version                 Bundle ID                          Team ID
Up to and including 14.3    com.symantec.mes.systemextension   9PTGMPNXZ2
14.3 MP1 and newer          com.broadcom.mes.systemextension   Y2CCP3S9W7

The iMazing Profile Editor is a good cross-platform tool for viewing and editing unsigned *.mobileconfig files.

Other related articles:

When troubleshooting your version of the SEP profile policies with Symantec technical support, provide a copy of your applied policy exported as unsigned XML for comparison. Use this macOS command line to strip the signature from a signed .mobileconfig file:

security cms -D -i /path/to/signed.mobileconfig | xmllint --format - > /path/to/unsigned.mobileconfig

Note that when the NCF (Network Content Filtering) portion of the policy is applied to macOS 10.15 and newer, an inactive ("Not Running") entry for "SEP Network Security" will appear in the macOS network settings even if SEP is uninstalled. This is expected for any MDM policy of this kind that is applied while the related software is not installed.

You should generally use only the permissions applicable to the target macOS version, e.g. apply Kernel Extensions permissions only to macOS 10.14 or older, and the newer System Extensions permissions only to macOS 10.15 or newer. See Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15. See also the error below, which you may see when applying kernel extension permissions to M1 Macs:

“Configure System Extensions to approve kernel, network, driver, and security extensions on managed Mac machines. Applicable only for macOS 10.14 and above. Kernel extensions is not supported for devices having the M1 chip. Kernel extensions profile and all restrictions will fail when linked to M1 chip devices”

For macOS 10.15 and newer, remove the Kernel Extensions policy by editing the mobileconfig XML in a text editor or in a visual editor such as the iMazing Profile Editor for Mac.
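The following Python script is an added example, not Broadcom/Symantec code and not the attached profile. It parses an unsigned mobileconfig (such as the output of the security cms -D command above) with the standard-library plistlib and checks the points made in this article: that the System Extensions payload allows both Team ID / Bundle ID pairs from the table, that a Network Content Filter payload is present, and that a Kernel Extensions payload is flagged when the target is macOS 10.15 or newer. The payload types and keys it reads (AllowedTeamIdentifiers, AllowedSystemExtensions, RemovableSystemExtensions, FilterType, FilterSockets, FilterPackets, PluginBundleID) are Apple's standard configuration profile keys; the embedded sample profile, its PayloadIdentifier and its PluginBundleID value are constructed placeholders, and the script does not check the Full Disk Access or notification payloads.

```python
import plistlib
import sys

# Team ID -> system extension Bundle ID, taken from the table in this article.
SEP_IDS = {
    "9PTGMPNXZ2": "com.symantec.mes.systemextension",  # SEP up to and including 14.3
    "Y2CCP3S9W7": "com.broadcom.mes.systemextension",  # SEP 14.3 MP1 and newer
}

# Apple payload types for the kext, system extension and content filter permissions.
KEXT_PAYLOAD = "com.apple.syspolicy.kernel-extension-policy"
SYSEXT_PAYLOAD = "com.apple.system-extension-policy"
NCF_PAYLOAD = "com.apple.webcontent-filter"

# Constructed sample profile for this example (not the attached Symantec profile).
# The Kernel Extensions payload is included on purpose so the macOS 10.15+ check flags it.
# PluginBundleID is a placeholder, not SEP's real application bundle ID.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.sep.permissions</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>AllowedTeamIdentifiers</key>
      <array><string>9PTGMPNXZ2</string><string>Y2CCP3S9W7</string></array>
      <key>AllowedSystemExtensions</key><dict>
        <key>9PTGMPNXZ2</key><array><string>com.symantec.mes.systemextension</string></array>
        <key>Y2CCP3S9W7</key><array><string>com.broadcom.mes.systemextension</string></array>
      </dict>
      <key>RemovableSystemExtensions</key><dict>
        <key>Y2CCP3S9W7</key><array><string>com.broadcom.mes.systemextension</string></array>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.webcontent-filter</string>
      <key>FilterType</key><string>Plugin</string>
      <key>PluginBundleID</key><string>com.example.sep.app</string>
      <key>FilterSockets</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>AllowedTeamIdentifiers</key><array><string>9PTGMPNXZ2</string></array>
    </dict>
  </array>
</dict></plist>
"""


def load_profile(data: bytes) -> dict:
    """Parse unsigned mobileconfig XML (e.g. the output of `security cms -D`)."""
    return plistlib.loads(data)


def payloads_by_type(profile: dict) -> dict:
    """Group the PayloadContent entries by their PayloadType."""
    grouped = {}
    for payload in profile.get("PayloadContent", []):
        grouped.setdefault(payload.get("PayloadType"), []).append(payload)
    return grouped


def check_profile(profile: dict, macos_15_or_newer: bool = True) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    by_type = payloads_by_type(profile)

    # System Extensions: both Team IDs and both Bundle IDs must be allowed so the
    # profile covers SEP before and after the 14.3 MP1 Team ID change.
    sysext = by_type.get(SYSEXT_PAYLOAD, [])
    if not sysext:
        findings.append("missing System Extensions payload")
    for payload in sysext:
        missing = sorted(set(SEP_IDS) - set(payload.get("AllowedTeamIdentifiers", [])))
        if missing:
            findings.append(f"System Extensions: Team ID(s) not allowed: {missing}")
        allowed = payload.get("AllowedSystemExtensions", {})
        for team, bundle in SEP_IDS.items():
            if bundle not in allowed.get(team, []):
                findings.append(f"System Extensions: {bundle} not allowed under {team}")

    # Kernel Extensions: wanted only on macOS 10.14 or older; not supported on M1 Macs.
    if macos_15_or_newer and KEXT_PAYLOAD in by_type:
        findings.append("Kernel Extensions payload present; remove it for macOS 10.15 or newer")
    if not macos_15_or_newer and KEXT_PAYLOAD not in by_type:
        findings.append("missing Kernel Extensions payload for macOS 10.14 or older")

    # Network Content Filter: must be a plug-in filter with socket or packet filtering on.
    ncf = by_type.get(NCF_PAYLOAD, [])
    if not ncf:
        findings.append("missing Network Content Filter payload")
    for payload in ncf:
        if payload.get("FilterType") != "Plugin" or not (
            payload.get("FilterSockets") or payload.get("FilterPackets")
        ):
            findings.append("Network Content Filter: expected FilterType 'Plugin' with FilterSockets or FilterPackets")
    return findings


if __name__ == "__main__":
    # Usage: python check_sep_profile.py /path/to/unsigned.mobileconfig (defaults to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for finding in check_profile(load_profile(data)):
        print("FINDING:", finding)
```

Run it against the unsigned XML you exported for support, once with the default macOS 10.15+ target and once with macos_15_or_newer=False for a profile scoped to older Macs; a profile that is scoped to both will always produce the Kernel Extensions finding for the newer target, which is exactly the case this article tells you to split.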


Attachments

1686250496593__Profile for all supported SEP and macOS versions.mobileconfig