Attempts to deploy Symantec Endpoint Protection (SEP) for Mac via Microsoft's MDM solution "Intune" hang at approximately 80% of the deployment process.
SEP 14.2 MP1+
Symantec Endpoint Security (SES) 14.3+
Microsoft's Intune solution requires notarized pkg files.
See instructions here to create the SEPRemote.pkg file and use SEP for Mac version 14.2.5580 or newer: Exporting and deploying the Endpoint Protection Macintosh client with remote tools.
SEP installers include a Broadcom signature but they are not notarized because they usually contains elements that are unique to each customer's environment—SEP management server address(es), certificates, etc—and customer must obtain their own Apple Developer ID to sign and notarize pkg files. Consult Apple technical support for help with obtaining a developer identity and notarization: Notarizing macOS Software Before Distribution.
How to check for notarization on a macOS file?
Notarization is a process that includes a signature—notarization adds an extra "stamp of approval" to a file that is already signed. File must be signed first; if a file isn't signed, it can't be notarized.
To debug signing issues for anything besides an installer package (this won't work on .pkg file) use the codesign utility to test the signature:
codesign -vvv --deep --strict /path/to/binary/or/bundle
Use the vvv option to perform a verification with elevated verbosity. You use the deep option to ensure the utility checks nested code content. The strict option increases the restrictiveness of the validation to match that required by notarization. See the codesign man page for more information about these options and how to interpret the output.
To debug signing issues with installer packages use the pkgutil utility instead:
pkgutil --check-signature /path/to/file.pkg
To check notarization for .app files (this won't work for .pkg):
codesign -vvvv -R="notarized" --check-notarization /path/to/app
To check notarization of .pkg:
spctl -a -vvv -t install /path/to/pkg