14 Mac OS

Note: Different product versions have specific system requirements.

The Symantec Endpoint Protection client for Mac is managed by a Symantec Endpoint Protection Manager (SEPM) on a Windows server.
The Symantec Endpoint Security (SES) client for Mac is cloud-based and managed by the Integrated Cyber Defense Manager (ICDM) web page.
The SES Mac client is only supported on macOS 10.15.x and 11.x with the SES Mac agent build 14.3 RU1 and newer.

Additional notes

• Big Sur is supported by SEP 14.3 RU1 and 14.3 RU1-MP1 only when running on Intel chip.
  SEP 14.3 RU2, ETA in Spring of 2021, will support Apple Silicon (the Apple M series chip).
• Neither Apple or Symantec support macOS 10.12.x or older
• Mac OS X 64-bit mode is supported.
• PowerPC processors are not supported as of version 12.1.x.
• As of version 12.1.2, case-sensitive formatted volumes are supported.
• Remove legacy Symantec AntiVirus (SAV) for Mac installations before installing Symantec Endpoint Protection.
  See Remove Symantec software for Mac using RemoveSymantecMacFiles.
• Mac clients for Symantec Endpoint Protection Cloud do not support Mac OS X 10.11 (El Capitan).
• As of macOS 10.13, you must authorize the Symantec Endpoint Protection kernel extension after installation for Symantec Endpoint Protection to fully function. You are prompted during the client installation to do it if needed. If you do not do it during the client installation, go to System Preferences > Security & Privacy, and click Allow. Neither Symantec Endpoint Protection nor the Mac operating system continue to remind you that you must do this.
  You only need to authorize the kernel extension once during the life of the computer's operating system. If you uninstall and reinstall the client, you don't need to reauthorize the kernel extension. If you have Symantec Endpoint Protection 14 and then upgrade to macOS 10.13, you don't need to reauthorize the kernel extension. However, if you reinstall the operating system, you need to reauthorize the kernel extension.
  See About authorizing kernel extensions for Symantec Endpoint Protection for macOS 10.13.
• Kext notarization was added in macOS 10.14.5. If you install a client version earlier than 14.2 RU1 (refresh) on macOS 10.14.5, or upgrade the operating system to macOS 10.14.5 with an earlier version of Symantec Endpoint Protection already installed, you may experience issues.
  See Endpoint Protection 14.2 RU1 and kext notarization for macOS 10.14.5.

The macOS Mojave 10.14.1 update improves the stability, compatibility and security of your Mac, and is recommended for all users. This update: Adds support for Group FaceTime video and audio calls, which support up to 32 participants simultaneously, are encrypted end-to-end for privacy, and can be initiated from a group Messages conversation, or joined at any time during an active call. Feb 02, 2021 12.5GB of available storage (OS X El Capitan 10.11.5 or later). Some features require an Apple ID; terms apply. Some features require a compatible Internet service provider; fees may apply. Mac Hardware Requirements. For details about your Mac model, click the Apple icon at the top left of your screen and choose About This Mac.

Intrusion Prevention

Intrusion Prevention (IPS) is available in version 12.1.4 and later.

Device Control

Device Control is available in version 14 and later. You can only enable Device Control for managed clients.

Firewall

Mac client versions earlier than 14.2 do not include a firewall.

IPS was introduced in version 12.1.4, but broader firewall support (e.g. traffic rules) and feature parity with the Windows product was not included until version 14.2 and later. This firewall is only available to managed clients.

Web Traffic Redirection

14.2 introduced basic PAC file management to the SEP for Mac client.

14.2 RU1 expanded this to support full Web Traffic Redirection, including seamless identification with Web Security Service. Note: 14.2 RU1 MP1, or newer, is recommended for WTR on macOS due to numerous fixes introduced with that release.

Symantec Endpoint Protection 12.1.x

The End of Standard Support Life fell on April 3, 2019. See End of Support Life for Endpoint Protection 12.x.

Symantec Endpoint Protection 11.x

Support for version 11.x ended on January 5, 2015. See FAQ: Upgrading Symantec Endpoint Protection 11.x to version 12.1.x.

Last updated June 29, 2020

This article will be continually updated as Apple releases additional information and further clarification of upcoming functionality.

The Apple Worldwide Developer Conference (WWDC) started this week, and Apple has made public the changes coming in both the latest release of iOS 14 and macOS 11 (named “Big Sur”). We will be updating this page as additional information and clarifications are provided by Apple.

True App “Management” for macOS

Current app management in macOS is a far cry from the experience in iOS. For instance, an app can be installed via MDM in macOS today, however there is no mechanism for marking that app as managed or for uninstalling it. Apple indicates that, as of macOS 11, the app management experience will be much more similar to what it is in iOS today.

Apple also indicates that macOS apps can also now include configurations, much as iOS apps can include managed application configurations.

Lights Out Management for Mac Pro

macOS 11 will include a plethora of information and control MDM commands for managing lights-out devices (LOM). Presumably, Apple will include LOM functionality embedded in the hardware of new Mac Pro computers, allowing administrators to initiate remote power-on, restarts, and other out-of-band management activities.

To use LOM, administrators will need to deploy a dedicated macOS machine local to the Mac Pros that are to be managed. LOM will then be available for the Mac Pros via MDM.

Automated Enrollment Improvements

tvOS has supported a feature called auto-advance for some time now. This feature allows an admin to set up an Apple TV without having to click through the Setup Assistant screens. To start this process, the Apple TV is connected to ethernet so that setup may be orchestrated by Apple Configurator running on a computer on the same network.

As of 11.0, macOS will support this setup mode, or something similar, allowing a computer to transition from unboxing and power-on to the sign in screen with no additional interaction. This will work in tandem with Automated Device Enrollment (formerly Device Enrollment Program, or “DEP”), will require an ethernet connection, and appears to not utilize Apple Configurator.

Additionally:

• Administrators can choose whether the user account created at device setup enrolls in the MDM user-channel or just the MDM device-channel
• More setup assistant screens are now skippable

UAMDM And Supervision Consolidation

Previously, UAMDM and Supervision were separate concepts in macOS. Starting with macOS 11, UAMDM devices will now provide the same MDM functionality as supervised devices. For example, the following will become available for UAMDM:

• Activation lock bypass
• Bootstrap tokens
• Scheduled software updates
• Installation of profiles that require supervision

Furthermore, it appears that Apple is consolidating the terminology of enrollment states to simply organization-owned and user-owned. UAMDM/Supervised devices, and as a result, devices enrolled with Automated Enrollment (DEP) will be considered organization-owned. User-enrolled devices will be user-owned.

Managed OS Updates

Mac Os 10.14.0 Download

Big Sur will add the ability for an MDM administrator to force macOS updates, including the reboot process. As is the case with iOS, macOS will also support OS update deferrals by up to 90 days.

Previously, a custom software update catalog URL could be set by the MDM admin. Admins who wished to control OS update availability and/or provide a local software update cache server would often use this feature to point devices to a local Reposado server.

Setup Assistant Skip Screens for Upgrades, Too

Apple Business Manager (ABM) and Apple School Manager (ASM) have long supported skipping setup assistant screens during device enrollment. Moving forward, MDM administrators will be able to configure screens to skip during OS upgrades as well.

Non-Removable iOS Apps

Previously, administrators could prevent users from removing any of their iOS apps on Supervised devices. Now, administrators can granularly select apps that are non-removable.

Content Caching Metrics via MDM

Content caching allows the “sharing” of downloads from Apple (whether they are apps, books, or OS updates) between devices on the same network. This effectively reduces the amount of internet bandwidth consumed for a site and also speeds up the delivery of already-cached downloads to devices.

In the upcoming release, the MDM protocol has been expanded to provide content caching metrics so that admins can determine how well content caching is being utilized by their enrolled devices.

Time Zone Awareness

The latest iOS and macOS releases will support setting the time zone via MDM, as well as retrieving the set value on a device.

Device Information

Devices will begin providing the number of resident users on a device. This relates to Shared iPad functionality.

Encrypted DNS Settings

Administrators can enhance the privacy and security of their users by encrypting DNS traffic between devices and DNS servers. Previously, a VPN connection was required to “wrap” DNS traffic in an encrypted channel.

Profile Changes

VPN-tied Profiles

Apple has added the ability to associate a number of different profile-specific payload types to VPN profiles, causing the OS to send traffic over a VPN connection when interacting with these services.

The new profiles to support this functionality are:

• CalDAV
• CardDAV
• Exchange ActiveSync
• Google Account
• LDAP
• Mail
• Subscribed Calendar

Restrictions

Two functionalities have been added to the restrictions payload. They are:

1. The ability to force delayed app software updates, and
2. allow/disallow App Clips

Notifications

Notification configurations may now optionally specify a preview type.

10.14 Mac Os Download

SSO Kerberos Additions

The Single Sign On Kerberos extension has new configuration options. Namely, the ability to have a custom username label, define a “help” text string, configure the credentials cache and replication time, among other options.

Os X Version 10.14 Download

Deprecated: Media Management Controls

The ability to manage media controls, such as eject, mount, and unmount has been deprecated and will no longer function in future macOS versions (presumably beyond 11.0).

14 Mac OS