
How to System Extension in macOS


Hugonaut

Detailed step-by-step guide using Symantec's system extension as an example, since that seemed to be the most popular.

Creating this thread for everyone to share new found knowledge, best practices & management tactics all in one place as we venture into a new Kext-Less macOS.

WWDC System Extensions Keynote

https://developer.apple.com/system-extensions/

Click Here for a Great Breakdown of System Extensions from Scott Knight

To start, the best way I know of to obtain a list of system extensions that are present on the machine via terminal is the following command.

systemextensionsctl list

This command will produce the following information regarding system extensions.

enabled active  teamID  bundleID (version)  name    [state]

For a full example, using Symantec's release for macOS 10.15, the following is populated:

Hugonaut$ systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
*   *   9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension   [activated enabled]
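As an added example (not part of the original post), here is a shell check that parses that `systemextensionsctl list` output, returns the bracketed state of one extension, and maps the "activated waiting for user" and "missing" cases discussed later in the thread to the profile to look at; it can be used as a Jamf Extension Attribute body. The three sample outputs are constructed to match the shape shown above.

```shell
#!/bin/bash
# Added example, not from the thread: parse `systemextensionsctl list`
# output and report one extension's state, e.g. as a Jamf Extension
# Attribute body. Sample outputs below are constructed in the shape
# the thread shows (enabled, waiting for user, and none installed).
SAMPLE_ENABLED='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
*   *   9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension   [activated enabled]'
SAMPLE_WAITING='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
           *    9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0)    Symantec System Extension   [activated waiting for user]'
SAMPLE_NONE='0 extension(s)'

# sysext_state OUTPUT TEAMID BUNDLEID
# Prints the bracketed [state] of the row carrying both the team ID and
# the bundle ID, or "missing". Requiring the team ID too means an
# extension with the same bundle ID from another signer is not accepted.
sysext_state() {
  printf '%s\n' "$1" | awk -v team="$2" -v bundle="$3" '
    index($0, team) && index($0, bundle) {
      if (match($0, /\[[^]]*\]$/)) {
        print substr($0, RSTART + 1, RLENGTH - 2); found = 1; exit
      }
    }
    END { if (!found) print "missing" }'
}

# sysext_diagnose OUTPUT TEAMID BUNDLEID
# Maps the state to the next thing to check, following the thread.
sysext_diagnose() {
  case "$(sysext_state "$1" "$2" "$3")" in
    "activated enabled") echo "ok" ;;
    "activated waiting for user")
      echo "needs approval: check the System Extensions payload (Allowed System Extensions / Team Identifier)" ;;
    missing) echo "not loaded: check the app install and the PPPC Full Disk Access profile" ;;
    *) echo "unexpected state" ;;
  esac
}

# sysext_compliant OUTPUT TEAMID BUNDLEID: exit 0 only when fully enabled
sysext_compliant() {
  [ "$(sysext_state "$1" "$2" "$3")" = "activated enabled" ]
}

# On a real Mac (10.15+) replace the sample with the live output:
#   echo "<result>$(sysext_state "$(systemextensionsctl list)" 9PTGMPNXZ2 com.symantec.mes.systemextension)</result>"
```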

55 replies

mm2270
  • Legendary Contributor
  • 7883 replies
  • November 13, 2019

@Hugonaut Is systemextensionsctl something new in 10.15 only? I am unable to run it on a 10.14.6 Mac, so I'm assuming it's a new tool shipped with Catalina.


Hugonaut
  • Author
  • Esteemed Contributor
  • 574 replies
  • November 13, 2019

@mm2270 yes it is.


  • Contributor
  • 341 replies
  • November 13, 2019

I'm curious about the systemextensionsctl reset; it says it will reset the System Extension state. Does this mean the state when it was installed (assuming enabled)?


Hugonaut
  • Author
  • Esteemed Contributor
  • 574 replies
  • November 13, 2019

@larry_barrett Not yet an available feature, so who knows. This is what I get when I run it with SIP enabled. I will test with SIP disabled and follow up.

Hugonaut$ systemextensionsctl reset
At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!

  • Contributor
  • 341 replies
  • November 13, 2019

@Hugonaut Same. Guess we'll find out more once the limitation is removed.


Hugonaut
  • Author
  • Esteemed Contributor
  • 574 replies
  • November 13, 2019

@larry_barrett With SIP disabled, it completely wipes any system extensions, approved or not.

Hugonaut$ systemextensionsctl reset

This popup requests authentication,

and then Terminal reads:

Database reset successfully.
Hugonaut$ systemextensionsctl list
0 extension(s)

  • Contributor
  • 341 replies
  • November 13, 2019

@Hugonaut Interesting. Thank you.


  • Valued Contributor
  • 119 replies
  • November 19, 2019

@Hugonaut did you use a Jamf System Extension payload to get SEP enabled? We just got the new SEP client and with the payload it puts the system extension in an 'activated waiting for user' state...

systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active  teamID  bundleID (version)  name    [state]
           *    9PTGMPNXZ2  com.symantec.mes.systemextension (10.0.0/10.0.0Symantec System Extension    [activated waiting for user]

  • New Contributor
  • 1 reply
  • November 20, 2019

The System Extension payload (at least in 10.16.1) has 3 options:
- Allowed System Extensions
- Allowed Team Identifiers
- Allowed System Extension Types

For me, "Allowed Team Identifiers" provides the best balance between security and admin overhead. But (at least in 10.16.1) it doesn't appear to work. If I download the profile and remove the signing, there is no mention of the Team ID I entered in the GUI. "Allowed System Extensions" does appear to work, but is more restrictive. The settings you need are:
Team Identifier: 9PTGMPNXZ2
Allowed System Extensions: com.symantec.mes.systemextension


  • Contributor
  • 74 replies
  • November 21, 2019

@mikedowler Just to check that I'm following your workflow properly, I've created the config profile in Jamf, put together the System Extensions payload with "Allowed System Extensions" for the type, populated the team identifier, and explicitly added com.symantec.mes.systemextension as an allowed System Extension.

However, despite scoping that out to a test Mac on 10.15.1 and confirming it's installed, running sudo systemextensionsctl list returns 0 extensions, and when I launch SEP, it still indicates that "System extensions need authorization". Any idea what might be broken in my setup? I've also tried setting Allowed Team Identifier and specifying that identifier, but no luck there either.


Hugonaut
  • Author
  • Esteemed Contributor
  • 574 replies
  • November 21, 2019

@NoahRJ

What does your configuration profile's System Extension payload look like? Does it look like this? I'm on Jamf Pro 10.16.1; this works on macOS Catalina 10.15.1.

Also, you need a PPPC profile to grant the system extension access to all files. So if you stick to a granular approach, you need 3 profiles:

  1. Kernel Extension Configuration Profile
  2. System Extension Configuration Profile
  3. PPPC - Full Disk Access for Symantec's System Extension

  • Contributor
  • 74 replies
  • November 21, 2019

Thanks very much, @Hugonaut! I didn't have the PPPC piece created for the System Extension, so after generating that and a fresh uninstall/reinstall of SEP, things look to be working now. 👍


  • Valued Contributor
  • 193 replies
  • November 25, 2019

Great Thread :) @NoahRJ @Hugonaut @mikedowler

I'm still having problems. I have 1 profile with 3 payloads: PPPC, Approved Kernel Extension, System Extension.

PPPC to allow Full Disk Access:

Approved Kernel Extension

System Extension

I removed Symantec, restarted, ensured the profile is in place, installed Symantec, restarted, but still I get:

Could someone please provide screenshots of all 3 items? I must be doing something wrong here.


Hugonaut
  • Author
  • Esteemed Contributor
  • 574 replies
  • November 25, 2019

@MatG No need to create a PPPC payload for mainapp. Your System Extension payload profile is correct; have you given it time to load?

Also, (PPPC) grant it access to EVERYTHING; your PPPC profile looks a little light unless I'm missing something. Remember, when the system extension is fully utilized (I don't believe Symantec is fully utilizing it yet) it's doing a full system scan. I wanted mine to include all possible avenues of data, external & internal. (This is COMPLETE overkill; you only need SystemPolicyAllFiles.)

For the kernel extensions payload, it's also best to give access to the following 4 kexts explicitly.


  • Valued Contributor
  • 193 replies
  • November 26, 2019

Great help as usual thanks all.


  • Contributor
  • 13 replies
  • December 10, 2019

Hello @NoahRJ, @Hugonaut, @MatG
After following your workflow correctly, I still get the message in SEP that system extensions need authorization :( Have you been able to find a solution to this?


  • Contributor
  • 74 replies
  • December 10, 2019

@leobrt Are you doing this upgrading from Mojave to Catalina? Or on a fresh Catalina build? I've found that the configuration profile needs to be applied only after the machine is on Catalina - it's hit or miss whether the system will respect it if it's applied on 10.14 and then upgraded to 10.15. Once the PPPC/kext/sysext pieces are in place on a Catalina machine, then you install SEP, launch it, and it should get whitelisted properly.


  • Contributor
  • 13 replies
  • December 11, 2019

@NoahRJ
Hi,
Indeed, the Macs were on Mojave and migrated to Catalina. I will test with a new Catalina installation and report back. If this is the cause, it is a real problem because all our Macs are in this case.


  • Contributor
  • 13 replies
  • December 11, 2019

@NoahRJ
Thanks a lot, it's working!


  • Valued Contributor
  • 119 replies
  • December 11, 2019

Great thread. Anyone else seeing the system extension chew up the CPU?


  • New Contributor
  • 4 replies
  • December 15, 2019

Just adding a quick comment to this that caused me to pull my hair out. With SEP 14.2.2 it was complaining about the System Extension not working, when in fact it was just missing the virus definitions; it never once said this. Once I ran a LiveUpdate, the System Extension was approved and the extension changed from "waiting for user approval" to "activated enabled". So make sure to run LiveUpdate before re-creating the profiles. :P


wmehilos
  • Valued Contributor
  • 69 replies
  • December 16, 2019

@mapurcel Yes. On my own machine it was causing the fans to spin up at idle. I actually deleted the systemextension file from within the Endpoint Protection.app bundle just to see what would happen, and SEP still seems to work fine on 10.15.2 without it eating up 1/8th of my CPU 24/7.


  • Contributor
  • 42 replies
  • December 16, 2019

Yes, high CPU usage from the SEP system extension here as well.


  • Valued Contributor
  • 119 replies
  • December 16, 2019

Came across this article about needing separate builds for 10.14 and 10.15; reached out to Symantec to confirm but haven't heard back yet...

(12/20/19) Update: if your SEPM is 14.2 RU2, there are indeed two options for building the package. In our case, we are unable to update the server, so we had to use an unconfigured package, followed by a 2nd package, the communications package, to connect the unmanaged install to our server. I've noticed the Catalina flavor of the build isn't as bad on the CPU, but the extension still runs higher than I would like to see.



Having major issues with Symantec Endpoint Protection 14.2 RU2 (14.2.5323.2000) and installing onto macOS Catalina 10.15.x. The SEP client installs fine, but I am constantly getting the cursed "System Extension Blocked" even though in Jamf I have done all the required Kernel Extension and System Extension allows in the configuration profile.

I have setup the correct PPPC Settings for com.symantec.mes.systemextension using Bundle ID 9PTGMPNXZ2 for Symantec Corporation using the Code Requirement below:

identifier "com.symantec.mes.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.1.3] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"

And having the App or Service set to Allow SystemPolicyAllFiles.

The Approved Kernel Extensions payload is also configured for Team ID 9PTGMPNXZ2 and Approved Kernel Extensions as follows:
com.symantec.nfm.kext
com.symantec.internetSecurity.kext
com.symantec.ips.kext
com.symantec.sep.mainapp
com.symantec.mes.systemextension

What the hell am I doing wrong? :) Hope to hear back from an expert who has overcome this issue :)

Cheers - Paul

