Supported Upgrade Paths To Endpoint Protection For Mac
Mirsad Langlais
Please see Compatibility between Symantec Endpoint Protection for Mac and versions of Mac OS X for specific Symantec Endpoint Protection version requirements. Note: You may see "System Extension Blocked" when installing SEP on macOS version 10.13, or newer -- this may be resolved by authorizing Symantec kernel extensions by using the macOS Security & Privacy system preference pane.
To authorize the system extension for Symantec Endpoint Protection, during the setup of your Symantec Endpoint Protection client, in the Security & Privacy dialog box, on the General tab, at System software from application "Symantec Endpoint Protection" was blocked from loading, click Allow:
For a major update to Mac OS X on a client system (from OS X 10.13 to OS X 10.14, for example), upgrade the Symantec Endpoint Protection client to the version that is compatible with the newer operating system, and then upgrade the operating system. Otherwise, uninstall the Symantec Endpoint Protection client and cleanly reinstall the compatible version after upgrade to avoid possible corruption to logs and other Symantec Endpoint Protection components.
Although Symantec does not officially support Mac OS X Server, there are only minor differences between Mac OS X and Mac OS X Server; Symantec Endpoint Protection for Mac will function and scan for threats as expected. For guidance on best practices, please see Recommendations for installing Symantec Endpoint Protection for Macintosh on Mac OS X Server.
Installing the Symantec Endpoint Protection client for Mac covers both managed and unmanaged installations. Push deployment from the Symantec Endpoint Protection Manager (using the Client Deployment Wizard) is supported as of Symantec Endpoint Protection 12.1.5.
Endpoint Protection client for Mac versions earlier than 12.1.4 must be uninstalled before you upgrade to version 14. You do not need to uninstall later versions first. See Supported upgrade paths to Symantec Endpoint Protection.
Auto-Upgrade is supported as of 14, but cannot be used to upgrade from 12.1. You must export a client package for the new version then install or deploy as you would a new installation; it is not possible to use the Upgrade Groups with Package wizard (auto-upgrade) to migrate Macintosh clients up to a later client version. However, you can usually install the new version directly over the old without uninstalling first; see the previous question.
The Symantec Endpoint Protection Manager cannot host Macintosh LiveUpdate content the same way as it does for Windows clients. As of Symantec Endpoint Protection version 12.1 RU4 the Symantec Endpoint Protection Manager can be configured as a reverse proxy for downloading and caching the latest Macintosh LiveUpdate content. All Macintosh updates otherwise must otherwise occur through Symantec LiveUpdate or from an internal LiveUpdate Administrator (LUA) server. Please see Using the LiveUpdate Administrator 2.x to download updates for Symantec Endpoint Protection for Macintosh for information on how to configure LUA for this content.
Note: it is not recommended or supported for LiveUpdate Administrator and Symantec Endpoint Protection Manager to be on the same physical server. If you are looking for the standalone definitions updater, Intelligent Updater, for the Symantec Endpoint Protection (SEP) client for Mac, please refer to "Intelligent Updater and Endpoint Protection for Macintosh".
Location Awareness was introduced for Symantec Endpoint Protection for Mac clients in version 12.1. Supported conditions for ALS and Mac clients:
- Computer IP Address
- Gateway Address
- DNS Server address
- DHCP server address
- Network connection Type
- Management Server connection
- DNS Lookup
- Wireless SSID
- DHCP connection DNS suffix
- ICMP request (ping)
There are not many changes that the end user can make, but if you want to prevent them from disabling Auto-Protect or Network Threat Protection (intrusion prevention), make sure their group is set to Server Control and unlock the padlock icon within the appropriate policy types.
When the policy types are locked and/or the group is set to Server Control, SEP for Mac UI options will be disabled and grey. When unlocked, they will be green and changeable for an admin-level account.
The macOS Parental Controls feature, used to manage users in order to restrict applications that are launched on the system, could be used to restrict the manual launch of LiveUpdate. However, under normal circumstances, Administrators and Standard users alike should be able to launch LiveUpdate manually, whether the LiveUpdate policy is checked allowing clients to manually launch LiveUpdate or not.
No. SEP for Mac only performs file system virus/spyware scanning. There is no proxying of incoming or outgoing messages for email clients like Mail or Entourage, as there is in the optional email component of SEP for Windows. SEP for Mac AutoProtect does monitor and scan everything that is being written to the hard drive, including attachments that a user may attempt to save from an email message. However, email client inboxes and other email archives may become corrupt if SEP scans mail folders under the user profile directories. As a best practice, those directories should be excluded from SEP scans. See How to create a Security Risk Exception for a Mac client and check the documentation for your email client.
There may also be /Library/Application Support/Symantec/LiveUpdate/liveupdate.conf but this location is overwritten every time LiveUpdate runs. Do not edit this file. It is a temporary record of the settings last used and combined from /etc/liveupdate.conf and the Mac OS Network settings.
For the installation, no separate log is written. Instead it is written to the system's installation log, which is most easily viewable via the Console application. With Console open, show the log list if it is not already showing. Click to expand Files, click to expand /private/var/log, and then look for install.log (see image below). After listing some environmental variables, the phrase "Symantec Endpoint Protection Installation Log" appears at the beginning of the installation cycle.
When using System Information / System Profiler, instead of printing, however, you will want to save the file. Before saving, under View, ensure "Full Profile" is selected.
About System Information and System Profiler
Microsoft Defender for Cloud provides health assessments of supported versions of Endpoint protection solutions. This article explains the scenarios that lead Defender for Cloud to generate the following two recommendations:
As the Log Analytics agent (also known as MMA) is set to retire in August 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning, before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see this announcement.
At the end of 2021, we revised the recommendation that installs endpoint protection. One of the changes affects how the recommendation displays machines that are powered off. In the previous version, machines that were turned off appeared in the 'Not applicable' list. In the newer recommendation, they don't appear in any of the resources lists (healthy, unhealthy, or not applicable).
For more help, contact the Azure experts in Azure Community Support. Or file an Azure support incident. Go to the Azure support site and select Get support. For information about using Azure Support, read the Microsoft Azure support common questions.
This issue is only present when these upgrade paths are attempted using the Defendpoint ePO Extension. Defendpoint ePO Extension customers who have successfully deployed 5.3.216.0 GA, 5.3.219.0 SR1 or 5.3.229.0 SR2 do not need to upgrade to this release; these builds are still fully supported. This issue is not present if you are upgrading from any version of Windows Client 5.2 to any version of Windows Client 5.3 using the Defendpoint ePO Extension.
BeyondTrust is the worldwide leader in intelligent identity and access security, enabling organizations to protect identities, stop threats, and deliver dynamic access. We offer the only platform with both intelligent identity threat detection and a privilege control plane that delivers zero-trust based least privilege to shrink your attack surface and eliminate security blind spots.
How can I turn off this notification? I understand that Windows 10 Version 21H2 or higher needs to be installed. However, I have zero intention of updating my Windows OS at this point in time.
Could you please allow this status to be disabled in the "Application Status" under Advance setup.
Thank you.
Hello,
Thanks for your reply.
But there are millions of users who are still on Windows 10. And some of use may not be on 21H2.
I also understand that ESET won't be able to update to newer versions after Dec 2023 and the notification cannot be disabled in home products at the moment.
Could you please release an update where the users can at least hide the notification? It is annoying at the moment.
Thank you.
In home products it won't be possible. With Microsoft ending support for Windows 10 21H1 and older, you won't receive any security updates which will make your Windows more vulnerable as time goes. It is crucial to keep the operating system as well as applications up to date all the time.
7fc3f7cf58