Configuring MDM profiles for Full Disk Access for macOS and DLP Agent support

Article ID: 176368

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention

Issue/Introduction

Learn how to edit the MDM profile to enable Full Disk Access on Symantec Data Loss Prevention (DLP) Endpoint Agent for Mac.

Resolution


DLP Agent support for macOS also requires "Full Disk Access" for the Agent to work correctly. Full Disk Access is part of Apple's privacy and security framework for macOS (TCC), and the permission enables an application to scan all the files on an endpoint system.

While individual users can allow or deny access for specific applications like the DLP Agent, you can bypass end-user prompts for allowing disk access by deploying an MDM device profile to users in your organization. The profile can configure security settings on endpoint systems that also have the DLP Agent. 

Update the MDM configuration values for the DLP Agent for macOS. To update MDM configuration values, use a third-party mobile device management (MDM) solution or Profile Manager, which is part of the macOS Server app.

Refer to the following information for values to update in the MDM profile:

Payload type: com.apple.TCC.configuration-profile-policy
Services: SystemPolicyAllFiles
Identifier: /Library/Manufacturer/Endpoint Agent/edpa
CodeRequirement: identifier edpa and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "Y2CCP3S9W7"
IdentifierType: path
Allowed: 1
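The values above map onto a Privacy Preferences Policy Control (TCC) payload inside a .mobileconfig plist. The following Python script is an added example, not Broadcom's sample MDM profile: it assembles that payload with the article's Identifier, CodeRequirement and Broadcom Team ID, serialises it with plistlib, and then re-reads the result to check the settings an administrator most often gets wrong (device scope, path identifier type, Allowed flag, and a CodeRequirement that still pins the expected Team ID). The PayloadIdentifier strings, display names, organization name and UUIDs are constructed placeholders and should be replaced with your organization's own.

```python
"""Build and sanity-check a PPPC (TCC) profile granting Full Disk Access
to the DLP Agent for macOS.

Added example, not the vendor's sample profile. Agent path, Team ID and
code requirement come from the article; PayloadIdentifier values, names
and UUIDs are constructed placeholders.
"""
import plistlib
import uuid

# Values taken from the article
AGENT_PATH = "/Library/Manufacturer/Endpoint Agent/edpa"
BROADCOM_TEAM_ID = "Y2CCP3S9W7"
CODE_REQUIREMENT = (
    "identifier edpa and anchor apple generic and "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    f'certificate leaf[subject.OU] = "{BROADCOM_TEAM_ID}"'
)


def build_fda_profile(org="Example Org"):
    """Return the profile as a dict that plistlib can serialise."""
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": "com.example.dlp.tcc.fda",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "DLP Agent Full Disk Access",
        "Services": {
            # One entry per service; SystemPolicyAllFiles is Full Disk Access
            "SystemPolicyAllFiles": [
                {
                    "Identifier": AGENT_PATH,
                    "IdentifierType": "path",
                    "CodeRequirement": CODE_REQUIREMENT,
                    "Allowed": True,
                    "StaticCode": False,
                    "Comment": "Grant Full Disk Access to the DLP Endpoint Agent",
                }
            ]
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # TCC payloads must be device-scoped
        "PayloadIdentifier": "com.example.dlp.fda",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "DLP Agent Full Disk Access",
        "PayloadOrganization": org,
        "PayloadContent": [tcc_payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile dict to XML plist bytes (.mobileconfig)."""
    return plistlib.dumps(profile)


def check_fda_profile(data):
    """Re-parse a .mobileconfig and return a list of problems (empty = OK)."""
    problems = []
    profile = plistlib.loads(data)
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System for a TCC payload")
    tcc = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == "com.apple.TCC.configuration-profile-policy"]
    if not tcc:
        problems.append("no com.apple.TCC.configuration-profile-policy payload")
        return problems
    entries = tcc[0].get("Services", {}).get("SystemPolicyAllFiles", [])
    matched = [e for e in entries if e.get("Identifier") == AGENT_PATH]
    if not matched:
        problems.append(f"no SystemPolicyAllFiles entry for {AGENT_PATH}")
        return problems
    entry = matched[0]
    if entry.get("IdentifierType") != "path":
        problems.append("IdentifierType must be 'path' for a file-system identifier")
    if not entry.get("Allowed"):
        problems.append("Allowed must be true")
    if f'leaf[subject.OU] = "{BROADCOM_TEAM_ID}"' not in entry.get("CodeRequirement", ""):
        problems.append("CodeRequirement does not pin the Broadcom Team ID")
    return problems


if __name__ == "__main__":
    data = to_mobileconfig(build_fda_profile())
    with open("dlp-fda.mobileconfig", "wb") as fh:
        fh.write(data)
    print(check_fda_profile(data) or "profile OK")
```

On a Mac with the Agent installed, `codesign -d -r - "/Library/Manufacturer/Endpoint Agent/edpa"` prints the binary's designated requirement, which should agree with the CodeRequirement in the profile; a mismatch (for example an older build signed under the Symantec Team ID) means the grant will not apply even though the profile installs without error.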


To obtain the latest version of the sample MDM profile, download it from the macOS Agent downloads for your version of DLP.

Additional Information

For more details, see the Configuration Profile Reference for Apple developers, especially the section "Privacy Preferences Policy Control Payload." 

Note: If no Mac Server is in use, and OS X machines are all individually deployed, then the kernel extension will need to be manually approved on each individual Mac.
See this Apple technote for details:

Note: In some cases the installation has been observed to fail if a previous version is already installed incorrectly. The resolution is to uninstall the agent and re-install it via MDM.

For full instructions to install the macOS DLP Agent, see:

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/25-1/install-dlp/installing-symantec-dlp-agents/installing-the-dlp-agent-for-macos.html

References

MDM profiles may need the following details:
Symantec Team ID: 9PTGMPNXZ2 (in all versions earlier than those listed below)

Broadcom Team ID: Y2CCP3S9W7 (as of 15.7.0103 or 15.5.0213)