Configuring MDM profiles for Full Disk Access for macOS 10.15 and DLP Agent support

Article ID: 176368

Products

  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention

Issue/Introduction

Learn how to edit the MDM profile to enable Full Disk Access on Symantec Data Loss Prevention (DLP) Endpoint Agent for Mac.

Resolution

The DLP Agent is supported on macOS 10.15 and macOS 11, subject to the following version requirements:

  • macOS 10.15: You must apply a hotfix to the DLP Agent 15.1 MP2 or 15.5 MP2
  • macOS 11: You must be on DLP 15.7 MP2 or higher.

In addition to the hotfixes, DLP Agent support for macOS 10.15 and 11 requires "Full Disk Access" for the Agent to work correctly. Full Disk Access is one of the privacy controls in Apple's Transparency, Consent, and Control (TCC) framework for macOS; granting it to an application allows that application to read, and therefore scan, all files on the endpoint system.

Individual users can allow or deny Full Disk Access for specific applications, including the DLP Agent, when macOS prompts them. To avoid relying on end-user prompts, deploy an MDM device profile to the Macs in your organization: the profile pre-approves the access and can configure other security settings on endpoint systems that run the DLP Agent.

Update the MDM configuration values for the DLP Agent for macOS using either a third-party mobile device management (MDM) solution or Profile Manager, which is part of the macOS Server app.

Refer to the following information for values to update in the MDM profile:

Payload type: com.apple.TCC.configuration-profile-policy
Services: SystemPolicyAllFiles
Identifier: /Library/Manufacturer/Endpoint Agent/edpa
CodeRequirement: identifier edpa and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "Y2CCP3S9W7"
IdentifierType: path
Allowed: 1

The attached file (DLP-Agent_macOS10.15_MDM.rtf) provides the same MDM configuration values formatted as a plist. You can copy the plist content into the MDM profile you create.
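As an added illustration (not the article's attachment and not Broadcom's own code), the following Python assembles a device-level configuration profile carrying the values above and serializes it with plistlib. The profile and payload identifiers, display names and the PayloadScope key are assumptions to adjust to your MDM's conventions; the Team ID defaults to the Broadcom value shown in the CodeRequirement.

```python
import plistlib
import uuid
# Values from the article; identifiers, names and PayloadScope are assumptions.
AGENT_PATH = "/Library/Manufacturer/Endpoint Agent/edpa"
BROADCOM_TEAM_ID = "Y2CCP3S9W7"   # 15.7.0103 / 15.5.0213 and later
SYMANTEC_TEAM_ID = "9PTGMPNXZ2"   # earlier agent versions

def code_requirement(team_id: str) -> str:
    """The article's CodeRequirement, parameterized on the signing Team ID."""
    return ("identifier edpa and anchor apple generic and "
            "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            f'certificate leaf[subject.OU] = "{team_id}"')

def build_pppc_profile(team_id: str = BROADCOM_TEAM_ID) -> dict:
    """Build the profile as a dict; plistlib turns it into .mobileconfig XML."""
    payload_uuid = str(uuid.uuid4()).upper()
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"com.example.dlp.tcc.{payload_uuid}",  # placeholder
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "Services": {
            "SystemPolicyAllFiles": [{
                "Identifier": AGENT_PATH,
                "IdentifierType": "path",
                "CodeRequirement": code_requirement(team_id),
                "Allowed": True,  # the article's "Allowed 1" is a plist <true/>
            }]
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # TCC payloads only apply at device level
        "PayloadIdentifier": "com.example.dlp.fulldiskaccess",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Symantec DLP Agent - Full Disk Access",
        "PayloadContent": [tcc_payload],
    }

def profile_plist(team_id: str = BROADCOM_TEAM_ID) -> bytes:
    """Serialize to XML plist bytes, ready to save as a .mobileconfig file."""
    return plistlib.dumps(build_pppc_profile(team_id))

def fda_entry(data: bytes) -> dict:
    """Parse a generated profile and return its SystemPolicyAllFiles entry."""
    profile = plistlib.loads(data)
    return profile["PayloadContent"][0]["Services"]["SystemPolicyAllFiles"][0]
```

Write the bytes from profile_plist() to a .mobileconfig file and import it into your MDM; for agent builds signed with the older Symantec Team ID, pass SYMANTEC_TEAM_ID instead.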

Additional Information

For more details, see the Configuration Profile Reference for Apple developers, especially the section "Privacy Preferences Policy Control Payload." 

Note: If no macOS Server is in use and the Macs are all deployed individually, the kernel extension must be approved manually on each Mac.
See this Apple technote for details:

Note: In some cases the installation has been observed to fail when a previous version is already installed incorrectly. The resolution is to uninstall the agent and re-install it via MDM.

References

MDM profiles may need the following details:

  • Symantec Team ID: 9PTGMPNXZ2 (in all versions earlier than those listed below)
  • Broadcom Team ID: Y2CCP3S9W7 (as of 15.7.0103 or 15.5.0213)

Attachments

DLP-Agent_macOS10.15_MDM.rtf