Endpoint For Mac Client


FortiClient Endpoint Management Server (EMS) helps centrally manage, monitor, provision, patch, quarantine, dynamically categorize and provide deep real-time endpoint. macOS Catalina requires approval from the user to run the installer for Endpoint Security for Mac when the tar file is extracted to the Desktop or Downloads folder. While installing the EPS CLOUD Mac client, a prompt asks for permission to access the Desktop/Downloads/Documents folder where the MCCLAGNT.TAR/MCCLAGAV.TAR file is extracted.

Table of Contents:

  • Endpoint Security Clients Downloads
  • Utilities/Services Downloads
  • Management Console Downloads
  • Documentation and Related SecureKnowledge Articles
  • Use either of the following methods to install the client software: Use Apple Remote Desktop to deploy the file to other Mac clients. Double-click the downloaded endpoint package to launch the installer. Administrator permissions are required to install the endpoint client software.
  • ESET Endpoint Security for macOS ESET Endpoint Antivirus for macOS. The install package will appear in your Downloads folder or the default folder set by your browser. Double-click the installer file to open it. Double-click Install ESET Endpoint Security. When prompted, click Continue to launch the Installation Wizard.

Endpoint Security Homepage is now available.


Notes:

  • The relevant links to downloads are located in the relevant section, i.e. Standalone Clients, Utilities/Services.
  • The relevant links to documentation are located in the 'Documentation' section.
  • It is strongly recommended that you read the E84.30 Endpoint Security Client for macOS Release Notes and Known Limitations section, before installing this release.

What's New in E84.30 for macOS


New Features

  • Support for the Endpoint Security Clients on macOS Big Sur (11).
  • Machine Authentication for the VPN client. It allows VPN authentication with a machine certificate from the macOS system keychain. Machine Authentication works in user and machine authentication mode, which is a combination of a machine certificate and the selected user authentication method.
  • Post-connect message for the VPN client. It displays a message to the end user upon every VPN connection. Now available for Windows clients as well. See sk75221 for configuration details.
  • The E84.30 release introduces a self-protection feature which prevents the deletion of Check Point files and the termination of Check Point processes by end-users. In this release, the self-protection feature is intended for specific customers only. If you wish to use the feature, contact Check Point Support.

Enhancements

  • This release includes stability, quality and performance fixes.

Endpoint Security Clients Downloads


Endpoint Security E84.30 Clients for macOS


Platform | Package | Link
macOS | E84.30 Check Point Endpoint Security Client for macOS | (ZIP)
macOS | E84.30 Check Point Endpoint Security Client for macOS (without Capsule Docs and SandBlast Agent) | (ZIP)

Standalone Clients Downloads

Note: These Standalone clients do not require Endpoint Security Server installation as part of their deployment.

E84.30 Standalone Clients for macOS

Platform | Package | Link
macOS | E84.30 Endpoint Security VPN for macOS - Disc Image (DMG) | (DMG)
macOS | E84.30 Endpoint Security VPN for macOS - Automatic Upgrade package (PKG) | (PKG)
macOS | E84.30 Endpoint Security VPN for macOS - Signature for automatic upgrade | (signature)

Capsule Docs E84.30 Clients

Platform | Package
macOS | E84.30 Capsule Docs Mac Editor

Utilities/Services Downloads


Media Encryption Offline Access Tool E83.xx for macOS

Platform | Package
macOS | E83.xx Media Encryption Offline Access Tool

Native Encryption Management Hotfix Downloads

If you want to use the new Native Encryption Management, download the relevant hotfix.

Note: In order to download some of the packages you will need to have a Software Subscription or Active Support plan.
The packages provided below are Legacy CLI packages (not CPUSE packages).

Endpoint Security Server | Package | Link
R77.30.03 | R77.30.03 Server Hotfix for Native Encryption Management | (TGZ)
R77.20 EP6.2 | R77.20 EP6.2 Server Hotfix for Native Encryption Management | (TGZ)

Important: The Native Encryption Management Hotfix is integrated into R80.20

Management Console Downloads


Management Console for Endpoint Security Server

The SmartConsole for Endpoint Security Server allows the Administrator to connect to the Endpoint Security Server and to manage the new Endpoint Security Software Blades.

Endpoint Security Server | Package | Link
R77.30.03 | SmartConsole for Endpoint Security Server R77.30.03 / E80.89 | (EXE)
R77.20 EP6.2 | SmartConsole for Endpoint Security Server R77.20 EP6.2 / E80.89 | (EXE)
R80.20 | SmartConsole for Endpoint Security Server R80.20 | sk137593
R80.30 | SmartConsole for Endpoint Security Server R80.30 | sk153153
R80.40 | SmartConsole for Endpoint Security Server R80.40 | sk165473

Known Limitations

Issue ID | Description
- | The Big Sur macOS may ask users to grant access to security modules after some special activities. In such cases, follow OS directives. To avoid this, we recommend MDM management tools to predefine the desired configurations.
EPS-29195 | The Big Sur macOS version does not display correctly in SmartEndpoint reports.
AHTP-19465 | The Forensics report does not show Network events.
AHTP-20017 | Backup configurations for the file types in the Anti-Ransomware policy are not enforced.
AHTP-19924 | Backup configurations for the file size in Anti-Ransomware policy are not enforced.
AHTP-15310 | If nodeJS is installed on the Mac, build directories should be excluded in SBA policy (AR/EFR and TE) to improve performance.
EPS-23361 | If the default name of the compliance rule for checking if assigned blades are running is changed, i.e. cloned or edited, this rule will not be applied to the macOS compliance blade. Then, on the server side there will be no compliance reporting (inform, warn, restrict). Client will also not go into the assumed compliance state.
ESVPN-1920 | In some rare cases during the upgrade of VPN client from previous version, user may experience temporary inability to connect to VPN site. Delay may be from seconds to several minutes. To address this issue user should perform reboot of operating system.
ESVPN-2215 | A certificate for user authentication should be stored in the keychain when you use Secondary Connect.
ESVPN-2521 | Remote Access VPN clients do not support the use of a personal certificate as an authentication method if the saved certificate is on SmartCard. This is relevant for macOS 11 Big Sur.
EPS-30773 | Apple Sidecar does not work when E84.30 Mac Firewall blade is installed/upgraded.

Documentation and Related SecureKnowledge Articles

Document
E84.30 Endpoint Security Client for Mac
E84.30 Endpoint Security Client for macOS Release Notes
Remote Access VPN Clients
E84.30 Endpoint Security VPN Clients for macOS Release Notes
E80.71 and higher Endpoint Security VPN for Mac Administration Guide
Other
MDM Deployment Guide

For more information on Check Point releases see: Maintrain Release map, Maintrain Upgrade map, Maintrain Backward Compatibility map, Maintrain Releases plan.

You can also visit our Endpoint forum, Remote Access forum, Capsule Docs forum, or any other CHECKMATES forum to ask questions and get answers from technical peers and Support experts.

For more information, see:

  • For installation and upgrade instructions, use the procedures in: Installation and Upgrade Guide for Gaia Platforms R77 Versions
You can also visit our Endpoint Security forum, Full Disk Encryption forum, Media Encryption & Check Point GO forum or any other Check Point discussion forum to ask questions and get answers from technical peers and Support experts.

Revision History

Date | Description
24 January 2021 | Added link to MDM Deployment Guide.
14 January 2021 | Release of GA. Build E84.30.0820.
16 Dec 2020 | Release of new Early Availability build. Additions: 1. ME full support 2. Self-protection capability 3. Quality and limitations fixes. EA update build on 16/12/20 is E84.30.0796
18 Nov 2020 | First release of this document. First EA build is E84.30.0773


Applies to: Configuration Manager (current branch)

This article describes how to deploy and maintain the Configuration Manager client on Mac computers. To learn about what you have to configure before deploying clients to Mac computers, see Prepare to deploy client software to Macs.

When you install a new client for Mac computers, you might have to also install Configuration Manager updates to reflect the new client information in the Configuration Manager console.

In these procedures, you have two options for installing client certificates. Read more about client certificates for Macs in Prepare to deploy client software to Macs.

  • Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't support automatic certificate renewal. Re-enroll the Mac computer before the installed certificate expires.

  • Use a certificate request and installation method that is independent from Configuration Manager.

Important

To deploy the client to devices running macOS Sierra, correctly configure the Subject name of the management point certificate. For example, use the FQDN of the management point server.

Configure client settings

Use the default client settings to configure enrollment for Mac computers. You can't use custom client settings. To request and install the certificate, the Configuration Manager client for Mac requires the default client settings.

  1. In the Configuration Manager console, go to the Administration workspace. Select the Client Settings node, and then select Default Client Settings.

  2. On the Home tab of the ribbon, in the Properties group, choose Properties.

  3. Select the Enrollment section, and then configure the following settings:

    1. Allow users to enroll mobile devices and Mac computers: Yes

    2. Enrollment profile: Choose Set Profile.

  4. In the Mobile Device Enrollment Profile dialog box, choose Create.

  5. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile. Then configure the Management site code. Select the Configuration Manager primary site that contains the management points for these Mac computers.

    Note

    If you can't select the site, make sure that you configure at least one management point in the site to support mobile devices.

  6. Choose Add.

  7. In the Add Certification Authority for Mobile Devices window, select the certification authority server that issues certificates to Mac computers.

  8. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you previously created.

  9. Select OK to close the Enrollment Profile dialog box, and then the Default Client Settings dialog box.

    Tip

    If you want to change the client policy interval, use Client policy polling interval in the Client Policy client setting group.

The next time the devices download client policy, Configuration Manager applies these settings for all users. To initiate policy retrieval for a single client, see Initiate policy retrieval for a Configuration Manager client.

In addition to the enrollment client settings, make sure that you have configured the following client device settings:

  • Hardware inventory: Enable and configure this feature if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to extend hardware inventory.

  • Compliance settings: Enable and configure this feature if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Plan for and configure compliance settings.

For more information, see How to configure client settings.

Download the client for macOS

  1. Download the macOS client file package, Microsoft Endpoint Configuration Manager - macOS Client (64-bit). Save ConfigmgrMacClient.msi to a computer that runs Windows. This file isn't on the Configuration Manager installation media.

  2. Run the installer on the Windows computer. Extract the Mac client package, Macclient.dmg, to a folder on the local disk. The default path is C:\Program Files\Microsoft\System Center Configuration Manager for Mac client.

  3. Copy the Macclient.dmg file to a folder on the Mac computer.

  4. On the Mac computer, run Macclient.dmg to extract the files to a folder on the local disk.

  5. In the folder, make sure that it contains the following files:

    • Ccmsetup: Installs the Configuration Manager client on your Mac computers using CMClient.pkg

    • CMDiagnostics: Collects diagnostic information related to the Configuration Manager client on your Mac computers

    • CMUninstall: Uninstalls the client from your Mac computers

    • CMAppUtil: Converts Apple application packages into a format that you can deploy as a Configuration Manager application

    • CMEnroll: Requests and installs the client certificate for a Mac computer so that you can then install the Configuration Manager client

Enroll the Mac client

Enroll individual clients with the Mac computer enrollment wizard.

To automate enrollment for many clients, use the CMEnroll tool.

Enroll the client with the Mac computer enrollment wizard

  1. After you install the client, the Computer Enrollment wizard opens. To manually start the wizard, select Enroll from the Configuration Manager preference page.

  2. On the second page of the wizard, provide the following information:

    • User name: The user name can be in the following formats:

      • domain\name. For example: contoso\mnorth

      • [email protected]. For example: [email protected]

        Important

        When you use an email address to populate the User name field, Configuration Manager automatically populates the Server name field. It uses the default name of the enrollment proxy point server and the domain name of the email address. If these names don't match the name of the enrollment proxy point server, fix the Server name during enrollment.

        The user name and corresponding password must match an Active Directory user account that has Read and Enroll permissions on the Mac client certificate template.

    • Server name: The name of the enrollment proxy point server.

Client and certificate automation with CMEnroll

Use this procedure for automation of client installation and requesting and enrollment of client certificates with the CMEnroll tool. To run the tool, you must have an Active Directory user account.

  1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file.

  2. Enter the following command: sudo ./ccmsetup

  3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, don't restart, and continue to the next step.

  4. From the Tools folder on the Mac computer, type the following command: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user_name>'

    After the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. For more information, see Enroll the client by using the Mac computer enrollment wizard.

    Example: If the enrollment proxy point server is named server02.contoso.com, and you grant contoso\mnorth permissions for the Mac client certificate template, type the following command: sudo ./CMEnroll -s server02.contoso.com -ignorecertchainvalidation -u 'contoso\mnorth'

    Note

    If the user name includes any of the following characters, enrollment fails: <>'+=,. Use an out-of-band certificate with a user name that doesn't include these characters.

    For a more seamless user experience, script the installation steps. Then users only have to supply their user name and password.

  5. Type the password for the Active Directory user account. When you enter this command, it prompts for two passwords. The first password is for the super user account to run the command. The second prompt is for the Active Directory user account. The prompts look identical, so make sure that you specify them in the correct sequence.

  6. Wait until you see the Successfully enrolled message.

  7. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:

    1. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

    2. In the Keychain Access window, in the Keychains section, choose System. Then in the Category section, choose Keys.

    3. Expand the keys to view the client certificates. Find the certificate with a private key that you installed, and open the key.

    4. On the Access Control tab, choose Confirm before allowing access.

    5. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.

    6. Choose Save Changes and close the Keychain Access dialog box.

  8. Restart the Mac computer.

To verify that the client installation is successful, open the Configuration Manager item in System Preferences on the Mac computer. Also update and view the All Systems collection in the Configuration Manager console. Confirm that the Mac computer appears in this collection as a managed client.
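
The procedure above suggests scripting the installation steps so that users only supply a user name and password. The wrapper below is an added example, not part of Microsoft's documentation: it rejects user names containing the characters listed in the note, optionally checks the enrollment proxy's TLS chain against a CA file (the page's CMEnroll command passes -ignorecertchainvalidation), and then runs the two commands from the procedure. The function names, the PKG_DIR, TOOLS_DIR, CA_FILE and DRY_RUN variables, and HTTPS on port 443 for the proxy are assumptions.

```shell
#!/bin/bash
# Added example: wrapper for the ccmsetup + CMEnroll steps on this page.
# Assumed names: valid_enroll_user, check_proxy_chain, run_in, enroll_mac,
# PKG_DIR, TOOLS_DIR, CA_FILE, DRY_RUN. Port 443 on the proxy is assumed.

# Characters that make enrollment fail, as listed on the page.
BAD_USER_CHARS="<>'+=,"

# Return 0 only for a non-empty user name free of the listed characters.
valid_enroll_user() {
  case "$1" in
    '' | *["$BAD_USER_CHARS"]*) return 1 ;;
  esac
  return 0
}

# Verify the enrollment proxy's TLS chain against a CA bundle ($2, PEM).
# curl exits non-zero when the chain or host name does not validate.
check_proxy_chain() {
  curl --silent --show-error --head --output /dev/null \
       --cacert "$2" "https://$1/"
}

# Run a command from inside a directory; with DRY_RUN set, only print it.
run_in() {
  dir=$1; shift
  if [ -n "${DRY_RUN:-}" ]; then
    printf '(cd %s && %s)\n' "$dir" "$*"
  else
    ( cd "$dir" && "$@" )
  fi
}

# $1 = enrollment proxy point FQDN, $2 = Active Directory user name.
enroll_mac() {
  pkg=${PKG_DIR:-$PWD}              # folder extracted from Macclient.dmg
  tools=${TOOLS_DIR:-$pkg/Tools}    # folder holding CMEnroll
  if ! valid_enroll_user "$2"; then
    echo "user name is empty or contains one of: $BAD_USER_CHARS" >&2
    return 2
  fi
  if [ -n "${CA_FILE:-}" ] && ! check_proxy_chain "$1" "$CA_FILE"; then
    echo "TLS chain of $1 did not validate against $CA_FILE" >&2
    return 3
  fi
  # sudo asks for the local password first; CMEnroll then asks for the
  # Active Directory password. Do not restart between the two commands.
  run_in "$pkg" sudo ./ccmsetup || return 4
  run_in "$tools" sudo ./CMEnroll -s "$1" -ignorecertchainvalidation -u "$2"
}

# Usage: ./enroll.sh <enrollment_proxy_server_name> '<user_name>'
if [ "$#" -eq 2 ]; then
  enroll_mac "$1" "$2"
fi
```

Set DRY_RUN=1 to print the two commands without running them, and set CA_FILE to the PEM file of your issuing CA chain to enable the TLS check.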

Tip

To help troubleshoot the Mac client, use the CMDiagnostics tool included with the Mac client package. Use it to collect the following diagnostic information:

  • A list of running processes
  • The macOS X operating system version
  • macOS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash.
  • The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation.
  • The contents of the folder /Library/Application Support/Microsoft/CCM/Logs.

The information collected by CMDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<datetime>.zip.

Manage certificates external to Configuration Manager

You can use a certificate request and installation method independent from Configuration Manager. Use the same general process, but include the following additional steps:

  • When you install the Configuration Manager client, use the MP and SubjectName command-line options. Enter the following command: sudo ./ccmsetup -MP <management point internet FQDN> -SubjectName <certificate subject name>. The certificate subject name is case-sensitive, so type it exactly as it appears in the certificate details.

    Example: The management point's internet FQDN is server03.contoso.com. The Mac client certificate has the FQDN of mac12.contoso.com as a common name in the certificate subject. Use the following command: sudo ./ccmsetup -MP server03.contoso.com -SubjectName mac12.contoso.com

  • If you have more than one certificate that contains the same subject value, specify the certificate serial number to use for the Configuration Manager client. Use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data '<serial number>'.

    For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data '17D4391A00000003DB'

Renew the Mac client certificate

This procedure removes the SMSID. The Configuration Manager client for Mac requires a new ID to use a new or renewed certificate.

Important

After you replace the client SMSID, when you delete the old resource in the Configuration Manager console, you also delete any stored client history. For example, hardware inventory history for that client.

  1. Create and populate a device collection for the Mac computers that must renew the computer certificates.

  2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard.

  3. On the General page of the wizard, specify the following information:

    • Name: Remove SMSID for Mac

    • Type: Mac OS X

  4. On the Supported Platforms page, select all macOS X versions.

  5. On the Settings page, select New. In the Create Setting window, specify the following information:

    • Name: Remove SMSID for Mac

    • Setting type: Script

    • Data type: String

  6. In the Create Setting window, for Discovery script, select Add script. This action specifies a script to discover Mac computers configured with an SMSID.

  7. In the Edit Discovery Script window, enter the following shell script:

  8. Choose OK to close the Edit Discovery Script window.

  9. In the Create Setting window, for Remediation script (optional), choose Add script. This action specifies a script to remove the SMSID when it's found on Mac computers.

  10. In the Create Remediation Script window, enter the following shell script:

  11. Choose OK to close the Create Remediation Script window.

  12. On the Compliance Rules page, choose New. Then in the Create Rule window, specify the following information:

    • Name: Remove SMSID for Mac

    • Selected setting: Choose Browse and then select the discovery script that you previously specified.

    • In the following values field: The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.

    • Enable the option to Run the specified remediation script when this setting is noncompliant.

  13. Complete the wizard.

  14. Create a configuration baseline that contains this configuration item. Deploy the baseline to the target collection.

    For more information, see How to create configuration baselines.

  15. After you install a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate:
