Pre-approving the macOS permissions required by Endpoint Protection / Endpoint Security

Article ID: 176222

Products

Endpoint Protection

Issue/Introduction

Apple macOS 10.15 introduces new system protections in addition to the existing macOS kernel extensions authorization requirement.

The SEP/SES (Symantec Endpoint Protection / Endpoint Security) client UI will present the end user with one of the following error messages if the required permissions have not been authorized:

Kernel extensions need authorization

System extensions need authorization

You are at risk! You haven't finished Setup and your computer is not protected

Note that the last error may simply be due to an unfinished setup; even with pre-approved permissions in place, the SEP client GUI may need to be opened at least once to activate the Symantec *.systemextension.

Cause

The security preferences that the SEP/SES for Mac client requires have not been enabled.

Environment

macOS 10.15 and newer

Resolution

Users can follow the SEP prompts to enable the necessary permissions manually. Otherwise, the Mac must be enrolled in an MDM (Mobile Device Management) system so that these settings can be pre-approved. The following permissions are required by the various versions of the SEP for Mac client in order to function properly:

  1. Permission to display notifications
  2. Permission to install Kernel Extensions (older SEP versions -- required as of macOS 10.13)
  3. Permission to install System Extensions (macOS 10.15 -- SEP for Mac 14.3.3384 RU1 or newer -- replaces kernel extensions)
  4. Full Disk Access (macOS 10.15)
  5. Network Content Filtering AKA Web Content Filtering (macOS 10.15 and SEP 14.3.3384 RU1 or newer)
  6. RemovableSystemExtensions (macOS 12 "Monterey" and SEP 14.3.4625 RU3 or newer -- allows an app to remove its own system extensions without prompting for administrator credentials)

Attached at the bottom of this article is a mobileconfig file with the correct settings for all SEP and macOS versions. This file can be imported and edited in Jamf or another macOS MDM solution and deployed to enrolled Macs to pre-approve the settings required by SEP. It is an unsigned XML file and must be imported into the MDM and signed before deployment. Symantec does not provide assistance with that beyond the information provided here; consult your MDM vendor's technical support and documentation. The iMazing Profile Editor is a good cross-platform tool for viewing and editing unsigned *.mobileconfig files.

This file includes different macOS Team and Bundle IDs to accommodate the transition of SEP to version 14.3 and newer:

SEP version                 Bundle ID                          Team ID
Up to and including 14.3    com.symantec.mes.systemextension   9PTGMPNXZ2
14.3 MP1 and newer          com.broadcom.mes.systemextension   Y2CCP3S9W7

You should generally apply only the permissions required by the version of macOS on the target Mac: for example, apply only the kernel extension permissions to macOS 10.14 or older, and apply the newer permissions only once the Mac has been upgraded to 10.15. See the article "Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15".

Other related articles:

WARNING about Jamf Pro: importing the attached mobileconfig as a new macOS configuration profile will succeed, but when you attempt to save it you may see the errors shown below. Alternatively, there may be no visible errors and Jamf will allow you to save the import even though the System Extensions payloads are empty. Check those payloads and delete and re-create them if necessary, as described after the screenshots below.

This is a problem with Jamf Pro; it currently does not import System Extensions payloads correctly from mobileconfig files. Please notify Jamf technical support about this. All the other payloads are imported correctly. Do NOT attempt to edit the imported System Extensions payloads; delete them, since they are buggy and will behave in unexpected ways. Then re-create them manually with the following settings and save the profile:

System Extension Types: AllowedSystemExtensions
  Team Identifier: 9PTGMPNXZ2
  Allowed System Extensions: com.symantec.mes.systemextension

System Extension Types: AllowedSystemExtensionTypes
  Team Identifier: 9PTGMPNXZ2
  ☑ DriverExtension
  ☑ EndpointSecurityExtension
  ☑ NetworkExtension

System Extension Types: AllowedSystemExtensions
  Team Identifier: Y2CCP3S9W7
  Allowed System Extensions: com.broadcom.mes.systemextension

System Extension Types: AllowedSystemExtensionTypes
  Team Identifier: Y2CCP3S9W7
  ☑ DriverExtension
  ☑ EndpointSecurityExtension
  ☑ NetworkExtension
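As an added example (not part of this article or of Symantec's attached profile), the Python script below produces the two System Extensions payloads above as a single unsigned .mobileconfig using Apple's documented com.apple.system-extension-policy keys, and also checks an exported profile for the empty-payload symptom of the Jamf Pro import problem. Team and bundle IDs are those from the table above; the PayloadIdentifier values are placeholders.

```python
import plistlib
import uuid

# Team and bundle IDs are from the article's table; keys are Apple's documented
# com.apple.system-extension-policy payload keys. Identifiers are placeholders.
SEP_EXTENSIONS = {
    "9PTGMPNXZ2": ["com.symantec.mes.systemextension"],  # SEP up to and including 14.3
    "Y2CCP3S9W7": ["com.broadcom.mes.systemextension"],  # SEP 14.3 MP1 and newer
}
SEP_EXTENSION_TYPES = ["DriverExtension", "EndpointSecurityExtension", "NetworkExtension"]

def system_extension_payload(allow_removal=False):
    """One System Extensions payload for both SEP team IDs; allow_removal adds
    RemovableSystemExtensions (macOS 12 and SEP 14.3 RU3 or newer)."""
    payload = {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sep.systemextensions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "AllowUserOverrides": True,
        "AllowedTeamIdentifiers": list(SEP_EXTENSIONS),
        "AllowedSystemExtensions": {t: list(ids) for t, ids in SEP_EXTENSIONS.items()},
        "AllowedSystemExtensionTypes": {t: list(SEP_EXTENSION_TYPES) for t in SEP_EXTENSIONS},
    }
    if allow_removal:
        payload["RemovableSystemExtensions"] = {t: list(ids) for t, ids in SEP_EXTENSIONS.items()}
    return payload

def build_profile(allow_removal=False):
    """Wrap the payload in an unsigned .mobileconfig (XML plist) ready for MDM import."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.sep.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [system_extension_payload(allow_removal)],
    }
    return plistlib.dumps(profile)

def find_empty_system_extension_payloads(profile):
    """Identifiers of System Extensions payloads whose allow lists came through empty
    (the Jamf Pro import symptom); accepts .mobileconfig bytes or a parsed dict."""
    if isinstance(profile, (bytes, bytearray)):
        profile = plistlib.loads(profile)
    payloads = profile.get("PayloadContent", [])
    return [p.get("PayloadIdentifier", "<no identifier>") for p in payloads
            if p.get("PayloadType") == "com.apple.system-extension-policy"
            and not (p.get("AllowedSystemExtensions") and p.get("AllowedSystemExtensionTypes"))]
```

Write the bytes returned by build_profile() to a .mobileconfig file for import, and run find_empty_system_extension_payloads() over the unsigned XML exported from Jamf to confirm the payloads survived the import.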

The System Extensions payloads should look like this in the Jamf editor. The Display Name for each is optional:

When troubleshooting your version of the SEP profile policies with Symantec technical support, provide a copy of your applied policy exported as unsigned XML for comparison. Use the following macOS command line to strip the signature from a signed .mobileconfig file:

security cms -D -i /path/to/signed.mobileconfig | xmllint --format - > /path/to/unsigned.mobileconfig

Note that when the NCF portion of policy (Network Content Filtering) is applied to macOS 10.15 and newer, an inactive ("Not Running") entry for "SEP Network Security" will appear in macOS network settings even if SEP is uninstalled. This is to be expected for any such MDM policy that is applied and the related software is not installed:

Attachments

1652832471936__Profile for all supported SEP and macOS versions.mobileconfig