Mac SEP clients can’t enroll with EDR

Article ID: 208596

Products

Endpoint Detection and Response

Issue/Introduction

Mac SEP clients are stuck in “Authentication Pending” state and do not enroll with EDR.

Cause

The self-signed or CA-signed certificate used to encrypt authentication between SEP clients and EDR is missing information required by macOS 10.15 and above.

Environment

Symantec EDR 4.6 and later.

Resolution

If you use your own self-signed or CA-signed certificate, the certificate must meet the following requirements:

  1. The certificate must present the DNS name of the server in the Subject Alternative Name extension of the certificate
  2. The certificate must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID

 If the certificate does not meet the above requirements, Mac clients cannot authenticate with SEDR 4.6 or later and will remain in "Authentication Pending" state.
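
One way to check a certificate against these two requirements before installing it, as an added example that is not part of the original article or of Symantec's tooling. It uses the OpenSSL command line; the function names `ext_value` and `check_edr_cert` and the host name `edr.example.test` are illustrative assumptions, and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example: check a PEM certificate against the two requirements above.

# Print the value line that follows an extension header in `openssl x509 -text`.
ext_value() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -v hdr="$2" 'index($0, hdr) { getline; sub(/^ +/, ""); print; exit }'
}

# check_edr_cert CERT_PEM DNS_NAME -> exit status 0 only if both requirements hold.
check_edr_cert() {
    rc=0
    san=$(ext_value "$1" "X509v3 Subject Alternative Name")
    eku=$(ext_value "$1" "X509v3 Extended Key Usage")

    # Requirement 1: the server's DNS name is a dNSName entry in the SAN.
    # A matching Subject CN does not count. Exact match only, no wildcard logic.
    if printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
            grep -qixF "DNS:$2"; then
        echo "PASS  SAN contains DNS:$2"
    else
        echo "FAIL  SAN has no DNS:$2 entry (found: ${san:-none})"; rc=1
    fi

    # Requirement 2: EKU lists id-kp-serverAuth, which OpenSSL prints as
    # "TLS Web Server Authentication".
    if printf '%s\n' "$eku" | grep -qF "TLS Web Server Authentication"; then
        echo "PASS  EKU contains id-kp-serverAuth"
    else
        echo "FAIL  EKU missing id-kp-serverAuth (found: ${eku:-none})"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a throwaway self-signed certificate for a placeholder
# host name, generated with both extensions (-addext needs OpenSSL 1.1.1+).
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/good.pem" \
    -subj "/CN=edr.example.test" \
    -addext "subjectAltName=DNS:edr.example.test" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
check_edr_cert "$demo_dir/good.pem" edr.example.test
```

To check a real certificate, call `check_edr_cert` with the path to the PEM file and the DNS name that the Mac clients use to reach the EDR appliance.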