How to convert an unmanaged Endpoint Protection for Macintosh client to managed


Article ID: 152371


Updated On:


Endpoint Protection


It is necessary to convert an unmanaged Symantec Endpoint Protection (SEP) for Macintosh client into a managed client.

This process can also be used to update the sylink file on a previously managed client.



Export communications settings (sylink.xml) from the target client group within the Symantec Endpoint Protection Manager (SEPM), then copy it to the Desktop of the Macintosh you wish to make managed.

SEP 12.1:

In SEP 12.1 there is a SyLinkDrop tool that can be used to copy the sylink.xml file to the SEP Macintosh client. This tool is installed along with the SEP Macintosh client in the Symantec folder: /Library/Application Support/Symantec/SMC/tools/SyLinkDrop. It can also be found in the product source files under \Tools\SylinkDrop\Mac, but this version may not be as up-to-date as the one installed with the SEP client (See SyLinkDrop for Macintosh generates an error "Fail to replace Sylink file").

SEP 14:

The SyLinkDrop tool is installed with the SEP 14 for Mac client in the /Applcations/Symantec Solutions directory.

The SyLinkDrop version used must match the SEP for Mac client version. The tool from 12.1 RU4 and RU5 will not work to convert older SEP clients, and vice-versa. This is due to differences in the SEP master service that SyLinkDrop tries to restart after replacing the sylink.xml - see Technical Information below on how to manually stop/start the smclient or symdaemon.

  1. On the Macintosh where SEP is installed, launch the SylinkDrop tool.
  2. Click "Browse" to browse for the sylink.xml file previously exported from the SEPM.
  3. Press "Update SyLink" to update. You will be prompted to input your admin password.
  4. If successful, you will see the message: "Replace SyLink File Successfully"
  5. Press "Exit" to close the application.


For all versions of SEP, you may also manually place the sylink.xml file into the appropriate folder on the Macintosh client computer per the following instructions:

  1. Open the Symantec Endpoint Protection Manager (SEPM) console.
  2. Click on the Clients tab, and then right-click on the group that the SEP for Mac client should reside in once converted to managed.
  3. Choose "Export Communications Settings", and when prompted, save the file to a location such as the Desktop. (Note: the file will have a long name prefaced with the group information. Please rename the file so that it is only called "sylink.xml".)
  4. On the client computer that's going to be converted to a managed client, for 12.1 RU2 and earlier stop the smcdaemon, and for 12.1 RU4 or RU5 stop the symdaemon (see Technical Information below).
  5. Copy the sylink.xml file to the client machine, pasting it into the following folder:

    SEP 14.2 RU2: /Library/Application Support/Symantec/Silo/MES/SMC
    SEP 14.2 RU1 MP2 and older: /Library/Application Support/Symantec/SMC

    (See image below). NOTE: there are multiple Library folders on Mac systems, the correct one can be found in Finder>Go>Computer in the computer's hard drive.

  6. Reboot the computer, or restart the smcdaemon (or symdaemon) on the Macintosh.

If the SEPM console is not accessible, the sylink.xml file can be obtained using the instructions provided in the document 'How to change a Symantec Endpoint Protection client from unmanaged to managed in MR1 and MR2.' (see link below), substituting "Temporary" for the name of the group that the Macintosh client should join.

Technical Information

From Terminal command line:

For 12.1 RU2 and earlier, to stop and start the smcdaemon:

sudo /Library/StartupItems/SMC/smclient --stop      (Note: There is a space after sudo and before --stop)
sudo /Library/StartupItems/SMC/smclient --start    (Note: There is a space after sudo and before --start)

For 12.1 RU4 and newer, to stop and start the symdaemon:

sudo launchctl unload /Library/LaunchDaemons/*plist
sudo launchctl load /Library/LaunchDaemons/*plist

  • When prefacing the command with sudo, there will be a prompt to authenticate with an administrator password (the password entry will not echo to the Terminal window).
  • The asterisk in daemon pathnames will accommodate suffix variations - SEP 12.1.x uses .plist and SEP 14.0 uses .NFM.plist