Endpoint Protection

Expand all | Collapse all

SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

kroeb

kroeb02-06-2020 08:12 PM

kroeb

kroeb02-06-2020 10:44 PM

  • 1.  SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 11-28-2019 01:27 PM

    Currently testing SEPM 14.2 RU2 (14.2.5323.2000) on a Macintosh with macOS Catalina(10.15). upgraded from macOS High-Sierra(10.13). It's definitely Broken...

    • The device has macOS High-Sierra(10.13) installed (New out of the box Mac Air (3 separate test units)
    • Installed SEPM 14.2 RU2 via the SEPM console upgrade assignment (previously 14.2 RU1-MP1 on each device), verified that SEPM is functional after the upgrade.
    • Upgraded each device to macOS Catalina(10.15).
    • SEPM 14.2 RU2 agent now shows that "System Extensions need authorization" and a "Fix" button is displayed.
    • There's no extension available to be re-authorized.

    I've opened up an incident with Symantec yesterday, I have yet to hear back after placing a followup call.

    Is anyone else seeing a similar issue?

     

      

     



  • 2.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Trusted Advisor
    Posted 11-28-2019 02:15 PM

    I asume you have followed this steps:

    https://support.symantec.com/us/en/article.howto127190.html

    And you have found that it's still not resolved/broken?



  • 3.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 11-28-2019 02:37 PM

    Yes, of course, the issue is that there's nothing listed to allow in the "Security & Privacy" preferences dialogue. (It's not my first rodeo with Mac's and SEPM).

    Also,

    under the "Privacy" tab, Symantec isn't even listed in "Full Disk Access" which it would be when you install SEPM 14.2 RU2 on a device that already has macOS Catalina(10.15).

    Note: For manual installs, you actually have to build a package specifically for Catalina(10.15) and a different package for Sierra(10.12), High-Sierra(10.13) or Mojave(10.14).

    It's like nobody tested the OS upgrade process to macOS Catalina(10.15) with SEPM 14.2 RU2 already installed before releasing it.

    It's now been over a day since I placed the call and have yet to talk to an analyst despite leaving a message with the call routing people. Will be calling again shortly.

     

     

     

     

     

     

     

     

     

     



  • 4.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Trusted Advisor
    Posted 11-28-2019 04:06 PM

    As a quick test, using the same installer, does this work when you install it on a clean Catalina? (i.e. no upgrade route)



  • 5.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 12-05-2019 12:47 PM

    Hello Tom,

    We have upgraded SEPMs to 14.2 RU2, and we are also encountering issues with MAC, when "Configuring the package for remote deployment" , using Tools > Create remote deployment package
    https://support.symantec.com/us/en/article.howto92266.html

    Issue is:  Symantec Endpoint Protection Installer can't be opened 

    is anyone experiencing this issue?


    Regards.



  • 6.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 12-05-2019 04:56 PM

    I was able to verify with Symantec Support the following after playing Telephone Tag for the last few days.

    Even if a Macintosh device has SEPM 14.2-RU2 (14.2.5323.2000) currently installed and is macOS Sierra(10.12), macOS High-Sierra(10.13) or macOS Mojave(10.14), the SEPM agent must be removed prior to upgrading the device to macOS Catalina(10.15).

    The SEPM 14.2-RU2 (14.2.5323.2000) agent required for macOS Catalina(10.15) has additional required components due to the significant changes to the OS, the existing agent can't be updated. The agent specifically built for macOS Catalina(10.15) must be installed post-upgrade.

    That's going to suck for all the companies that have 100's or even 1000's of Macs that need to be upgraded to macOS Catalina(10.15) with SEPM 14.2-RU2.

    Somebody in Symantec Product Management dropped the ball. The agent, if it was designed correctly should automatically install the updated services after an upgrade to macOS Catalina(10.15). This is just shoddy work.

     

     

     

     

     

     



  • 7.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 12-10-2019 04:46 AM

    Thank you for sharing, Tom.

    Devastating for large environments...



  • 8.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 12-11-2019 12:22 PM

    Hello,

    Tom, any other finding? there is no other way that uninstalling any SEP client, then, installing fresh latest 14.2-RU2 (14.2.5323.2000) , regardless MAC OS X version. right?

    Thank you.



  • 9.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-13-2020 08:32 PM

    Hi all,

    We are a large University and our Mac Fleet is managed by JAMF. The issue people have noted here we are also experiencing in a BIG way (thanks again Apple). Our internal SEPM Server has always been used to Upgrade Mac (and Windows of course) EndPoints successfully with very minimum mess or issues. Since Catalina this has all changed.....for the worse.

    Since Apple decided to be "difficult" (uglier words do come to mind to describe Apple) and made Catalina (MacOS 10.15.x) so "user/security/GDPR" centric for EVERYTHING bit of software installed it has made upgrading SEP (and other software) extremely difficult.

    The issue we are facing:
    - During the enrol process for JAMF installing 14.2 RU2 under Catalina causes issues where the end-user now has to re-authorise the KEXT for Symantec EndPoint AND the end-user also has to authorise "Full Disk Access" for the SEP client to Catalina for Symantec EndPoint to even work properly
    - Trying to use JAMF or the SEPM to upgrade Mac SEP Clients prior to 14.2 RU2 and the same issues as above for KEXT's and Full Disk Access which the end-user generally has no idea needs approval etc.

    The end-user will not know they have to approve anything unless they actually open the SEP client on their Mac - which the general user NEVER has the inclination or need to do. So any install/upgrade to 14.2 RU2 will generally be left in a state of near-finalised installation as KEXTS etc. have not been "Approved".

    I understand that Symantec has their hands tied due to Apple being so increasingly difficult (especially under Catalina) but there has to be something Symantec and Apple can do to alleviate the massive headaches and issues Administrators in large organisations are having managing their Mac Fleet.

    I have heard whispers that JAMF have an update for the JAMF Server that may assist in these KEXTS approvals for "known" Software Developers (such as Symantec) - my colleague and I will be updating our JAMF environment real soon so fingers crossed.

    In the meantime, we will be taking our existing Mac Fleet to SEP 14.2 RU1 MP1 (the last version prior to 14.2 RU2) and updating the Fleet via the SEPM Server - at least this seems to "work" most of the time with Catalina installs out there - further testing required lol

    I will endeavour to report back here with how things progress.....

    Cheers - Paul



  • 10.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-14-2020 04:46 AM
      |   view attached

    Thank you Paul for your feedback,


    We are also doing some tests with SEP 14.2 RU1 MP1 (14.2.4814.1101),
    to see if 10.14 or lower Mac OS setting installer check, does fit with Mojave and prev. versions, and 10.15 or up, works with Catalina.

    I will also report back later,

    Regards



  • 11.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-14-2020 04:31 PM

    Hooroo all,

     

    Tested 14.2 RU2 using either the exported SEP client from the SEPM as a manual install under Catalina, or by using the SEPM to push the new version to a Mac computer running Catalina and the same issues - KEXT needs re-approving and Full Disk Access needs approving. Pathetic..!!

    This morning I am going to add in the KEXT for the 14.2 RU2 into our JAMF environment and see if the extensions re-approval goes away. BUT, the Full Disk Access is a Catalina thing so I do not know how that affects the SEP CLient if it is not Approved by the end-user. I will log a support case with Symantec to see what they say.

    On a side note - pushing from the SEPM, or manual install, or deploying from JAMF (with KEXT info already in JAMF to allow and approve), with 14.2 RU1 MP1 (14.2.4814.1101) and all worked fine. So it is obvious a combination of major changes in 14.2 RU2 and Catalina is causing all the bloody headaches here.

    I will update here when I have added KEXT approvals for 14.2 RU2 in JAMF to see what happens.

    Cheers - Paul



  • 12.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-14-2020 04:45 PM

    New Support case logged with Symantec - details below:

     

    "Whether using the SEPM to PUSH the new client to a Mac running MacOS Catalina 10.15.x, or manually installing 14.2 RU2 on a Mac running MacOS 10.15.x, or whether using an MDM (JAMF) to deploy to a Mac running MacOS 10.15.x - the KEXT for Symantec EndPoint Protection needs to be re-authorised by the end-user AND Full Disk Access also needs to be Allowed by the end-user. In our large environment, this is causing issues as the client will not know to approve the KEXTs and the Full Disk Access on their Mac running MacOS 10.15.x. Does the SEP client still protect the machine if these two issues are not Approved/Allowed by the end-user? or is the SEP client in a suspended state until Approved/Allowed? When is Symantec going to solve these issues moving forward? Your assistance is required urgently."

     

    Will be interesting to hear what they come back with :)

    Cheers - Paul



  • 13.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-14-2020 08:45 PM

    OK some more clarity on the issue :)

    Once the SEPM is upgraded to 14.2 RU2 there are two different versions of the exported SEP client for Mac. This information is detailed here -> https://support.symantec.com/us/en/article.TECH256916.html

    I also had to add into JAMF further Profile Information to configure SEP when installed via JAMF (where required), info here - https://support.symantec.com/us/en/article.TECH256631.html

    I have had minimal success still though. I have been able to remove the "Full Disk Access" crap when SEP 14.2 RU2 is installed on Catalina - but the System Extension (not kernel extension as first thought) still asks for Approval. Seems now I have to upgrade the JAMF Server as System Extensions (added with Catalina release) now also require Approvals and upgrading JAMF will give the function (hopefully) as pictured below:

    So I now have to upgrade the SEPM (instead of using the imported SEP client from the SEPM installer into our current SEPM running on 14.2 RU1 MP1) as well as upgrade the JAMF Server to allow System Extension Approvals - what a bloody nightmare....thanks Apple lol

    I will keep all posted on how I progress......



  • 14.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-16-2020 08:40 AM

    Thank you Paul,

    Much appreciated.
    We have also escalated some tickets to Symantec, but it seems everything is related to your last comments,
     

    • Permission to install Kernel Extensions (required as of macOS 10.13)
    • Permission to install System Extensions (new in macOS 10.15)
    • Enable Full Disk Access or FDA (new in macOS 10.15)


  • 15.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-27-2020 04:03 PM

    We are running into the same problems upgrading from Mojave to Catalina (using the installer specifically for Mojave and insuring all PPPT and KEXT line up as documented) and are currently testing out the release from today 14.2 RU2 MP1 to see if the prompts go away. I've had a ticket in with backline for quite some time now with no one getting assigned to it just yet.

    Installing the version with the same configuration other than being the installer for 10.15 seems to work without issue but the upgrade from one OS to another poses us with the issues you discribe. 

    Do you have any updates on your side from the testing you've done or from the tickets you have in with support?



  • 16.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-28-2020 05:29 PM

    Just an update for all :)

    I will also check out this 14.2 RU2 MP1 and see how it goes.

    Currently the SEXT and KEXT are being "Approved" using the JAMF Profile policy BUT the FDA issue still remains, even though the SEP SEXT is set to be allowed under the JAMF Profile policy - so I will also open a support case with JAMF I think.

    Symantec have got back to me on the Support Case with them and advised that if the FDA issue is not corrected on the Mac the SEP client software is not working as normal - it's kind of in a limbo environment when it's installed successfully but does not have all the permissions it needs to work properly. This is exceptionally frusrating as the JAMF part is suppose to take care of this but only does half of the approvals and not the FDA part.

    Symantec are saying to just click Fix in the SEP Client and change the settings in the Security & Privacy area on the Mac - all well and good and YES it does fix the issue. But the normal Mac user in our LARGE environment will not EVER have a need to open the SEP Client and therefore will not ever see that the FIX button needs to be clicked AND they need to change System settings for the SEP client to work properly. So it really defeats Symantecs so called "Fix".

    Us as technical experts "know" the settings need to be manually changed yet the end-user dosen't and should not have to when the SEP client is installed and/or deployed from the SEPM - it should just bloody work.

    As usual Apple like to make things difficult - another reason why Mac computers have no place in the managed Corporate environment - Apple just need to stick with the at home market lol

    I will chase JAMF on this issue as well as update Symantec and get back to this Forum soon with an update :)

    Cheers - Paul



  • 17.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-28-2020 05:38 PM

    Back again,

     

    Info for 14.2 RU2 MP1 as follows:

    What's new in this version - https://support.symantec.com/us/en/article.howto124730.html

    New fixes - https://support.symantec.com/us/en/article.INFO5618.html

    Release Notes (attached) - https://support.symantec.com/us/en/article.doc11636.html

     

    There does not seems to be anything that addresses this FDA issues under Catalina though :(

    I am downloading the latest 14.2RU2 MP1 and will test the SEPM and SEP client out and update here soon....

     

    Cheers - Paul

    Attachment(s)



  • 18.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-28-2020 05:44 PM
      |   view attached

    Hooroo all,

    I have only got a little info back from Symantec - manually fixing the settings works but is not really good enough as the end-user really would not have a need to open the SEP client to see that it needs manual intervention for FDA. JAMF is suppose to take care of this so I will also open a Support Case with JAMF on this.

    There is a new version on SEP which I will test out and see if this corrects the FDA issue (I doubt it).

    Info for 14.2 RU2 MP1 as follows:

    What's new in this version - https://support.symantec.com/us/en/article.howto124730.html

    New fixes - https://support.symantec.com/us/en/article.INFO5618.html

    Release Notes (attached) - https://support.symantec.com/us/en/article.doc11636.html

    There does not seems to be anything that addresses this FDA issues under Catalina though :(

    I am downloading the latest 14.2RU2 MP1 and will test the SEPM and SEP client out and update here soon....Apple really should just stick to the Home Market and stay out of the managed Corporate scene lol - makes it bloody hard to manage Macs when Apple changes things every OS update/upgrade.

    I will put an update here soon....

    Cheers - Paul

    Attachment(s)



  • 19.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-29-2020 08:12 AM

    Thanks for the info guys. We've validated all FDA/KEXT/SEXT configurations are set up properly but the 14.2 RU2 client did not resolve the issue. Ours just got assigned to back line support but from what I'm hearing from our TAM, response is slow due to the whole Mac development team being out of India. I will also update with any new information we find out.



  • 20.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 01-29-2020 06:31 PM

    Hooroo all,

     

    I have uncovered some more weird stuff with all this 14.2RU2 and MacOS Catalina. If I install the SEP client it appears that all KEXTS and SEXTS are "approved" by the JAMF policies assigned to the Mac I am installing onto. If I open up the SEP client on the machine it all looks fine. But as soon as you manually or when the SEP client initiates a LiveUpdate thats when the FDA error in the SEP client appears asking to be "fixed".

    I have let Symantec know this as well as JAMF - I believe there is another bloody KEXT or SEXT that needs to be setup in the JAMF policy to "approve". Symantec are investigating and so is JAMF.

    The Crapple Mac saga continues......will update when I know more :)

     

    Cheers - Paul



  • 21.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 02-06-2020 08:12 PM
    Hooroo all,
     
    Apologies for the delayed reply - I have been testing everything from scratch to ensure all working. Details below:
    1. JAMF Rollout of the SEP client to simulate rapid deployment to Macs running Catalina that do not report to the SEPM Server - Tested successfully with the exported SEP client (for Catalina) imported into JAMF and deployed from JAMF. Deployment was for initial enrollment/install as well as deployment to Macs running no SEP or an old SEP that needs to be upgraded
       
    2. SEPM Server rollout of the SEP client to Macs with Catalina - simulate upgrading older versions on Mac's reporting to the SEPM Server - Tested successfully even though by default the deployment default is the Non-Catalina version when deploying from the SEPM (as detailed here https://support.symantec.com/us/en/article.TECH256916.html)
       
    3. Manual installation of the SEP client on a Mac running Catalina (managed & unmanaged client) - tested successfully. Tested the exported SEP for Catalina PKG from the SEPM and also tested the install of an unmanaged SEP client Catalina PKG
       
    4. JAMF Installation when enrolling a new Mac - tested successfully with the SEP for Catalina PKG being used (see point 1. on this too)
    In all instances above the Mac running Catalina had the correct JAMF Enrollment and JAMF Policies in place to "trust" and "approve" Symantec and the SEPM client SEXT's and KEXT's. Interestingly I found an additional SEP KEXT that only "ran" when the SEP client-initiated LiveUpdate. Once this was added to the JAMF Policy to "approve & trust" the FDA issues went away. All Mac testing was done on MacOS Catalina 10.15.1 to 10.15.3. Any additional testing pertinent to Mojave was done with MacOS 10.14.6.
     
    PLEASE NOTE - When manually installing the unmanaged SEP client onto a Vanilla Mac (no JAMF Policies) running Catalina (and also Mojave) the usual KEXT's and SEXT's required approval by the end-user. This is expected behaviour so all fine. This installation scenario would only be used under our Site License to make available the unmanaged SEP client for installs for Staff/Student personal devices. These Macs would not be enrolled in our JAMF Management System so therefore not get the JAMF Policies that "trust & approve" extensions. 
     
    So all things considered, it appears that everything now works with MacOS Catalina, JAMF, and SEP client 14.2RU2. In the near future, I will be taking the SEPM servers here to 14.2 RU2 MP1 and so the testing will start again for the new SEP client also - hopefully no issues now that all the KEXT's and SEXT's have been sorted out.
     
    I will post the JAMF Policy settings very soon so folks can try in their specific situations. I will also be communicating what I have done to JAMF & Symantec for their support records.
     
    Chat soon.....
     
    Cheers - Paul


  • 22.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 02-06-2020 10:44 PM
    Hooroo everyone,
     
    Here is all the Config Profile info from JAMF that I have and that works. I may have approved more than is required in the PPPC part but IT WORKS so I am not changing a thing lol
     
    From an install/deployment POV of the SEP client to a JAMF enrolled Mac running Catalina (macOS 10.15.x) that has the correct Config Profile applied, the following is now working:
    1. SEP Client Kernel extensions are now automatically approved upon install and upon SEP running - no popups in the MacOS
    2. Symantec System extensions are now automatically approved upon install and upon SEP running (only for Team ID 9PTGMPNXZ2) - no popups in the macOS
    3. Full Disk Access is now automatically approved & trusted - no error messages or popups in the macOS
    4. The SEP Client application is now trusted by MacOS (only for Team ID 9PTGMPNXZ2 and the currently installed SEP app/kext's/sext's) - no popups in the macOS
    It is important to note - the entire JAMF Config Policy for SEP will need to be re-tested with every new iteration of the SEP Client to ensure Symantec have not added/removed/changed anything that the Policy currently approves & trusts.
     
    It will be interesting to see if the new 14.2 RU2 MP1 SEP client behaves when I start testing that after the SEPM upgrade. This won't be until the end of the month at this stage but I will keep you posted.
     
    JAMF Settings for Configuration Profile to allow/approve SEP Client under Catalina (and also applies to Mojave in some instances) are attached.
     
    Please Note - Please ignore this distribution method. Once all is tested 100% this will be changed to Install Automatically so all JAMF enrolled Macs have it
     
    Here is the Code Requirements in plain text for the PPPC App Access parts:
     
    identifier "com.symantec.mes.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"
     
    identifier "com.symantec.sep.mainapp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"
     
    identifier "com.symantec.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"
     
    identifier "com.symantec.SymLUHelper" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "9PTGMPNXZ2"
     
    I will be finishing my testing now and will report back to you early next week to let you know how all is going.
     
     
    Chat soon...
     
    Cheers - Paul
     
     

    Attachment(s)

    txt
    Code Requirement.txt   988 B 1 version


  • 23.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 02-07-2020 10:03 AM

    Paul,

     

    Thanks for the info and progress! Are you using your method with that config profile and going from mojave to Catalina with the mojave build of the SEP client? This is where we are seeing the issues without completely running an uninstall/reinstall of the client from the system and maybe we are missing something but it hasn't resolved our issues.



  • 24.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 02-09-2020 05:09 PM

    Hi there,

    Can you clarify a bit more about what you mean? I am reading your comments as a Mac running Mojave with the SEP client exported from the SEPM with the NON-Catalina build and you are upgrading the MacOS to Catalina? Is that correct in my understanding?

    If this is the case you will definitely need to uninstall/reinstall the SEP client. So you need to uninstall the non-Catalina version of the SEP client and then install the Catalina version of the SEP client. This is normal and expected behaviour with SEP 14.2 RU2 and above when exported initially as a non-Catalia SEP client build and installed on Mojave or less. However, if you have the older SEP client 14.2 RU1 MP1 (14.2.4814.1101) and have that installed on Mojave and then take the Mac to Catalina it will continue to work.

    Currently, our Mac fleet is about 95% Mojave and we have installed under that SEP client 14.2 RU1 MP1 (14.2.4814.1101). If an end-user self-updates to Catalina the SEP client still works as expected. When we get a new Mac out of the box running Catalina we install (through the JAMF enrollment) the Catalina build of the latest SEP client (14.2RU2 14.2.5323.2000). If we have a Mojave (or less) build JAMF will enrollment and install the non-Catalina build of the SEP client.

    It's all a bit tricky - thanks to Apple changing the rules every 5 minutes and Symantec (and other Vendors) have to play catch-up. I would also like to point out the latest SEP version is 14.2 RU2 MP1 (14.2.5569.2100) of which I am currently testing on the SEPM and the end-point for the SEP client.

    If you ever need to know that build/version details of SEP clients go here -> https://support.symantec.com/us/en/article.tech154475.html#SEP14

    I will update here when I have completed my current testing on 14.2 RU2 and Catalina and JAMF - fun fun fun lol

    Cheers - Paul



  • 25.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 02-10-2020 08:21 AM

    To answer your questions:

    Can you clarify a bit more about what you mean? I am reading your comments as a Mac running Mojave with the SEP client exported from the SEPM with the NON-Catalina build and you are upgrading the MacOS to Catalina? Is that correct in my understanding?

    This is correct, we export either the 14.2.5323.2000 or the 14.2.5569.2100 client as a "macOS 10.14 or lower" client to be installed on Mojave machines as the majority of our Mac endpoints are on Mojave or lower. Once installed with the proper KEXT and SEXT rules in place, it functions as expected. However, when upgraded to Catalina, we see the errors asking for permissions to run. Both clients provide the same result after the OS upgrade.

    If this is the case you will definitely need to uninstall/reinstall the SEP client. So you need to uninstall the non-Catalina version of the SEP client and then install the Catalina version of the SEP client. This is normal and expected behaviour with SEP 14.2 RU2 and above when exported initially as a non-Catalia SEP client build and installed on Mojave or less. However, if you have the older SEP client 14.2 RU1 MP1 (14.2.4814.1101) and have that installed on Mojave and then take the Mac to Catalina it will continue to work.

    Are you saying we need to uninstall the Mojave version (while still on Mojave) and install the Catalina version (still on mojave) before upgrading to Catalina? If so, why would we ever install the 10.14 or lower version on any machine? I do believe we've tested this as well and saw the same results but I'll run it by our other engineers. Seems odd that the older versions would work all the way through but the latest two revisions wont though... We'll test that older version as well and see if we get the same results but don't hold your breath on 14.2RU2 working as we've not seen anything positive on our side.

    The latest we've heard from our solutions architect is the following which sounds promising: 

    My understanding on dev resources is that they are actively working to get a hotfix out for SEP Catalina issues next week.

    This was what we received last week so maybe something comes out this week.

     

    I'll update as I hear more.



  • 26.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Broadcom Employee
    Posted 02-11-2020 12:00 PM

    The following issues are resolved with the Hotfix available now. Please contact support to get the hotfix.

    ESCRT-2126 No logging or retry code for failures to open port 2968
    ESCRT-2705 Mac Auto-upgrade Notification Message never happen again if system restarted.
    ESCRT-2877 Mac 14.2RU2, Japanese Scheduled Scan name Garbled
    ESCRT-2892 SEP 14.2 RU2 for Mac is displaying "Norton" popups for application network traffic
    ESCRT-2961 High CPU Usage by SymDaemon causing battery drain
    ESCRT-2819 High CPU due to system extension



  • 27.  RE: SEPM 14.2 RU2 (14.2.5323.2000) Mac Agent Upgrade Broken?

    Posted 02-11-2020 02:29 PM

    Hello John,


    Thank you for updating with those "issues" being resolved in version: 14.2.2.1 (14.2 RU2 MP1). 14.2.5569.2100 , but they are not talking about the critical issue we are all discussing here and suffering since a time ago, 

    I have not seen any Symantec engineer or thread/article discussing about this important stuff about MAC OS X interoperability with SEP versions, affecting large environments.

    Sincerily, it's a pity, all the efforts dedicated to this important matter are done by kroeb, rcahall07, and particular people in these posts, 

    Regards.