Check Point Endpoint Security support for macOS 10.13 (High Sierra)

Solution ID: sk120836
Product: Endpoint Security Client, Endpoint Security VPN, Harmony Disk and Media Encryption
Version: E80.71
OS: Mac
Date Created: 10-Oct-2017
Last Modified: 10-Jun-2018

Background

macOS 10.13 has new security features which prevent third-party vendors from implementing a Full Disk Encryption solution. In essence, the macOS security domain has become more proprietary to Apple.

- APFS (Apple File System) is a new container-based file system. macOS is booted from an APFS volume which resides inside a synthesized disk. The synthesized disk is an Apple proprietary container stored on a GPT volume of type APPLE_APFS. Apple does not expose which physical disk sectors are used by a specific APFS volume, and Apple does not provide third-party vendors with an APFS encryption filter API. As a result, a third-party Full Disk Encryption product cannot encrypt individual APFS volumes, only the entire APFS container (including the macOS recovery partition).
- SIP (System Integrity Protection) was already introduced in OS X 10.11 and was further enhanced in macOS 10.13. One SIP feature prevents any third-party application from changing the boot volume. Changing the boot volume is typically needed by a Full Disk Encryption solution when enabling boot from the pre-boot volume. SIP can be disabled or relaxed, but that requires a user to boot into macOS recovery. From a security perspective, disabling or relaxing SIP is not recommended for an enterprise.

In addition, although it is not a showstopper for developing a Full Disk Encryption solution, another macOS security feature should be mentioned:

- The User Approved Kernel Extension Loading feature blocks any third-party kernel extension from running by default. The user experience is degraded by a warning dialog which can only be resolved by a user locally. This may be a good feature for consumers, but it is difficult to manage for enterprise customers.

Check Point Solution

Due to significant changes in macOS 10.13 (High Sierra), which were introduced by the new Apple File System (APFS) and by System Integrity Protection (SIP), Check Point has had to discontinue the 'Full Disk Encryption for Mac' product. To replace the current Full Disk Encryption for Mac, Check Point will offer Native Encryption Management (NEM) for macOS, which will support migration from the old product to the new one, with the disk encrypted and protected at all times. The new product will use Apple FileVault on the Mac and will be managed by the Endpoint server, just like the previous product.

The release will deliver:

- Endpoint Security managed client and Endpoint Security VPN.
- Endpoint Management Server hotfix on top of R77.30.03 / R77.20 EP6.2 for managing the new Native Encryption Management product.

Delivery schedule:

- Limited Availability - December 18, 2017 - sk121595.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Dec 07, 2015: Check Point recommends using a mobile network account when installing Endpoint Security on Mac OS X 10.11 (El Capitan). OS X minor version upgrades on OS X 10.11 (El Capitan) must be initiated from an account with a home folder (a mobile network account or a local account).

Endpoint Security VPN for Mac. Endpoint Security VPN combines Remote Access VPN with Endpoint Security in a client that is installed on endpoint computers. It is recommended for managed endpoints that require a simple and transparent remote access experience together with Desktop Firewall rules. E82.00 Endpoint Security VPN Clients for macOS - Disc Image (DMG).