How to System Extension in macOS

Hugonaut
Valued Contributor

Detailed step-by-step guide using Symantec's system extension as an example, since that seemed to be m...

Creating this thread for everyone to share new-found knowledge, best practices & management tactics all in one place as we venture into a new kext-less macOS.

WWDC System Extensions Keynote

https://developer.apple.com/system-extensions/

Click Here for a Great Breakdown of System Extensions from Scott Knight

To start, the best way I know of to obtain a list of system extensions that are present on the machine via terminal is the following command.

systemextensionsctl list

This command will produce the following information regarding system extensions.

enabled active  teamID  bundleID (version)  name    [state]

For a full example, using Symantec's release for macOS 10.15, the following is populated:

Hugonaut$ systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
*   *   9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension   [activated enabled]
________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

mm2270
Legendary Contributor II

@Hugonaut Is systemextensionsctl something new in 10.15 only? I am unable to run it on a 10.14.6 Mac, so I'm assuming it's a new tool shipped with Catalina.

Hugonaut
Valued Contributor

@mm2270 yes it is.

larry_barrett
Valued Contributor

I'm curious about systemextensionsctl reset; it says it will reset the System Extension state. Does this mean the state when it was installed (assuming enabled)?

Hugonaut
Valued Contributor

@larry_barrett Not yet an available feature, so who knows. This is what I get when I run it with SIP enabled. I will test with SIP disabled and follow up.

Hugonaut$ systemextensionsctl reset
At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!

larry_barrett
Valued Contributor

@Hugonaut Same. Guess we'll find out more once the limitation is removed.

Hugonaut
Valued Contributor

@larry_barrett With SIP disabled it completely wipes any system extensions, approved or not.

Hugonaut$ systemextensionsctl reset

This popup requests authentication: [screenshot]

& then Terminal reads:

Database reset successfully.
Hugonaut$ systemextensionsctl list
0 extension(s)

larry_barrett
Valued Contributor

@Hugonaut Interesting. Thank you.

mapurcel
Contributor II

@Hugonaut did you use a Jamf System Extension payload to get SEP enabled? We just got the new SEP client and with the payload it puts the system extension in an 'activated waiting for user' state...

systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
           *    9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension    [activated waiting for user]

mikedowler
New Contributor

The System Extension payload (at least in 10.16.1) has 3 options:
- Allowed System Extensions
- Allowed Team Identifiers
- Allowed System Extension Types

For me, "Allowed Team Identifiers" provides the best balance between security and admin overhead. But (at least in 10.16.1) it doesn't appear to work. If I download the profile and remove the signing, there is no mention of the Team ID I entered in the GUI. "Allowed System Extensions" does appear to work, but is more restrictive. The settings you need are:
Team Identifier: 9PTGMPNXZ2
Allowed System Extensions: com.symantec.mes.systemextension

NoahRJ
Contributor II

@mikedowler Just to check that I'm following your workflow properly, I've created the config profile in Jamf, put together the System Extensions payload with "Allowed System Extensions" for the type, populated the team identifier, and explicitly added com.symantec.mes.systemextension as an allowed System Extension.

However, despite scoping that out to a test Mac on 10.15.1 and confirming it's installed, running sudo systemextensionsctl list returns 0 extensions, and when I launch SEP it still indicates that "System extensions need authorization". Any idea what might be broken in my setup? I've also tried setting Allowed Team Identifier and specifying that identifier, but no luck there either.

[screenshot]

Hugonaut
Valued Contributor

@NoahRJ

What does your configuration profile's system extension payload look like? Does it look like this? I'm on Jamf Pro 10.16.1; this works on macOS Catalina 10.15.1.

[screenshot]

Also, you need a PPPC profile to grant the system extension access to All Files. So if you stick to a granular approach, you need 3 profiles:

  1. Kernel Extension Configuration Profile
  2. System Extension Configuration Profile
  3. PPPC - Full Disk Access for Symantec's System Extension

NoahRJ
Contributor II

Thanks very much, @Hugonaut! I didn't have the PPPC piece created for the System Extension, so after generating that and a fresh uninstall/reinstall of SEP, things look to be working now. :thumbs_up:

MatG
Contributor II

Great Thread :) @NoahRJ @Hugonaut @mikedowler

I'm still having problems. I have 1 profile with 3 payloads: PPPC, Approved Kernel Extension, System Extension.

PPPC to allow Full Disk Access:
[screenshot]

Approved Kernel Extension:
[screenshot]

System Extension:
[screenshot]

I removed Symantec, restarted, ensured the profile is in place, installed Symantec, restarted, but still I get:
[screenshot]

Could someone please provide screenshots of all 3 items? I must be doing something wrong here.

Hugonaut
Valued Contributor

@MatG No need to create a PPPC payload for mainapp. Your System Extension payload profile is correct; have you given it time to load?

Also, (PPPC) grant it access to EVERYTHING; your PPPC profile looks a little light unless I'm missing something. Remember, when the system extension is fully utilized (I don't believe Symantec is fully utilizing it yet) it's doing a full system scan. I wanted mine to include all possible avenues of data, external & internal. (This is COMPLETE overkill; you only need SystemPolicyAllFiles.)

[screenshot]

For the kernel extensions payload, it's also best to give access to the following 4 kexts explicitly.
[screenshot]

MatG
Contributor II

Great help as usual thanks all.

leobrt
New Contributor II

Hello @NoahRJ , @Hugonaut , @MatG
After following your workflow correctly, I still get the "System extensions need authorization" message in SEP :( Have you been able to find a solution to this?

NoahRJ
Contributor II

@leobrt Are you doing this upgrading from Mojave to Catalina? Or on a fresh Catalina build? I've found that the configuration profile needs to be applied only after the machine is on Catalina - it's hit or miss whether the system will respect it if it's applied on 10.14 and then upgraded to 10.15. Once the PPPC/kext/sysext pieces are in place on a Catalina machine, then you install SEP, launch it, and it should get whitelisted properly.

leobrt
New Contributor II

@NoahRJ
Hi,
Indeed, the Macs were on Mojave and migrated to Catalina. I will test with a new Catalina installation and report back. If this is the cause it is a real problem, because all our Macs are in this case..

leobrt
New Contributor II

@NoahRJ
Thanks a lot, it's working!

mapurcel
Contributor II

Great thread. Anyone else seeing the system extension chew up the CPU? [screenshot]

David_H
New Contributor II

Just adding a quick comment to this, on something that caused me to pull my hair out. With SEP 14.2.2 it was complaining about the System Extension not working, when in fact it was just missing the virus definitions, and it never once said this. Once I ran a LiveUpdate the System Extension was approved and the extension changed from "waiting for user approval" to "activated enabled". So make sure to run LiveUpdate before re-creating the profiles. :p

wmehilos
Contributor

@mapurcel Yes. On my own machine it was causing the fans to spin up at idle. I actually deleted the systemextension file from within the Endpoint Protection.app bundle just to see what would happen, and SEP still seems to work fine on 10.15.2 without it eating up 1/8th of my CPU 24/7.

jmariani
Contributor

Yes, high CPU usage from the sep systemextension here as well.

mapurcel
Contributor II

Came across this article about needing separate builds for 10.14 and 10.15, reached out to Symantec to confirm but haven't heard back yet...

(12/20/19) Update: if your SEPM is 14.2 RU2, there are indeed two options for building the package. In our case, we are unable to update the server, so we had to use an unconfigured package, followed by a 2nd package, the communications package, to connect the unmanaged install to our server. I've noticed the Catalina flavor of the build isn't as bad on the CPU, but the extension still runs higher than I would like to see..

P_Featherstonha
New Contributor II

Having major issues with Symantec Endpoint Protection 14.2 RU2 (14.2.5323.2000) and installing onto macOS Catalina 10.15.x. The SEP client installs fine but I am constantly getting the cursed System Extension Blocked even though in Jamf I have done all the required Kernel Extension and System Extension allows for the Configuration Profile.

[screenshot]

I have setup the correct PPPC Settings for com.symantec.mes.systemextension using Bundle ID 9PTGMPNXZ2 for Symantec Corporation using the Code Requirement below:

identifier "com.symantec.mes.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.1.3] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"

And having the App or Service set to Allow SystemPolicyAllFiles

The Approved Kernel Extensions payload is also configured for Team ID 9PTGMPNXZ2 and Approved Kernel Extensions as follows:
com.symantec.nfm.kext
com.symantec.internetSecurity.kext
com.symantec.ips.kext
com.symantec.sep.mainapp
com.symantec.mes.systemextension

What the hell am I doing wrong? :) Hope to hear back from an expert who has overcome this issue :)

Cheers - Paul

P_Featherstonha
New Contributor II

I have the same issue with MacOS 10.15.x Catalina and SEP 14.2 RU2 when installing - System Extension needs Approval and Full Disk Access is not enabled. I have done ALL of the above and no success

blackholemac
Valued Contributor III

I wish I was here to solve this without writing another "me too" post. I have a case open with Symantec Endpoint Protection and a call scheduled here in the next hour.

I'm heartened to see this article by them: https://support.symantec.com/us/en/article.TECH256631.html

Apparently, they tried at some point making this work with Jamf...yay! Upon following it though, it still doesn't work unless I hand authorize that stupid system extension. I'm wondering if something dramatically changed for them in macOS 10.15.2 or something? I'll update this thread if we do anything useful with my case with them.

maurits
Contributor

Same here as @blackholemac. We have profiles for PPPC, SEXT and KEXT, fresh 10.15.2 install. I install the cloud version of SEP (14.2 RU2 25, in System Info version 9.0.1) and this is what we see after deploying the pkg and rebooting:
[screenshot]
Will try the tip from @David_H to run the update first.

Update 1:
I tried to update, but the GUI does not allow access (see error message above), so I tried to update in the background. This command (no need for sudo) can run it manually, but the behaviour (error above) is the same:

/Library/Application Support/Symantec/Silo/MES/LiveUpdate/LUTool

Update 2: using the log command from Carl Ashley, I see a lot of references to com.symantec.mes and not com.symantec.mes.systemextension, so I tried to include both in the PPPC profile. Not much improvement so far.

Update 3:
We use the cloud version of SEP, also known as SES. It has a different GUI, but shares a lot with the on-prem versions of SEP (which we also use for some internal Macs). Maybe the GUI warning I see is only for the cloud version?

NoahRJ
Contributor II

So, we're seeing high CPU utilization from the com.symantec.mes.systemextension agent and won't be deploying it in our environment until Symantec sorts out their poorly written sysext, but I did put together a reliable way to install the SEP client and get it authorized:

I have a single config profile with three payloads (PPPC, kext, sysext; screenshot below), scoped out to 10.15 (this is important, because if you apply sysext on 10.14 and then upgrade to 10.15, it doesn't know what to do with this and Catalina will not respect the config).

[screenshot]

From there, I have a policy scoped to 10.15 machines that hits on login. I haven't been able to activate the system extension correctly without first launching Symantec Endpoint Protection.app in the user space, so I install the SEP 14.2 RU2 PKG as well as a postinstall script (below) that loads the SEP kexts and launchds, launches SEP in the GUI for five seconds (seems to be long enough to get it to activate the sysext), and then quits. I've tried invoking the binary or figuring out some way to do this separate from the user login, but so far haven't been successful.

#!/bin/bash
#Updated 12/02/19; NRJA

#FOR USE WITH 10.15
#POSTINSTALL SHOULD ONLY BE RUN ON LOGIN

#Load the kexts for SEP
/sbin/kextload /Library/Extensions/{NortonForMac.kext,SymInternetSecurity.kext,SymIPS.kext,SymXIPS.kext}

#Load the LaunchDaemons for SEP
/bin/launchctl load /Library/LaunchDaemons/{com.symantec.SymLUHelper.MES.plist,com.symantec.UninstallerToolHelper.MES.plist,com.symantec.deepsightdownload.MES.plist,com.symantec.liveupdate.daemon.MES.plist,com.symantec.sharedsettings.MES.plist,com.symantec.symdaemon.MES.plist,com.symantec.symqual.detail.MES.plist,com.symantec.symqual.panicreporter.MES.plist,com.symantec.symqual.submit.MES.plist,com.symantec.symseplps.MES.plist}

#Get the shortname of the logged in user
CurUser=$(ls -l /dev/console | awk '{print $3}')

#Launch SEP in the user space in the background and hidden
/usr/bin/su - "${CurUser}" -c "/usr/bin/open -jg '/Applications/Symantec Solutions/Symantec Endpoint Protection.app'"

#Wait for SEP to activate with the SysExt
sleep 5

#Close out of SEP
ps aux | grep -i 'Symantec Endpoint Protection' | grep -v grep | awk '{print $2}' | xargs kill -15

After that completes, you should be able to run systemextensionsctl list and see Symantec's team ID (9PTGMPNXZ2) shows as active and enabled now. This has reliably worked on new Catalina builds as well as upgrades from 10.14 --> 10.15 (we first uninstall SEP before the upgrade and then install the new agent with the instructions above).
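The verification step just described (run systemextensionsctl list and confirm Symantec's extension shows as active and enabled), together with the listing format shown in the opening post, as an added example in POSIX sh that is not code from the thread, from Jamf or from Symantec: it parses that listing and reports the bracketed state of one extension, so a login policy or a Jamf extension attribute can distinguish "activated enabled" from "activated waiting for user" without someone reading the table. The function and variable names are mine; the embedded listings are constructed copies of the outputs quoted earlier in the thread so the functions can be tried where the tool itself is not available; the team ID and bundle ID are the Symantec values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Symantec/Jamf: read the
# output of `systemextensionsctl list` (macOS 10.15+) and report the [state]
# of one extension, so a policy or extension attribute can tell
# "activated enabled" apart from "activated waiting for user".
# 9PTGMPNXZ2 / com.symantec.mes.systemextension are the Symantec values quoted
# in the thread; the listings below are constructed copies of the outputs
# posted above, used so the functions run where the tool does not exist.

SAMPLE_ENABLED='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
*   *   9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension   [activated enabled]'

SAMPLE_WAITING='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
           *    9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension    [activated waiting for user]'

SAMPLE_NONE='0 extension(s)'

# sysext_state TEAMID BUNDLEID LISTING
# Prints the bracketed state of the row matching both IDs, or "not present".
# IDs are matched as whole space-delimited tokens, so a prefix such as
# com.symantec.mes does not match the longer com.symantec.mes.systemextension.
sysext_state() {
  printf '%s\n' "$3" | awk -v team="$1" -v bundle="$2" '
    BEGIN { found = 0 }
    index(" " $0 " ", " " team " ") && index(" " $0 " ", " " bundle " ") {
      s = $0
      sub(/.*\[/, "", s)   # drop everything up to the opening bracket
      sub(/].*/, "", s)    # drop the closing bracket and anything after it
      print s; found = 1; exit
    }
    END { if (!found) print "not present" }'
}

# sysext_enabled TEAMID BUNDLEID LISTING: exit 0 only for "activated enabled".
sysext_enabled() {
  [ "$(sysext_state "$1" "$2" "$3")" = "activated enabled" ]
}

# Extension-attribute style wrapper for a real Mac: prints <result>...</result>.
# Falls back to a message on 10.14 and earlier, where the tool does not exist.
sysext_report() {
  if command -v systemextensionsctl >/dev/null 2>&1; then
    printf '<result>%s</result>\n' \
      "$(sysext_state "$1" "$2" "$(systemextensionsctl list 2>/dev/null)")"
  else
    printf '<result>systemextensionsctl not available (macOS 10.15+ only)</result>\n'
  fi
}

sysext_report 9PTGMPNXZ2 com.symantec.mes.systemextension
```

Dropped into the postinstall above after the sleep, `sysext_enabled 9PTGMPNXZ2 com.symantec.mes.systemextension "$(systemextensionsctl list)" || exit 1` makes the policy fail visibly in Jamf when the extension is still waiting for user approval, instead of reporting success while SEP is not actually protecting the machine.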

blackholemac
Valued Contributor III

@NoahRJ Couple of questions...I notice in your kernel extension payload, you add a line com.symantec.SymXIPS

All of your other kernel extensions in both the label and the identifier have ".kext" at the end. Is there a reason com.symantec.SymXIPS does not?

NoahRJ
Contributor II

@blackholemac I grabbed that kext list from this SEP documentation, where SymXIPS doesn't have .kext appended, but the other three do.

blackholemac
Valued Contributor III

@NoahRJ I must say, I'm impressed with your documentation and script....they worked for me like a champ. Unfortunately, much like you, I am noticing the stupid system extension taking up a high level of CPU utilization. I still have an open case with Symantec at the moment. I'm going change the nature of my case with them to report that your findings solved my installation issue but that now Symantec is using up way too much CPU resources. My call is in 25 min...I'm going to try installing Symantec by hand on an unmanaged Mac, manually enabling the stupid stuff and verify that it occurs in that configuration as well. If it does, I can send them logs and FINALLY get escalated to someone there that speaks Mac.

Bnikel
New Contributor II

We too were getting the "System Extensions require Authorization" message in SEP although we had the correct Configuration Profiles on the machine. We used this KBA:

https://support.symantec.com/us/en/article.TECH256631.htm

Opened a case with SEP and they confirmed there were no issues with our configuration. We continued to test and discovered the System Extension needs to be installed prior to SEP. Not sure if this is the case for everyone; however, for us pushing out the config profile prior to the SEP upgrade/install did the trick.

mcternan
New Contributor II

We are hitting a wall with this process and I'm wondering if we are missing some steps. Despite allowing the system and kernel extensions as well as loading the PPPC profile, we are unable to get past the "System Extensions require Authorization" step.

Overview of the steps we are taking:

  • Fresh Catalina install (10.15.3) enrolled via DEP
  • Install the three profiles:
    - Approved Kernel Extensions (Symantec TeamID, 9PTGMPNXZ2; we don't list any kernel bundles)
    - Allowed System Extensions (Symantec TeamID, then specifying com.symantec.mes.systemextension)
    - Symantec PPPC policy (allow SystemPolicyAllFiles)
  • Install SEP (14.2.5569.2100)
  • Reboot

I can now see that the system extension is loaded, but it is still marked as "activated waiting for user". I tried using the script shared by @NoahRJ but the status remains the same (btw, I am unable to execute this at login, but have manually run it, as a test, immediately after login; not sure if this makes much of a difference regarding its effectiveness). I feel like I'm missing something obvious here, but not sure what. We have users upgrading to Catalina and they may not be running Symantec properly. I'm nearly at the point of manually activating on all systems, but would rather not have to schedule something like that.

Parveen_Virmani
New Contributor II

We have major issues with Symantec Endpoint Protection 14.2 RU2 (14.2.5323.2000) and installing onto macOS Catalina 10.15.x. The SEP client installs fine but I am constantly getting System Extension Blocked even though in Jamf I have done all the required PPPC, Kernel Extension and System Extension allows for the Configuration Profile. [screenshot]

PLEASE SHARE THE RESOLUTION IF ANYONE HAS ONE

ChicagoGuy1984
New Contributor III

I would love someone to post a comprehensive response to this (maybe someone from Symantec .errrr Broadcom) The plot thickens as their support website has been recently migrated to broadcom -- and I cannot find anything.

We are running (trying to run) Symantec 14.2.2.1 or 14.2 RU2 MP1 and are still having problems. We have KEXT, system extensions and PPPC. Any help will be appreciated. Thanks

Hugonaut
Valued Contributor

So Broadcom officially took over Symantec's site; all we get is the following. Anyone have any newer articles?

https://knowledge.broadcom.com/external/article?legacyId=tech256581

https://knowledge.broadcom.com/external/article?legacyId=TECH256631

Rumor has it Broadcom's acquisition incited, in one way or another, a brain drain on Symantec's endpoint protection team, which resulted in us having issues with Catalina integration.

@ChicagoGuy1984

mariacnlok
New Contributor

This is the most useful thread I have seen on this: https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=dba78d62-9cfe-42fb-ac7e-ba4dab7a3b17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer

joelsenders
New Contributor III

If anyone has any more info on this it would be greatly appreciated...

At this point, I have all three components (kernel extension whitelist, system extension whitelist, PPPC settings), but I am still having issues on machines that upgrade from Mojave to Catalina with SEP 14.2.5569.2100 installed. I have the config profiles for SEP/Catalina scoped to machines with Catalina installed. I am guessing that the configuration profiles are not deploying before the system extension gets installed. From what I understand, the Mojave and below versions of the SEP installer will install the system extension in /Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions. It's there in case Catalina is installed, so it can then be copied/installed into /Library/SystemExtensions. If it gets copied/installed BEFORE the config profiles are brought down, the whitelisting does not occur, and the user will have to allow it in System Preferences > Security & Privacy. If this happens, it seems there is no way to whitelist the system extension other than clicking allow. Please correct me if I am wrong.

So it seems like the real solution is this:

  1. Install a version of SEP that does not "stage" the system extension on Mojave and below (or remove the staged extension prior to upgrading to Catalina somehow)
  2. Upgrade to Catalina
  3. Make sure the config profiles are applied
  4. Install the latest version of SEP

It sounds like you could perform this automatically by:

  1. Remove the "staged" system extension from /Applications/Symantec Solutions/Symantec Endpoint Protection.app/Contents/Library/SystemExtensions on machines running Mojave and older
  2. Scope SEP config profiles to all machines running Catalina
  3. Create a smart group that has criteria matching to Profile Identifiers of your three SEP profiles
  4. Create a policy to install latest SEP Catalina version, scoped to smart group of step 3

This way, when machines upgrade to Catalina, they won't have the System Extension for SEP. They will get their config profiles eventually once they check in and report they are on Catalina. Once they have the config profiles, Jamf will push the latest SEP Catalina installer over, which will install the system extension. Upon loading, the whitelist will be present and everything should check out.

Does that sound right? Anyone have something different they are doing?