Catalina and Symantec EP kernel extension

tcandela
Valued Contributor

I have a config profile to approve the Symantec EP kernel extension. The software installs and I have no prompt to allow, so all looks good.

After reboot I go to the Symantec app and the kernel extension is blocked and I have to allow it, and also I get 'full disk access is not enabled', so I click 'fix' and System Preferences opens up and I have to go into 'Privacy' and allow full disk access for the 'Symantec System Extension'!!!

Once I allow 'full disk access', SEP goes green and it says 'your computer is protected'.

Is anyone else getting these crazy results?


rqomsiya
Contributor III

Are you whitelisting the actual system extension or just the Team identifier?


tcandela
Valued Contributor

@rqomsiya I just did the 'team identifier'. So I need to add the system extension also now with Catalina?

rqomsiya
Contributor III

Yep. That’s what fixes it 🙂

tcandela
Valued Contributor

@rqomsiya did I edit this correctly? Looks different than yours, maybe because of version.

gachowski
Valued Contributor II

I followed the Symantec doc and wasn't able to get it working...

Here is the "code" I used for PPPC part, is it correct?

identifier "com.symantec.mes.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6]/* exits */ and certificate leaf[field.1.2.840.113635.100.6.1.13]/* exits */ and certificate leaf[subject.OU] ="9PTGMPNXZ2"

rqomsiya
Contributor III

Ping me on slack.. handle is macm

tcandela
Valued Contributor

@rqomsiya @gachowski I just basically created a new Config Profile for macOS 10.15 Catalina using the settings here.

https://support.symantec.com/us/en/article.TECH256631.html

The only difference I see is that @gachowski has 'EXITS' while the URL link has 'EXISTS'. I updated mine with 'EXISTS'.
@gachowski did you also grab that line from the URL?

So far, for Macs running 10.14 and earlier I'll just keep using the other Config Profile 'Approved Kernel Extension' with just the TeamID.

Gonna test it and update you with results.

gachowski
Valued Contributor II

@tcandela

Yep, but I had to hand type it from the screenshot and obviously I screwed up!! 🙂 Thank you for catching that; a few people I had double check missed it too!! :) I'll update and test and then post here..

C

gachowski
Valued Contributor II

I added the two "s"s :( no change, still not working.

C

tcandela
Valued Contributor

@gachowski is the config profile applying? What part is not working?

blackholemac
Valued Contributor III

Check out @NoahRJ's post here: https://www.jamf.com/jamf-nation/discussions/33964/how-to-system-extension-in-macos

I can confirm that Symantec Endpoint Protection (given the most current build) installs properly given this post. I'm not fond of how much CPU it is taking up though.

gachowski
Valued Contributor II

@tcandela I still have to approve the kernel extension manually..

@blackholemac thanks I'll give that a try..

tcandela
Valued Contributor

@gachowski looks like I got it to work by using the 3 payloads.

1 - PPPC
2 - Approved Kernel Extensions -----> did not enter any kernel extension bundle IDs, just entered the Team ID
3 - System Extensions

Going to test again, this time on a 10.14.6 upgraded to 10.15.2. I uninstalled the previous SEP version from 10.14.6, now it's upgrading to 10.15.2.

Will install the SEP 10_15 Config Profile then run the self service policy that installs 14.2 RU2
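A verification step that fits after the three-payload profile described above, added here as an example and not part of any post in this thread: a POSIX shell function that parses `systemextensionsctl list` output and reports whether the Symantec system extension is '[activated enabled]' (the profile did its job, no click required) or is still sitting in a waiting-for-user state. The sample outputs are constructed, and the column layout is assumed from memory of the command's format, so compare it against a real Mac before relying on it; the team ID is the one quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Parses `systemextensionsctl list`
# output (macOS 10.15+) to check whether a system extension ended up
# activated and enabled, which is what the PPPC + System Extensions
# payloads are supposed to achieve without a user click. On a Mac, run:
#   sep_ext_state "$(systemextensionsctl list)" com.symantec.mes.systemextension
# ASSUMPTION: the column layout (enabled, active, teamID, bundleID (version),
# name, [state]) is from memory of the command; verify on a real machine.

# Prints the bracketed state for BUNDLE_ID. Exit 0 only when the state is
# "activated enabled"; exit 1 when listed but not fully enabled (for example
# waiting for user approval); exit 2 when the bundle ID is not listed at all.
sep_ext_state() {
  _out="$1"
  _bid="$2"
  _line=$(printf '%s\n' "$_out" | grep -F -- "$_bid" | head -n 1)
  if [ -z "$_line" ]; then
    printf 'not-installed\n'
    return 2
  fi
  # The state is the last [...] group on the matching line.
  _state=$(printf '%s\n' "$_line" | sed -n 's/.*\[\([^]]*\)\][[:space:]]*$/\1/p')
  printf '%s\n' "${_state:-unknown}"
  [ "$_state" = "activated enabled" ]
}

# CONSTRUCTED sample outputs (not captured from a real machine); the version
# string is a placeholder.
SAMPLE_OK='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 9PTGMPNXZ2 com.symantec.mes.systemextension (14.2.1/1) Symantec System Extension [activated enabled]'

SAMPLE_WAIT='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
  9PTGMPNXZ2 com.symantec.mes.systemextension (14.2.1/1) Symantec System Extension [activated waiting for user]'

# Demo when run directly: report each constructed sample.
for s in "$SAMPLE_OK" "$SAMPLE_WAIT"; do
  if sep_ext_state "$s" com.symantec.mes.systemextension >/dev/null; then
    echo "OK: extension is activated and enabled (no user approval needed)"
  else
    echo "ACTION NEEDED: extension state is '$(sep_ext_state "$s" com.symantec.mes.systemextension)'"
  fi
done
```

Dropping this into a Jamf extension attribute or a post-install script gives a fleet-wide signal of which machines the profile actually covered and which ones are going to show the blocked-extension prompt, instead of finding out one Mac at a time by opening the SEP GUI.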

gachowski
Valued Contributor II

Yep, I got it working; follow NoahRJ's big post at the end of this thread https://www.jamf.com/jamf-nation/discussions/33964/how-to-system-extension-in-macos

Like blackholemac said !!!

Thank you everyone!!!
C

blackholemac
Valued Contributor III

@gachowski it works following that post but I talked to @NoahRJ and he's not comfortable deploying it yet given its high CPU consumption. I have a case open with support, but I'm still in the "hey I can't run a .exe file on a Mac to help you get what your engineers are asking for" phase. I have a good support contract with them, but the people I get on the other end of their phones are fairly useless. One comment earlier in the case was "don't worry about this article here (https://support.symantec.com/us/en/article.TECH256631.html). Instead, you should use an MDM solution to push the software out to your clients." <Sighs> Anyway, feel free to keep me in the loop with your travels on Symantec. I am going to try to test NoahRJ's technique against 10.15.3 today and hope it either helps or at least doesn't break anything. There also is a new build of SEP that dropped two days ago, BUT it didn't list anything in the release notes relevant to the Mac.

gachowski
Valued Contributor II

I am seeing 50% CPU use most of the time and many times closer to 80%

C

blackholemac
Valued Contributor III

I have a case open with Symantec right now on the issue...They had me collect spindumps today... Of course when I go to collect them they aren’t hogging resources until I’m not paying attention and don’t think to open activity monitor and capture. I’ve got one machine that I did capture a good dump on and I’m gonna send them that today. Do you have a case number open on the same issue with them? My case number is 31638747

vanschip-gerard
Contributor

Just curious. What's the difference between Kernel Extension and System Extension? Tried to google it but not much luck. They seem roughly structured the same way. Or is Kernel before Catalina and System for Catalina?

donmontalvo
Esteemed Contributor II

Classic race condition:

Endpoint Protection re-prompts user to authorize system extensions after macOS upgrade to 10.15

If macOS has already been upgraded to 10.15 with SEP installed, without taking precautions above, then remove and re-apply the JAMF configuration policy for Symantec. You must do this BEFORE the SEP GUI is opened for the first time after the macOS upgrade, otherwise you will get a warning about the extensions and they will be stuck in "awaiting user authorization".

If the SEP client GUI has already been open and the extension warning displayed then removing/re-applying the configuration policy will not help. You will need to uninstall SEP by using the Uninstall command in the client's "Symantec Endpoint Protection" menu. Do not use RemoveSymantecMacfiles—it does not properly remove the new system extensions. Then re-install SEP and the configuration policy should be properly recognized.

--
https://donmontalvo.com

jared_f
Valued Contributor

I must say this thread was super helpful when I deployed Symantec to 70+ Macs. That being said, I want to emphasize how crappy Symantec is. The update required two reboots to get protection working again. Big fan of Malwarebytes + Cylance or Jamf Protect. SEP SUCKS!

donmontalvo
Esteemed Contributor II

@jared_f been looking at jamf|PROTECT for auditing, but curious since you mentioned, are you using it for antivirus/malware?

--
https://donmontalvo.com

bwoods
Contributor III

Adding com.symantec.mes.systemextension in the allowed system extensions field seems to have fixed my issue.