Skip to main content

Detailed step by step guide using Symantecs system extension as an example since that seemed to be most popular.



Creating this thread for everyone to share new found knowledge, best practices & management tactics all in one place as we venture into a new Kext-Less macOS.



WWDC System Extensions Keynote



https://developer.apple.com/system-extensions/



Click Here for a Great Breakdown of System Extensions from Scott Knight



To start, the best way I know of to obtain a list of system extensions that are present on the machine via terminal is the following command.



systemextensionsctl list


This command will produce the following information regarding system extensions.



enabled active  teamID  bundleID (version)  name    [state]


for a full example, using symantecs release for macOS 10.15, the following is populated



Hugonaut$ systemextensionsctl list

1 extension(s)

--- com.apple.system_extension.endpoint_security

enabled active  teamID  bundleID (version)  name    [state]

*   *   9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension   [activated enabled]

I have the same issue with MacOS 10.15.x Catalina and SEP 14.2 RU2 when installing - System Extension needs Approval and Full Disk Access is not enabled. I have done ALL of the above and no success

I wish I was here to solve this without writing another "me too" post. I have a case open with Symantec Endpoint Protection and a call scheduled here in the next hour.



I'm heartened to see this article by them: https://support.symantec.com/us/en/article.TECH256631.html



Apparently, they tried at some point making this work with Jamf...yay! Upon following it though, it still doesn't work unless I hand authorize that stupid system extension. I'm wondering if something dramatically changed for them in macOS 10.15.2 or something? I'll update this thread if we do anything useful with my case with them.

Same here as @blackholemac We have profiles for PPPC, SEXT and KEXT, fresh 10.15.2 install. I install the cloud version of SEP (14.2 RU2 25, in system info version 9.0.1) and this is what we see after deploying the pkg, and reboot:
.
will try the tip from @David_h to run the update first.
Update1:
I tried to update ,but the GUI does not allow to access (see error message above), so I try to update in the background
This command (no need for sudo) can run it manually, but behaviour (error above) is the same:



/Library/Application Support/Symantec/Silo/MES/LiveUpdate/LUTool


Update 2:
using the log command from carl ashley/ I see a lot of references to com.symantec.mes and not com.symantec.mes.systemextension so I tried to include both in the PPPC profile.
Not much improvement so far
Update 3:
We use the cloud version of SEP, also known as SES. It has different GUI, but shares a lot with the on-prem versions of SEP (that we also use for some internal mac's) Maybe the GUI warning I see is only for the Cloud version?

So, we're seeing high CPU utilization from the com.symantec.mes.systemextension agent and won't be deploying it in our environment until Symantec sorts out their poorly written sysext, but I did put together a reliable way to install the SEP client and get it authorized:



I have a single config profile with three payloads (PPPC, kext, sysext; screenshot below), scoped out to 10.15 (this is important, because if you apply sysext on 10.14 and then upgrade to 10.15, it doesn't know what to do with this and Catalina will not respect the config).





From there, I have a policy scoped to 10.15 machines that hits on login. I haven't been able to activate the system extension correctly without first launching Symantec Endpoint Protection.app in the user space, so I install the SEP 14.2 RU2 PKG as well as a postinstall script (below) that loads the SEP kexts and launchds, launches SEP in the GUI for five seconds (seems to be long enough to get it to activate the sysext), and then quits. I've tried invoking the binary or figuring out some way to do this separate from the user login, but so far haven't been successful.



#!/bin/bash

#Updated 12/02/19; NRJA



#FOR USE WITH 10.15

#POSTINSTALL SHOULD ONLY BE RUN ON LOGIN



#Load the kexts for SEP

/sbin/kextload /Library/Extensions/{NortonForMac.kext,SymInternetSecurity.kext,SymIPS.kext,SymXIPS.kext}



#Load the LaunchDaemons for SEP

/bin/launchctl load /Library/LaunchDaemons/{com.symantec.SymLUHelper.MES.plist,com.symantec.UninstallerToolHelper.MES.plist,com.symantec.deepsightdownload.MES.plist,com.symantec.liveupdate.daemon.MES.plist,com.symantec.sharedsettings.MES.plist,com.symantec.symdaemon.MES.plist,com.symantec.symqual.detail.MES.plist,com.symantec.symqual.panicreporter.MES.plist,com.symantec.symqual.submit.MES.plist,com.symantec.symseplps.MES.plist}



#Get the shortname of the logged in user

CurUser=$(ls -l /dev/console | awk '{print $3}')



#Launch SEP in the user space in the background and hidden

/usr/bin/su - "${CurUser}" -c "/usr/bin/open -jg '/Applications/Symantec Solutions/Symantec Endpoint Protection.app'"



#Wait for SEP to activate with the SysExt

sleep 5



#Close out of SEP

ps aux | grep -i 'Symantec Endpoint Protection' | grep -v grep | awk '{print $2}' | xargs kill -15


After that completes, you should be able to run systemextensionsctl list and see Symantec's team ID (9PTGMPNXZ2) shows as active and enabled now. This has reliably worked on new Catalina builds as well as upgrades from 10.14 --> 10.15 (we first uninstall SEP before the upgrade and then install the new agent with the instructions above).

@NoahRJ Couple of questions...I notice in your kernel extension payload, you add a line com.symantec.SymXIPS



All of your other kernel extensions in both the label and the identifier have ".kext" at the end. Is there a reason com.symantec.SymXIPS does not?

@blackholemac I grabbed that kext list from this SEP documentation, where SymXIPS doesn't have .kext appended, but the other three do.

@NoahRJ I must say, I'm impressed with your documentation and script....they worked for me like a champ. Unfortunately, much like you, I am noticing the stupid system extension taking up a high level of CPU utilization. I still have an open case with Symantec at the moment. I'm going change the nature of my case with them to report that your findings solved my installation issue but that now Symantec is using up way too much CPU resources. My call is in 25 min...I'm going to try installing Symantec by hand on an unmanaged Mac, manually enabling the stupid stuff and verify that it occurs in that configuration as well. If it does, I can send them logs and FINALLY get escalated to someone there that speaks Mac.

We too were getting the "System Extentions require Authorization" message in SEP although we had the correct Configuration Profiles on the machine. We used this KBA



https://support.symantec.com/us/en/article.TECH256631.htm



Opened a case with SEP and they confirmed there were no issues with our configuration. We continued to test and discoverd the System Extention needs to be installed prior to SEP. Not sure if this is the case for everyone however for us pushing out the Config profile prior to the SEP upgrade / install did the trick.

We are hitting a wall with this process and I'm wondering if we are missing some steps. Despite allowing the system and kernel extensions as well as loading the PPPC profile we are unable to get past the "System Extensios require Authorization" step.



Overview of the steps we are taking:




  • Fresh Catalina install (10.15.3) enrolled via DEP

  • Install the three profiles
    -- Approved Kernel Extensions (Symantec TeamID, 9PTGMPNXZ2, we don't list any kernel bundles)
    -- Allowed System Extensions (Symantec TeamID, we then specify com.symantec.mes.systemextension)
    -- Symantec PPPC policy (allow SystemPolicyAllFiles)

  • Install SEP (14.2.5569.2100)

  • Reboot



I can now see that the system extension is loaded, but it is still marked as "activated waiting for user". I tried using the script shared by @NoahRJ but status remains the same (btw, I am unable to execute this at login, but have manually run it, as a test, immediately after login - not sure if this makes much of a difference regarding it's effectiveness).
I feel like I'm missing something obvious here, but not sure what. We have users upgrading to Catalina and they may not be running Symantec properly. I'm nearly at the point of manually activating on all systems, but would rather not have to schedule something like that.

we have major issues with Symantec EndPoint Protection 14.2 RU2 (14.2.5323.2000) and installing onto MacOS Catalina 10.15.x. The SEP Client installs fine but I am constantly getting System Extension Blocked even though in JAMF I have done all the required PPPC ,

Kernel Extension and System Extension Allows for the Configuration Profile.



PLEASE SHARE RESOLUTION IF ANYONE HAVE

I would love someone to post a comprehensive response to this (maybe someone from Symantec .errrr Broadcom)
The plot thickens as their support website has been recently migrated to broadcom -- and I cannot find anything.



We are running (trying to run Symantec 14.2.2.1 or 14.2 RU2 MP1 ) and are still having problems. have we have KEX, system extensions and PPPC. - Any help will be appreciated. THanks

so broadcom officially took over symantecs site, all we get is the following - anyone have any newer articles?



https://knowledge.broadcom.com/external/article?legacyId=tech256581



https://knowledge.broadcom.com/external/article?legacyId=TECH256631



rumor has it, broadcoms acquisition incited in one way or another, a brain drain on the end of symantecs endpoint protection team which resulted in us having issues with catalina integration.



@ChicagoGuy1984

This is the most useful thread I have seen on this: https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=dba78d62-9cfe-42fb-ac7e-ba4dab7a3b17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer

If anyone has any more info on this it would be greatly appreciated...



At this point, I have all three components (kernel extension whitelist, system extension whitelist, PPPC settings), but I am still having issues on machines that upgrade from Mojave to Catalina with SEP 14.2.5569.2100 installed. I have the config profiles for SEP/Catalina scoped to machines with Catalina installed. I am guessing that the configuration profiles are not deploying before the system extension gets installed. From what I understand, the Mojave and below versions of the SEP installer will install the system extension in /Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions. It's there in case Catalina is installed, so it can then be copied/installed into /Library/SystemExtensions. If it gets copied/installed BEFORE the config profiles are brought down, the whitelisting does not occur, and the user will have to allow in System Preferences > Security & Privacy. If this happens, it seems there is no way to whitelist the system extension other than clicking allow. Please correct if I am wrong.



So it seems like the real solution is this:




  1. Install a version of SEP that does not "stage" the system extension on Mojave and below (or remove the staged extension prior to upgrading to Catalina somehow)

  2. Upgrade to Catalina

  3. Make sure the config profiles are applied

  4. Install the latest version of SEP



It sounds like you could perform this automatically by:




  1. Remove the "staged" system extension from /Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions on machines running Mojave and older

  2. Scope SEP config profiles to all machines running Catalina

  3. Create a smart group that has criteria matching to Profile Identifiers of your three SEP profiles

  4. Create a policy to install latest SEP Catalina version, scoped to smart group of step 3



This way, when machines upgrade to Catalina, they won't have the System Extension for SEP. They will get their config profiles eventually once they check in and report they are on Catalina. Once they have the Config Profiles, Jamf will push the latest SEP Catalina installer over which will installed the system extension. Upon loading, the whitelist will be present and everything should check out.



Does that sound right? Anyone have something different they are doing?

@joelsenders I have smart groups setup for each operating system. I then have a separate configuration profile categories for each os.



for example, I have a Mojave Smart Group & Catalina Smart Group. I then have separate categories of configuration profiles, a Mojave Category & Catalina Category. Each category has almost identical Configuration profiles, every new OS I create them all again & cater to whats needed. So the Mojave Config Categories profiles are explicitly scoped to Mojave Machines & Same goes for Catalina.



When the Mojave machine runs the upgrade & then becomes Catalina, at first login or first check in as catalina, all Mojave profiles are removed & it lays down the new configuration profiles, including the new symantec profile.



That method is working for me.

@Hugonaut Thanks for the response. I've got a similar setup; the problem is that once the system extension is installed on Catalina, the system extension whitelist doesn't work. It still requires the user to approve it.



It's like there is a race condition; Once Catalina is installed, the whitelist profile needs to come down BEFORE the SEP system extension gets installed. Otherwise it doesn't work. I've got a machine right now in this condition, and there is nothing I can do to whitelist the system extension other than to manually approve it. The whitelist profile does nothing.

very strange. I had no issue laying down the system extension profile payload on a catalina machine that already had sep installed. It worked so I never dove deeper. I would like to see what other people share about this

I appreciate your report. I am going to spin up some VMs and do some more testing.

After reading posts on the #symantec channel on the MacAdmins Slack team and here I think there may be some differences in the SEP client based on where you get it.



If you don't use a Management Console Server and download standalone/unmanaged version of the installer from MySymantec (or whatever Broadcom calls it now), like we do, you get a single installer that works for both macOS 10.14 and macOS 10.15 that installs a version of SEP that has both the Kernel Extension and System Extension.



If you download from a Management Console it sounds like you get two versions of the installer, one for macOS 10.14 and older and one for macOS 10.15 and newer. However, I can't verify the second method as we don't have a Management Console Server.

@spalmer Yes you are correct. We have a SEPM, and it provides us with two different client installers. However, both identify as the same version. From what I can see, the Mojave and below installer doesn't install the system extension into /Library/SystemExtensions (obviously since it's not supported). The Catalina version does. However, the Mojave and below installer installs the system extension into /Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions. It would seem that when a machine that has this version is then upgraded to Catalina, the SEP client recognizes that it needs this system extension, and installs it itself (by copying from /Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions into /Library/SystemExtensions). That way, a new client install is not necessary when you upgrade to Catalina. This seems like a good idea. I could be wrong on how this works, but that has been in accordance with all of my testing.



My issue is still that the system extension whitelist simply doesn't work. The machine I am typing from currently has all of the whitelist profiles (system extension, kernel extension, PPPC) but still asks me to manually approve in System Preferences > Security and Privacy.

SEP client asking for manual approval of system extension and privacy preferences after upgrade to macOS 10.15, despite the correct configuration policies being in place? The related *.systemextension type is new in Catalina; it doesn't run in earlier macOS versions. I would expect that the OS upgrade would re-check policy against the new extension. But it doesn't. Remains to be seen whether this is a Symantec or Apple bug. And the following isn't really a fix, but demonstrates how to get macOS to re-query the configuration policy: un/re-install SEP but don't use the RemoveSymantecMacFiles tool because it does not handle the newer systemextension. As a matter of fact, the current version of this tool will stop and ask you to use the application's uninstaller if it detects a newer Symantec product. You can still run RSMF afterward.



ATTENTION: You must use the uninstall option in your product's
"Symantec Endpoint Protection" menu.


...



Older versions of RSMF won't warn you, and won't reset the stuck "waiting for user authorization" and re-installing SEP will put you back where you started.

https://www.jamf.com/jamf-nation/discussions/34623/catalina-and-symantec-ep-kernel-extension#responseChild201202

Is there a way to check if a mdm profile with an approved system extension is installed on MacOS?
Approved kext can be found in the file /var/db/SystemPolicyConfiguration/KextPolicy. Is there something similar for System Extensions?

Hello,



With SEP 14.3 MP1, Broadcom system extension is needed to be added.



Did you get it working?

@mhasman I'm seeing the same with SEP 14.3 MP1--even though I have the Broadcom system extension whitelisted via config profile. Edited to add: I didn't have this problem with the system extension being blocked with SEP 14.3.



I'm also seeing the same old issue with SEP 14.3 MP1 where even after the Broadcom system extension is allowed, it doesn't actually install/activate until after someone launches the SEP client for a moment. (This is confirmed by running 'sudo systemextensionsctl list' in Terminal before and after launching the SEP client.) We have had a case open with Broadcom since 6/30/2020, but it's going nowhere.

Reply


Terms & ConditionsCookie settings