How to remove the IPS feature from an unmanaged SEP Macintosh client


Article ID: 181623


Updated On:


Endpoint Protection




When installing an unmanaged SEP for Macintosh client (versions 12.1 RU4 or newer), there is no option to install with the "Network Threat Protection" feature removed or permanently disabled. This is by design since an unmanaged installation is meant to provide the end user with full control of the client settings.

Note that the "Network Threat Protection" settings label in the SEP for Macintosh client GUI is misleading. NTP policy has no effect on SEP for Macintosh. The only firewall feature available for the Macintosh is Intrusion Prevention (IPS).

Due to the complexity of some client deployments, support has identified a work-around that can be used to implement an unmanaged Mac client that will have IPS permanently disabled. This involves installing a managed client with a specific policies and then converting it to an unmanaged client.

How to make your clients unmanaged with IPS disabled. 

  1. Configure a group in the SEPM that is not inheriting policies and that has the Intrusion Prevention policy withdrawn or disabled. NOTE: be sure also to configure the group's Client Interface Control Settings (under Location-specific Settings) for Server Control, otherwise the client will override the policy configuration and re-enable IPS.
  2. Export a managed Mac package that is using the policies from the group created in step 1.
  3. Transfer and then install the exported Mac package onto the Macs.
  4. Retrieve the unmanaged SyLink.xml that is located inside the standalone Mac installer located on the SEP installation media.
    1. Locate and navigate the SEP installation media Disk 1 > SEP_Mac > mount the Symantec Endpoint Protection.dmg file.
    2. Navigate to the "Additional Resources" folder and copy-paste the SyLink.xml to another location. NOTE that the "Additional Resources" folder is found in 12.1 RU4 by right-clicking the installer app and selecting "Show package contents" and navigating to "Contents".
  5. Replace the SyLink.xml file on the installed SEP client
    1. Stop the SymDaemon process – from a terminal window type:
      sudo launchctl unload /Library/LaunchDaemons/*plist
      (Enter admin password when prompted)
    2. Copy-paste the previously saved out SyLink.xml to /Library/Application Support/Symantec/SMC/
    3. Restart the Mac OR restart the SymDaemon process – from a terminal window type:
      sudo launchctl load /Library/LaunchDaemons/*plist

Now the client is running as unmanaged and the NTP/IPS features are locked and disabled.