ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Monitoring macOS applications where SIP is enabled

book

Article ID: 163398

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

PLEASE NOTE: This article is now superseded by the content in the Broadcom Tech Docs portal.
Follow this link for current information on MacOS and SIP settings







The DLP Agent monitors macOS applications protected by System Integrity Protection (SIP). The following table lists the DLP Agent and macOS versions where SIP monitoring is supported by default:

Table 1: SIP monitoring supported by default
DLP Agent version SIP monitoring supported by default

14.5

macOS 10.11 through 10.11.4

14.6.x

macOS 10.11 through 10.11.5

15.0.x

macOS 10.11 through 10.11.5

macOS 10.12 through 10.12.5

macOS 10.13.2 through 10.13.4 (on MP1)

15.1.x

macOS 10.11 through 10.11.6

macOS 10.12 through 10.12.6

macOS 10.13 through 10.13.3 (through 10.13.6 on MP1)

15.5.x

macOS 10.11 through 10.11.6

macOS 10.12 through 10.12.6

macOS 10.13 through 10.13.6

macOS 10.14.0

15.7.x

macOS 10.11 through 10.11.6

macOS 10.12 through 10.12.6

macOS 10.13 through 10.13.6

macOS 10.14 through 10.14.6

macOS 10.15 through 10.15.2

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

If you plan to update the macOS to a version that exceeds the default supported version for a given DLP Agent version, you must update the agent configuration. If you do not update the agent configuration, the DLP Agent can no longer monitor applications protected by SIP, and DLP Agent versions 14.6.x and 15.0.x display a Critical agent alert. The agent continues to monitor all other channels. 

Resolution

Steps to monitor SIP-protected applications

Complete the following steps to monitor SIP-protected applications on updated macOS endpoints:

WarningDo not enter macOS versions that the DLP Agent does not support. Entering an unsupported version causes kernel errors or system crashes to occur.
  1. Log in to the Enforce Server administration console.
  2. Go to System > Agents > Agent Configuration and click an agent configuration that is applied to the macOS agent.
  3. Click the Advanced agent settings tab and locate the setting: Hooking.SIP_AGENT_OSX_VERSION_COMPATIBILITY.str.
  4. Add the DLP Agent version and updated macOS version to the default value separated by a semicolon. Refer to Table 2 and Table 3 which list SIP monitoring support for macOS and DLP Agent version combinations. The tables list the value you enter to enable SIP monitor coverage. "Not supported" indicates that SIP monitoring is not supported for the macOS and DLP Agent version combination. "Supported" indicates that you are not required to enter a string to monitor SIP-protected application on the macOS/DLP Agent version. 
  5. Consider the following when adding strings to the Hooking.SIP_AGENT_OSX_VERSION_COMPATIBILITY.str setting:
    • Add new values using the default syntax: DLPAgent-version:macOS-version. 
    • Add a value for each DLP Agent version (14.5 and greater) running on endpoints. For example, if you are running version 14.6 and 14.6 MP1 agents with macOS version 10.12.0, you enter a separate value for each agent version (14.6 and 14.6 MP1 agents). For this example scenario, you would enter 14.6.0:10.12.5;14.6.0100:10.12.5.
    • Enter a DLP Agent version that exactly matches the version that displays on the Enforce Server administration console. Refer to the Agent Overview screen in the Enforce Server administration console to confirm the agent version.
    • Enter a macOS version equal to or greater than the macOS version running on endpoints. If you enter 14.6.0100:10.12.5, macOS versions 10.12 through 10.12.5 are monitored on version 14.6 MP1 agents.
    • Add a value for each DLP Agent version (14.5 and greater) running on endpoints. For example, if you are running DLP Agent version 14.6 (on macOS 10.12.0 endpoints) and 14.6 MP1 (on macOS endpoints up to version 10.12.5) in your environment, you enter the following: 14.6.0:10.12.0;14.6.0100:10.12.5.
    • Note: DLP Endpoint Agent hotfixes are cumulative for both Mac and Windows machines. Thus, if you have applied a subsequent hotfix for your Mac Agent, you will need to update the SIP settings accordingly. For example, the latest Public Hotfix on FileConnect for Mac Agents is 15.0.0107 - and it includes the hotfix for the Kernel Panic. Thus, the correct SIP settings for Macs running the latest hotfix for their respective releases is: 15.0.0107:10.11.6;15.0.0107:10.12.6;15.0.0107:10.13.4
  6. Save your changes to apply the setting. After saving changes, the agent begins monitoring SIP-protected applications. For version 14.6.x and 15.0.x agents, saving also updates the agent alert status from Critical to OK.

Strings for monitoring SIP-protected applications

The following tables provide strings for monitoring SIP-protected applications for Symantec Data Loss Prevention 14.x and 15.x, with the 15.x table appearing first, followed by the 14.x table.

Table 2: macOS and DLP Agent version 15.x combinations
 macOS version DLP version 15.0 DLP version 15.0 MP1 DLP version 15.1 DLP version 15.1 MP1 DLP version 15.1 MP2 DLP version 15.5 DLP version 15.5 MP1 DLP version 15.5 MP2 DLP version 15.7
10.11.3 Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

10.11.4

Supported

Supported

Supported

Supported

Supported

Supported

Supported Supported Supported

10.11.5

Supported

Supported

Supported

Supported

Supported

Supported

Supported Supported Supported

10.11.6

Not supported

15.0.101:10.11.6

You must install the latest 15.0 MP1 hot fix to use this string. See the Support Center article ALERT2538 for details.

Supported

Supported

Supported

Supported

Supported Supported Supported

10.12.0

15.0.0:10.12.0

Supported

Supported

Supported

Supported

Supported

Supported Supported Supported

10.12.1

15.0.0:10.12.1

Supported

Supported

Supported

Supported

Supported

Supported Supported Supported

10.12.2

15.0.0:10.12.2

Supported

Supported

Supported

Supported

Supported

Supported Supported Supported

10.12.3

15.0.0:10.12.3

Supported

Supported

Supported

Supported

Supported

Supported Supported Supported

10.12.4

15.0.0:10.12.4

Supported

Supported

Supported

Supported

Supported

Supported Supported Supported

10.12.5

15.0.0:10.12.5

Supported

Supported

Supported

Supported

Supported

Supported Supported Supported

10.12.6

Not supported

15.0.101:10.12.6

You must install the latest 15.0 MP1 Hotfix to use this string. See the Support Center article ALERT2538 for details.

Supported

Supported

Supported

Supported

Supported Supported Supported

10.13

15.0.0:10.13.0

15.0.0100:10.13.0

Supported

Supported

Supported

Supported

Supported Supported Supported

10.13.1

15.0.0:10.13.1

15.0.0100:10.13.1

Supported

Supported

Supported

Supported

Supported Supported Supported
10.13.2

Not supported

15.0.101:10.13.2

You must install the latest 15.0 MP1 Hotfix to use this string. See the Support Center article ALERT2520 for details.

Supported

Supported

Supported

Supported

Supported Supported Supported
10.13.3

Not supported

15.0.101:10.13.3

You must the latest 15.0 Hotfix to use this string.

Supported

Supported

Supported

Supported

Supported Supported Supported
10.13.4 Not supported

15.0.101:10.13.4

You must install the latest 15.0 Hotfix to use this string.

If you use MDM profiles to manage agents, you must make changes to your profile to run agents. See TECH250016 for details.

15.1.0:10.13.4

Supported

Supported

Supported

Supported Supported Supported
10.13.5 15.0.0:10.13.5

15.0.101:10.13.5

You must install the latest 15.0 Hotfix to use this string.

If you use MDM profiles to manage agents, you must make changes to your profile to run agents. See TECH250016 for details.

15.1.0:10.13.5

Supported

Supported

Supported

Supported Supported Supported
10.13.6 15.0.0:10.13.6

15.0.107:10.13.6

You must install the latest 15.0
MP1 Hotfix to use this string.

15.1.0:10.13.6

Supported

Supported

Supported

Supported Supported Supported
10.14

Not supported

Not supported

15.1.0:10.14.0

Supported

Supported

Supported

Supported 15.5.0:10.14.0 Supported
10.14.1 Not supported

Not supported

Not supported

15.1.0100:10.14.1

Not supported

15.5.0:10.14.1

15.5.0100:10.14.1 15.5.0:10.14.1 Supported
10.14.2 Not supported Not supported Not supported

15.1.0100:10.14.2

Not supported

15.5.0:10.14.2

15.5.0100:10.14.2

15.5.0:10.14.2 Supported
10.14.3 Not supported Not supported Not supported Not supported Not supported

15.5.0:10.14.3

15.5.0100:10.14.3

15.5.0:10.14.3 Supported
10.14.4 Not supported Not supported Not supported Not supported Not supported

15.5.0:10.14.4

15.5.0100:10.14.4

15.5.0:10.14.4 Supported
10.14.5 Not supported Not supported Not supported Not supported

15.1.0200:10.14.5

 

Not supported

15.5.0104:10.14.5

You must install the latest 15.5 MP1 Hotfix to use this string.

15.5.0204:10.14.5 Supported
10.14.6 Not supported Not supported Not supported Not supported

15.1.0200:10.14.6

 

Not supported

15.5.0106:10.14.6

You must install the latest 15.5 MP1 Hotfix to use this string.

15.5.0204:10.14.6

You must install the latest 15.5 MP2 Hotfix to use this string.

Supported
10.15.1 Not supported Not supported Not supported Not supported

15.1.0209:10.15.2

You must install the latest 15.1 MP2 Hotfix to use this string.

Not supported Not supported

15.5.0204:10.15.1

You must install the latest 15.5 MP2 Hotfix to use this string.

Supported
10.15.2 Not supported Not supported Not supported Not supported 

15.1.0209:10.15.2

You must install the latest 15.1 MP2 Hotfix to use this string.

Not supported Not supported

15.5.0207:10.15.2

You must install the latest 15.5 MP2 Hotfix to use this string.

Supported
10.15.3            

15.1.0209:10.15.3

You must install the latest 15.5 MP1 Hotfix to use this string.

15.5.0207:10.15.3

You must install the latest 15.5 MP1 Hotfix to use this string.

15.7.0:10.15.3

 

Table 3: macOS and DLP Agent version 14.x combinations
macOS
version
DLP version
14.5
DLP version
14.5 MP1
DLP version
14.6
DLP version
14.6 MP1
DLP version
14.6 MP2
DLP version
14.6 MP3
10.11.3 Supported Supported Supported Supported Supported Supported
10.11.4 Supported Supported Supported Supported Supported Supported
10.11.5 Not supported 14.5.103:10.11.5 Supported Supported Supported Supported
10.11.6 Not supported Not supported Not supported Not supported 14.6.205:10.11.6
You must
install the 14.6
MP2 hot fix to
use this string.
See the
Support Center
article
ALERT2538 for
details.
Supported
10.12.0 Not supported Not supported 14.6.0:10.12.0 14.6.0100:10.12.0 14.6.0200:10.12.0 14.6.0300:10.12.0
10.12.1 Not supported Not supported Not supported 14.6.0100:10.12.1 14.6.0200:10.12.1 14.6.0300:10.12.1
10.12.2 Not supported Not supported Not supported 14.6.0100:10.12.2 14.6.0200:10.12.2 14.6.0300:10.12.2
10.12.3 Not supported Not supported Not supported 14.6.0100:10.12.3 14.6.0200:10.12.3 14.6.0300:10.12.3
10.12.4 Not supported Not supported Not supported 14.6.0100:10.12.4 14.6.0200:10.12.4 14.6.0300:10.12.4
10.12.5 Not supported Not supported Not supported 14.6.0100:10.12.5 14.6.0200:10.12.5 14.6.0300:10.12.5
10.12.6 Not supported Not supported Not supported Not supported

14.6.205:10.12.6

You must install the 14.6 MP2 hot fix to use this string. See the Support Center article ALERT2538 for details.

14.6.0300:10.12.6
10.13.0 Not supported Not supported Not supported Not supported 14.6.0200:10.13.0 14.6.0300:10.13.0
10.13.1 Not supported Not supported Not supported Not supported 14.6.0200:10.13.1 14.6.0300:10.13.1
10.13.2

Not supported

Not supported

Not supported

Not supported

14.6.205:10.13.2

You must install the 14.6 MP2 hot fix to use this string. See the Support Center article ALERT2519 for details.

14.6.0300:10.13.2
10.13.3

Not supported

Not supported

Not supported

Not supported

14.6.205:10.13.3

You must install the Hotfix_14.6.0205 to use this string. 

14.6.0300:10.13.3
10.13.4

Not supported

Not supported

Not supported

Not supported

14.6.205:10.13.4

You must install the Hotfix_14.6.0205 to use this string. 

If you use MDM profiles to manage agents, you must make changes to your profile to run agents. See TECH250016 for details.

14.6.0300:10.13.4

10.13.5

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

10.13.6

Not supported

Not supported

Not supported

Not supported Not supported

Not supported

10.14.0

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

10.14.2

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

10.14.3

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

10.14.4

Not supported

Not supported

Not supported

Not supported

Not supported

Not supported

10.14.5

Not supported

Not supported

Not supported

Not supported

Not supported

14.6.0304:10.14.5

You must install the latest 14.6 MP3 Hotfix to use this string.

10.14.6 Not supported Not supported Not supported Not supported Not supported

14.6.0304:10.14.6

You must install the latest 14.6 MP3 Hotfix to use this string.