bump

Getting ready to test this as well, I haven't seen anything.

I can confirm this is the correct System extension. Works fine on macOS Catalina and Big Sur. Just need root cert payload and VPN filter?

Screen shot..

@LaMantia Thanks for this, is the VPN content filter a generic one or org specific?
If generic, would you mind sharing it.

@LaMantia that's the system extension. I need the content filter for the network filter feature.

progress. wss 7.2.1.14589 with the system extension above, shows activated and I'm not getting the pop ups other than the vpn configurations. I have a message out to our team that manages symantec to see if they can find a profile or a web content filter for wss. If I find anything I'll post it.

@nsbickhart Any luck finding anything? I've been trying to figure it out as well and haven't gotten very far.

@IamGroot nope, haven't found anything. I did find out that the new WSS agent is showing in crash reports and am getting the "your computer restarted because of a problem" message when rebooting. I wish we could just not use Symantec.

I think Broadcom is telling us to have the user accept the content filter???

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/Help/Connectivity_3/conn-about-wssa/conn-wssa-jamf.html

My team has basically convinced our info sec team to get rid of all Symantec products. They have let us down in the past, but they've completely failed this year. SEP isn't working on Big Sur properly and they failed to provide a content filter for the WSS. If you can, please drop these losers as soon as possible. We're moving to Palo Alto Cortex and Global Protect.

No M1 support, until Q2??? What a joke. Get it together Symantec.

In our environment I am seeing where we need both the old Approved KEXT for macOS 10.15x:
Display Name: Broadcom, Inc
Team ID: Y2CCP3S9W7
Approved Kernel Extensions (Bundle ID): com.symantec.kext.wssa

and the System Extension for macOS 11.x:
Display Name: Broadcom, Inc
System Extension Types: Allowed System Extensions
Team ID: Y2CCP3S9W7
Allowed System Extension: com.symantec.wssa.wssax

Working with support to verify the pkg provided by SME is right, we are also getting notifications for VPN config to account for on macOS 11.x

@markdmatthews , Thanks for the update. I had my admin to put in a ticket to address this VPN config too.

@markdmatthews Did you have any luck getting the config profile settings for the VPN stuff in 11.x?

@markdmatthews @LaMantia @bwoods @nsbickhart After doing some research I finally came across https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/Help/Connectivity_3/conn-about-wssa/conn-wssa-bigsur.html. According to Broadcom the VPN prompt can't be automated per "This step in the process cannot be automated in an MDM. Currently, Apple does not support the MDM profile configuration of Transparent Proxy Providers." Considering it's Broadcom/Symantec, that's hard to believe but I'll take their word for it. I hope this information helps everyone else that's been waiting for an answer.

@IamGroot I was able to 100% automate those via:
1. Select ‘Computers > Configuration Profiles’
2. Select New
3. Select the Options tab > General payload
a. Name enter Symantec WSS Agent - VPN Profiles
b. Description enter “WSS Agent Tunnel (Packet-tunnel) and WSS Agent Proxy (App-proxy) for macOS Big Sur and later.”
c. Category choose Applications
d. Distribution Method choose Install Automatically
e. Level choose Computer Level
4. Select > VPN payload, select Configure
a. Connection Name enter WSS Agent Tunnel
b. Verify VPN Type is VPN
c. Connection Type select Custom SSL
d. Identifier enter com.symantec.wssa.ui
e. Server enter 127.0.0.1
f. Enable Provider Bundle Identifier
i. Provider Bundle Identifier enter com.symantec.wssa.wssax
g. Provider Type select Packet-tunnel
h. Enable Provider Designated Requirement
i. Provider Designated Requirement enter “anchor apple generic and identifier "com.symantec.wssa.wssax" and (certificate leafifield.1.2.840.113635.100.6.1.9] / exists / or certificate 1tfield.1.2.840.113635.100.6.2.6] / exists / and certificate leafifield.1.2.840.113635.100.6.1.13] / exists / and certificate leafisubject.OU] = Y2CCP3S9W7)”
5. Scroll up and choose Add +
a. Connection Name enter WSS Agent Proxy
b. Verify VPN Type is VPN
c. Connection Type select Custom SSL
d. Identifier enter com.symantec.wssa.ui
e. Server enter 127.0.0.1
f. Enable Provider Bundle Identifier
i. Provider Bundle Identifier enter com.symantec.wssa.wssax
g. Provider Type select App-proxy
h. Enable Provider Designated Requirement
i. Provider Designated Requirement enter “anchor apple generic and identifier "com.symantec.wssa.wssax" and (certificate leafrfield.1.2.840.113635.100.6.1.9] / exists / or certificate 1 field.1.2.840.113635.100.6.2.6] / exists / and certificate leafrfield.1.2.840.113635.100.6.1.13] / exists / and certificate leafrsubject.OU] = Y2CCP3S9W7)”

** Scope to Big Sur (or later i.e. Not Like 10.5)

Now seeing issue with Big Sur on the System Extension (even though it is on the device already prior to WSS installation)

@markdmatthews Thank you a ton! You just saved me so much frustration that I've been dealing with. I really appreciate that. Something I've noticed is that it installs two proxy filters, WSS Agent Tunnel and WSS Agent Proxy. When I Allow them to be installed it appears the internet connection on the endpoint completely cuts off until I uninstall WSS Agent. However, when I ignored the Allow or Don't Allow and simply logged out and back in, it only installed the WSS Agent Tunnel adapter and the internet connection is fine. Have you ran into that at all?

As for the System Extension, what happens if you leave the Display Name blank? I have mine blank and the rest of the same configurations you have and it appears to be installing fine right now.

@IamGroot not ran into that at all; I am currently testing upgrades and new installs for 10.15.x and 11.x on Intel and M1 based devices.

At this point I would be willing to try anything – although I feel like they are missing an "Identifier" in the documentation. They also do determine based on macOS version IF they "need" KEXT or System Ext (breaking out the pkg pres/postinstall scripts and installvars); not sure why they didn't kill off KEXT entirely.

I'm running into some strange issues as well. If I add the VPN payload to the config profile, WSS agent doesn't load properly. It seems like the SYSEXT is blocked even if it is MDM approved and I don't get any prompt asking me to manually approve it.
If I remove the VPN payload, the agent works fine but I get the VPN prompt which is what I'm trying to avoid...

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/Help/Connectivity_3/conn-about-wssa/conn-wssa-bigsur.html - In following this, deployment of this config profile pre macOS upgrade to BigSur works fine, the WSS agent is functional. However post upgrade we are seeing the prompt to enable the System Extension. Has anyone here been able to automate this approval? Relying on our end users to approve this is simply not an option.

I had both com.symantec.wssa.wssax and com.symantec.wssa.ui listed in the allowed System Extensions payload, removing com.symantec.wssa.ui seems to have fixed it.
FYI, I've also been testing WSS 8.0 and seeing some major improvement with the whitelisting process. MS Teams was giving us a lot of grief but v8.0 can use wildcards with .app which has done the trick.

Symantec finally updated their documentation for wss agent on Big Sur. I added the vpn profiles as stated in the article and no more popups on Big Sur from the first device I loaded.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/Help/Connectivity_3/conn-about-wssa/conn-wssa-bigsur.html

@ooftee Is this on Big Sur? Still seeing issues on Big Sur (new deployments) with Pkg deploying KEXT (Kernal Extension) in Symantec WSS Agent 7.2.1.14589.pkg; once installed rebuilding AuxKC as a System Extension.

This requires user approval and a restart... anyone else seeing this?

I wouldn’t expect a ‘Kernel Extension Update’ in that instance (on a brand new zero touch Big Sur deployment) and from a Broadcom perspective the ask is for a Pkg for macOS 11 or later that ONLY includes a System Extension at deployment.

@nsbickhart - in following those instructions from Broadcom I am still seeing a user prompt that the System Extension was Updated when upgrading a machine from 10.14 or 10.15 to Big Sur. I haven't tested a clean Big Sur install then JAMF enrollment and installation of the config profile and the WSS agent. I have a case open with Broadcom on this and am awaiting a response.