Endpoint Protection 14.3 RU3 and later for Mac fails to load its system extension

Article ID: 233029

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) 14.3 RU3 for Mac may fail to load its system extension. The installation appears to complete successfully, but the SEP client GUI then prompts for approval of unfinished setup tasks:

"Setup Incomplete
  You haven't finished Setup and your
  computer is not protected."

There are no pending approvals at the bottom of the General tab in the macOS Security & Privacy settings.

The list of installed system extensions (command line "systemextensionsctl list") does not include com.broadcom.mes.systemextension; normally this list displays com.broadcom.mes.systemextension with a status of "[activated enabled]" or "[activated waiting for user]".

Running "sudo /Applications/Symantec\ Endpoint\ Protection.app/Contents/MacOS/Symantec\ Endpoint\ Protection -activateSystemExtension" will result in output like:

2022-01-25 11:15:37.455 Symantec Endpoint Protection[1643:12674] call activateSystemExtension
2022-01-25 11:15:37.473 Symantec Endpoint Protection[1643:12674] Failed: error:Error Domain=OSSystemExtensionErrorDomain Code=8 "(null)"

The normal response should be "Succeed" or "Failed: activation request requires user approval"
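
The two checks above can be combined into one triage step. The script below is an added example, not Broadcom code: it classifies "systemextensionsctl list" output together with saved -activateSystemExtension output; the function names, verdict strings and the empty sample extension list are constructed for illustration.

```sh
#!/bin/sh
# Added triage example, not Broadcom code; function names are hypothetical.
EXT_ID="com.broadcom.mes.systemextension"   # bundle ID named in the article

# Print the bracketed state of the SEP extension from `systemextensionsctl list`
# output on stdin, or "missing" when the extension is not listed at all.
ext_state() {
    line=$(awk -v id="$EXT_ID" 'index($0, id) { print; exit }')
    [ -n "$line" ] || { echo "missing"; return 0; }
    state=$(printf '%s\n' "$line" | sed -n 's/.*\[\([^]]*\)\].*/\1/p')
    echo "${state:-unknown}"
}

# Classify saved -activateSystemExtension output read from stdin.
activation_verdict() {
    case "$(cat)" in
        *"OSSystemExtensionErrorDomain Code=8"*) echo "code8" ;;
        *"requires user approval"*)              echo "needs-approval" ;;
        *"Succeed"*)                             echo "ok" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Combine both observations: $1 = extension state, $2 = activation verdict.
triage() {
    case "$1:$2" in
        "activated enabled":*) echo "extension loaded" ;;
        "activated waiting for user":*|*:needs-approval)
            echo "approve the extension in Security & Privacy" ;;
        missing:code8)
            echo "article symptom: check SSL inspection or blocking of Apple validation hosts" ;;
        *) echo "inconclusive: not the pattern this article describes" ;;
    esac
}

# Constructed samples: an empty extension list, plus the error text quoted above.
SAMPLE_LIST='0 extension(s)'
SAMPLE_ACT='Failed: error:Error Domain=OSSystemExtensionErrorDomain Code=8 "(null)"'

# On a Mac: live extension list, activation output from the file named in $1.
if command -v systemextensionsctl >/dev/null 2>&1; then
    list=$(systemextensionsctl list 2>&1)
    act=$(cat "${1:-/dev/null}")
else
    list=$SAMPLE_LIST; act=$SAMPLE_ACT    # off-Mac demonstration run
fi
triage "$(printf '%s\n' "$list" | ext_state)" "$(printf '%s\n' "$act" | activation_verdict)"
```

On a Mac, save the activation command's output to a file first (its log lines go to stderr, so capture with 2>&1) and pass that file's path as the first argument.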

Cause

This is caused by interference with communications to the Apple servers that are used for app notarization and validation checks. SSL inspection of such traffic may even be enough to cause a problem. SEP versions 14.3 RU3 through RU6 did not have a properly stapled Apple notarization, which causes a check with those servers when the software is run for the first time. See the "App features" and "Certificate validation" address lists in the Apple article "Use Apple products on enterprise networks".

Resolution

As a workaround, install SEP 14.3 RU2 for Mac first, then upgrade to 14.3 RU3 or newer. An upgrade shouldn't require an app validation check with Apple servers.

You may also disable macOS SIP (System Integrity Protection) temporarily: reboot into recovery mode, run "csrutil disable" from Terminal, reboot normally, and open the SEP client; macOS should then prompt to allow the system extension. Re-enable SIP after allowing the extension. This workaround is awkward and not suitable for wide deployment.

To resolve this otherwise, make sure that the devices on your network have direct access to the "App features" and "Certificate validation" hosts described in Apple's support article (Use Apple products on enterprise networks), then uninstall and reinstall SEP. When using the Symantec WSS Agent for Mac, for example, adjusting WSS to bypass api.apple-cloudkit.com is enough to eliminate this symptom. Otherwise, consult with Apple support and reference that technical article to determine what is necessary to unblock the required communications.

Symantec is aware of this and will correct the SEP notarization stapling in a future version. This article will be updated as new information becomes available.

Additional Information

Apple: Customizing the notarization workflow