Symantec Endpoint Protection 14.2.5323.2000 (14.2 RU2) and macOS 10.15.2

blackholemac
Valued Contributor III

So...I took a fresh test machine running Catalina 10.15.2. I installed the latest build of Symantec (listed in the title above) on it. I recognized there was a kernel extension and a system extension to monkey with. Added the Symantec Team ID to the kernel extension profile. That seemed to work for that part.

Followed the following article to add proper support for the system extension and a PPPC profile...that article even has Jamf-specific instructions: (https://support.symantec.com/us/en/article.TECH256631.html)

Turns out after doing all that, when I launch Symantec Endpoint Protection, I am told that I need to authorize a system extension. I thought this PPPC profile and System Extension payload should have already done that.

Given a clean 10.15.2 machine that is unmanaged, if I hand-approve the kernel extensions and System extension, it works fine. Where can I go in the macOS to get precise details and data on what was approved by hand so I can translate that into a working PPPC/System Extension profile?


davidacland
Honored Contributor II

You might be able to read that from the /var/db/SystemPolicyConfiguration/KextPolicy database.

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy, followed by SELECT * FROM kext_policy;

unknown_err
New Contributor III

You could try uploading a signed manual profile and see if that works. I recall seeing some issues in December where the built-in payload wasn't working correctly (don't remember the exact details though). There's a lot of info in the #symantec channel on the macadmins slack.

spalmer
Contributor III

I was also hitting the same road block with the System Extension yesterday. I found another Jamf Nation thread discussing this.

https://www.jamf.com/jamf-nation/discussions/33964/how-to-system-extension-in-macos

Basically you have to follow Symantec's documentation exactly and select "Allowed System Extensions" and add both the Team Identifier (9PTGMPNXZ2) AND Allowed System Extensions (com.symantec.mes.systemextension). I made the mistake of thinking I could just select "Allowed Team Identifiers" since that is basically the equivalent of what I did with my Kernel Extensions whitelist profile. However, that does not seem to work so there must be a bug with that option in Catalina.

One person even mentioned that you may need to run Live Update to kick it and get the System Extension to load so that it will see that it needs to be whitelisted. I didn't need to do that myself but I have noticed in my environment, where we have a very fast internet connection, that Live Update usually runs and completes a Virus Def update within a few minutes of installing SEP so it may be that LiveUpdate did kick it for me just without me needing to manually run an update.
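The two points above (davidacland's kext_policy query, and spalmer's finding that the system extension profile needs the team ID and the extension bundle ID together) can be tied together in a small script. This is an added example, not code from the thread, from Symantec or from Jamf. It reads the kext_policy table at the path davidacland gives, collects the rows the user approved by hand, and turns them into the payload dictionaries of a kernel-extension policy profile and a system-extension policy profile. Assumptions: the kext_policy schema (team_id, bundle_id, allowed, developer_name, flags) and the payload types com.apple.syspolicy.kernel-extension-policy and com.apple.system-extension-policy as they exist on macOS 10.14/10.15; the sample rows and the com.example bundle IDs are constructed so the script runs offline, and only the team ID and com.symantec.mes.systemextension come from the thread. Note that kext_policy records kernel extensions only; hand-approved system extensions are listed by `systemextensionsctl list` instead.

```python
"""Added example: read hand-approved kexts from KextPolicy and emit profile payloads."""
import os
import plistlib
import sqlite3
import tempfile

KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"  # real path; readable by root only
SYMANTEC_TEAM_ID = "9PTGMPNXZ2"                           # from the thread
SEP_SYSTEM_EXTENSION = "com.symantec.mes.systemextension"  # from the thread


def create_sample_db(path):
    """Create a throwaway copy of kext_policy with constructed rows (assumed schema)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE kext_policy ("
        " team_id TEXT, bundle_id TEXT, allowed BOOLEAN,"
        " developer_name TEXT, flags INTEGER,"
        " PRIMARY KEY (team_id, bundle_id))"
    )
    con.executemany(
        "INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)",
        [
            # bundle IDs below are constructed placeholders; only the team ID is real
            (SYMANTEC_TEAM_ID, "com.example.symantec.kext-a", 1, "Symantec", 1),
            (SYMANTEC_TEAM_ID, "com.example.symantec.kext-b", 1, "Symantec", 1),
            ("ABCDE12345", "com.example.other.kext", 0, "Example Vendor", 0),  # user denied
        ],
    )
    con.commit()
    con.close()


def make_sample_db():
    """Return the path of a fresh sample database in a temporary directory."""
    path = os.path.join(tempfile.mkdtemp(), "KextPolicy")
    create_sample_db(path)
    return path


def approved_kexts(db_path):
    """Return {team_id: [bundle_id, ...]} for every row the user approved (allowed = 1)."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT team_id, bundle_id FROM kext_policy"
            " WHERE allowed = 1 ORDER BY team_id, bundle_id"
        ).fetchall()
    finally:
        con.close()
    approved = {}
    for team_id, bundle_id in rows:
        approved.setdefault(team_id, []).append(bundle_id)
    return approved


def kext_policy_payload(approved):
    """Payload dictionary for a com.apple.syspolicy.kernel-extension-policy profile."""
    return {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "AllowUserOverrides": False,
        "AllowedTeamIdentifiers": sorted(approved),
        "AllowedKernelExtensions": approved,
    }


def system_extension_payload(team_id, bundle_ids):
    """Payload dictionary for a com.apple.system-extension-policy profile.

    Both keys are set: the team ID alone was not enough in the thread's testing."""
    return {
        "PayloadType": "com.apple.system-extension-policy",
        "AllowUserOverrides": False,
        "AllowedTeamIdentifiers": [team_id],
        "AllowedSystemExtensions": {team_id: list(bundle_ids)},
    }


def payloads_from_db(db_path):
    """Build (kext payload, system extension payload) from a KextPolicy database."""
    kext = kext_policy_payload(approved_kexts(db_path))
    sext = system_extension_payload(SYMANTEC_TEAM_ID, [SEP_SYSTEM_EXTENSION])
    return kext, sext


if __name__ == "__main__":
    # Use the real database when run as root on a Mac, otherwise the constructed sample.
    db = KEXT_POLICY_DB if os.access(KEXT_POLICY_DB, os.R_OK) else make_sample_db()
    for payload in payloads_from_db(db):
        print(plistlib.dumps(payload).decode())
```

Run it with sudo on a machine where the extensions were approved by hand and the printed dictionaries are the payload content to carry over into the Jamf profile; anywhere else it falls back to the constructed sample rows.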

jkryklywec
New Contributor III

Getting it to load, did you happen to open the Symantec app at all, or did you see the com.symantec.mes.systemextension running in your Activity Monitor prior to opening the app? I have the SEXT com.symantec.mes.systemextension whitelisted and it's working, but I do notice that the com.symantec.mes.systemextension is not loaded as a process till I open the application first, and upon first open I see the SEXT needs approval (FIX) button in the Symantec app (warning) upon launch, but then a few seconds later that error in the app (FIX) goes away by itself and THEN the com.symantec.mes.systemextension process is running as well as the SEXT com.symantec.mes.systemextension gets installed at that time.

My point is it does not seem to be actually loading the SEXT until launch even with whitelisting the SEXT. SEP might appear to be running other processes but does not actually do any AV scans till it's open and the process has run one time. Anyone else seeing this behavior?

tcandela
Valued Contributor II

This is what I've been getting:

I have a config profile to approve the Symantec EP kernel extension. The software installs and I have no prompt to allow, so all looks good.

After reboot I go to the Symantec app and the kernel extension is blocked and I have to allow it, and also I get 'full disk access is not enabled' so I click 'fix' and System Preferences opens up and I have to go into 'privacy' and allow full disk access for the 'symantec system extension'!!!

Once I allow 'full disk access' SEP goes green and it says 'your computer is protected'.

Is anyone else getting these crazy results?

hstanley
New Contributor III

@jkryklywec Were you able to resolve the issue where the system extension didn't load until after you'd launched the SEP client? I'm seeing the same issue.

jkryklywec
New Contributor III

@hstanley Not yet. Having random machines with any SEP version for Catalina causing random kernel panics; opened a ticket with Broadcom/Symantec and getting nowhere with it, can't get a Mac tech to look at the ticket, it's been almost 2 weeks and I've sent many KP logs. This on top of the fact that you can't cleanly uninstall the product with a script (the script they have will NOT remove the SEXT); that can only be done from the Symantec app under its menu to uninstall SEP, which is NOT an enterprise way.

hstanley
New Contributor III

@jkryklywec That's a bummer, and I agree with you. I am able to uninstall SEP and the SEXT with the latest version of the SymantecRemovalTool (https://knowledge.broadcom.com/external/article?legacyId=tech103489), but only if I log into the Mac and launch it (i.e. it does nothing when I run it via a policy, which worked great with previous versions). As for the issue where the SEXT doesn't load until SEP is launched, I see that someone else came up with a script to work around this in the thread at https://www.jamf.com/jamf-nation/discussions/33964/how-to-system-extension-in-macos. I may give that a shot for lack of any other better ideas.

mhasman
Valued Contributor

Same issue happening with SEP 14.3, mostly on 2017/18-year model Macs with macOS 10.14.6 Mojave. Only a few kernel panic reports from Macs with Catalina.