Must open client GUI before Endpoint Protection or Endpoint Security *.systemextension will automatically load

Article ID: 198559

Products

Endpoint Protection, Endpoint Security

Issue/Introduction

After installing or upgrading SEP or SES (Symantec Endpoint Protection/Security), you must open the client GUI at least once before the Endpoint Protection or Endpoint Security *.systemextension will automatically load and enable Virus and Spyware Protection on subsequent reboots. You will see the alert "You are at risk! You haven't finished setup and your computer is not protected. Click Finish Setup to update your preferences and activate your protection." This occurs even if pre-approval of the necessary macOS permissions is in place.

Cause

This behavior is currently by Apple's design; the new *.systemextension type in macOS 10.15 "Catalina" is activated only when an end user starts the associated application for the first time.

Resolution

Use SEP 14.3 RU2 for Mac (version 14.3.4625) and create a SEPRemote.pkg for a completely silent deployment to Mac clients. See Exporting and deploying the Endpoint Protection Macintosh client with remote tools and Pre-approving the macOS permissions required by SEP.

The SEPM remote push of the Mac client uses a different process and still prompts the user to open the client GUI at least once: "You are at risk! Finish Setup."

Workaround for older versions:

After installing SEP or SES and restarting the Mac, log in, open the Symantec client GUI, and answer any prompts that appear. Virus and Spyware Protection will then be fully enabled, with no further action required.

These steps could be automated as part of an unattended installation. For example, the following commands (run with administrative privileges) would perform a silent installation of SEP using the remote deployment package, open the SEP GUI in the background, and reboot after a pause that allows the *.systemextension to load.

installer -pkg /path/to/SEPRemote.pkg -target /
open -ja "Symantec Endpoint Protection"
shutdown -r +1

Note: a shutdown/reboot is not necessary in SEP for Mac 14.3 RU1 and above. See instructions here for creating the SEPRemote.pkg.

A properly activated and loaded extension can be verified with the following command line:

systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * Y2CCP3S9W7 com.broadcom.mes.systemextension (9.0.4/9.0.4) Symantec System Extension [activated enabled]
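
For unattended deployments, the same check can be scripted so that a management tool flags Macs where the extension never activated. The shell functions below are an added example, not part of the original article or Broadcom's tooling; the function names `sysext_status` and `sysext_ready` are hypothetical, and the second sample listing (with a pending state) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Broadcom's code): classify a system extension from the
# text of `systemextensionsctl list`, read on stdin.
# Live use on a Mac:
#   systemextensionsctl list | sysext_ready "$SEP_BUNDLE_ID" || echo "not loaded"

# Bundle ID as shown in the article's sample output.
SEP_BUNDLE_ID="com.broadcom.mes.systemextension"

# sysext_status BUNDLE_ID -> prints ready | not-ready | missing
# Assumptions: "ready" means both the enabled and active columns hold "*" and
# the line ends in [activated enabled]; the same bundle ID may be listed more
# than once (e.g. old and new versions), and one ready entry is sufficient.
sysext_status() {
    awk -v id="$1" -v want="[activated enabled]" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i != id) continue
            found = 1
            stars = 0
            for (j = 1; j < i; j++) if ($j == "*") stars++
            line = $0
            sub(/[ \t\r]+$/, "", line)          # drop trailing whitespace
            tail = substr(line, length(line) - length(want) + 1)
            if (stars == 2 && tail == want) ready = 1
            break
        }
    }
    END { print (ready ? "ready" : (found ? "not-ready" : "missing")) }'
}

# Exit status 0 only when the extension is ready; suitable for scripts.
sysext_ready() { [ "$(sysext_status "$1")" = "ready" ]; }

# Constructed sample 1: the listing shown in the article.
SAMPLE_OK='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * Y2CCP3S9W7 com.broadcom.mes.systemextension (9.0.4/9.0.4) Symantec System Extension [activated enabled]'

# Constructed sample 2: same extension listed, but not yet enabled or active.
SAMPLE_PENDING='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
Y2CCP3S9W7 com.broadcom.mes.systemextension (9.0.4/9.0.4) Symantec System Extension [activated waiting for user]'

printf '%s\n' "$SAMPLE_OK" | sysext_status "$SEP_BUNDLE_ID"
printf '%s\n' "$SAMPLE_PENDING" | sysext_status "$SEP_BUNDLE_ID"
```

A "missing" result means the bundle ID does not appear in the listing at all, which distinguishes a failed install from an extension that is installed but still waiting to be activated.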