Managing kernel extension authorization when deploying the Symantec Endpoint Protection client for Mac

If you mass-deploy the Symantec Endpoint Protection client for Mac, you may need to take additional steps to ensure that the kernel extensions are authorized. This requirement applies as of macOS 10.13 (High Sierra). The operating system dictates that the authorization must be made at the local computer. You cannot authorize the kernel extension through remote access, nor can you save the kernel authorization through a preconfigured disk image.
To ensure that kernel extensions are properly authorized on Macs, do one of the following:
  • Instruct the Mac users to approve the required extension. Any user can approve a kernel extension through the Security & Privacy preference pane, even if they do not have administrator privileges. See:
  • Enroll your Macs in a mobile device management (MDM) solution. Even if you do not actively manage Macs with this solution, kernel extension authorization reverts to the way it was enforced before macOS 10.13.
  • As of macOS 10.13.2, authorize the kernel extensions through mobile device management (MDM) with the use of a team identifier. To authorize the kernel extensions for Symantec Endpoint Protection on macOS, use the team identifier 9PTGMPNXZ2. Consult the documentation for your MDM suite for guidance on how to use this team identifier.
    Starting from Symantec Endpoint Protection client for Mac 14.3, the team identifier is Y2CCP3S9W7 and the system extension name is com.broadcom.mes.systemextension.
  • If you use NetBoot, NetInstall, or NetRestore, use the following command while preparing disk images for deployment:
    spctl kext-consent add 9PTGMPNXZ2
    This command uses the Symantec team identifier to pre-approve Symantec kernel extensions on Mac.
    Team identifiers that are set through this command are stored in non-volatile random-access memory (NVRAM), which persists even when the Mac powers off. If you reset the NVRAM, the kernel extensions require reapproval. If the user also approved the kernel extension through the Security & Privacy pane, then reapproval is not needed.
For more information on kernel extension loading, see the following Apple documentation: