What are some of the more common questions pertaining to Symantec Endpoint Protection for Mac?
Q. Which operating systems are supported?
A. Symantec Endpoint Protection (SEP) for Mac is supported on Mac OS X 10.5 - macOS 10.12. Please see Compatibility between Symantec Endpoint Protection for Mac and versions of Mac OS X for specific Symantec Endpoint Protection version requirements.
Q. What if I wish to perform a major upgrade to Mac OS X with Symantec Endpoint Protection installed?
A. For minor updates to Mac OS X, such as 10.12 to 10.12.2, the Symantec Endpoint Protection client can remain in place.
For a major update to Mac OS X on a client system (from OS X 10.11 to OS X 10.12, for example), upgrade the Symantec Endpoint Protection client to the version that is compatible with the newer operating system, and then upgrade the operating system. Otherwise, uninstall the Symantec Endpoint Protection client and cleanly reinstall the compatible version after upgrade to avoid possible corruption to logs and other Symantec Endpoint Protection components.
Q. What about Mac OS X Server?
Although Symantec does not officially support Mac OS X Server, there are only minor differences between Mac OS X and Mac OS X Server; Symantec Endpoint Protection for Mac will function and scan for threats as expected. For guidance on best practices, please see Recommendations for installing Symantec Endpoint Protection for Macintosh on Mac OS X Server.
Q. How do I install Symantec Endpoint Protection for Mac?
A. Installing the Symantec Endpoint Protection client for Mac covers both managed and unmanaged installations. Push deployment from the Symantec Endpoint Protection Manager (using the Client Deployment Wizard) is supported as of Symantec Endpoint Protection 12.1.5.
Q. I already have a Symantec antivirus / security product on my Mac. Do I have to uninstall it first before installing Symantec Endpoint Protection for Mac?
A. Endpoint Protection client for Mac versions earlier than 12.1.4 must be uninstalled before you upgrade to version 14. You do not need to uninstall later versions first. See Supported upgrade paths to Symantec Endpoint Protection.
If you upgrade to a version of 12.1.x from a legacy Symantec Endpoint Protection 11 installations (managed or unmanaged), you do not need uninstall version 11 first. Symantec AntiVirus for Macintosh and consumer products Norton AntiVirus and Norton Internet Security for Macintosh must be uninstalled first. See Supported upgrade and migration paths to Symantec Endpoint Protection 12.1.x.
Q. What about upgrading Symantec Endpoint Protection for Mac to a newer version? Can I use Upgrade Groups with Package (auto-upgrade)?
A. Auto-Upgrade is supported as of 14, but cannot be used to upgrade from 12.1. You must export a client package for the new version then install or deploy as you would a new installation; it is not possible to use the Upgrade Groups with Package wizard (auto-upgrade) to migrate Macintosh clients up to a later client version. However, you can usually install the new version directly over the old without uninstalling first; see the previous question.
Q. There's no Add or Remove programs for Mac. How do I uninstall?
A. As of version 14, you can uninstall through the menu. Click on the shield icon, and then click Uninstall. Enter an administrative password when prompted. Since a restart is required to complete uninstallation, you should save all open work before you begin. For a managed client, if you set a password to uninstall the client (through Clients > Policies > Location-independent Policies and Settings > Settings > Password), it does not apply to Mac clients.
Otherwise, for version 12.1, there is an uninstaller included on the article How to uninstall Symantec Endpoint Protection for Macintosh. The uninstaller is also included with the Symantec Endpoint Protection installation media; look under SEP_MAC. The uninstaller also works with version 14.
Q. How can I configure the Symantec Endpoint Protection Manager to supply definitions to Symantec Endpoint Protection for Mac clients?
A. The Symantec Endpoint Protection Manager cannot host Macintosh LiveUpdate content the same way as it does for Windows clients. As of Symantec Endpoint Protection version 12.1 RU4 the Symantec Endpoint Protection Manager can be configured as a reverse proxy for downloading and caching the latest Macintosh LiveUpdate content. All Macintosh updates otherwise must otherwise occur through LiveUpdate, either from Symantec's servers or from an internal LiveUpdate server using LiveUpdate Administrator (LUA). Please see Using the LiveUpdate Administrator 2.x to download updates for Symantec Endpoint Protection for Macintosh for information on how to configure LUA for this content. Note: it is not recommended or supported for LiveUpdate Administrator and Symantec Endpoint Protection Manager to be on the same physical server.
Q. Can a Symantec Endpoint Protection for Mac client get updates from a Group Update Provider (GUP)?
A. No, for the same reasons outlined above.
Q. Can a Symantec Endpoint Protection for Mac client act as a GUP?
Q. How do I get Rapid Release definitions onto my Symantec Endpoint Protection for Mac client?
A. Rapid Release definitions are not available for Mac security products.
Q. How often are updates for Symantec Endpoint Protection for Mac released?
A. Daily, usually in the morning Pacific time (west coast, USA).
Q. How do I know whether or not the Symantec Endpoint Protection for Mac client is managed?
A. Connection Status: Connected appears under Management on the Symantec QuickMenu.
For Symantec Endpoint Protection 12.1.5 (RU5):
For Symantec Endpoint Protection 12.1.4 (RU4) - 126.96.36.199 (RU4 MP1):
For earlier builds, the green dot next to Symantec Endpoint Protection indicates Auto-Protect is Enabled, not that communication is established:
Q. Is it possible to convert an unmanaged Symantec Endpoint Protection for Mac client to a managed client?
Q. How do I prevent Windows policies from applying to Macs?
A. Windows-specific policies will not apply to Macs; only the LiveUpdate policy and the Mac Settings in the Virus and Spyware Protection and the Exceptions policy (if configured for a security risk exception for a file or folder) will apply. Intrusion Protection policies apply to Symantec Endpoint Protection for Mac 12.1 RU4 or later. The Firewall policy will not apply because this component does not exist on the Symantec Endpoint Protection for Mac client.
Q. What about Device Control?
A. Version 14 introduces Device Control for the Mac client. You can enable Device Control on managed clients only. See Allowing or blocking devices on client computers and Mac Device Control.
Q. Is Active Directory integration supported for Mac clients?
A. It is not tested or supported.
Q. I can send Mac clients a command to become an Unmanaged Detector or to enable or disable Network Threat Protection, but nothing happens. Why?
A. Even though the command can be sent, these features are not supported for Symantec Endpoint Protection for Mac clients.
Q. How can I quickly disable the Symantec Endpoint Protection client on Macintosh, e.g. for troubleshooting purposes?
A. In latest version of Symantec Endpoint Protection, Virus and Spyware Protection and Network Threat Protection can be disabled/re-enabled by unloading/loading the SymDaemon service:
sudo launchctl unload /Library/LaunchDaemons/com.symantec.symdaemon.*plist
sudo launchctl load /Library/LaunchDaemons/com.symantec.symdaemon.*plist
# the asterisk in daemon pathnames will accommodate suffix variations - SEP 12.1.x uses .plist and SEP 14.0 uses .NFM.plist
Q. Is Location Awareness supported for Symantec Endpoint Protection for Mac?
A. Location Awareness was introduced for Symantec Endpoint Protection for Mac clients in version 12.1.
Q. Symantec Endpoint Protection for Mac clients: User Mode or Computer Mode?
A. Computer Mode. It is not possible to convert a Symantec Endpoint Protection for Mac client to User Mode.
Q. How can I lock down settings for Symantec Endpoint Protection for Mac clients?
A. There are not many changes that the end user can make, but if you want to prevent them from disabling Auto-Protect or Network Threat Protection (intrusion prevention), make sure their group is set to Server Control:
In the Virus and Spyware policy, under Mac Settings, for File System Auto-Protect, click on the padlock to lock it.
In the Intrusion Prevention policy, click Intrusion Prevention, and then click the padlock to lock the settings. Note that this affects all clients using this policy, not just Macs:
With these selections made, even if a user has administrative rights on their Mac, they will be unable to adjust these settings via the Symantec Endpoint Protection client interface:
Without the padlock clicked and locked in policy, an administrator-level account would be able to make changes to settings:
Q. I don't see a LiveUpdate or scan schedule in the Mac's Symantec Scheduler. How can I verify the schedule given through the Symantec Endpoint Protection Manager is really there?
A. As of Symantec Endpoint Protection 12.1 RU4 for Mac, there is no longer a Symantec Scheduler, symsched, or integration with the OS X crontab: Scan schedules can be verified through the client GUI but the LiveUpdate schedule is visible in the newer client only when it is unmanaged. On a managed client you can verify that LiveUpdate is running on schedule by checking /Library/Application Support/Symantec/LiveUpdate/liveupdt.log
Symantec Endpoint Protection for Mac versions earlier than 12.1 RU4 use the Symantec Scheduler application together with symsched command line and integration with the OS X crontab function: LiveUpdate or scan schedules that are configured through Symantec Endpoint Protection Manager policy are entered into the OS X crontab for the root user so that the scheduled event will launch regardless of which user is logged in (and the root user account does not need to be enabled for the schedule to apply). These events will therefore not appear in the symsched or Symantec Scheduler user interface unless those are run with root credentials. To verify scheduled events, open the Terminal application on the client computer and type in the following: sudo symsched -l (that is a lowercase L). Enter your administrator password when prompted (it will not echo in the window). You should then see your Symantec Endpoint Protection Manager-created schedule/s.
If you have unmanaged clients, a default schedule will be set for all users on the machine (i.e. for the root user). This schedule is set to show progress (i.e. it is not set to -quiet), and can be removed using command-line symsched with superuser privileges (sudo). Users can set their own schedules via the Symantec Scheduler; sudo symsched in the Terminal application can be used to set a schedule for all users on an individual machine, or use Apple Remote Desktop to send out a LiveUpdate schedule.
Q. How can I prevent Symantec Endpoint Protection for Mac users from manually launching LiveUpdate?
A. The Mac OS X Parental Controls feature, used to manage users in order to restrict applications that are launched on the system, could be used to restrict the manual launch of LiveUpdate. However, under normal circumstances, Administrator and Standard users alike should be able to launch LiveUpdate manually, whether the LiveUpdate policy is checked allowing clients to manually launch LiveUpdate or not.
Q. Does Symantec Endpoint Protection for Mac do email scanning?
A. No. Symantec Endpoint Protection for Mac only performs file system virus/spyware scanning. There is no proxying of incoming or outgoing messages for email clients like Mail or Entourage, as there is in the optional email component of Symantec Endpoint Protection for Windows. Symantec Endpoint Protection for Mac AutoProtect does monitor and scan everything that is being written to the hard drive, including attachments that a user may attempt to save from an email message. However, email client inboxes and other email archives may become corrupt if Symantec Endpoint Protection scans mail folders under the user profile directories. As a best practice, those directories should be excluded from Symantec Endpoint Protection scans. See How to create a Security Risk Exception for a Mac client and check the documentation for your email client.
Q. Where can I find LiveUpdate/installation/other logs for troubleshooting?
A. The Symantec Endpoint Protection Support Tool does not currently function on the Mac OS, so an alternate tool GatherSymantecInfo is recommended. An exported System Profiler report will often also provide a lot of information about the system in question.
For SEP 12.1.x:
- LiveUpdate log: /Library/Application Support/Symantec/LiveUpdate/liveupdt.log
- LiveUpdate configuration settings: /etc/liveupdate.conf -- edit this file if necessary.
For SEP 14.x:
- LiveUpdate log: /Library/Application Support/Symantec/Silo/NFM/LiveUpdate/Logs/LiveUpdateLog (not human readable)
- LiveUpdate lux log: /Library/Application Support/Symantec/Silo/NFM/LiveUpdate/Logs/lux.log
There may also be /Library/Application Support/Symantec/LiveUpdate/liveupdate.conf but this location is overwritten every time LiveUpdate runs. Do not edit this file. It is a temporary record of the settings last used and combined from /etc/liveupdate.conf and the Mac OS Network settings.
For the installation, no separate log is written. Instead it is written to the system's installation log, which is most easily viewable via the Console application. With Console open, show the log list if it is not already showing. Click to expand Files, click to expand /private/var/log, and then look for install.log (see image below). After listing some environmental variables, the phrase "Symantec Endpoint Protection Installation Log" appears at the beginning of the installation cycle.
Q. What about Sylink debugging?
A. This document can be used to enable Sylink debugging for client communication problems with the Symantec Endpoint Protection Manager.
When using System Information / System Profiler, instead of printing, however, you will want to save the file. Before saving, under View, ensure "Full Profile" is selected.
About System Information and System Profiler
Imported Document Id