Learn how to edit the MDM profile to enable Full Disk Access on Symantec Data Loss Prevention (DLP) Endpoint Agent for Mac.
The DLP Agent is supported on macOS 10.15.
In addition to the hotfixes, DLP Agent support for macOS 10.15 and 11 also requires "Full Disk Access" for the Agent to work correctly. Full Disk Access is part of Apple's security framework for macOS, and the feature enables an application to scan all the files on an endpoint system.
While individual users can allow or deny access for specific applications like the DLP Agent, you can bypass end-user prompts for allowing disk access by deploying an MDM device profile to users in your organization. The profile can configure security settings on endpoint systems that also have the DLP Agent.
Update the MDM configuration values for the DLP Agent for macOS using a third-party mobile device management (MDM) solution or Profile Manager, part of the macOS Server app.
Refer to the following information for values to update in the MDM profile:
| Key | Value |
|---|---|
| Payload type | com.apple.TCC.configuration-profile-policy |
| Services | SystemPolicyAllFiles |
| Identifier | /Library/Manufacturer/Endpoint Agent/edpa |
| CodeRequirement | identifier edpa and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "Y2CCP3S9W7" |
| IdentifierType | path |
| Allowed | 1 |
The attached file (DLP-Agent_macOS10.15_MDM.rtf) provides the MDM configuration values in a version formatted as a plist file. You can copy the plist content into the MDM file you create.
For more details, see the Configuration Profile Reference for Apple developers, especially the section "Privacy Preferences Policy Control Payload."
References
MDM profiles may need the following details:
Symantec Team ID: 9PTGMPNXZ2 (in all versions earlier than those listed below)
Broadcom Team ID: Y2CCP3S9W7 (as of 15.7.0103 or 15.5.0213)