Monterey Upgrade - System Extensions needing approval by user

dlondon
Valued Contributor

Upgraded a test machine to Monterey from Big Sur and it wants the user to approve the system extensions for Microsoft Defender and Cisco AMP that were working fine before and approved with Configuration Profiles.

For Defender, I've tried unscoping and rescoping the Configuration profile as well as uninstalling and reinstalling Defender.

Still trying to understand it but has anyone else hit this issue and found a way through the problem?

1 ACCEPTED SOLUTION

dlondon
Valued Contributor

I think I shot myself in the foot on this one.  I had scoped the Configuration Profiles to Catalina and Big Sur machines and so the recently upgraded ones on Monterey went out of scope.  I widened the scope of the group to include Monterey and the machines went back into scope and the Configuration Profiles redeployed. 

I did have to reboot to have the configuration profiles go into effect.


7 REPLIES

andrew_nicholas
Valued Contributor

I haven't had that for Defender as of yet; each of my test upgrades went as expected, though I did need to reapprove a FortiClient extension I'd manually approved rather than deployed via config.

Tlehr
New Contributor II

What does your Cisco Amp PPPC profile look like? I can compare it to mine that is currently working on a Big Sur -> Monterey upgrade test machine.

dlondon
Valued Contributor

Here's the one for System Extensions for Cisco AMP

Screen Shot 2021-11-04 at 4.37.49 pm.png

Screen Shot 2021-11-04 at 4.38.22 pm.png

daworley
Contributor II

Often when doing major version upgrades like that I've found the endpoint experience best when I clone the profile (same payloads) but give it a new name and scoped specifically to that major OS version. So like the PPPC or System Extension payloads could be identical between Big Sur and Monterey, but it's technically a different profile.

This makes sense when you think of MDM as being an event that causes changes on the local system. If the profile existed on the Mac before the OS upgrade then the upgrade would overwrite the changes made on the old OS. By removing/reapplying the profile the MDM events reissue the local system events and reestablish the changes.

dlondon
Valued Contributor

I think I shot myself in the foot on this one.  I had scoped the Configuration Profiles to Catalina and Big Sur machines and so the recently upgraded ones on Monterey went out of scope.  I widened the scope of the group to include Monterey and the machines went back into scope and the Configuration Profiles redeployed. 

I did have to reboot to have the configuration profiles go into effect.
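
An added example, not part of any poster's reply: a shell check for the situation described above, listing system extensions that are no longer in the `[activated enabled]` state and testing whether a macOS major version falls inside a profile's scoped versions. It assumes the tab-separated layout printed by `systemextensionsctl list`; the sample rows, team IDs, bundle IDs and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag system extensions that are not "[activated enabled]",
# e.g. after an OS upgrade moved the Mac out of a profile's scope.
# On a Mac, feed it real output:  systemextensionsctl list | pending_extensions

# Constructed sample in the assumed layout of `systemextensionsctl list`
# (tab-separated columns; team IDs and bundle IDs are placeholders).
sample_output() {
    printf '%s\n' '2 extension(s)'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tTEAMID0001\tcom.example.av.epsext (1.0/1.0)\tExample AV\t[activated enabled]\n'
    printf '\t\tTEAMID0002\tcom.example.edr.ext (2.1/2.1)\tExample EDR\t[activated waiting for user]\n'
}

# Print "teamID bundleID state" for every extension row whose state is
# anything other than "[activated enabled]".
pending_extensions() {
    awk -F '\t' '
        NF >= 6 && $3 != "teamID" {
            state = $NF
            if (state != "[activated enabled]") {
                split($4, id, " ")      # drop the "(version)" suffix
                print $3, id[1], state
            }
        }'
}

# Return 0 if the macOS major version ($1) is in the space-separated list of
# versions a profile is scoped to ($2); return 1 otherwise.
in_scope() {
    for v in $2; do
        [ "$v" = "$1" ] && return 0
    done
    return 1
}

# Demo: a profile scoped to Catalina (10.15) and Big Sur (11) misses Monterey (12).
if [ "${1:-}" = "--demo" ]; then
    sample_output | pending_extensions
    in_scope 12 "10.15 11" || echo "macOS 12 is outside the profile scope"
fi
```
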

wds
New Contributor II

I'm dealing with this issue, too. When you say you had to "reboot" the configuration profiles, what do you mean by that? Do you mean you clicked edit, then clicked save, then "Distribute to All"? Or did you have to clone all the profiles and redeploy them as new?

gaoyajing0810
New Contributor II

Description file will pop up when saved after modifying scope. Whether the prompt is for all devices or users/or only for new devices.