End-user experience when installing Endpoint Security for Mac on macOS High Sierra 10.13 and later
Technical Articles ID:
KB89728
Last Modified: 1/7/2020
Environment
McAfee Endpoint Security for Mac (ENSM) Adaptive Threat Protection (ATP) 10.6.x, 10.5.x
McAfee ENSM Firewall 10.6.x, 10.5.x, 10.2.3
McAfee ENSM Threat Prevention 10.6.x, 10.5.x, 10.2.3
Apple macOS High Sierra 10.13.x and later
Summary
To improve security on Mac systems, macOS High Sierra 10.13 introduces a new feature, Secure Kernel Extension Loading (SKEL). The feature requires end-user consent to load any third-party kernel extensions that are installed after the installation of macOS High Sierra. This feature required changes to be made in ENSM 10.2.3 and later for a better end-user experience.
Problem
Because of SKEL, the kernel extensions of ENSM Threat Prevention - on-access scan, Firewall, and Self Protection, are not allowed to load without end-user consent.
ENSM Web Control, DAT and Engine updates, and on-demand scans are not impacted by SKEL.
Solution
See the following table for the end-user experience in installation and upgrade scenarios that ENSM supports on macOS High Sierra 10.13 and later:
| Configuration |
User Experience |
| Standalone installation on macOS High Sierra and later without a Mobile Device Management (MDM) profile |
- When you install ENSM on standalone Mac systems, the Threat Prevention - on-access scan and Firewall features are disabled at the time of installation.
- ENSM tries to automatically load the McAfee kernel extensions about 10 minutes after the installation.
- The end user sees a McAfee Alert that prompts whether to allow the McAfee kernel extensions, from the Security & Privacy System Preferences pane.
NOTE: The McAfee Alert appears every 30 minutes, until the user provides consent.
- After the user gives consent, the user must enable the Threat Prevention - on-access scan and Firewall features.
- The Self Protection feature is turned on automatically.
This video explains how to install ENSM on standalone Mac systems running macOS Catalina, without an MDM profile:
This video explains how to install ENSM on standalone Mac systems running macOS High Sierra, without an MDM profile:
NOTE: The steps covered in the above videos require local system access. These steps fail if tried via remote access. |
| ePolicy Orchestrator (ePO) deployment on macOS High Sierra and later without an MDM profile |
- When you deploy ENSM on ePO-managed Mac systems, the Threat Prevention - on-access scan and Firewall features are disabled at the time of installation. They are disabled even if the ePO policy is set to enable them.
- ENSM tries to automatically load the McAfee kernel extensions about 10 minutes after the deployment.
- The end user sees a McAfee Alert that prompts whether to allow the McAfee kernel extensions, from the Security & Privacy System Preferences pane.
NOTES:
- The McAfee Alert appears every 30 minutes, until the user provides consent.
- These systems have a compliance status of "Non-compliant" for on-access scan, Firewall, and Self Protection until the user gives consent.
- ePO administrators can use the canned queries for on-access scan, Firewall, and Self Protection compliance that are shipped with the ENS Extensions. They can be used to identify systems where the user has not yet provided consent.
- After the user gives consent, the next policy enforcement enables the Threat Prevention - on-access scan, Firewall, and Self Protection features based on the policy setting.
NOTE: These systems now have a compliance status of "Compliant" for on-access scan, Firewall, and Self Protection.
This video explains how to deploy ENSM to Mac systems running macOS High Sierra via ePO, without an MDM profile:
|
| Standalone installation and ePO deployment on macOS High Sierra and later with an MDM profile |
Enrollment in MDM automatically disables SKEL with macOS 10.13.3 and earlier. In this case, end-user consent is not required to enable the ENSM Threat Prevention - on-access scan, Firewall, and Self Protection features.
Starting with macOS 10.13.4, enrolling in MDM does not automatically disable SKEL. The McAfee kernel extensions have to be added in the Kernel Extension Policy payload, to load without end-user user consent.
For more information, see the Apple articles at:
Below are the details for use in the Kernel Extension Policy payload:
McAfee Team Identifier: GT8P3H7SPW
Bundle Identifiers:
com.intelsecurity.FileCore
com.McAfee.AVKext
com.McAfee.FileCore
com.McAfee.FMPSysCore
com.McAfee.mfeaac
com.McAfee.SFKext |
| Upgrade from macOS El Capitan and macOS Sierra, running ENSM 10.2.3 and later, to macOS High Sierra or later |
If the McAfee kernel extensions are present on the Mac system before you upgrade to macOS High Sierra or later, no end-user consent is required. |
|
