Mac SEP clients can’t enroll with EDR


Article ID: 208596


Updated On:


Endpoint Detection and Response


Mac SEP clients are stuck in “Authentication Pending” state and do not enroll with EDR.


Symantec EDR 4.6 and later.


The self-signed or CA-signed certificate used to encrypt authentication between SEP clients and EDR is missing information required by macOS 10.15 and above.


If you use your own self-signed or CA-signed certificate, the certificate must meet the following requirements:

  1. The certificate must present the DNS name of the server in the Subject Alternative Name extension of the certificate
  2. The certificate must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID

If the certificate does not meet the above requirements, Mac clients cannot authenticate with SEDR 4.6 or later and will remain in "Authentication Pending" state.
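
One way to check a PEM certificate against the two requirements above before installing it, using the openssl command line. This is an added example, not part of the original article or vendor tooling; the function names, the script name and the host name `edr.example.test` used for testing are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Requires the openssl CLI.

# check_edr_cert <cert.pem> <server-dns-name>
# Returns 0 only if the certificate meets both requirements listed above.
check_edr_cert() {
    cert=$1; name=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: $cert is not a readable PEM certificate"; return 1; }

    # Requirement 1: the server DNS name appears in the SAN extension.
    # Exact, case-insensitive match only; wildcard entries are not expanded.
    san=$(printf '%s\n' "$text" | awk '/X509v3 Subject Alternative Name/ { getline; print }')
    if printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qixF "DNS:$name"; then
        echo "OK:   SAN contains DNS:$name"
    else
        echo "FAIL: SAN has no DNS:$name entry (found: ${san:-no SAN extension})"; rc=1
    fi

    # Requirement 2: the EKU extension lists id-kp-serverAuth, which openssl
    # prints as "TLS Web Server Authentication".
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; print }')
    case $eku in
        *"TLS Web Server Authentication"*) echo "OK:   EKU contains serverAuth" ;;
        *) echo "FAIL: EKU lacks serverAuth (found: ${eku:-no EKU extension})"; rc=1 ;;
    esac
    return "$rc"
}

# make_sample_cert <out.pem> <dns-name> <good|bare>
# Constructed test input: a throwaway self-signed certificate, with ("good")
# or without ("bare") the SAN and EKU extensions.
make_sample_cert() {
    out=$1; name=$2; dir=$(mktemp -d)
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\n'
        if [ "$3" = good ]; then printf 'x509_extensions=ext\n'; fi
        printf '[dn]\nCN=%s\n' "$name"
        printf '[ext]\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name"
    } > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$out" 2>/dev/null
    rm -rf "$dir"
}

# Run as: sh check_edr_cert.sh <cert.pem> <server-dns-name>
if [ $# -eq 2 ]; then check_edr_cert "$1" "$2"; fi
```

Pass the name that Mac clients use to reach the EDR server as the second argument; a certificate whose SAN lists a different name fails the first check even when the extension is present.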