End-user experience when installing ENSM on macOS High Sierra 10.13 and later
Technical Articles ID: KB89728
Last Modified: 8/10/2021
Environment
McAfee Endpoint Security for Mac (ENSM) Adaptive Threat Protection (ATP) 10.x
McAfee ENSM Firewall 10.x
McAfee ENSM Threat Prevention 10.x
Apple macOS High Sierra 10.13.x and later
Summary
To improve security on Mac systems, macOS High Sierra 10.13 introduces a new feature, Secure Kernel Extension Loading (SKEL). The feature requires end-user consent to load any third-party kernel extensions that are installed after the installation of macOS High Sierra. ENSM 10.2.3 and later include changes to accommodate this feature and provide a better end-user experience.
Problem
Because of SKEL, the kernel extensions of ENSM Threat Prevention - on-access scan, Firewall, and Self-Protection aren’t allowed to load without end-user consent.
SKEL doesn’t impact ENSM Web Control, DAT and Engine updates, and on-demand scans.
Solution
See the following table for the end-user experience in installation and upgrade scenarios that ENSM supports on macOS High Sierra 10.13 and later:
Configuration | User Experience |
Standalone installation on macOS High Sierra and later without a Mobile Device Management (MDM) profile |
- When you install ENSM on standalone Mac systems, the Threat Prevention - on-access scan and Firewall features are disabled at the time of installation.
- ENSM tries to automatically load the McAfee kernel extensions about 10 minutes after the installation.
- The end user sees a McAfee Alert that prompts whether to allow the McAfee kernel extensions from the Security & Privacy System Preferences pane.
NOTE: The McAfee Alert appears every 30 minutes, until the user provides consent.
- After the user gives consent, the user must enable the Threat Prevention - on-access scan and Firewall features.
- The Self-Protection feature is turned on automatically.
This video explains how to install ENSM on standalone Mac systems running macOS Catalina, without an MDM profile:
This video explains how to install ENSM on standalone Mac systems running macOS High Sierra, without an MDM profile:
NOTE: The steps covered in the above videos require local system access. These steps fail if tried using remote access. |
ePolicy Orchestrator (ePO) deployment on macOS High Sierra and later without an MDM profile |
- When you deploy ENSM on ePO-managed Mac systems, the Threat Prevention - on-access scan and Firewall features are disabled at the time of installation. They’re disabled even if the ePO policy is set to enable them.
- ENSM tries to automatically load the McAfee kernel extensions about 10 minutes after the deployment.
- The end user sees a McAfee Alert that prompts whether to allow the McAfee kernel extensions from the Security & Privacy System Preferences pane.
NOTES:
- The McAfee Alert appears every 30 minutes, until the user provides consent.
- These systems have a compliance status of "Non-compliant" for on-access scan, Firewall, and Self-Protection until the user gives consent.
- ePO administrators can use the canned queries for on-access scan, Firewall, and Self-Protection compliance that ship with the ENS Extensions. They can be used to identify systems where the user hasn’t yet provided consent.
- After the user gives consent, the next policy enforcement enables the Threat Prevention - on-access scan, Firewall, and Self-Protection features based on the policy setting.
NOTE: These systems now have a compliance status of "Compliant" for on-access scan, Firewall, and Self-Protection.
This video explains how to deploy ENSM to Mac systems running macOS High Sierra via ePO, without an MDM profile:
|
Standalone installation and ePO deployment on macOS High Sierra and later with an MDM profile |
Enrollment in MDM automatically disables SKEL with macOS 10.13.3 and earlier. In this case, end-user consent isn’t needed to enable the ENSM Threat Prevention - on-access scan, Firewall, and Self-Protection features.
Starting with macOS 10.13.4, enrolling in MDM doesn’t automatically disable SKEL. The McAfee kernel extensions have to be added to the Kernel Extension Policy payload so that they load without end-user consent.
For more information, see the following Apple articles:
Below are the details for use in the Kernel Extension Policy payload:
McAfee Team Identifier: GT8P3H7SPW
Bundle Identifiers:
com.intelsecurity.FileCore
com.McAfee.AVKext
com.McAfee.FileCore
com.McAfee.FMPSysCore
com.McAfee.mfeaac
com.McAfee.SFKext
You can also download and import the profile configuration file. The file is included in the Attachment section of this article. |
Upgrade from macOS El Capitan and macOS Sierra, running ENSM 10.2.3 and later, to macOS High Sierra or later |
If the McAfee kernel extensions are present on the Mac system before you upgrade to macOS High Sierra or later, no end-user consent is needed. |
|
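The Kernel Extension Policy payload described above for macOS 10.13.4 and later, as an added example (not the profile attached to this article): Python that builds a configuration profile from the Team Identifier and Bundle Identifiers listed here, and audits any profile for entries it fails to pre-approve. The payload type and key names are Apple's; the `com.example.mdm` identifiers and the display name are hypothetical.

```python
import plistlib
import uuid

# Values taken from this article.
MCAFEE_TEAM_ID = "GT8P3H7SPW"
MCAFEE_KEXT_BUNDLE_IDS = [
    "com.intelsecurity.FileCore", "com.McAfee.AVKext", "com.McAfee.FileCore",
    "com.McAfee.FMPSysCore", "com.McAfee.mfeaac", "com.McAfee.SFKext",
]
KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"


def build_profile(org_prefix="com.example.mdm"):
    """Return .mobileconfig bytes (XML plist) that pre-approve only the listed kexts."""
    kext_payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadIdentifier": f"{org_prefix}.kextpolicy.mcafee",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        # Per-bundle allow list: narrower than AllowedTeamIdentifiers, which
        # would pre-approve every kext signed by the team.
        "AllowedKernelExtensions": {MCAFEE_TEAM_ID: list(MCAFEE_KEXT_BUNDLE_IDS)},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "McAfee ENSM kernel extensions",  # hypothetical
        "PayloadIdentifier": f"{org_prefix}.profile.mcafee-kext",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [kext_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(profile_bytes):
    """Report which of the article's kexts a profile does not pre-approve."""
    profile = plistlib.loads(profile_bytes)
    allowed_ids, team_wide = set(), False
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != KEXT_POLICY_TYPE:
            continue  # unrelated payloads in the same profile are ignored
        team_wide |= MCAFEE_TEAM_ID in payload.get("AllowedTeamIdentifiers", [])
        per_team = payload.get("AllowedKernelExtensions", {})
        allowed_ids |= set(per_team.get(MCAFEE_TEAM_ID, []))
    # A team-wide approval covers every bundle; otherwise compare exact IDs.
    missing = [] if team_wide else [
        b for b in MCAFEE_KEXT_BUNDLE_IDS if b not in allowed_ids]
    return {"missing": missing, "team_wide": team_wide}
```

A `team_wide` result of `True` means the profile approves every kernel extension signed with that Team Identifier, which is broader than the six bundles listed in this article.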