End-user experience when installing Endpoint Security for Mac on macOS High Sierra 10.13 and later

Technical Articles ID: KB89728
Last Modified: 9/9/2019

Environment

McAfee Endpoint Security for Mac (ENSM) Adaptive Threat Protection (ATP) 10.6.x, 10.5.x
McAfee ENSM Firewall 10.6.x, 10.5.x, 10.2.3
McAfee ENSM Threat Prevention 10.6.x, 10.5.x, 10.2.3

Apple macOS High Sierra 10.13.x and later

Summary

To improve security on Mac systems, macOS High Sierra 10.13 introduces a new feature, Secure Kernel Extension Loading (SKEL). The feature requires end-user consent to load any third-party kernel extensions that are installed after the installation of macOS High Sierra. This feature required changes to be made in ENSM 10.2.3 and later for a better end-user experience.

Problem

Because of SKEL, the kernel extensions of ENSM Threat Prevention - on-access scan, Firewall, and Self Protection, are not allowed to load without end-user consent.

ENSM Web Control, DAT and Engine updates, and on-demand scans are not impacted by SKEL.

Solution

See the following table for the end-user experience in installation and upgrade scenarios that ENSM supports on macOS High Sierra 10.13 and later:

Configuration	User Experience
Standalone installation on macOS High Sierra and later without a Mobile Device Management (MDM) profile	When you install ENSM on standalone Mac systems, the Threat Prevention - on-access scan and Firewall features are disabled at the time of installation. ENSM tries to automatically load the McAfee kernel extensions about 10 minutes after the installation. The end user sees a McAfee Alert that prompts whether to allow the McAfee kernel extensions, from the Security & Privacy System Preferences pane. NOTE: The McAfee Alert appears every 30 minutes, until the user provides consent. After the user gives consent, the user must enable the Threat Prevention - on-access scan and Firewall features. The Self Protection feature is turned on automatically. This video explains how to install ENSM on standalone Mac systems running macOS High Sierra, without an MDM profile: NOTE: The steps covered in the above video require local system access. These steps fail if tried via remote access.
ePolicy Orchestrator (ePO) deployment on macOS High Sierra and later without an MDM profile	When you deploy ENSM on ePO-managed Mac systems, the Threat Prevention - on-access scan and Firewall features are disabled at the time of installation. They are disabled even if the ePO policy is set to enable them. ENSM tries to automatically load the McAfee kernel extensions about 10 minutes after the deployment. The end user sees a McAfee Alert that prompts whether to allow the McAfee kernel extensions, from the Security & Privacy System Preferences pane. NOTES: The McAfee Alert appears every 30 minutes, until the user provides consent. These systems have a compliance status of "Non-compliant" for on-access scan, Firewall, and Self Protection until the user gives consent. ePO administrators can use the canned queries for on-access scan, Firewall, and Self Protection compliance that are shipped with the ENS Extensions. They can be used to identify systems where the user has not yet provided consent. After the user gives consent, the next policy enforcement enables the Threat Prevention - on-access scan, Firewall, and Self Protection features based on the policy setting. NOTE: These systems now have a compliance status of "Compliant" for on-access scan, Firewall, and Self Protection. This video explains how to deploy ENSM to Mac systems running macOS High Sierra via ePO, without an MDM profile:
Standalone installation and ePO deployment on macOS High Sierra and later with an MDM profile	Enrollment in MDM automatically disables SKEL with macOS 10.13.3 and earlier. In this case, end-user consent is not required to enable the ENSM Threat Prevention - on-access scan, Firewall, and Self Protection features. Starting with macOS 10.13.4, enrolling in MDM does not automatically disable SKEL. The McAfee kernel extensions have to be added in the Kernel Extension Policy payload, to load without end-user user consent. For more information, see the Apple articles at: https://support.apple.com/en-sg/HT208019 https://support.apple.com/en-us/HT208488 Below are the details for use in the Kernel Extension Policy payload: McAfee Team Identifier: GT8P3H7SPW Bundle Identifiers: com.intelsecurity.FileCore com.McAfee.AVKext com.McAfee.FileCore com.McAfee.FMPSysCore com.McAfee.mfeaac com.McAfee.SFKext
Upgrade from macOS El Capitan and macOS Sierra, running ENSM 10.2.3 and later, to macOS High Sierra or later	If the McAfee kernel extensions are present on the Mac system before you upgrade to macOS High Sierra or later, no end-user consent is required.

Related Information

KB91109 - McAfee product compatibility with Privacy Policy Preference Control (PPPC) on macOS Mojave 10.14 and later
KB84934 - Supported platforms, environments, and operating systems for Endpoint Security for Mac

Affected Products

Endpoint Security for Mac Firewall 10.x
Endpoint Security for Mac Threat Prevention 10.x
Getting Started
Install/Uninstall
Upgrade/Migrate

Languages:

This article is available in the following languages:

English United States
Spanish Spain
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Environment

Summary

Problem

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Knowledge Center

Environment

Summary

Problem

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title