Allowing system extensions and configure MDM profile on macOS Big Sur 11.x with PGP Encryption Desktop (Email Encryption and Virtual Disk)
Article ID: 207397
Products

Desktop Email Encryption Desktop Email Encryption, Powered by PGP Technology Encryption Desktop Corporate Powered by PGP Technology Drive Encryption Powered by PGP Technology Encryption Desktop Powered by PGP Technology Encryption Desktop Professional Powered by PGP Technology Encryption Desktop Storage Powered by PGP Technology File Share Encryption Powered by PGP Technology PGP Command Line PGP Encryption Suite PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption

Issue/Introduction

PGP Encryption Desktop 10.5.0 MP1 (Symantec Encryption Desktop) now supports macOS Big Sur 11.

Network Kernel Extensions (NKE) are deprecated from macOS Big Sur 11.0 onwards.

PGP Encryption Desktop 10.5 and earlier used NKE modules for the Desktop Messaging feature to encrypt and decrypt email.

To keep email encryption and decryption working on macOS Big Sur, we developed a completely new Network System Extension that performs the same role as the previous NKE module.

While we have replaced the old NKE with this new Network System Extension on Big Sur, we will continue to support NKE on macOS Catalina (10.15.x) and macOS Mojave (10.14.x).

Starting with macOS 11 (Big Sur), additional security features prompt the user more frequently before any third-party application is allowed to run. This article covers how to approve these pop-ups/notifications and how to suppress some of them where a deployment solution (MDM) is used.

Resolution

Allowing system extension during installation

To use the PGP Encryption Desktop Messaging feature on Big Sur, the user must authorize the software to load its system extension and to add a proxy configuration at installation time. To use Virtual Disk on Big Sur, the user has a few additional steps to load the Virtual Disk KEXT (kernel extension) on Big Sur.


Activating the network system extension:

To activate the system extension, first click "OK":

Next, go to Security Preferences and click "Allow" to finish the activation process.

Note: "EncryptionProxyHost" is the messaging component that must be allowed for email encryption.

 

Adding the proxy configuration in Network Preferences:

After the system extension has been activated, a different consent popup is displayed for adding the proxy configuration. Click "Allow" to add this proxy configuration module:

 


Virtual Disk popup:

To use Virtual Disk on Big Sur, click "OK" as shown in the following screenshot to give consent and load the Virtual Disk kernel extension.

Next, open System Preferences and click "Allow" where it shows that software from "Broadcom Inc" was blocked:

After you click "Allow" in Security Preferences, you will see the following restart popup. This restart popup appears only on Big Sur because of its increased security requirements.

For now, click "Not Now" and proceed; the installer will prompt for a reboot at the end.

 

NOTE: The user must complete the authorization for each component so that the respective features work as expected.

If you are deploying PGP Encryption Desktop with a deployment solution (MDM), the following information will help you add what is needed to allow or suppress certain popups.


Configuration Settings for MDM deployment

 

Kernel Extension Settings

Display Name:               Broadcom
Team ID:                    Y2CCP3S9W7

Display Name:               PGPdiskDriver
Kernel Extension Bundle ID: com.pgp.iokit.PGPdiskDriver

NOTE: The restart popup cannot be suppressed through these MDM settings.

 

System Extension Settings

The following settings can be used in an MDM configuration profile to pre-approve loading of the system extension.

PayloadType:            com.apple.system-extension-policy
Bundle ID:              com.pgp.neproxy.ext
Team Identifier:        Y2CCP3S9W7
Designated Requirement: anchor apple generic and identifier "com.pgp.neproxy.ext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y2CCP3S9W7)

 

Proxy/VPN Configuration Settings

A com.apple.vpn.managed payload with the following settings can be used to configure the Encryption Network proxy service.

Property                        Value
PayloadType                     com.apple.vpn.managed
AuthenticationMethod            Password
IncludeAllNetworks              0
ProviderBundleIdentifier        com.pgp.neproxy.ext
ProviderDesignatedRequirement   anchor apple generic and identifier "com.pgp.neproxy.ext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y2CCP3S9W7)
ProviderType                    app-proxy
RemoteAddress                   127.0.0.1
OnDemandEnabled                 1
OnDemandUserOverrideDisabled    1
OnDemandRules                   <array>
                                    <dict>
                                        <key>Action</key>
                                        <string>Connect</string>
                                    </dict>
                                </array>
VPNSubType                      PGPNEProxy.1
VPNType                         VPN
VendorConfig                    (empty)

The following is a sample of an MDM configuration profile for adding network proxy configuration:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ConsentText</key>
	<dict>
		<key>default</key>
		<string>Proxy Configuration for Encryption Desktop</string>
	</dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDescription</key>
			<string>Configure PGP network transparent proxy</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>24D344D7-4089-4787-98A3-FE30D70E72AE</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>24D344D7-4089-4787-98A3-FE30D70E72AE</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>PGPNEProxy</string>
			<key>VPN</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>IncludeAllNetworks</key>
				<integer>0</integer>
				<key>ProviderBundleIdentifier</key>
				<string>com.pgp.neproxy.ext</string>
				<key>ProviderDesignatedRequirement</key>
				<string>anchor apple generic and identifier "com.pgp.neproxy.ext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y2CCP3S9W7)</string>
				<key>ProviderType</key>
				<string>app-proxy</string>
				<key>RemoteAddress</key>
				<string>127.0.0.1</string>
				<key>OnDemandEnabled</key>
				<integer>1</integer>
				<key>OnDemandUserOverrideDisabled</key>
				<integer>1</integer>
				<key>OnDemandRules</key>
				<array>
					<dict>
						<key>Action</key>
						<string>Connect</string>
					</dict>
				</array>
			</dict>
			<key>VPNSubType</key>
			<string>PGPNEProxy.22</string>
			<key>VPNType</key>
			<string>VPN</string>
			<key>VendorConfig</key>
			<dict/>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>PGP Proxy Configuration</string>
	<key>PayloadDisplayName</key>
	<string>MDMProfileForPGPNEPorxy</string>
	<key>PayloadIdentifier</key>
	<string>E8398A31-255F-473E-8A67-FD56E18D86D9</string>
	<key>PayloadOrganization</key>
	<string>Broadcom</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>E8398A31-255F-473E-8A67-FD56E18D86D9</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
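Before pushing a proxy profile like the one above through MDM, it is worth checking that nobody has edited the payload away from the values in the table, in particular that ProviderDesignatedRequirement still pins the bundle ID and Broadcom's team ID, since that requirement is what decides which signed code may act as the managed proxy. The following Python script is an added example, not code from the article or from the PGP product; it uses only the standard-library plistlib, and sample_profile() builds a constructed minimal profile with placeholder UUIDs for testing.

```python
import plistlib
# Values taken from the article's Proxy/VPN configuration table.
TEAM_ID = "Y2CCP3S9W7"
PROVIDER_ID = "com.pgp.neproxy.ext"
EXPECTED_DR = ('anchor apple generic and identifier "com.pgp.neproxy.ext" and '
               '(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
               'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
               'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
               'certificate leaf[subject.OU] = Y2CCP3S9W7)')
EXPECTED_VPN = {
    "ProviderBundleIdentifier": PROVIDER_ID,
    "ProviderDesignatedRequirement": EXPECTED_DR,
    "ProviderType": "app-proxy",
    "RemoteAddress": "127.0.0.1",
    "IncludeAllNetworks": 0,
    "OnDemandEnabled": 1,
    "OnDemandUserOverrideDisabled": 1,
}

def check_proxy_profile(profile: bytes) -> list:
    """Return findings for the com.apple.vpn.managed payload; an empty list means it matches."""
    top = plistlib.loads(profile)
    vpn_payloads = [p for p in top.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.vpn.managed"]
    if len(vpn_payloads) != 1:
        return ["expected exactly one com.apple.vpn.managed payload, found %d" % len(vpn_payloads)]
    vpn = vpn_payloads[0].get("VPN", {})
    findings = []
    for key, want in EXPECTED_VPN.items():
        if vpn.get(key) != want:
            findings.append("VPN.%s: expected %r, got %r" % (key, want, vpn.get(key)))
    # The designated requirement binds the managed proxy to code signed with Broadcom's
    # team ID; a requirement missing either identifier is reported on its own line.
    dr = str(vpn.get("ProviderDesignatedRequirement", ""))
    if 'identifier "%s"' % PROVIDER_ID not in dr or "subject.OU] = %s" % TEAM_ID not in dr:
        findings.append("designated requirement does not pin both the bundle ID and the team ID")
    rules = vpn.get("OnDemandRules", [])
    if not rules or rules[-1].get("Action") != "Connect":
        findings.append("OnDemandRules must end with a Connect rule so the proxy is always on")
    return findings

def sample_profile(**vpn_overrides) -> bytes:
    """Constructed minimal profile mirroring the article's sample (placeholder UUIDs)."""
    vpn = {**EXPECTED_VPN, "OnDemandRules": [{"Action": "Connect"}], **vpn_overrides}
    payload = {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1, "VPN": vpn,
               "PayloadIdentifier": "PLACEHOLDER-UUID", "PayloadUUID": "PLACEHOLDER-UUID",
               "UserDefinedName": "PGPNEProxy", "VPNType": "VPN", "VPNSubType": "PGPNEProxy.1",
               "VendorConfig": {}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": [payload]})
```

Run check_proxy_profile() on the .mobileconfig bytes exported from your MDM; any non-empty result should be resolved before the profile is scoped to devices.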

 

Note: If you have any Mac systems with Apple silicon (M1/M2/M3), reach out to Symantec Encryption Support for further guidance.
EPG-22596

Additional Information