Consent needed to enable or disable McAfee Client Proxy 4.0 and later on macOS 11.2 and later

Technical Articles ID: KB94092
Last Modified: 8/27/2021

Environment

McAfee Client Proxy (MCP) 4.0.0 and later
Apple macOS Big Sur 11.2

Summary

To improve security on Mac systems, macOS Big Sur 11.2 introduces a new feature, which replaces the Secure Kernel Extension with the Network Extension. The feature changes the user consent to load third-party system extensions installed after the installation of macOS Big Sur. This feature needed changes to be made in MCP 4.0.0.

Problem

Products that use a network extension on macOS Big Sur 11.1.x require user consent to load any third-party system extensions.

MCP 4.0.0 uses a network system extension for network events. So, the network extension Transparent Proxy and a Content Filter configuration require approval before MCP can start protecting the system.

Solution

Without Mobile Device Management (MDM):
IMPORTANT: This solution requires manual intervention to configure MCP on Big Sur 11.2:

Configuration	User Experience
Standalone installation on macOS Big Sur without an MDM profile	When you install MCP on standalone Mac systems, if user consent is not available for the McAfee System Extension, MCP can’t apply the policy configured. MCP tries to automatically load the McAfee System Extension extensions every 10 seconds after the installation until user consent is available. User sees a McAfee Alert that prompts whether to allow the McAfee System extensions from the Security and Privacy System Preferences panel. NOTE: MCP status shows ExtAutErr until the user provides consent. After the user gives consent MCP applies the configured policy. On applying policy, the McAfeeSystemExtensions is prompted for user consent in network settings. This consent is also needed.
ePolicy Orchestrator (ePO) deployment on macOS Big Sur without an MDM profile	When you deploy MCP on ePO managed Mac systems, if user consent is not available for the McAfee System Extension, MCP can’t apply the policy configured. MCP tries to automatically load the McAfee system extensions every 10 seconds after the deployment. User sees a McAfee Alert that prompts whether to allow the McAfee system extensions from the Security and Privacy System Preferences pane. NOTE: MCP status shows ExtAutErr until the user provides consent. After the user gives consent MCP applies the configured policy. On applying policy, the McAfeeSystemExtensions is prompted for user consent in network settings. This consent is also needed.
Upgrade from macOS Catalina with MCP 3.x present	Before upgrading macOS Catalina to Big Sur 11.2, uninstalling MCP 3.x is optional. After macOS Big Sur upgrade, the MCP 3.x status displays Driver Error, this status is expected. After the Big Sur upgrade, MCP 4.x can be installed. User consent is needed according to above scenario.

NOTE: If you have already installed ENSM Firewall on a system, user consent is not needed. Because consent would have been provided while activating ENSM Firewall.

Solution

If you want to Install MCP silently (without user intervention) using MDM.

Create the following payloads:
- System Extensions Payload
- Content Filter Payload
- App Proxy Filter(VPN) payload
Push them to the endpoint. For example, using JamF.
Install MCP.
The installation is silent.

You can use the following Management Profile System Extensions Payload settings for installing MCP silently:

Configuration

User Experience

System Extensions Payload

Add System Extensions Payload

Configure following:

Property	Value
Allow users to approve system extensions	Uncheck/disable
System Extension Types	Allowed System Extensions
Team Identifier	GT8P3H7SPW
Allowed system extensions	com.mcafee.CMF.networkextension com.mcafee.endpointsecurity

Content Filter Payload

Add Content Filter Payload

Configure following:

Property	Value
FilterSockets (Socket Filter)	True
FilterDataProviderBundleIdentifier (Socket Filter Bundle Identifier)	com.mcafee.CMF.networkextension
FilterDataProviderDesignatedRequirement (Socket Filter Designated Requirement)	anchor apple generic and identifier "com.mcafee.CMF.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = GT8P3H7SPW)
FilterPackets (Network Filter)	True
FilterPacketProviderBundleIdentifier (Network Filter Bundle Identifier)	com.mcafee.CMF.networkextension
FilterPacketProviderDesignatedRequirement (Network Filter Designated Requirement)	anchor apple generic and identifier "com.mcafee.CMF.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = GT8P3H7SPW)
PluginBundleID (Identifier)	com.mcafee.containerapp
UserDefinedName (Filter Name)	McAfeeSystemExtensions
FilterType	Plug-in

App Proxy Filter Payload

You can use a Proxy payload with the following settings to approve the extension Proxy components (VPN Payload):

Add VPN
Configure following:

Property	Value
Connection Name	McafeeProxyExtension
VPN Type	VPN
Connection Type	Custom SSL
Identifier	com.mcafee.containerapp
Server	localhost
Provider Bundle Identifier	com.mcafee.CMF.networkextension
User Authentication	Certificate
Provider Type	App-Proxy
Include All Networks	False (unchecked)
Exclude Local Networks	False (unchecked)
Provider Designated Requirement	anchor apple generic and identifier "com.mcafee.CMF.networkextension" and (certificate 0.113635.100.6.2.6] /* exists / and certificaleaf[field.1.2.840.113635.100.6.1.9] / exists / or certificate 1[field.1.2.84te leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = GT8P3H7SPW)
Identity Certificate	None

Solution

When uninstalling MCP:

When uninstalling MCP, you are prompted to enter the administrator credentials to uninstall the system extension. This statement applies to both MCP standalone and ePO managed. It does not matter whether the system is MDM-managed. If the user does not provide credentials or provides incorrect credentials, the MCP removal does not continue.

To uninstall MCP successfully, you must try the removal again and provide the correct credentials.

Apple designed the removal of system extensions this way. User intervention can't be avoided even on MDM-managed systems.

Affected Products

Best Practices
Install/Uninstall
McAfee Client Proxy 4.x

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Consent needed to enable or disable McAfee Client Proxy 4.0 and later on macOS 11.2 and later

Environment

Summary

Problem

Solution

Solution

Solution

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Consent needed to enable or disable McAfee Client Proxy 4.0 and later on macOS 11.2 and later

Environment

Summary

Problem

Solution

Solution

Solution

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title