Posted on 07-19-2019 12:17 AM
We are about to trial Digital Guardian as a POC but they want us to disable SIP on all devices, which seems like a bad idea at best. Currently we have Symantec DLP for our Windows users but it has never worked properly on Macs. We decided not to inflict that software onto them. We also have CoSoSys Endpoint Protector for USB Control but our InfoSec team didn't like the DLP function, with the net result it was never used.
My question is: is anyone using Digital Guardian in this mode, or is there a better product than Digital Guardian for DLP?
Posted on 07-19-2019 01:15 AM
I've got to say that I would not adopt any security product that requires you to disable another security feature in the OS, especially one as important as SIP.
Along with that, my questions to the vendor would be:
a) Why does SIP need to be disabled?
b) What efforts are being made to adopt the new system extensions coming in Catalina?
c) If SIP disablement is required, what are their plans for their product when the OS partition is read-only?
My statement to the vendor on being asked to disable SIP would include two words, three Fs and a large number of exclamation marks.
Posted on 07-19-2019 08:23 AM
We have a pool of computers that are running DG and they do not have SIP disabled. I agree with the previous poster, no security product worth its salt should require you to disable native OS security.
Posted on 07-22-2019 04:20 AM
Hello,
Thanks for the feedback. According to Digital Guardian you need to disable SIP for the following features;
I think that this product just doesn't meet our requirements and we will look for another solution.
Thanks
Steve
Posted on 07-22-2019 08:12 AM
I believe most, if not all, of these permissions can be granted in "Security & Privacy" preferences, at least in Mojave.
This has been the case with our antivirus which requires the "Full Disk Access" permission to even function on Mojave devices.
My organization wanted me to find a better way to implement dual boot on the Macs (just hold option on bootup guys!) and I tried refind for a while, but it turned out to be not worth the effort because any time there was a Windows update or Mac update you would need to disable SIP again and reinstall refind. I could have left SIP disabled but it's not worth the risk. I removed refind from the machines, and they were ok with it once I explained why it was bad.
Posted on 07-22-2019 10:00 AM
We are a current DG customer. They do not require us to disable SIP on our Macs.
Posted on 07-23-2019 10:54 AM
Yeah, disabling SIP should be a no go for any security tool...
Posted on 07-23-2019 06:44 PM
Unfortunately what they told you is true for us as a customer. We have been relegated to disable SIP in order to provide visibility to those items you listed Stevie.
Please let us know if you find a DLP tool that checks all the boxes and doesn't require SIP to be disabled.
In practice, disabling SIP seems like bad news in any security context and I would steer clear of Digital Guardian until if or when they can refactor their product to use System Extensions as prescribed by Apple at their most recent WWDC.
Posted on 07-24-2019 05:16 AM
We currently have CoSoSys Endpoint Protector for USB Device control but that is being replaced with Bitdefender. However, it now looks like we will go full cycle and give CoSoSys DLP another look. It was only dropped because our InfoSec team didn't like the reports and alerts which were generated. From a user's point of view it doesn't slow their computer down and from an IT point of view their support is good and the software always works with new macOS releases.
Posted on 07-24-2019 07:45 AM
A mix but that is decided by a different team concerning Security and Risk. Mainly the ask was for something that didn't require SIP to be turned off.
In what I've looked at so far, it may have to be a combination of tools working in unison to provide a combination of DLP and EDR.
Posted on 07-25-2019 07:02 PM
Has anyone looked at cmdReporter? I asked on the #endpoint_security MacAdmin Slack channel if anyone was using a DLP tool they were happy with, and the vendor replied they currently had some limited DLP functionality, were working to add more, and open to suggestions if there was something lacking. That sounds like a very attentive developer, and it's not kext based which bodes well for stability with macOS updates.
Posted on 11-15-2019 12:10 AM
Digital Guardian wanted to provide some clarification for everyone on this thread. The Digital Guardian (DG) Agent has always supported macOS for DLP; however, with the introduction of SIP in Mojave, there was a modest reduction in the amount of visibility the DG Agent had into data movement. This was the case for all DLP agents that operated in the kernel, regardless of the vendor. While Digital Guardian was addressing this issue, one option for customers was to disable SIP if they wanted the full visibility of the DG Agent, but Digital Guardian never recommended this to customers – it was an independent customer choice. With the company’s 7.6 release, the functionality is restored. Early access to version 7.6 of the DG Agent for macOS is available now for customers, with general availability scheduled for November 21, 2019.
Posted on 11-15-2019 03:58 AM
Thank you for clearing this up.
Posted on 11-15-2019 05:30 AM
@digitalguardian SIP was not introduced in Mojave. :/
Posted on 11-15-2019 06:08 AM
Indeed. System Integrity Protection was first introduced in 2015, as part of OS X El Capitan: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-app...
It’s now been out for over four years and its protections are fairly well documented by this point in 2019.
Posted on 11-15-2019 09:47 AM
Our apologies, we agree and know SIP was first introduced in 2015 as part of El Capitan. We should have been clearer in our last post. Instead of saying "with the introduction of SIP in Mojave", we should have said "with the extension of SIP in Mojave to cover third-party apps, like MS Office, and not just those supplied by Apple…". Will be more careful in future posts : )
Posted on 11-15-2019 09:56 AM
@digitalguardian Does this mean that the 7.6 release will be supporting Catalina System Extensions instead of kernel drivers?
Posted on 11-15-2019 10:27 AM
@ShadowGT for a more complete answer from a technology/code perspective you should reach out to your DG Support contact. They can also provide you with the early access version of the agent if you’re interested in testing. In the meantime, we can confirm that 7.6 will support Catalina and the DLP use cases/policies our customers have been accustomed to supporting (i.e. monitoring and controlling print, copy, save as commands, etc.). New code has been developed to achieve that on Catalina, but a DG Agent for macOS that uses the new system extensions exclusively is still being developed for a future release.
Posted on 06-09-2020 01:03 PM
We are using Forcepoint DLP and you don’t have to disable anything; it is working seamlessly as they are using extensions in Chrome, Safari, Outlook and Mail. But the agent needs FDA.