Endpoint Protection

Currently testing SEPM 14.2 RU2 (14.2.5323.2000) on a Macintosh with macOS Catalina(10.15). upgraded from macOS High-Sierra(10.13). It's definitely Broken...

• The device has macOS High-Sierra(10.13) installed (New out of the box Mac Air (3 separate test units)
• Installed SEPM 14.2 RU2 via the SEPM console upgrade assignment (previously 14.2 RU1-MP1 on each device), verified that SEPM is functional after the upgrade.
• Upgraded each device to macOS Catalina(10.15).
• SEPM 14.2 RU2 agent now shows that "System Extensions need authorization" and a "Fix" button is displayed.
• There's no extension available to be re-authorized.

I've opened up an incident with Symantec yesterday, I have yet to hear back after placing a followup call.

Is anyone else seeing a similar issue?

I asume you have followed this steps:

https://support.symantec.com/us/en/article.howto127190.html

And you have found that it's still not resolved/broken?

Yes, of course, the issue is that there's nothing listed to allow in the "Security & Privacy" preferences dialogue. (It's not my first rodeo with Mac's and SEPM).

Also,

under the "Privacy" tab, Symantec isn't even listed in "Full Disk Access" which it would be when you install SEPM 14.2 RU2 on a device that already has macOS Catalina(10.15).

Note: For manual installs, you actually have to build a package specifically for Catalina(10.15) and a different package for Sierra(10.12), High-Sierra(10.13) or Mojave(10.14).

It's like nobody tested the OS upgrade process to macOS Catalina(10.15) with SEPM 14.2 RU2 already installed before releasing it.

It's now been over a day since I placed the call and have yet to talk to an analyst despite leaving a message with the call routing people. Will be calling again shortly.

As a quick test, using the same installer, does this work when you install it on a clean Catalina? (i.e. no upgrade route)

Hello Tom,

We have upgraded SEPMs to 14.2 RU2, and we are also encountering issues with MAC, when "Configuring the package for remote deployment" , using Tools > Create remote deployment package
https://support.symantec.com/us/en/article.howto92266.html

Issue is:  Symantec Endpoint Protection Installer can't be opened 

is anyone experiencing this issue?

Regards.

I was able to verify with Symantec Support the following after playing Telephone Tag for the last few days.

Even if a Macintosh device has SEPM 14.2-RU2 (14.2.5323.2000) currently installed and is macOS Sierra(10.12), macOS High-Sierra(10.13) or macOS Mojave(10.14), the SEPM agent must be removed prior to upgrading the device to macOS Catalina(10.15).

The SEPM 14.2-RU2 (14.2.5323.2000) agent required for macOS Catalina(10.15) has additional required components due to the significant changes to the OS, the existing agent can't be updated. The agent specifically built for macOS Catalina(10.15) must be installed post-upgrade.

That's going to suck for all the companies that have 100's or even 1000's of Macs that need to be upgraded to macOS Catalina(10.15) with SEPM 14.2-RU2.

Somebody in Symantec Product Management dropped the ball. The agent, if it was designed correctly should automatically install the updated services after an upgrade to macOS Catalina(10.15). This is just shoddy work.

Thank you for sharing, Tom.

Devastating for large environments...

Hello,

Tom, any other finding? there is no other way that uninstalling any SEP client, then, installing fresh latest 14.2-RU2 (14.2.5323.2000) , regardless MAC OS X version. right?

Thank you.

Hi all,

We are a large University and our Mac Fleet is managed by JAMF. The issue people have noted here we are also experiencing in a BIG way (thanks again Apple). Our internal SEPM Server has always been used to Upgrade Mac (and Windows of course) EndPoints successfully with very minimum mess or issues. Since Catalina this has all changed.....for the worse.

Since Apple decided to be "difficult" (uglier words do come to mind to describe Apple) and made Catalina (MacOS 10.15.x) so "user/security/GDPR" centric for EVERYTHING bit of software installed it has made upgrading SEP (and other software) extremely difficult.

The issue we are facing:
- During the enrol process for JAMF installing 14.2 RU2 under Catalina causes issues where the end-user now has to re-authorise the KEXT for Symantec EndPoint AND the end-user also has to authorise "Full Disk Access" for the SEP client to Catalina for Symantec EndPoint to even work properly
- Trying to use JAMF or the SEPM to upgrade Mac SEP Clients prior to 14.2 RU2 and the same issues as above for KEXT's and Full Disk Access which the end-user generally has no idea needs approval etc.

The end-user will not know they have to approve anything unless they actually open the SEP client on their Mac - which the general user NEVER has the inclination or need to do. So any install/upgrade to 14.2 RU2 will generally be left in a state of near-finalised installation as KEXTS etc. have not been "Approved".

I understand that Symantec has their hands tied due to Apple being so increasingly difficult (especially under Catalina) but there has to be something Symantec and Apple can do to alleviate the massive headaches and issues Administrators in large organisations are having managing their Mac Fleet.

I have heard whispers that JAMF have an update for the JAMF Server that may assist in these KEXTS approvals for "known" Software Developers (such as Symantec) - my colleague and I will be updating our JAMF environment real soon so fingers crossed.

In the meantime, we will be taking our existing Mac Fleet to SEP 14.2 RU1 MP1 (the last version prior to 14.2 RU2) and updating the Fleet via the SEPM Server - at least this seems to "work" most of the time with Catalina installs out there - further testing required lol

I will endeavour to report back here with how things progress.....

Cheers - Paul

Thank you Paul for your feedback,

We are also doing some tests with SEP 14.2 RU1 MP1 (14.2.4814.1101),
to see if 10.14 or lower Mac OS setting installer check, does fit with Mojave and prev. versions, and 10.15 or up, works with Catalina.

I will also report back later,

Regards

Hooroo all,

Tested 14.2 RU2 using either the exported SEP client from the SEPM as a manual install under Catalina, or by using the SEPM to push the new version to a Mac computer running Catalina and the same issues - KEXT needs re-approving and Full Disk Access needs approving. Pathetic..!!

This morning I am going to add in the KEXT for the 14.2 RU2 into our JAMF environment and see if the extensions re-approval goes away. BUT, the Full Disk Access is a Catalina thing so I do not know how that affects the SEP CLient if it is not Approved by the end-user. I will log a support case with Symantec to see what they say.

On a side note - pushing from the SEPM, or manual install, or deploying from JAMF (with KEXT info already in JAMF to allow and approve), with 14.2 RU1 MP1 (14.2.4814.1101) and all worked fine. So it is obvious a combination of major changes in 14.2 RU2 and Catalina is causing all the bloody headaches here.

I will update here when I have added KEXT approvals for 14.2 RU2 in JAMF to see what happens.

Cheers - Paul

New Support case logged with Symantec - details below:

"Whether using the SEPM to PUSH the new client to a Mac running MacOS Catalina 10.15.x, or manually installing 14.2 RU2 on a Mac running MacOS 10.15.x, or whether using an MDM (JAMF) to deploy to a Mac running MacOS 10.15.x - the KEXT for Symantec EndPoint Protection needs to be re-authorised by the end-user AND Full Disk Access also needs to be Allowed by the end-user. In our large environment, this is causing issues as the client will not know to approve the KEXTs and the Full Disk Access on their Mac running MacOS 10.15.x. Does the SEP client still protect the machine if these two issues are not Approved/Allowed by the end-user? or is the SEP client in a suspended state until Approved/Allowed? When is Symantec going to solve these issues moving forward? Your assistance is required urgently."

Will be interesting to hear what they come back with :)

Cheers - Paul

OK some more clarity on the issue :)

Once the SEPM is upgraded to 14.2 RU2 there are two different versions of the exported SEP client for Mac. This information is detailed here -> https://support.symantec.com/us/en/article.TECH256916.html

I also had to add into JAMF further Profile Information to configure SEP when installed via JAMF (where required), info here - https://support.symantec.com/us/en/article.TECH256631.html

I have had minimal success still though. I have been able to remove the "Full Disk Access" crap when SEP 14.2 RU2 is installed on Catalina - but the System Extension (not kernel extension as first thought) still asks for Approval. Seems now I have to upgrade the JAMF Server as System Extensions (added with Catalina release) now also require Approvals and upgrading JAMF will give the function (hopefully) as pictured below:

So I now have to upgrade the SEPM (instead of using the imported SEP client from the SEPM installer into our current SEPM running on 14.2 RU1 MP1) as well as upgrade the JAMF Server to allow System Extension Approvals - what a bloody nightmare....thanks Apple lol

I will keep all posted on how I progress......

Thank you Paul,

Much appreciated.
We have also escalated some tickets to Symantec, but it seems everything is related to your last comments,
 

• Permission to install Kernel Extensions (required as of macOS 10.13)
• Permission to install System Extensions (new in macOS 10.15)
• Enable Full Disk Access or FDA (new in macOS 10.15)

We are running into the same problems upgrading from Mojave to Catalina (using the installer specifically for Mojave and insuring all PPPT and KEXT line up as documented) and are currently testing out the release from today 14.2 RU2 MP1 to see if the prompts go away. I've had a ticket in with backline for quite some time now with no one getting assigned to it just yet.

Installing the version with the same configuration other than being the installer for 10.15 seems to work without issue but the upgrade from one OS to another poses us with the issues you discribe. 

Do you have any updates on your side from the testing you've done or from the tickets you have in with support?

Just an update for all :)

I will also check out this 14.2 RU2 MP1 and see how it goes.

Currently the SEXT and KEXT are being "Approved" using the JAMF Profile policy BUT the FDA issue still remains, even though the SEP SEXT is set to be allowed under the JAMF Profile policy - so I will also open a support case with JAMF I think.

Symantec have got back to me on the Support Case with them and advised that if the FDA issue is not corrected on the Mac the SEP client software is not working as normal - it's kind of in a limbo environment when it's installed successfully but does not have all the permissions it needs to work properly. This is exceptionally frusrating as the JAMF part is suppose to take care of this but only does half of the approvals and not the FDA part.

Symantec are saying to just click Fix in the SEP Client and change the settings in the Security & Privacy area on the Mac - all well and good and YES it does fix the issue. But the normal Mac user in our LARGE environment will not EVER have a need to open the SEP Client and therefore will not ever see that the FIX button needs to be clicked AND they need to change System settings for the SEP client to work properly. So it really defeats Symantecs so called "Fix".

Us as technical experts "know" the settings need to be manually changed yet the end-user dosen't and should not have to when the SEP client is installed and/or deployed from the SEPM - it should just bloody work.

As usual Apple like to make things difficult - another reason why Mac computers have no place in the managed Corporate environment - Apple just need to stick with the at home market lol

I will chase JAMF on this issue as well as update Symantec and get back to this Forum soon with an update :)

Cheers - Paul

Back again,

Info for 14.2 RU2 MP1 as follows:

What's new in this version - https://support.symantec.com/us/en/article.howto124730.html

New fixes - https://support.symantec.com/us/en/article.INFO5618.html

Release Notes (attached) - https://support.symantec.com/us/en/article.doc11636.html

There does not seems to be anything that addresses this FDA issues under Catalina though :(

I am downloading the latest 14.2RU2 MP1 and will test the SEPM and SEP client out and update here soon....

Cheers - Paul

Attachment(s)

Release_Notes_SEP14.2.2.1.pdf   296 KB 1 version

Release_Notes_SEP14.2.2.1_0.pdf   296 KB 1 version

Hooroo all,

I have only got a little info back from Symantec - manually fixing the settings works but is not really good enough as the end-user really would not have a need to open the SEP client to see that it needs manual intervention for FDA. JAMF is suppose to take care of this so I will also open a Support Case with JAMF on this.

There is a new version on SEP which I will test out and see if this corrects the FDA issue (I doubt it).

Info for 14.2 RU2 MP1 as follows:

What's new in this version - https://support.symantec.com/us/en/article.howto124730.html

New fixes - https://support.symantec.com/us/en/article.INFO5618.html

Release Notes (attached) - https://support.symantec.com/us/en/article.doc11636.html

There does not seems to be anything that addresses this FDA issues under Catalina though :(

I am downloading the latest 14.2RU2 MP1 and will test the SEPM and SEP client out and update here soon....Apple really should just stick to the Home Market and stay out of the managed Corporate scene lol - makes it bloody hard to manage Macs when Apple changes things every OS update/upgrade.

I will put an update here soon....

Cheers - Paul

Attachment(s)

Release_Notes_SEP14.2.2.1_1.pdf   296 KB 1 version

Thanks for the info guys. We've validated all FDA/KEXT/SEXT configurations are set up properly but the 14.2 RU2 client did not resolve the issue. Ours just got assigned to back line support but from what I'm hearing from our TAM, response is slow due to the whole Mac development team being out of India. I will also update with any new information we find out.

Hooroo all,

I have uncovered some more weird stuff with all this 14.2RU2 and MacOS Catalina. If I install the SEP client it appears that all KEXTS and SEXTS are "approved" by the JAMF policies assigned to the Mac I am installing onto. If I open up the SEP client on the machine it all looks fine. But as soon as you manually or when the SEP client initiates a LiveUpdate thats when the FDA error in the SEP client appears asking to be "fixed".

I have let Symantec know this as well as JAMF - I believe there is another bloody KEXT or SEXT that needs to be setup in the JAMF policy to "approve". Symantec are investigating and so is JAMF.

The Crapple Mac saga continues......will update when I know more :)

Cheers - Paul

Paul,

Thanks for the info and progress! Are you using your method with that config profile and going from mojave to Catalina with the mojave build of the SEP client? This is where we are seeing the issues without completely running an uninstall/reinstall of the client from the system and maybe we are missing something but it hasn't resolved our issues.

Hi there,

Can you clarify a bit more about what you mean? I am reading your comments as a Mac running Mojave with the SEP client exported from the SEPM with the NON-Catalina build and you are upgrading the MacOS to Catalina? Is that correct in my understanding?

If this is the case you will definitely need to uninstall/reinstall the SEP client. So you need to uninstall the non-Catalina version of the SEP client and then install the Catalina version of the SEP client. This is normal and expected behaviour with SEP 14.2 RU2 and above when exported initially as a non-Catalia SEP client build and installed on Mojave or less. However, if you have the older SEP client 14.2 RU1 MP1 (14.2.4814.1101) and have that installed on Mojave and then take the Mac to Catalina it will continue to work.

Currently, our Mac fleet is about 95% Mojave and we have installed under that SEP client 14.2 RU1 MP1 (14.2.4814.1101). If an end-user self-updates to Catalina the SEP client still works as expected. When we get a new Mac out of the box running Catalina we install (through the JAMF enrollment) the Catalina build of the latest SEP client (14.2RU2 14.2.5323.2000). If we have a Mojave (or less) build JAMF will enrollment and install the non-Catalina build of the SEP client.

It's all a bit tricky - thanks to Apple changing the rules every 5 minutes and Symantec (and other Vendors) have to play catch-up. I would also like to point out the latest SEP version is 14.2 RU2 MP1 (14.2.5569.2100) of which I am currently testing on the SEPM and the end-point for the SEP client.

If you ever need to know that build/version details of SEP clients go here -> https://support.symantec.com/us/en/article.tech154475.html#SEP14

I will update here when I have completed my current testing on 14.2 RU2 and Catalina and JAMF - fun fun fun lol

Cheers - Paul

To answer your questions:

Can you clarify a bit more about what you mean? I am reading your comments as a Mac running Mojave with the SEP client exported from the SEPM with the NON-Catalina build and you are upgrading the MacOS to Catalina? Is that correct in my understanding?

This is correct, we export either the 14.2.5323.2000 or the 14.2.5569.2100 client as a "macOS 10.14 or lower" client to be installed on Mojave machines as the majority of our Mac endpoints are on Mojave or lower. Once installed with the proper KEXT and SEXT rules in place, it functions as expected. However, when upgraded to Catalina, we see the errors asking for permissions to run. Both clients provide the same result after the OS upgrade.

If this is the case you will definitely need to uninstall/reinstall the SEP client. So you need to uninstall the non-Catalina version of the SEP client and then install the Catalina version of the SEP client. This is normal and expected behaviour with SEP 14.2 RU2 and above when exported initially as a non-Catalia SEP client build and installed on Mojave or less. However, if you have the older SEP client 14.2 RU1 MP1 (14.2.4814.1101) and have that installed on Mojave and then take the Mac to Catalina it will continue to work.

Are you saying we need to uninstall the Mojave version (while still on Mojave) and install the Catalina version (still on mojave) before upgrading to Catalina? If so, why would we ever install the 10.14 or lower version on any machine? I do believe we've tested this as well and saw the same results but I'll run it by our other engineers. Seems odd that the older versions would work all the way through but the latest two revisions wont though... We'll test that older version as well and see if we get the same results but don't hold your breath on 14.2RU2 working as we've not seen anything positive on our side.

The latest we've heard from our solutions architect is the following which sounds promising: 

My understanding on dev resources is that they are actively working to get a hotfix out for SEP Catalina issues next week.

This was what we received last week so maybe something comes out this week.

I'll update as I hear more.

The following issues are resolved with the Hotfix available now. Please contact support to get the hotfix.

ESCRT-2126 No logging or retry code for failures to open port 2968
ESCRT-2705 Mac Auto-upgrade Notification Message never happen again if system restarted.
ESCRT-2877 Mac 14.2RU2, Japanese Scheduled Scan name Garbled
ESCRT-2892 SEP 14.2 RU2 for Mac is displaying "Norton" popups for application network traffic
ESCRT-2961 High CPU Usage by SymDaemon causing battery drain
ESCRT-2819 High CPU due to system extension

Hello John,

Thank you for updating with those "issues" being resolved in version: 14.2.2.1 (14.2 RU2 MP1). 14.2.5569.2100 , but they are not talking about the critical issue we are all discussing here and suffering since a time ago, 

I have not seen any Symantec engineer or thread/article discussing about this important stuff about MAC OS X interoperability with SEP versions, affecting large environments.

Sincerily, it's a pity, all the efforts dedicated to this important matter are done by kroeb, rcahall07, and particular people in these posts, 

Regards.