Symantec Endpoint Protection for Macintosh Frequently Asked Questions (SEP for Mac FAQ)

Article:TECH134203  |  Created: 2010-01-24  |  Updated: 2014-10-31  |  Article URL
Article Type
Technical Solution




What are some of the more common questions pertaining to Symantec Endpoint Protection for Mac?


Q. Which operating systems are supported?
A. Symantec Endpoint Protection (SEP) for Mac is supported on Mac OS X 10.5 - 10.10.
Please see the following page for specific SEP version requirements: 
Compatibility between Symantec Endpoint Protection for Mac and versions of Mac OS X

SEP 12.1 dropped support for PowerPC and OS X 10.4.

Q. What if I wish to perform a major upgrade to Mac OS X with SEP installed?
A. For minor updates to Mac OS X, such as 10.8.0 to 10.8.2, the SEP client can remain in place. 

However, for a major update to Mac OS X on a client system (from OS X 10.8.x  to OS X 10.9.x (Mavericks) for example), we require temporarily removing the SEP client with the removal tool and cleanly reinstalling the compatible version after upgrade to avoid possible corruption to logs and other SEP components.

Q. What about Mac OS X Server?
Although Symantec does not officially support Mac OS X Server, there are only minor differences between Mac OS X and Mac OS X Server; SEP for Mac will function and scan for threats as expected. For guidance on best practices, please see Recommendations for installing Symantec Endpoint Protection for Macintosh on Mac OS X Server

Q. How do I install SEP for Mac?
A. Installing the Symantec Endpoint Protection client for Mac covers both managed and unmanaged installations. Push deployment from the SEPM (using the Client Deployment Wizard) is supported as of Symantec Endpoint Protection 12.1.5. 

Q. I already have a Symantec antivirus / security product on my Mac. Do I have to uninstall it first before installing SEP for Mac?
A. Legacy SEP 11 installations, managed or unmanaged, do not need to be uninstalled first unless your are also updating your version of OSX (see "What if I wish to perform a major upgrade to Mac OS X with SEP installed?" above). Symantec AntiVirus for Macintosh and consumer products Norton AntiVirus and Norton Internet Security for Macintosh must be uninstalled first. Please see the following document for details: Supported upgrade and migration paths to Symantec Endpoint Protection 12.1.x.

Q. What about upgrading SEP for Mac to a newer version? Can I use Upgrade Groups with Package (auto-upgrade)?
A. Unfortunately, you must export a client package for the new version then install or deploy as you would a new installation; it is not possible to use the Upgrade Groups with Package wizard (auto-upgrade) to migrate Macintosh clients up to a later client version. However, you can install the new version directly over the old without uninstalling first.

Q. There's no Add or Remove programs for Mac. How do I uninstall?
A. There is an uninstaller included on the SEP installation media; look under SEP_MAC, for SymantecUninstaller.English.tgz. Copy this file to the local Mac client and double-click on it to expand. Inside are two items: Symantec Uninstaller (which is the actual uninstaller), and SymantecUninstaller.pkg (which will actually install the Uninstaller to your hard drive; installing the Uninstaller is not necessary). The Uninstaller is intended for all Symantec products on the Mac, not just SEP. For more information, please see this document: How to uninstall Symantec Endpoint Protection for Macintosh

Q. How can I configure the SEPM to supply definitions to SEP for Mac clients?
A. The SEPM cannot host Macintosh LiveUpdate content the same way as it does for Windows clients. As of SEP version 12.1 RU4 the SEPM can be configured as a reverse proxy for downloading and caching the latest Macintosh LiveUpdate content. All Macintosh updates otherwise must otherwise occur through LiveUpdate, either from Symantec's servers or from an internal LiveUpdate server using LiveUpdate Administrator (LUA). Please see Using the LiveUpdate Administrator 2.x to download updates for Symantec Endpoint Protection for Macintosh for information on how to configure LUA for this content. Note: it is not recommended or supported for LUA and SEPM to be on the same physical server.

Q. Can a SEP for Mac client get updates from a Group Update Provider (GUP)?
A. No, for the same reasons outlined above.

Q. Can a SEP for Mac client act as a GUP?
A. No.

Q. How do I get Rapid Release definitions onto my SEP for Mac client?
A. Rapid Release definitions are not available for Mac security products. 

Q. How often are updates for SEP for Mac released?
A. Daily, usually in the morning Pacific time (west coast, USA).

Q. How do I know whether or not the SEP for Mac client is managed?
A. Connection Status: Connected appears under Management on the Symantec QuickMenu.

    For Symantec Endpoint Protection 12.1.5 (RU5):


    For Symantec Endpoint Protection 12.1.4 (RU4) - (RU4 MP1):

    For earlier builds, the green dot next to Symantec Endpoint Protection indicates Auto-Protect is Enabled, not that communication is established:


Q. Is it possible to convert an unmanaged SEP for Mac client to a managed client?
A. Yes.

Q. I don't see a LiveUpdate or scan schedule in the Mac's Symantec Scheduler. How can I verify the schedule given through the SEPM is really there?
A. As of SEP 12.1 RU4 for Mac, there is no longer a Symantec Scheduler, symsched, or integration with the OS X crontab: Scan schedules can be verified through the client GUI but the LiveUpdate schedule is visible in the newer client only when it is unmanaged. On a managed client you can verify that LiveUpdate is running on schedule by checking /Library/Application Support/Symantec/LiveUpdate/liveupdt.log

SEP for Mac versions earlier than 12.1 RU4 use the Symantec Scheduler application together with symsched command line and integration with the OS X crontab function: LiveUpdate or scan schedules that are configured through SEPM policy are entered into the OS X crontab for the root user so that the scheduled event will launch regardless of which user is logged in (and the root user account does not need to be enabled for the schedule to apply). These events will therefore not appear in the symsched or Symantec Scheduler user interface unless those are run with root credentials. To verify scheduled events, open the Terminal application on the client computer and type in the following: sudo symsched -l (that is a lowercase L). Enter your administrator password when prompted (it will not echo in the window). You should then see your SEPM-created schedule/s.

If you have unmanaged clients, a default schedule will be set for all users on the machine (i.e. for the root user).  This schedule is set to show progress (i.e. it is not set to -quiet), and can be removed using command-line symsched with superuser privileges (sudo).  Users can set their own schedules via the Symantec Scheduler; sudo symsched in the Terminal application can be used to set a schedule for all users on an individual machine, or use Apple Remote Desktop to send out a LiveUpdate schedule.

Q. How do I prevent Windows policies from applying to Macs?
A. Windows-specific policies will not apply to Macs; only the LiveUpdate policy and the Mac Settings in the Virus and Spyware Protection and the Exceptions policy (if configured for a security risk exception for a file or folder) will apply. Intrusion Protection policies apply to SEP for Mac 12.1 RU4 or later. Policies for Firewall and Application & Device Control will not apply because these components do not exist on the SEP for Mac client.

Q. Is Active Directory integration supported for Mac clients?
A. It is not tested or supported.

Q. I can send Mac clients a command to become an Unmanaged Detector or to enable or disable Network Threat Protection, but nothing happens. Why?
A. Even though the command can be sent, these features are not supported for SEP for Mac clients.

Q. How can I quickly disable the SEP client on Macintosh, e.g. for troubleshooting purposes?
A. In latest version of SEP, Virus and Spyware Protection and Network Threat Protection can be disabled/re-enabled by unloading/loading the SymDaemon service:

sudo launchctl unload /Library/LaunchDaemons/

sudo launchctl load /Library/LaunchDaemons/

Q. Is Location Awareness supported for SEP for Mac?
A. Location Awareness was introduced for SEP for Mac clients in version 12.1.

Q. SEP for Mac clients: User Mode or Computer Mode?
A. Computer Mode. It is not possible to convert a SEP for Mac client to User Mode.

Q. How can I lock down settings for SEP for Mac clients?
A. There are not many changes that the end user can make, but if you want to prevent them from disabling Auto-Protect (for example), make sure their group is set to Server Control:

In the Antivirus and Antispyware policy, under Mac Settings, for File System Auto-Protect, click on the padlock to lock it.

With these selections made, even if a user has administrative rights on their Mac, they will be unable to adjust these settings via the Auto-Protect preference pane:

Without the padlock clicked and locked in policy, an administrator-level account would be able to authenticate to make changes to settings:

Q. How can I prevent SEP for Mac users from manually launching LiveUpdate?
A. The Mac OS X Parental Controls feature, used to manage users in order to restrict applications that are launched on the system, could be used to restrict the manual launch of LiveUpdate. However, under normal circumstances, Administrator and Standard users alike should be able to launch LiveUpdate manually, whether the LiveUpdate policy is checked allowing clients to manually launch LiveUpdate or not.

Q. Does SEP for Mac do email scanning?
A. No. SEP for Mac is only a file system AntiVirus/AntiSpyware solution. There is no proxying of incoming or outgoing messages for email clients like Mail or Entourage, as there is in the optional email component of SEP for Windows. SEP for Mac AutoProtect does monitor and scan everything that is being written to the hard drive, including attachments that a user may attempt to save from an email message. However, email client inboxes and other email archives may become corrupt if SEP scans mail folders under the user profile directories. As a best practice, those directories should be excluded from SEP scans. See How to create a Security Risk Exception for a Mac client and check the documentation for your email client.

Q. Where can I find LiveUpdate/installation/other logs for troubleshooting?
A. The Symantec Endpoint Protection Support Tool does not currently function on the Macintosh OS, so an alternate tool GatherSymantecInfo is recommended. An exported System Profiler report will often also provide a lot of information about the system in question.

LiveUpdate log: /Library/Application Support/Symantec/LiveUpdate/liveupdt.log

LiveUpdate configuration settings: /etc/liveupdate.conf -- edit this file if necessary.

There may also be /Library/Application Support/Symantec/LiveUpdate/liveupdate.conf but this location is overwritten every time LiveUpdate runs. Do not edit this file. It is a temporary record of the settings last used and combined from /etc/liveupdate.conf and the Macintosh OS Network settings.

Installation: no separate installation log is written. Instead it is written to the system's installation log, which is most easily viewable via the Console application. With Console open, show the log list if it is not already showing; expand Files, then expand /private/var/log, and look for install.log (see image below). After listing some environmental variables, the phrase "Symantec Endpoint Protection Installation Log" will appear at the beginning of the installation cycle.

Q. What about Sylink debugging?
A. This document can be used to enable Sylink debugging for client communication problems with the SEPM.


Technical Information
SEPM screenshots taken via the web console on a Mac.

From Apple: "Using the System Profiler". Instead of printing, however, you will want to save the file. Before saving, under View, ensure "Full Profile" is selected.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices