When DLP Agents are installed on macOS 10.13.2 or later systems that carry mobile device management (MDM) profiles, the Agent may not start; and if a system that already runs the DLP Agent is updated to macOS 10.13.2 or later, the DLP Agent may stop running. The cause is User-Approved Kernel Extension Loading, a feature introduced in macOS 10.13 (High Sierra). Beginning with macOS 10.13.2, the default kernel extension loading behavior is not applied to endpoints deployed with MDM: users of these endpoints are required to approve loading any kernel extension, and they may not approve loading the DLP Agent's extension.
Update the MDM profile so that the DLP Agent's kernel extension is allowed to load by adding a Team Identifier.
Complete the following steps to add a Team Identifier:
1. Configure a payload for Kernel Extensions.
2. Enable Allow User Overrides to allow users to approve kernel extensions.
3. Add the Team Identifier 9PTGMPNXZ2 as an Allowed Kernel Extension to the payload.
4. Save the payload.
5. Set the payload to deploy to all clients where the DLP Agent is installed.
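As an added example (not from this article or from Symantec), the following Python builds the Kernel Extension Policy payload described in the steps above as a .mobileconfig plist and then audits an exported profile for the two settings that matter: Allow User Overrides enabled and Team Identifier 9PTGMPNXZ2 in the allowed list. The payload identifiers and display names are constructed placeholders; only the Team Identifier comes from the article.

```python
import plistlib
import uuid

DLP_TEAM_ID = "9PTGMPNXZ2"  # Team Identifier given in the article
KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"


def build_kext_profile(team_id=DLP_TEAM_ID, allow_user_overrides=True):
    """Build a .mobileconfig (XML plist) with one Kernel Extension Policy payload.
    Identifiers and UUIDs are constructed placeholders, not Symantec's values."""
    payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadIdentifier": "com.example.dlp.kext-policy",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "DLP Agent Kernel Extension Policy",
        # Step 2: endpoint users may still approve kexts themselves
        "AllowUserOverrides": allow_user_overrides,
        # Step 3: kexts signed with this Team ID load without user approval
        "AllowedTeamIdentifiers": [team_id],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # kext policy must be a device-level profile
        "PayloadIdentifier": "com.example.dlp.profile",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Allow DLP Agent KEXT",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def check_kext_profile(profile_bytes, team_id=DLP_TEAM_ID):
    """Audit a profile; return a list of problems (empty list means it is correct)."""
    problems = []
    profile = plistlib.loads(profile_bytes)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == KEXT_POLICY_TYPE]
    if not policies:
        return ["no Kernel Extension Policy payload in profile"]
    for p in policies:
        if team_id not in p.get("AllowedTeamIdentifiers", []):
            problems.append(f"Team Identifier {team_id} not in AllowedTeamIdentifiers")
        if not p.get("AllowUserOverrides", False):
            problems.append("AllowUserOverrides is not enabled")
    return problems
```

Run check_kext_profile against the profile exported from your MDM before pushing it, so a missing Team Identifier is caught before endpoints stop loading the extension.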
Confirm that the agent is running
After you update your MDM profile and the payload is pushed to endpoints, confirm that DLP Agents are running.
Run the following script to confirm that DLP Agents are running:
#!/bin/bash
# Count DLP Agent (edpa) processes and loaded DLP kernel extensions (dlp.fsd).
agent_running=$(ps cax | grep -ic "edpa")
kext_running=$(kextstat | grep -ic "dlp.fsd")
if [ "$agent_running" -eq 0 ]; then
  echo "The DLP Agent is not running. Refer to edpa_ext logs for details."
elif [ "$kext_running" -eq 0 ]; then
  echo "The endpoint user must approve the KEXT for the DLP Agent to run. To approve the KEXT and start the EDPA service, the user goes to the General tab on System Preferences > Security and Privacy, and clicks Allow."
else
  echo "The DLP Agent is running and KEXT is approved."
fi
NOTE: Prevent the agent from stopping in the future by preventing endpoint users from making changes to the profile on the endpoint.