I have a confi profile to approve the Symantec EP kernel extension. The software installs and i have no prompt to allow, so all looks good.
After reboot i go to the symantec app and the kernel extension is blocked and i have to allow it, and also i get 'full disk access is not enabled' so i click 'fix' and sys preferences opens up and i have to go into 'privacy' and allow full disk access for the 'symantec system extension'!!!
once i allow 'full disk access' SEP goes green and it says 'your computer is protected'
is anyone else getting the crazy results?
I follow the Symantec do and wasn't able to get it working...
Here is the "code" I used for PPPC part, is it correct?
identifier "com.symantec.mes.systemextension" and anchor apple generic and certificate 1[field.1.2.840.1136126.96.36.199.6]/* exits */ and certificate leaf[field.1.2.840.1136188.8.131.52.13]/* exits */ and certificate leaf[subject.OU] ="9PTGMPNXZ2"
so far macs running 10.14 and earlier i'll just keep using the other Config Profile 'Approved Kernel Extension' with just the TeamID
gonna test it and update you with results
@gachowski looks like i got it to work by using the 3 payloads.
1 - PPPC
2 - Approved Kernel Extensions -----> did not enter any kernel extension bundle IDs, just entered the Team ID
3 - System Extensions
going to test again, this time on a 10.14.6 upgraded to 10.15.2. I uninstalled the previous SEP version from 10.14.6, now its upgrading to 10.15.2
Will install the SEP 10_15 Config Profile then run the self service policy that installs 14.2 RU2
@gachowski it works following that post but I talked to @NoahRJ and he's not comfortable deploying it yet given it's high CPU consumption. I have a case open with support, but I'm still in the "hey I can't run a .exe file on a Mac to help you get what your engineers are asking for" phase. I have a good support contract with them, but the people I get on the other end of their phones are fairly useless. One comment earlier in the case was "don't worry about this article here (https://support.symantec.com/us/en/article.TECH256631.html). Instead, you should use an MDM solution to push the software out to your clients." <Sighs> Anyway, feel free to keep me in the loop with your travels on Symantec. I am going to try to test NoahRJ's technique against 10.15.3 today and hope it either helps or at least didn't break anything. There also is a new build of SEP that dropped two days ago, BUT it didn't list anything in the release notes relevant to the Mac.
I have a case open with Symantec right now on the issue...They had me collect spindumps today... Of course when I go to collect them they aren’t hogging resources until I’m not paying attention and don’t think to open activity monitor and capture. I’ve got one machine that I did capture a good dump on and I’m gonna send them that today. Do you have a case number open on the same issue with them? My case number is 31638747
Classic race condition:
If macOS has already been upgraded to 10.15 with SEP installed, without taking precautions above, then remove and re-apply the JAMF configuration policy for Symantec. You must do this BEFORE the SEP GUI is opened for the first time after the macOS upgrade, otherwise you will get a warning about the extensions and they will be stuck in "awaiting user authorization".
If the SEP client GUI has already been open and the extension warning displayed then removing/re-applying the configuration policy will not help. You will need to uninstall SEP by using the Uninstall command in the client's "Symantec Endpoint Protection" menu. Do not use RemoveSymantecMacfiles—it does not properly remove the new system extensions. Then re-install SEP and the configuration policy should be properly recognized.