progress. wss 126.96.36.19989 with the system extension above, shows activated and I'm not getting the pop ups other than the vpn configurations. I have a message out to our team that manages symantec to see if they can find a profile or a web content filter for wss. If I find anything I'll post it.
My team has basically convinced our info sec team to get rid of all Symantec products. They have let us down in the past, but they've completely failed this year. SEP isn't working on Big Sur properly and they failed to provide a content filter for the WSS. If you can, please drop these losers as soon as possible. We're moving to Palo Alto Cortex and Global Protect.
No M1 support, until Q2??? What a joke. Get it together Symantec.
In our environment I am seeing where we need both the old Approved KEXT for macOS 10.15x:
Display Name: Broadcom, Inc
Team ID: Y2CCP3S9W7
Approved Kernel Extensions (Bundle ID): com.symantec.kext.wssa
and the System Extension for macOS 11.x:
Display Name: Broadcom, Inc
System Extension Types: Allowed System Extensions
Team ID: Y2CCP3S9W7
Allowed System Extension: com.symantec.wssa.wssax
Working with support to verify the pkg provided by SME is right, we are also getting notifications for VPN config to account for on macOS 11.x
@markdmatthews @LaMantia @bwoods @nsbickhart After doing some research I finally came across https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/Help/Connectivity_3/conn-about-wssa/conn-wssa-bigsur.html. According to Broadcom the VPN prompt can't be automated per "This step in the process cannot be automated in an MDM. Currently, Apple does not support the MDM profile configuration of Transparent Proxy Providers." Considering it's Broadcom/Symantec, that's hard to believe but I'll take their word for it. I hope this information helps everyone else that's been waiting for an answer.
@IamGroot I was able to 100% automate those via:
1. Select ‘Computers > Configuration Profiles’
2. Select New
3. Select the Options tab > General payload a. Name enter Symantec WSS Agent - VPN Profiles b. Description enter “WSS Agent Tunnel (Packet-tunnel) and WSS Agent Proxy (App-proxy) for macOS Big Sur and later.” c. Category choose Applications d. Distribution Method choose Install Automatically e. Level choose Computer Level
4. Select > VPN payload, select Configure a. Connection Name enter WSS Agent Tunnel b. Verify VPN Type is VPN c. Connection Type select Custom SSL d. Identifier enter com.symantec.wssa.ui e. Server enter 127.0.0.1 f. Enable Provider Bundle Identifier i. Provider Bundle Identifier enter com.symantec.wssa.wssax g. Provider Type select Packet-tunnel h. Enable Provider Designated Requirement i. Provider Designated Requirement enter “anchor apple generic and identifier "com.symantec.wssa.wssax" and (certificate leaf[field.1.2.840.1136188.8.131.52.9] / exists / or certificate 1[field.1.2.840.1136184.108.40.206.6] / exists / and certificate leaf[field.1.2.840.1136220.127.116.11.13] / exists / and certificate leaf[subject.OU] = Y2CCP3S9W7)”
5. Scroll up and choose Add + a. Connection Name enter WSS Agent Proxy b. Verify VPN Type is VPN c. Connection Type select Custom SSL d. Identifier enter com.symantec.wssa.ui e. Server enter 127.0.0.1 f. Enable Provider Bundle Identifier i. Provider Bundle Identifier enter com.symantec.wssa.wssax g. Provider Type select App-proxy h. Enable Provider Designated Requirement i. Provider Designated Requirement enter “anchor apple generic and identifier "com.symantec.wssa.wssax" and (certificate leaf[field.1.2.840.113618.104.22.168.9] / exists / or certificate 1[field.1.2.840.113622.214.171.124.6] / exists / and certificate leaf[field.1.2.840.1136126.96.36.199.13] / exists / and certificate leaf[subject.OU] = Y2CCP3S9W7)”
** Scope to Big Sur (or later i.e. Not Like 10.5)
@markdmatthews Thank you a ton! You just saved me so much frustration that I've been dealing with. I really appreciate that. Something I've noticed is that it installs two proxy filters, WSS Agent Tunnel and WSS Agent Proxy. When I Allow them to be installed it appears the internet connection on the endpoint completely cuts off until I uninstall WSS Agent. However, when I ignored the Allow or Don't Allow and simply logged out and back in, it only installed the WSS Agent Tunnel adapter and the internet connection is fine. Have you ran into that at all?
As for the System Extension, what happens if you leave the Display Name blank? I have mine blank and the rest of the same configurations you have and it appears to be installing fine right now.
@IamGroot not ran into that at all; I am currently testing upgrades and new installs for 10.15.x and 11.x on Intel and M1 based devices.
At this point I would be willing to try anything – although I feel like they are missing an "Identifier" in the documentation. They also do determine based on macOS version IF they "need" KEXT or System Ext (breaking out the pkg pres/postinstall scripts and installvars); not sure why they didn't kill off KEXT entirely.
I'm running into some strange issues as well. If I add the VPN payload to the config profile, WSS agent doesn't load properly. It seems like the SYSEXT is blocked even if it is MDM approved and I don't get any prompt asking me to manually approve it.
If I remove the VPN payload, the agent works fine but I get the VPN prompt which is what I'm trying to avoid...
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/Help/Connectivity_3/conn-about-wssa/conn-wssa-bigsur.html - In following this, deployment of this config profile pre macOS upgrade to BigSur works fine, the WSS agent is functional. However post upgrade we are seeing the prompt to enable the System Extension. Has anyone here been able to automate this approval? Relying on our end users to approve this is simply not an option.
I had both com.symantec.wssa.wssax and com.symantec.wssa.ui listed in the allowed System Extensions payload, removing com.symantec.wssa.ui seems to have fixed it.
FYI, I've also been testing WSS 8.0 and seeing some major improvement with the whitelisting process. MS Teams was giving us a lot of grief but v8.0 can use wildcards with .app which has done the trick.
Symantec finally updated their documentation for wss agent on Big Sur. I added the vpn profiles as stated in the article and no more popups on Big Sur from the first device I loaded.
@ooftee Is this on Big Sur? Still seeing issues on Big Sur (new deployments) with Pkg deploying KEXT (Kernal Extension) in Symantec WSS Agent 188.8.131.5289.pkg; once installed rebuilding AuxKC as a System Extension.
This requires user approval and a restart... anyone else seeing this?
I wouldn’t expect a ‘Kernel Extension Update’ in that instance (on a brand new zero touch Big Sur deployment) and from a Broadcom perspective the ask is for a Pkg for macOS 11 or later that ONLY includes a System Extension at deployment.
@nsbickhart - in following those instructions from Broadcom I am still seeing a user prompt that the System Extension was Updated when upgrading a machine from 10.14 or 10.15 to Big Sur. I haven't tested a clean Big Sur install then JAMF enrollment and installation of the config profile and the WSS agent. I have a case open with Broadcom on this and am awaiting a response.
@brianmcbride99 working pretty good on new installs of big sur. Still seeing popups when upgrading. I believe the profile has to be installed on the device before the application or you will get the popups. I am seeing wss hose up internet browsing, but that could be something that our symantec team needs to fix. If I find out why that's happening, I'll post it.
@markdmatthews I'm seeing what you're seeing but with Blackmagic Inc. Design Software as Per: https://www.jamf.com/jamf-nation/discussions/38634/kernel-extensions-big-sur-blackmagic.
They are still using KEXTs under Big Sur.
But I don't know if this is due to the Software being installed prior to the Configuration Profile being loaded as per @brianmcbride99 . I need to test on a fresh install.
I'm seeing the pop-up even after entering all of the suggested Bundle IDs.
Just came across this @IamGroot https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/Help/Connectivity_3/conn-about-wssa/conn-wssa-bypassapp.html
So something that worked without issue in previous WSS agent versions and macOS versions now suddenly we have to identify ourselves and create bypasses for??? Is Broadcom literally trying to force users to a different product.(
@brianmcbride99 I didn't even notice that on there, thank you! This seems to be the new thing for vendors. We recently introduced another product into our environment that made us add app bypass filters as well for these kinds of things. It's a very tedious process as you have to identify each and every application you want bypassed. I agree with you, some vendors are really trying their hardest to lose their customers. I'll try this out today and let you know if I have any luck. Fingers crossed!
@markdmatthews - we are seeing something similar to this when upgrading to macOS 11, only stating something to the effect of the system extension being updated and needs to be approved. I'm assuming you are pre deploying the config profile approving the system extension and setting the VPN settings as they mention here
I did, and still get the approval prompt similar to yours. I have an open case with Broadcom, with zero movement in over a week.
I've been working with Broadcom support on this. We use falcon and anyconnect. Bypassed both, running 7.2 and it still seems to be fighting with anyconnect. I grabbed some more pcap logs and sent to support but haven't heard anything back since last week. The profiles for system extension/vpn seem to be taking care of the popups on new loads, but the issue remains with navigating to anything via a browser, it just won't allow anything out. Sometimes, if you click disconnect on the wss tunnel, it'll let you out, but it's all random.