Configuring MDM profiles for enabling Full Disk Access on macOS 10.15.x for Symantec Endpoint Desktop

Article ID: 176490


Products

Endpoint Encryption

Issue/Introduction

The transition of Symantec Encryption Desktop to 64-bit technology is now complete. Starting with Symantec Encryption Management Server 3.4.2 Maintenance Pack 4 (MP4), administrators can manage Mac client computers running Symantec Encryption Desktop 10.4.2 MP4 on macOS Catalina (10.15.x). 

To ensure that Symantec Encryption Desktop, including its components, works correctly with macOS 10.15.x, you need to enable Full Disk Access on Mac client computers before the installation.

Applications that run on macOS Catalina computers require user consent to access files, such as Mail, Messages, Safari, Home, and Time Machine. Similarly, Symantec Encryption Desktop requires Full Disk Access permission on macOS Catalina computers to encrypt or decrypt files.

Individual users can allow or deny access for Symantec Encryption Desktop using the user consent prompts, or they can go to System Preferences > Security and Privacy > Privacy tab and assign Full Disk Access permissions.

However, administrators can deploy Symantec Encryption Desktop so that the user consent prompts are not displayed and the Full Disk Access permission is enabled automatically. To implement this, administrators can create a Mobile Device Management (MDM) profile and deploy it to users in the organization to allow Full Disk Access automatically. The profile can configure security settings on Mac endpoint systems running Symantec Encryption Desktop 10.4.2 MP4.

This article lists the configuration settings that you can use in an MDM profile to enable Full Disk Access on your macOS Catalina endpoint systems running Symantec Encryption Desktop 10.4.2 MP4. 

Resolution

The following example scenario shows the settings to use if you want to update the configuration profile and deploy it to your macOS Catalina endpoint systems with a third-party MDM tool before installing Symantec Encryption Desktop.

Table: Configuration profile settings

Note: The Privacy Preferences payload is designated by specifying com.apple.TCC.configuration-profile-policy value as the PayloadType value.

| Identifier | Identifier Type | Code requirement | Service – App access |
|---|---|---|---|
| com.pgp.engine | Bundle ID | `identifier "com.pgp.engine" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"` | SystemPolicyAllFiles - Allow |
| com.pgp.pgp | Bundle ID | `identifier "com.pgp.pgp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"` | SystemPolicyAllFiles - Allow |
| com.pgp.viewer | Bundle ID | `identifier "com.pgp.viewer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"` | SystemPolicyAllFiles - Allow |
| com.pgp.shredder | Bundle ID | `identifier "com.pgp.shredder" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"` | SystemPolicyAllFiles - Allow |
| /Library/Application Support/PGP/SEDFVd | Path | `identifier "com.Symantec.Encryption.SEDFVd" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"` | SystemPolicyAllFiles - Allow |

Table: Kernel Extensions Settings

| Display name | Team ID | Kernel extension display name | Kernel Extension Bundle ID |
|---|---|---|---|
| Symantec | 9PTGMPNXZ2 | PGPdiskDriver | com.pgp.iokit.PGPdiskDriver |
| Symantec | 9PTGMPNXZ2 | PGPnke | com.pgp.kext.PGPnke |

The attached file, SED-Client_macOS10.15_MDM.rtf, provides the MDM configuration values in a plist file format. You can copy the content into the MDM configuration file when you create it.
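The two tables above can also be turned into a profile programmatically. The following Python script is an added example, not the attached file and not vendor code: it builds the Privacy Preferences and kernel extension payloads from the table values and flags any Full Disk Access grant that is not pinned to the Team ID. The `com.example.sed` identifier prefix, the display name, the generated UUIDs and the helper names are assumptions; the payload key names (`Services`, `Allowed`, `AllowedKernelExtensions`) come from Apple's configuration profile schema, not from this article.

```python
import plistlib
import uuid

TEAM_ID = "9PTGMPNXZ2"  # Team ID from the article's tables
# Rows of "Configuration profile settings": (Identifier, type, signing identifier)
FDA_ENTRIES = [
    ("com.pgp.engine", "bundleID", "com.pgp.engine"),
    ("com.pgp.pgp", "bundleID", "com.pgp.pgp"),
    ("com.pgp.viewer", "bundleID", "com.pgp.viewer"),
    ("com.pgp.shredder", "bundleID", "com.pgp.shredder"),
    ("/Library/Application Support/PGP/SEDFVd", "path", "com.Symantec.Encryption.SEDFVd"),
]
KEXT_BUNDLE_IDS = ["com.pgp.iokit.PGPdiskDriver", "com.pgp.kext.PGPnke"]

def code_requirement(signing_id):
    """Code requirement string in the form the article lists for every entry."""
    return (f'identifier "{signing_id}" and anchor apple generic and '
            "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            f'certificate leaf[subject.OU] = "{TEAM_ID}"')

def payload(payload_type, identifier, **body):
    """Wrap payload-specific keys with the common keys every payload carries."""
    return {"PayloadType": payload_type, "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1, **body}

def build_profile(prefix="com.example.sed"):  # prefix is a placeholder (assumption)
    fda = [{"Identifier": ident, "IdentifierType": id_type,
            "CodeRequirement": code_requirement(signing_id), "Allowed": True}
           for ident, id_type, signing_id in FDA_ENTRIES]
    tcc = payload("com.apple.TCC.configuration-profile-policy", prefix + ".tcc",
                  Services={"SystemPolicyAllFiles": fda})
    kext = payload("com.apple.syspolicy.kernel-extension-policy", prefix + ".kext",
                   AllowedKernelExtensions={TEAM_ID: KEXT_BUNDLE_IDS})
    return payload("Configuration", prefix, PayloadScope="System",
                   PayloadDisplayName="SED Full Disk Access (example)",
                   PayloadContent=[tcc, kext])

def unpinned_entries(profile):
    """Return identifiers granted Full Disk Access without a Team ID pin."""
    pin = f'certificate leaf[subject.OU] = "{TEAM_ID}"'
    return [e["Identifier"]
            for p in profile["PayloadContent"]
            for e in p.get("Services", {}).get("SystemPolicyAllFiles", [])
            if e.get("Allowed") and pin not in e.get("CodeRequirement", "")]

if __name__ == "__main__":
    profile = build_profile()
    assert unpinned_entries(profile) == []
    print(plistlib.dumps(profile).decode())  # XML to save as a .mobileconfig
```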

Additional Information

For more details, see the "Privacy Preferences Policy Control Payload" section available at Configuration Profile Reference for Apple developers.

Attachments

SED-Client_macOS10.15_MDM.rtf