What are some of the more common questions pertaining to Symantec Endpoint Protection (SEP) for Mac?
Please see Compatibility between Symantec Endpoint Protection for Mac and versions of Mac OS X for specific Symantec Endpoint Protection version requirements. Note: You may see "System Extension Blocked" when installing SEP on macOS version 10.13, or newer -- this may be resolved by authorizing Symantec kernel extensions by using the macOS Security & Privacy system preference pane.
For minor updates to Mac OS X, such as 10.14.4 to 10.14.5, the Symantec Endpoint Protection client can remain in place.
For a major update to Mac OS X on a client system (from OS X 10.13 to OS X 10.14, for example), upgrade the Symantec Endpoint Protection client to the version that is compatible with the newer operating system, and then upgrade the operating system. Otherwise, uninstall the Symantec Endpoint Protection client and cleanly reinstall the compatible version after upgrade to avoid possible corruption to logs and other Symantec Endpoint Protection components.
Although Symantec does not officially support Mac OS X Server, there are only minor differences between Mac OS X and Mac OS X Server; Symantec Endpoint Protection for Mac will function and scan for threats as expected. For guidance on best practices, please see Recommendations for installing Symantec Endpoint Protection for Macintosh on Mac OS X Server.
Installing the Symantec Endpoint Protection client for Mac covers both managed and unmanaged installations. Push deployment from the Symantec Endpoint Protection Manager (using the Client Deployment Wizard) is supported as of Symantec Endpoint Protection 12.1.5.
Endpoint Protection client for Mac versions earlier than 12.1.4 must be uninstalled before you upgrade to version 14. You do not need to uninstall later versions first. See Supported upgrade paths to Symantec Endpoint Protection.
Auto-Upgrade is supported as of 14, but cannot be used to upgrade from 12.1. You must export a client package for the new version then install or deploy as you would a new installation; it is not possible to use the Upgrade Groups with Package wizard (auto-upgrade) to migrate Macintosh clients up to a later client version. However, you can usually install the new version directly over the old without uninstalling first; see the previous question.
As of version 14, you can uninstall through the menu bar once the SEP client UI is open. See Uninstalling the Symantec Endpoint Protection client for Mac for more information.
The Symantec Endpoint Protection Manager cannot host Macintosh LiveUpdate content the same way as it does for Windows clients. As of Symantec Endpoint Protection version 12.1 RU4 the Symantec Endpoint Protection Manager can be configured as a reverse proxy for downloading and caching the latest Macintosh LiveUpdate content. All Macintosh updates otherwise must otherwise occur through Symantec LiveUpdate or from an internal LiveUpdate Administrator (LUA) server. Please see Using the LiveUpdate Administrator 2.x to download updates for Symantec Endpoint Protection for Macintosh for information on how to configure LUA for this content.
Note: it is not recommended or supported for LiveUpdate Administrator and Symantec Endpoint Protection Manager to be on the same physical server. If you are looking for the standalone definitions updater, Intelligent Updater, for the Symantec Endpoint Protection (SEP) client for Mac, please refer to "Intelligent Updater and Endpoint Protection for Macintosh".
No, for the same reasons outlined above.
Rapid Release definitions are not available for Mac security products.
Daily, usually in the morning Pacific time (west coast, USA).
Connection Status: Connected appears under Management on the Symantec QuickMenu.
Yes, see How to convert an unmanaged Symantec Endpoint Protection for Macintosh client to managed for more information.
Windows-specific policies will not apply to Macs; only those policies which contain Mac specific settings will be parsed and applied by the SEP for Mac client.
It is not tested or supported.
Even though the command can be sent, these features are not supported for Symantec Endpoint Protection for Mac clients.
In the latest version of Symantec Endpoint Protection, Virus and Spyware Protection and Network Threat Protection can be disabled/re-enabled by unloading/loading the SymDaemon service:
sudo launchctl unload /Library/LaunchDaemons/com.symantec.symdaemon.*plist
sudo launchctl load /Library/LaunchDaemons/com.symantec.symdaemon.*plist
# the asterisk in daemon pathnames will accommodate suffix variations - SEP 14.0+ use com.symantec.symdaemon.NFM.plist
Location Awareness was introduced for Symantec Endpoint Protection for Mac clients in version 12.1. Supported conditions for ALS and Mac clients:
- Computer IP Address
- Gateway Address
- DNS Server address
- DHCP server address
- Network connection Type
- Management Server connection
- DNS Lookup
- Wireless SSID
- DHCP connection DNS suffix
- ICMP request (ping)
It is not possible to convert a SEP for Mac client to User Mode. Onlly Computer Mode will work.
There are not many changes that the end user can make, but if you want to prevent them from disabling Auto-Protect or Network Threat Protection (intrusion prevention), make sure their group is set to Server Control and unlock the padlock icon within the appropriate policy types.
When the policy types are locked and/or the group is set to Server Control, SEP for Mac UI options will be disabled and grey. When unlocked, they will be green and changeable for an admin-level account.
The macOS Parental Controls feature, used to manage users in order to restrict applications that are launched on the system, could be used to restrict the manual launch of LiveUpdate. However, under normal circumstances, Administrator and Standard users alike should be able to launch LiveUpdate manually, whether the LiveUpdate policy is checked allowing clients to manually launch LiveUpdate or not.
No. SEP for Mac only performs file system virus/spyware scanning. There is no proxying of incoming or outgoing messages for email clients like Mail or Entourage, as there is in the optional email component of SEP for Windows. SEP for Mac AutoProtect does monitor and scan everything that is being written to the hard drive, including attachments that a user may attempt to save from an email message. However, email client inboxes and other email archives may become corrupt if SEP scans mail folders under the user profile directories. As a best practice, those directories should be excluded from SEP scans. See How to create a Security Risk Exception for a Mac client and check the documentation for your email client.
There may also be /Library/Application Support/Symantec/LiveUpdate/liveupdate.conf but this location is overwritten every time LiveUpdate runs. Do not edit this file. It is a temporary record of the settings last used and combined from /etc/liveupdate.conf and the Mac OS Network settings.
For the installation, no separate log is written. Instead it is written to the system's installation log, which is most easily viewable via the Console application. With Console open, show the log list if it is not already showing. Click to expand Files, click to expand /private/var/log, and then look for install.log (see image below). After listing some environmental variables, the phrase "Symantec Endpoint Protection Installation Log" appears at the beginning of the installation cycle.
This document can be used to enable Sylink debugging for client communication problems with the Symantec Endpoint Protection Manager.
When using System Information / System Profiler, instead of printing, however, you will want to save the file. Before saving, under View, ensure "Full Profile" is selected.
About System Information and System Profiler