Managing kernel extension authorization when deploying the Symantec Endpoint Protection client for Mac
If you mass-deploy the Symantec Endpoint Protection client for Mac, you may need to take additional steps to ensure that the kernel extensions are authorized. This requirement applies as of macOS 10.13 (High Sierra). The operating system dictates that the authorization must be made at the local computer. You cannot authorize the kernel extension through remote access, nor can you save the kernel authorization through a preconfigured disk image.
To ensure that kernel extensions are properly authorized on Macs, do one of the following:
- Instruct the Mac users to approve the required extension. Any user can approve a kernel extension through the Security & Privacy preference pane, even if they do not have administrator privileges. See:
- Enroll your Macs in a mobile device management (MDM) solution. Even if you do not actively manage Macs with this solution, kernel extension authorization reverts to the way it was enforced before macOS 10.13.
- As of macOS 10.13.2, authorize the kernel extensions through mobile device management (MDM) with the use of a team identifier. To authorize the kernel extensions for Symantec Endpoint Protection on macOS, use the team identifier 9PTGMPNXZ2. Consult the documentation for your MDM suite for guidance on how to use this team identifier.
  Starting from Symantec Endpoint Protection client for Mac 14.3, the team identifier is Y2CCP3S9W7 and the system extension name is com.broadcom.mes.systemextension.
- If you use NetBoot, NetInstall, or NetRestore, use the following command while preparing disk images for deployment:
  spctl kext-consent add 9PTGMPNXZ2
  This command uses the Symantec team identifier to pre-approve Symantec kernel extensions on Mac.
  Team identifiers that are set through this command are stored in non-volatile random-access memory (NVRAM), which persists even when the Mac powers off. If you reset the NVRAM, the kernel extensions require reapproval. If the user also approved the kernel extension through the Security & Privacy pane, then reapproval is not needed.
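As an added example (not Symantec's or Apple's own file), this Python script builds a configuration profile that an MDM could push to approve the team identifiers named above. The payload types and keys are Apple's kernel extension and system extension policy payloads; the `com.example.sep` identifier prefix, the display names, the output filename, and the choice to pin the 14.3 system extension to its bundle identifier are assumptions.

```python
import plistlib
import re
import uuid

# Values taken from the page.
KEXT_TEAM_ID = "9PTGMPNXZ2"      # SEP client for Mac before 14.3
SYSEXT_TEAM_ID = "Y2CCP3S9W7"    # SEP client for Mac 14.3 and later
SYSEXT_BUNDLE_ID = "com.broadcom.mes.systemextension"

def check_team_id(team_id):
    """Reject anything that is not a 10-character uppercase alphanumeric ID."""
    if not re.fullmatch(r"[A-Z0-9]{10}", team_id):
        raise ValueError(f"not a valid team identifier: {team_id!r}")
    return team_id

def payload(payload_type, identifier, display_name, **keys):
    """Common payload envelope. The UUID is derived from the identifier so a
    rebuilt profile replaces the earlier one instead of installing beside it."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper(),
        "PayloadDisplayName": display_name,
        **keys,
    }

def build_profile(prefix="com.example.sep"):  # prefix is a placeholder
    # Kernel extensions: the page supplies only a team ID, so allow by team.
    kext = payload(
        "com.apple.syspolicy.kernel-extension-policy",
        f"{prefix}.kext", "SEP kernel extension approval",
        AllowedTeamIdentifiers=[check_team_id(KEXT_TEAM_ID)])
    # System extension: pin the approval to the one bundle ID the page names
    # rather than allowing every extension signed by that team.
    sysext = payload(
        "com.apple.system-extension-policy",
        f"{prefix}.sysext", "SEP system extension approval",
        AllowedSystemExtensions={
            check_team_id(SYSEXT_TEAM_ID): [SYSEXT_BUNDLE_ID]})
    profile = payload(
        "Configuration", prefix, "SEP extension approval",
        PayloadScope="System", PayloadContent=[kext, sysext])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    with open("sep-extension-approval.mobileconfig", "wb") as fh:
        fh.write(build_profile())
```

Review the generated file before uploading it: the two team identifiers and the bundle identifier should be the only approvals it grants.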
For more information on kernel extension loading, see the following Apple documentation: