Symantec Endpoint Protection for Macintosh Frequently Asked Questions

Article:TECH134203  |  Created: 2010-01-24  |  Updated: 2014-01-30  |  Article URL http://www.symantec.com/docs/TECH134203
Article Type
Technical Solution


Environment

Subject

Issue



What are some of the more common questions pertaining to Symantec Endpoint Protection for Macintosh (SEP for Mac FAQ)?


Solution



Q. Which OS X operating systems are supported?
A. SEP for Mac is supported on OS X 10.4.x - 10.9.x and PowerPC/Intel CPUs. The minimum CPU requirement is a PowerPC G4.
Please note the following specific SEP version requirements:


Q. What if I wish to perform a major upgrade to Mac OS X with SEP installed?
A. For minor updates to Mac OS X (10.8.0 to 10.8.2 for example), the SEP client can remain in place. However, for a major update to Mac OS X on a client system (from 10.6.8/10.7.x/10.8.x  to OS X 10.9.x (Mavericks) for example), we require temporarily removing the SEP client with the removal tool and cleanly reinstalling the compatible version after upgrade to avoid possible corruption to logs and other SEP components.

Q. What about Mac OS X Server?
Although Symantec does not officially support Mac OS X Server, there are only minor differences between Mac OS X and Mac OS X Server; SEP for Mac will function and scan for threats as expected. For guidance on best practices, please see 'Recommendations for installing Symantec Endpoint Protection for Macintosh 11.0.6 / Symantec Antivirus for Macintosh 10.x on Mac OS X Server'


Q. How do I install SEP for Mac?
A. 'Installing Symantec Endpoint Protection 11 for Macintosh' covers both managed and unmanaged installations. Push deployment from the SEPM (using the Migration and Deployment Wizard, or Find Unmanaged Computers) is not possible. Please see the previously referenced document for more information. 


Q. I already have a Symantec antivirus / security product on my Mac. Do I have to uninstall it first before installing SEP for Mac?
A. Older versions of SEP or Symantec Antivirus (managed or unmanaged) do not need to be uninstalled first unless your are also updating your version of OSX (please see "What if I wish to perform a major upgrade to Mac OS X with SEP installed?" above. Norton Antivirus and Norton Internet Security for Macintosh must be uninstalled first. Please see the following document for details: 'Migrating to Symantec Endpoint Protection 11 for Macintosh'.


Q. What about upgrading SEP for Mac to a newer version?  Can I use Upgrade Groups with Package (auto-upgrade)?
A. Unfortunately, you must export a client package for the new version then install or deploy as you would a new installation; it is not possible to use the Upgrade Groups with Package wizard (auto-upgrade) to migrate Macintosh clients up to a higher build.  However, you can install the new version directly over the old without uninstalling first.  This is also addressed in 'Migrating to Symantec Endpoint Protection 11 for Macintosh'.


Q. There's no Add or Remove programs for Mac. How do I uninstall?
A. There is an uninstaller included on the SEP installation media; look under SEP_MAC, for SymantecUninstaller.English.tgz. Copy this file to the local Mac client and double-click on it to expand. Inside are two items: Symantec Uninstaller (which is the actual uninstaller), and SymantecUninstaller.pkg (which will actually install the Uninstaller to your hard drive; installing the Uninstaller is not necessary). The Uninstaller is intended for all Symantec products on the Mac, not just SEP. For more information, please see this document: 'How to uninstall Symantec Endpoint Protection for Macintosh'. 

 
Q. How can I configure the SEPM to supply definitions to SEP for Mac clients?
A. The SEPM cannot host Macintosh LiveUpdate content the same way as it does for Windows clients. As of SEP version 12.1 RU4 the SEPM can be configured as a reverse proxy for downloading and caching the latest Macintosh LiveUpdate content. All Macintosh updates otherwise must otherwise occur through LiveUpdate, either from Symantec's servers or from an internal LiveUpdate server using LiveUpdate Administrator (LUA). Please see 'Using the LiveUpdate Administrator on a PC to download updates for Symantec Endpoint Protection/Symantec AntiVirus 10 for Macintosh clients' for information on how to configure LUA for this content. Note: it is not recommended or supported for LUA and SEPM to be on the same physical server.


Q. Can a SEP for Mac client get updates from a Group Update Provider (GUP)?
A. No, for the same reasons outlined above.
 

Q. Can a SEP for Mac client act as a GUP?
A. No.


Q. How do I get Rapid Release definitions onto my SEP for Mac client?
A. Rapid Release definitions are not available for Mac security products. There is an Intelligent Updater, however.

 
Q. How often are updates for SEP for Mac released?
A. Daily, usually in the morning Pacific time (west coast, USA).
 

Q. How do I know whether or not the SEP for Mac client is managed?
A. "Connection Status: Connected" will appear under Management on the Symantec QuickMenu.
 


Note: In the case of SEP for Mac, the green dot next to "Symantec Endpoint Protection" indicates Auto-Protect is Enabled, not that communication is established.
 

Q. Is it possible to convert an unmanaged SEP for Mac client to a managed client?
A. Yes

 
Q. I don't see a LiveUpdate or scan schedule in the Mac's Symantec Scheduler. How can I verify the schedule given through the SEPM is really there?
A. As of SEP 12.1 RU4 for Macintosh there is no longer a Symantec Scheduler, symsched, or integration with the OS X crontab: Scan schedules can be verified through the client GUI but the LiveUpdate schedule is visible in the newer client only when it is unmanaged. On a managed client you can verify that LiveUpdate is running on schedule by checking /Library/Application Support/Symantec/LiveUpdate/liveupdt.log

Older SEP for Macintosh (versions 11 RU6 thru 12.1 RU3) use the Symantec Scheduler application together with symsched command line and integration with the OS X crontab function: LiveUpdate or scan schedules that are configured through SEPM policy are entered into the OS X crontab for the root user so that the scheduled event will launch regardless of which user is logged in (and the root user account does not need to be enabled for the schedule to apply). These events will therefore not appear in the symsched or Symantec Scheduler user interface unless those are run with root credentials. To verify scheduled events, open the Terminal application on the client computer and type in the following: sudo symsched -l (that is a lowercase L). Enter your administrator password when prompted (it will not echo in the window). You should then see your SEPM-created schedule/s.



If you have unmanaged clients, a default schedule will be set for all users on the machine (i.e. for the root user).  This schedule is set to show progress (i.e. it is not set to -quiet), and can be removed using command-line symsched with superuser privileges (sudo).  Users can set their own schedules via the Symantec Scheduler; sudo symsched in the Terminal application can be used to set a schedule for all users on an individual machine, or use Apple Remote Desktop to send out a LiveUpdate schedule.


Q. How do I prevent Windows policies from applying to Macs?
A. Windows-specific policies will not apply to Macs; only the LiveUpdate policy and the Mac Settings in the Antivirus and Antispyware policy and the Centralized Exceptions policy (if configured for a security risk exception for a file or folder) will apply. Policies for Firewall, Intrusion Prevention, Application & Device Control will not apply because these components do not exist on the SEP for Mac client.

 
Q. Is Active Directory integration supported for Mac clients?
A. It is not tested or supported.

 
Q. I can send Mac clients a command to become an Unmanaged Detector or to enable or disable Network Threat Protection, but nothing happens. Why?
A. Even though the command can be sent, these features are not supported for SEP for Mac clients.

 
Q. Is Location Awareness supported for SEP for Mac?
A. SEP for Mac clients earlier than 12.1 are not location aware. If multiple locations are configured in the SEPM client group, SEP for Mac 11.x clients in that group will use policy from the default location. Location Awareness was introduced for SEP for Mac clients in version 12.1.

 
Q. SEP for Mac clients: User Mode or Computer Mode?
A. Computer Mode. It is not possible to convert a SEP for Mac client to User Mode.

 
Q. How can I lock down settings for SEP for Mac clients?
A. There are not many changes that the end user can make, but if you want to prevent them from disabling Auto-Protect (for example), make sure their group is set to Server Control:
 


In the Antivirus and Antispyware policy, under Mac Settings, for File System Auto-Protect, click on the padlock to lock it.
 


With these selections made, even if a user has administrative rights on their Mac, they will be unable to adjust these settings via the Auto-Protect preference pane:
 


Without the padlock clicked and locked in policy, an administrator-level account would be able to authenticate to make changes to settings:
 

 
Q. How can I prevent SEP for Mac users from manually launching LiveUpdate?
A. The Mac OS X Parental Controls feature, used to manage users in order to restrict applications that are launched on the system, could be used to restrict the manual launch of LiveUpdate. However, under normal circumstances, Administrator and Standard users alike should be able to launch LiveUpdate manually, whether the LiveUpdate policy is checked allowing clients to manually launch LiveUpdate or not.
 

Q. Does SEP for Mac do email scanning?
A. No. SEP for Mac is only a file system AntiVirus/AntiSpyware solution. There is no proxying of incoming or outgoing messages for email clients like Mail or Entourage, as there is in the optional email component of SEP for Windows. SEP for Mac AutoProtect does monitor and scan everything that is being written to the hard drive, including attachments that a user may attempt to save from an email message. However, email client inboxes and other email archives may become corrupt if SEP scans mail folders under the user profile directories. As a best practice, those directories should be excluded from SEP scans. See How to create a Security Risk Exception for a Mac client and check the documentation for your email client.
 

Q. Where can I find LiveUpdate/installation/other logs for troubleshooting?
A. The Symantec Endpoint Protection Support Tool does not currently function on the Macintosh OS, so an alternate tool GatherSymantecInfo is recommended. An exported System Profiler report will often also provide a lot of information about the system in question.

LiveUpdate log: /Library/Application Support/Symantec/LiveUpdate/liveupdt.log

LiveUpdate configuration settings: /etc/liveupdate.conf -- edit this file if necessary.

There may also be /Library/Application Support/Symantec/LiveUpdate/liveupdate.conf but this location is overwritten every time LiveUpdate runs. Do not edit this file. It is a temporary record of the settings last used and combined from /etc/liveupdate.conf and the Macintosh OS Network settings.

Installation: no separate installation log is written. Instead it is written to the system's installation log, which is most easily viewable via the Console application. With Console open, show the log list if it is not already showing; expand Files, then expand /private/var/log, and look for install.log (see image below). After listing some environmental variables, the phrase "Symantec Endpoint Protection Installation Log" will appear at the beginning of the installation cycle.
 


Q. What about Sylink debugging?
A. This document can be used to enable Sylink debugging for client communication problems with the SEPM.

 


Technical Information
SEPM screenshots taken via the web console on a Macintosh computer.

From Apple: "Using the System Profiler". Instead of printing, however, you will want to save the file. Before saving, under View, ensure "Full Profile" is selected.
http://support.apple.com/kb/PH6823
 




Legacy ID



2010062409301948


Article URL http://www.symantec.com/docs/TECH134203


Terms of use for this information are found in Legal Notices