
Deployment of Endpoint Protection for Mac through Microsoft Intune hangs


Article ID: 184923


Products

Endpoint Protection

Issue/Introduction

Attempts to deploy Symantec Endpoint Protection (SEP) for Mac via Microsoft's MDM solution "Intune" hang at approximately 80% of the deployment process.

Environment

SEP 14.2 MP1+
SEP 15

Resolution

Microsoft's Intune solution requires notarized pkg files.

To create the SEPRemote.pkg file, see the instructions in "Exporting and deploying the Endpoint Protection Macintosh client with remote tools", and use SEP for Mac version 14.2.5580 or newer.

SEP installers include a Broadcom signature, but they are not notarized because they usually contain elements that are unique to each customer's environment (SEP management server addresses, certificates, etc.). Customers must obtain their own Apple Developer ID to sign and notarize pkg files. Consult Apple technical support for help with obtaining a developer identity and notarization: Notarizing macOS Software Before Distribution.

Additional Information

How to check for signature/notarization on a macOS file?

Notarization is a process that includes a signature—it adds an extra "stamp of approval" to a file that is already signed. And if a file isn't signed, it can't be notarized.

To debug signing issues for anything other than an installer package (this won't work on a .pkg file), use the codesign utility to test the signature:
codesign -vvv --deep --strict /path/to/binary/or/bundle

The -vvv option performs the verification with elevated verbosity. The --deep option ensures the utility checks nested code content. The --strict option increases the restrictiveness of the validation to match that required by notarization. See the codesign man page for more information about these options and how to interpret the output.

To debug signing issues with installer packages use the pkgutil utility instead:
pkgutil --check-signature /path/to/file.pkg

ref: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues

To check notarization for .app files (this won't work for .pkg):
codesign -vvvv -R="notarized" --check-notarization /path/to/app

To check notarization of .pkg:
spctl -a -vvv -t installer /path/to/pkg

ref: https://developer.apple.com/forums/thread/112135
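
The four checks above combined into one pre-flight script, as an added example that is not part of the original article or any Broadcom or Apple tooling. It selects the commands by file type, since codesign does not work on .pkg files; the function names plan_checks and run_checks are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check for a file before MDM upload.
# plan_checks and run_checks are hypothetical helper names.

# Print the checks that apply to a path, one command per line.
# codesign does not work on .pkg files, so packages get pkgutil and spctl instead.
plan_checks() {
    target=${1%/}                      # tolerate a trailing slash on .app bundles
    case "$target" in
        *.pkg)
            echo 'pkgutil --check-signature'
            echo 'spctl -a -vvv -t installer'
            ;;
        *.app)
            echo 'codesign -vvv --deep --strict'
            echo 'codesign -vvvv -R=notarized --check-notarization'
            ;;
        *)  # other binaries and bundles: signature check only
            echo 'codesign -vvv --deep --strict'
            ;;
    esac
}

# Run every planned check. Returns 0 if all pass, 1 if any fails, 2 if path is missing.
run_checks() {
    target=${1%/}
    if [ ! -e "$target" ]; then
        echo "not found: $target" >&2
        return 2
    fi
    failed=0
    while IFS= read -r cmd; do
        echo "== $cmd $target"
        # $cmd is left unquoted on purpose so it splits into tool name and options.
        $cmd "$target" </dev/null || failed=1
    done <<EOF
$(plan_checks "$target")
EOF
    return "$failed"
}

# When invoked with a path argument, check it; with no argument, only define the functions.
[ "$#" -eq 0 ] || run_checks "$1"
```

Run it on the Mac that built the package, for example with /path/to/SEPRemote.pkg as the argument, and read each tool's output as well as the final exit status.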