Symantec SEP Finish Setup - You are at risk!

kvnsmn
New Contributor II

Hello all,

We are installing SEP on our Macs and we recently started getting these notifications at the bottom right corner, and it says "YOU ARE AT RISK - FINISH SETUP".


https://knowledge.broadcom.com/external/article/198559

Symantec has a fix/workaround for this: just open the application and it will clear it. Once it has been opened, all works fine.

They added a script that we use, but it isn't working every time. Do you have any ideas?

Their script:
installer -pkg /path/to/SEPRemote.pkg -target /
open -ja "Symantec Endpoint Protection"
shutdown -r +1

We install the pkg within a policy as a package and run the script afterwards:
open -ja "Symantec Endpoint Protection"
shutdown -r +1

However, in the logs the client sometimes can't find Symantec to open and comes up with these "errors":

Script result: The application /Users/XXX/.Trash/Symantec Endpoint Protection.app cannot be opened for an unexpected reason, error=Error Domain=NSOSStatusErrorDomain Code=-10660 "kLSAppInTrashErr: The app cannot be run when inside a Trash folder" UserInfo={_LSLine=3665, _LSFunction=_LSOpenStuffCallLocal} shutdown: [pid 3188] Shutdown at Thu Mar 18 15:45:02 2021.

OR

Script result: The application /Users/XXX/.Trash/Symantec Endpoint Protection.app cannot be opened because it is in the Trash. shutdown: [pid 2939] Shutdown at Thu Mar 18 15:26:51 2021. shutdown: can't detach from console

How can we adjust the script to open Symantec afterwards without errors?
Thank you!

2 REPLIES

mm2270
Legendary Contributor III

How is the app ending up in the user's Trash I wonder? At least that's what the computer seems to think is going on. Are these upgrades to Symantec or new installations? I don't use it and have only minimal experience with it, but if it's upgrading the application their installer may be putting the old version in the Trash before it drops the new one in place.

I would maybe expand a bit on the script they sent you by having it target the application that might be in the main Applications folder. The problem with using just the name of the app is that it seems it's seeing an older version or something that is in the trash. If that's the case then you have to get more explicit and tell it exactly what you want to open.

if [ -d "/Applications/Symantec Endpoint Protection.app" ]; then
      open -ja "/Applications/Symantec Endpoint Protection.app"
fi

You might still have issues with the above, since it would be trying to open the application as root and not as the current user. But you can give that adjustment a try and see if it helps.
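An added example, not part of any post in this thread and not Symantec's script: a post-install step that pins the bundle path from the reply above, refuses a copy in a Trash folder, waits for the install to land, and launches the app in the console user's session instead of as root. The function names, the 60-second wait and the launch via `launchctl asuser` are assumptions and have not been tested against SEP.

```shell
#!/bin/bash
# Added example: post-install step for a policy script that runs as root.
APP="/Applications/Symantec Endpoint Protection.app"   # path from the reply above

# True when the path sits inside a user or volume Trash folder.
is_in_trash() {
    case "$1" in
        */.Trash/*|*/.Trashes/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll until the bundle exists; give up after $2 seconds (assumed default: 60).
wait_for_app() {
    local app="$1" timeout="${2:-60}" waited=0
    while [ ! -d "$app" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# The owner of /dev/console is the user at the GUI; "root" means login window.
console_user() { stat -f%Su /dev/console; }

# Launch the pinned bundle hidden (-j) inside that user's GUI session.
open_as_user() {
    local user="$1" app="$2" uid
    uid=$(id -u "$user") || return 1
    launchctl asuser "$uid" sudo -u "$user" open -ja "$app"
}

main() {
    local user
    if is_in_trash "$APP"; then echo "refusing Trash path: $APP" >&2; return 1; fi
    wait_for_app "$APP" 60 || { echo "not installed: $APP" >&2; return 1; }
    user=$(console_user)
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "no console user, skipping launch" >&2; return 0
    fi
    open_as_user "$user" "$APP"
}

# Run only on a Mac as root (as a management policy would); otherwise just define.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then main; fi
```

A non-zero exit from `main` makes the failure visible in the policy log before any reboot step runs.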

isThisThing0n
Contributor

The reason for opening the app at least once is to apply/activate the system extensions required by SEP.

Are you allowing all System Extensions and PPPC requirements via the GUI or via config profiles?

https://knowledge.broadcom.com/external/article/176222/preapproving-the-macos-permissions-requi.html

If you are deploying the above payload make sure to have it set before you install SEP.

Also - if you are on Big Sur then the only version of SEP that we have had success with is a silent hot fix they released 14.3.3390.1000. Any version prior to this will constantly display the ‘you are at risk’ dialog.