How to allow system extensions and configure MDM profile on macOS Big Sur 11.x with PGP Encryption Desktop (Email Encryption and Virtual Disk)
Article ID: 207397
Updated On:
Products
Issue/Introduction
PGP Encryption Desktop 10.5.0 MP1 (Symantec Encryption Desktop) now has added support for macOS Big Sur 11
Network Kernel Extensions (NKE) are deprecated from Big Sur 11.0 onwards.
PGP Encryption Desktop 10.5 and previous were using these previous NKE modules for the Desktop Messaging feature to encrypt/decrypt emails.
To ensure email encryption/decryption works with macOS Big Sur, we developed a completely new Network System Extension which does a similar job of the previous NKE module.
While we have replaced the old NKE with this new Network System Extension on Big Sur, we will continue to support NKE on macOS Catalina(10.15.x) and macOS Mojave(10.14.x).
Starting with macOS 11 (Big Sur) there are additional security features that will prompt the user more frequently in order to allow any third-party applications to run successfully. This article will cover how to allow these pop-ups/notifications and how to suppress some of them as applicable for deployment solutions.
Resolution
Allowing system extension during installation
To use the PGP Encryption Desktop Messaging feature on Big Sur, the user needs to authorize the respective software to load and for adding proxy configuration at the time of the installation. To use Virtual Disk on Big Sur, the user will have a few additional steps to load the virtual disk KEXT (kernel extension/modules) on Big Sur.
Activating network system extension:
To activate system extension, first click ‘OK’:
Next, go to Security Preferences and click ‘Allow’ to finish the activation process.
Note: The "EncryptionProxyHost" is the messaging component needed to be allowed for encryption.
Adding proxy configuration in network preferences:
After successful activation of the system extension, a different consent popup is displayed for adding proxy configuration. Click ‘Allow’ to add this proxy configuration module:
Virtual Disk popup:
To use virtual disk on Big Sur, click "OK" as shown in the following screenshot to provide consent and load the Virtual Disk Kernel Extension.
Next, open System Preferences and click ‘Allow’ where it shows "Broadcom Inc" was blocked:
After you click "Allow" from Security Preferences, you will see the following restart popup. This restart popup is observed only on Big Sur due to increased security requirements.
For now, click "Not Now" and proceed as the installation will prompt for a reboot at the end.
NOTE: The user needs to ensure the authorization for the respective software to load in order for the respective features to work as expected.
If you are deploying Symantec Encryption Desktop with deployment solutions, the following information will help you properly add what is needed to allow/suppress certain popups.
Configuration Settings for MDM deployment
Kernel Extension Settings
|
Display name |
Team ID |
Display Name & Kernel Extension Bundle ID |
|
|
Broadcom |
Y2CCP3S9W7 |
Display Name |
Kernel Extension Bundle ID |
|
PGPdiskDriver |
com.pgp.iokit.PGPdiskDriver |
||
NOTE: The restart popup can not be suppressed through this MDM settings.
System extension settings
Following settings can be used in MDM configuration profile to pre-approve the loading of system extension.
|
PayloadType |
Bundle ID |
Team Identifier |
Designated Requirement |
|
com.apple.system-extension-policy |
com.pgp.neproxy.ext |
Y2CCP3S9W7 |
anchor apple generic and identifier "com.pgp.neproxy.ext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y2CCP3S9W7) |
Proxy/VPN configuration settings
A com.apple.vpn.managed payload with the following settings can be used to configure Encryption Network proxy service.
|
Property |
Value |
|
PayloadType |
com.apple.vpn.managed |
|
AuthenticationMethod |
Password |
|
IncludeAllNetworks |
0 |
|
ProviderBundleIdentifier |
com.pgp.neproxy.ext |
|
ProviderDesignatedRequirement |
anchor apple generic and identifier "com.pgp.neproxy.ext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y2CCP3S9W7) |
|
ProviderType |
app-proxy |
|
RemoteAddress |
127.0.0.1 |
|
OnDemandEnabled |
1 |
|
OnDemandUserOverrideDisabled |
1 |
|
OnDemandRules |
<array> <dict> <key>Action</key> <string>Connect</string> </dict> </array> |
|
VPNSubType |
PGPNEProxy.1 |
|
VPNType |
VPN |
|
VendorConfig |
The following is a sample of an MDM configuration profile for adding network proxy configuration:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ConsentText</key>
<dict>
<key>default</key>
<string>Proxy Configuration for Encryption Desktop</string>
</dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configure PGP network transparent proxy</string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>24D344D7-4089-4787-98A3-FE30D70E72AE</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>24D344D7-4089-4787-98A3-FE30D70E72AE</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserDefinedName</key>
<string>PGPNEProxy</string>
<key>VPN</key>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>IncludeAllNetworks</key>
<integer>0</integer>
<key>ProviderBundleIdentifier</key>
<string>com.pgp.neproxy.ext</string>
<key>ProviderDesignatedRequirement</key>
<string>anchor apple generic and identifier "com.pgp.neproxy.ext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y2CCP3S9W7)</string>
<key>ProviderType</key>
<string>app-proxy</string>
<key>RemoteAddress</key>
<string>127.0.0.1</string>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandUserOverrideDisabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
</dict>
<key>VPNSubType</key>
<string>PGPNEProxy.22</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict/>
</dict>
</array>
<key>PayloadDescription</key>
<string>PGP Proxy Configuration</string>
<key>PayloadDisplayName</key>
<string>MDMProfileForPGPNEPorxy</string>
<key>PayloadIdentifier</key>
<string>E8398A31-255F-473E-8A67-FD56E18D86D9</string>
<key>PayloadOrganization</key>
<string>Broadcom</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>E8398A31-255F-473E-8A67-FD56E18D86D9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
If you are using macOS with M1/M2 systems and are having some issues, please reach out to Symantec Encryption Support for further guidance.
Additional Information
207386 - Deploying PGP Encryption Desktop with MDM deployment settings on macOS (Symantec Encryption Desktop)
207397 - How to allow system extensions and configure MDM profile on macOS Big Sur 11.x with PGP Encryption Desktop (Email Encryption and Virtual Disk)
207391 - Configuring SSL/TLS for email communication for the Mail app with macOS Big Sur/macOS 11 and PGP Encryption Desktop
206979 - Known Issues with PGP Encryption Desktop and macOS 11/Big Sur (Symantec Encryption Desktop)
Feedback
