Channel: Symantec Connect - Products - Articles

Deploying SEPM v14.2 clients to more than one Mac (High Sierra) – how to work around Kernel Extension


Starting from macOS v10.13 (High Sierra), with SEP v14.0.1 and onward, you must authorize the kernel extension for Symantec Endpoint Protection for it to fully function. There is a Symantec article about it at https://support.symantec.com/en_US/article.HOWTO127190.html if you wish to read up on this.

While this is fine and easy for a single install, it is a bugbear for mass deployments to more than one Mac, as you would have to manually set it on every Mac! Therefore, I am sharing this article with you all as I have come up with a solution to this issue.

Apple has issued this article: Prepare for changes to kernel extensions in macOS High Sierra - https://support.apple.com/en-us/HT208019

It explains what it does, how it works and how you can manage it.

You can achieve this if you have MDM/DEP set up and all your Macs are enrolled using that. So, bear in mind this deployment method might differ from your environment, but the main aim is to run a script that issues a command line on each machine (e.g. via DeployStudio, JAMF, etc.), and once it has been run, it will work.

This is all achieved using the spctl kext-consent command line - you can find out more about this at https://developer.apple.com/library/archive/technotes/tn2459/_index.html

In my case, I am using DeployStudio. I have Workflows where each workflow will run to do what I want it to do (i.e. joining the domain, installing the SEP client package, etc). Right at the end of the workflow, I have a script that runs the spctl kext-consent command to authorise the Symantec software.

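The Team Identifier for Symantec is 9PTGMPNXZ2. With that information, this is the script you need to add in a file. In DeployStudio -> Scripts, create a new file and name it, e.g., approvesep.sh. Then add these commands:

#!/bin/sh
# Pre-approve kernel extensions signed with Symantec's Team Identifier.
# Per Apple TN2459, run this from macOS Recovery or a NetBoot/NetInstall environment.
spctl kext-consent add 9PTGMPNXZ2
exit 0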

That’s it! Save it, put it in the workflow & chain it to the previous workflow and test away. When the deployment has completed, you will find the SEP client has been authorised and you won’t have to do anything further with it. The best thing with this is not having to visit each Mac to manually authorise this!
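The script above ends in exit 0, so the workflow reports success even when the approval did not take. The following is an added example, not the author's script: it adds the Team Identifier only if it is missing, re-reads the list to confirm, and returns a non-zero code on failure. The function names and the SPCTL override are hypothetical, and it assumes `spctl kext-consent list` prints one Team ID per line.

```sh
#!/bin/sh
# Added example: idempotent, verified kext-consent approval.
LC_ALL=C; export LC_ALL                # keep [A-Z] ranges ASCII-only
SPCTL="${SPCTL:-/usr/sbin/spctl}"      # hypothetical override, used for testing
TEAM_ID="${TEAM_ID:-9PTGMPNXZ2}"       # Symantec Team Identifier from the article

# Accept only the 10-character uppercase alphanumeric Team ID shape.
valid_team_id() {
    case "$1" in
        ""|*[!A-Z0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 10 ]
}

# True if the ID is a whole line of `spctl kext-consent list` output.
# Assumption: one Team ID per line, possibly below a header line.
is_approved() {
    "$SPCTL" kext-consent list 2>/dev/null | tr -d ' \t\r' | grep -qxF "$1"
}

# Return codes: 0 approved, 2 malformed ID, 3 add failed,
# 4 add reported success but the ID is still not listed.
ensure_approved() {
    valid_team_id "$1" || return 2
    is_approved "$1" && return 0
    "$SPCTL" kext-consent add "$1" >/dev/null 2>&1 || return 3
    is_approved "$1" || return 4
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    rc=0
    ensure_approved "$TEAM_ID" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "kext consent present for $TEAM_ID"
    else
        echo "kext consent NOT set for $TEAM_ID (rc=$rc)" >&2
    fi
    exit "$rc"
fi
```

Run it as the last workflow step with the --apply argument so that a failed approval shows up as a failed step.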

Do share your experience and your setup of how you do this.

