Monitoring macOS applications where SIP is enabled
Article ID: 163398
Updated On:
Products
Issue/Introduction
PLEASE NOTE: This article is now superseded by the content in the Broadcom Tech Docs portal.
Follow this link for current information on MacOS and SIP settings
The DLP Agent monitors macOS applications protected by System Integrity Protection (SIP). The following table lists the DLP Agent and macOS versions where SIP monitoring is supported by default:
| DLP Agent version | SIP monitoring supported by default |
|---|---|
|
14.5 |
macOS 10.11 through 10.11.4 |
|
14.6.x |
macOS 10.11 through 10.11.5 |
|
15.0.x |
macOS 10.11 through 10.11.5 macOS 10.12 through 10.12.5 macOS 10.13.2 through 10.13.4 (on MP1) |
| 15.1.x |
macOS 10.11 through 10.11.6 macOS 10.12 through 10.12.6 macOS 10.13 through 10.13.3 (through 10.13.6 on MP1) |
| 15.5.x |
macOS 10.11 through 10.11.6 macOS 10.12 through 10.12.6 macOS 10.13 through 10.13.6 macOS 10.14.0 |
| 15.7.x |
macOS 10.11 through 10.11.6 macOS 10.12 through 10.12.6 macOS 10.13 through 10.13.6 macOS 10.14 through 10.14.6 macOS 10.15 through 10.15.2 |
If you plan to update the macOS to a version that exceeds the default supported version for a given DLP Agent version, you must update the agent configuration. If you do not update the agent configuration, the DLP Agent can no longer monitor applications protected by SIP, and DLP Agent versions 14.6.x and 15.0.x display a Critical agent alert. The agent continues to monitor all other channels.
Resolution
Steps to monitor SIP-protected applications
Complete the following steps to monitor SIP-protected applications on updated macOS endpoints:
- Log in to the Enforce Server administration console.
- Go to System > Agents > Agent Configuration and click an agent configuration that is applied to the macOS agent.
- Click the Advanced agent settings tab and locate the setting: Hooking.SIP_AGENT_OSX_VERSION_COMPATIBILITY.str.
- Add the DLP Agent version and updated macOS version to the default value separated by a semicolon. Refer to Table 2 and Table 3 which list SIP monitoring support for macOS and DLP Agent version combinations. The tables list the value you enter to enable SIP monitor coverage. "Not supported" indicates that SIP monitoring is not supported for the macOS and DLP Agent version combination. "Supported" indicates that you are not required to enter a string to monitor SIP-protected application on the macOS/DLP Agent version.
- Consider the following when adding strings to the Hooking.SIP_AGENT_OSX_VERSION_COMPATIBILITY.str setting:
- Add new values using the default syntax: DLPAgent-version:macOS-version.
- Add a value for each DLP Agent version (14.5 and greater) running on endpoints. For example, if you are running version 14.6 and 14.6 MP1 agents with macOS version 10.12.0, you enter a separate value for each agent version (14.6 and 14.6 MP1 agents). For this example scenario, you would enter 14.6.0:10.12.5;14.6.0100:10.12.5.
- Enter a DLP Agent version that exactly matches the version that displays on the Enforce Server administration console. Refer to the Agent Overview screen in the Enforce Server administration console to confirm the agent version.
- Enter a macOS version equal to or greater than the macOS version running on endpoints. If you enter 14.6.0100:10.12.5, macOS versions 10.12 through 10.12.5 are monitored on version 14.6 MP1 agents.
- Add a value for each DLP Agent version (14.5 and greater) running on endpoints. For example, if you are running DLP Agent version 14.6 (on macOS 10.12.0 endpoints) and 14.6 MP1 (on macOS endpoints up to version 10.12.5) in your environment, you enter the following: 14.6.0:10.12.0;14.6.0100:10.12.5.
- Note: DLP Endpoint Agent hotfixes are cumulative for both Mac and Windows machines. Thus, if you have applied a subsequent hotfix for your Mac Agent, you will need to update the SIP settings accordingly. For example, the latest Public Hotfix on FileConnect for Mac Agents is 15.0.0107 - and it includes the hotfix for the Kernel Panic. Thus, the correct SIP settings for Macs running the latest hotfix for their respective releases is: 15.0.0107:10.11.6;15.0.0107:10.12.6;15.0.0107:10.13.4
- Save your changes to apply the setting. After saving changes, the agent begins monitoring SIP-protected applications. For version 14.6.x and 15.0.x agents, saving also updates the agent alert status from Critical to OK.
Strings for monitoring SIP-protected applications
The following tables provide strings for monitoring SIP-protected applications for Symantec Data Loss Prevention 14.x and 15.x, with the 15.x table appearing first, followed by the 14.x table.
| macOS version | DLP version 15.0 | DLP version 15.0 MP1 | DLP version 15.1 | DLP version 15.1 MP1 | DLP version 15.1 MP2 | DLP version 15.5 | DLP version 15.5 MP1 | DLP version 15.5 MP2 | DLP version 15.7 |
|---|---|---|---|---|---|---|---|---|---|
| 10.11.3 | Supported |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported |
|
10.11.4 |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.11.5 |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.11.6 |
Not supported |
15.0.101:10.11.6 You must install the latest 15.0 MP1 hot fix to use this string. See the Support Center article ALERT2538 for details. |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.12.0 |
15.0.0:10.12.0 |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.12.1 |
15.0.0:10.12.1 |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.12.2 |
15.0.0:10.12.2 |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.12.3 |
15.0.0:10.12.3 |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.12.4 |
15.0.0:10.12.4 |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.12.5 |
15.0.0:10.12.5 |
Supported |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.12.6 |
Not supported |
15.0.101:10.12.6 You must install the latest 15.0 MP1 Hotfix to use this string. See the Support Center article ALERT2538 for details. |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.13 |
15.0.0:10.13.0 |
15.0.0100:10.13.0 |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
|
10.13.1 |
15.0.0:10.13.1 |
15.0.0100:10.13.1 |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
| 10.13.2 |
Not supported |
15.0.101:10.13.2 You must install the latest 15.0 MP1 Hotfix to use this string. See the Support Center article ALERT2520 for details. |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
| 10.13.3 |
Not supported |
15.0.101:10.13.3 You must the latest 15.0 Hotfix to use this string. |
Supported |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
| 10.13.4 | Not supported |
15.0.101:10.13.4 You must install the latest 15.0 Hotfix to use this string. If you use MDM profiles to manage agents, you must make changes to your profile to run agents. See TECH250016 for details. |
15.1.0:10.13.4 |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
| 10.13.5 | 15.0.0:10.13.5 |
15.0.101:10.13.5 You must install the latest 15.0 Hotfix to use this string. If you use MDM profiles to manage agents, you must make changes to your profile to run agents. See TECH250016 for details. |
15.1.0:10.13.5 |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
| 10.13.6 | 15.0.0:10.13.6 |
15.0.107:10.13.6 You must install the latest 15.0 |
15.1.0:10.13.6 |
Supported |
Supported |
Supported |
Supported | Supported | Supported |
| 10.14 |
Not supported |
Not supported |
15.1.0:10.14.0 |
Supported |
Supported |
Supported |
Supported | 15.5.0:10.14.0 | Supported |
| 10.14.1 | Not supported |
Not supported |
Not supported |
15.1.0100:10.14.1 |
Not supported |
15.5.0:10.14.1 |
15.5.0100:10.14.1 | 15.5.0:10.14.1 | Supported |
| 10.14.2 | Not supported | Not supported | Not supported |
15.1.0100:10.14.2 |
Not supported |
15.5.0:10.14.2 |
15.5.0100:10.14.2 |
15.5.0:10.14.2 | Supported |
| 10.14.3 | Not supported | Not supported | Not supported | Not supported | Not supported |
15.5.0:10.14.3 |
15.5.0100:10.14.3 |
15.5.0:10.14.3 | Supported |
| 10.14.4 | Not supported | Not supported | Not supported | Not supported | Not supported |
15.5.0:10.14.4 |
15.5.0100:10.14.4 |
15.5.0:10.14.4 | Supported |
| 10.14.5 | Not supported | Not supported | Not supported | Not supported |
15.1.0200:10.14.5
|
Not supported |
15.5.0104:10.14.5 You must install the latest 15.5 MP1 Hotfix to use this string. |
15.5.0204:10.14.5 | Supported |
| 10.14.6 | Not supported | Not supported | Not supported | Not supported |
15.1.0200:10.14.6
|
Not supported |
15.5.0106:10.14.6 You must install the latest 15.5 MP1 Hotfix to use this string. |
15.5.0204:10.14.6 You must install the latest 15.5 MP2 Hotfix to use this string. |
Supported |
| 10.15.1 | Not supported | Not supported | Not supported | Not supported |
15.1.0209:10.15.2 You must install the latest 15.1 MP2 Hotfix to use this string. |
Not supported | Not supported |
15.5.0204:10.15.1 You must install the latest 15.5 MP2 Hotfix to use this string. |
Supported |
| 10.15.2 | Not supported | Not supported | Not supported | Not supported |
15.1.0209:10.15.2 You must install the latest 15.1 MP2 Hotfix to use this string. |
Not supported | Not supported |
15.5.0207:10.15.2 You must install the latest 15.5 MP2 Hotfix to use this string. |
Supported |
| 10.15.3 |
15.1.0209:10.15.3 You must install the latest 15.5 MP1 Hotfix to use this string. |
15.5.0207:10.15.3 You must install the latest 15.5 MP1 Hotfix to use this string. |
15.7.0:10.15.3 |
| macOS version |
DLP version 14.5 |
DLP version 14.5 MP1 |
DLP version 14.6 |
DLP version 14.6 MP1 |
DLP version 14.6 MP2 |
DLP version 14.6 MP3 |
|---|---|---|---|---|---|---|
| 10.11.3 | Supported | Supported | Supported | Supported | Supported | Supported |
| 10.11.4 | Supported | Supported | Supported | Supported | Supported | Supported |
| 10.11.5 | Not supported | 14.5.103:10.11.5 | Supported | Supported | Supported | Supported |
| 10.11.6 | Not supported | Not supported | Not supported | Not supported | 14.6.205:10.11.6 You must install the 14.6 MP2 hot fix to use this string. See the Support Center article ALERT2538 for details. |
Supported |
| 10.12.0 | Not supported | Not supported | 14.6.0:10.12.0 | 14.6.0100:10.12.0 | 14.6.0200:10.12.0 | 14.6.0300:10.12.0 |
| 10.12.1 | Not supported | Not supported | Not supported | 14.6.0100:10.12.1 | 14.6.0200:10.12.1 | 14.6.0300:10.12.1 |
| 10.12.2 | Not supported | Not supported | Not supported | 14.6.0100:10.12.2 | 14.6.0200:10.12.2 | 14.6.0300:10.12.2 |
| 10.12.3 | Not supported | Not supported | Not supported | 14.6.0100:10.12.3 | 14.6.0200:10.12.3 | 14.6.0300:10.12.3 |
| 10.12.4 | Not supported | Not supported | Not supported | 14.6.0100:10.12.4 | 14.6.0200:10.12.4 | 14.6.0300:10.12.4 |
| 10.12.5 | Not supported | Not supported | Not supported | 14.6.0100:10.12.5 | 14.6.0200:10.12.5 | 14.6.0300:10.12.5 |
| 10.12.6 | Not supported | Not supported | Not supported | Not supported |
14.6.205:10.12.6 You must install the 14.6 MP2 hot fix to use this string. See the Support Center article ALERT2538 for details. |
14.6.0300:10.12.6 |
| 10.13.0 | Not supported | Not supported | Not supported | Not supported | 14.6.0200:10.13.0 | 14.6.0300:10.13.0 |
| 10.13.1 | Not supported | Not supported | Not supported | Not supported | 14.6.0200:10.13.1 | 14.6.0300:10.13.1 |
| 10.13.2 |
Not supported |
Not supported |
Not supported |
Not supported |
14.6.205:10.13.2 You must install the 14.6 MP2 hot fix to use this string. See the Support Center article ALERT2519 for details. |
14.6.0300:10.13.2 |
| 10.13.3 |
Not supported |
Not supported |
Not supported |
Not supported |
14.6.205:10.13.3 You must install the Hotfix_14.6.0205 to use this string. |
14.6.0300:10.13.3 |
| 10.13.4 |
Not supported |
Not supported |
Not supported |
Not supported |
14.6.205:10.13.4 You must install the Hotfix_14.6.0205 to use this string. If you use MDM profiles to manage agents, you must make changes to your profile to run agents. See TECH250016 for details. |
14.6.0300:10.13.4 |
| 10.13.5 |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
| 10.13.6 |
Not supported |
Not supported |
Not supported |
Not supported | Not supported |
Not supported |
| 10.14.0 |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
| 10.14.2 |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
| 10.14.3 |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
| 10.14.4 |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
| 10.14.5 |
Not supported |
Not supported |
Not supported |
Not supported |
Not supported |
14.6.0304:10.14.5 You must install the latest 14.6 MP3 Hotfix to use this string. |
| 10.14.6 | Not supported | Not supported | Not supported | Not supported | Not supported |
14.6.0304:10.14.6 You must install the latest 14.6 MP3 Hotfix to use this string. |
Feedback
