Jun 22, 2020 A: If your Mac had official support in macOS Catalina, they will likely be able to be patched to run Big Sur with minimal issues. As of writing, only WiFi appears to be unstable, and even then, not for all users. If your Mac was unsupported before the release of macOS Catalina, support remains to be seen as graphics acceleration may not be. Whether or not you should install MacOS Catalina onto an unsupported Mac is another question entirely, as performance may not be up to par, and some things may not work as expected (or at all, since features like Sidecar are compatible with specific Macs only), but if you’re an advanced user who is interested in running macOS 10.15 on. How to keep older Macs secure: a geeky approach (run Catalina on unsupported Macs) Posted on October 8th, 2019 by Jay Vrijenhoek. Note: This article was originally written for macOS Mojave, and has been adapted for macOS Catalina. From a security standpoint, using the latest version of macOS—the Mac operating system—is always preferred.
This advisory describes the changes and steps administrators can take to deploy Mac Connector 1.14.
Mac Connector version 1.14 introduces a number of changes that require user attention. Most notably, this Connector release includes changes to full disk access approvals and adds support for macOS 11 (Big Sur) System Extensions.
Since the inital 1.14 launch, compatibility issues have been discovered with 3rd party applications on macOS 10.15 Catalina when system extensions are in use. Apple will be addressing these issues in future releases of macOS 11 but will not be fixing these issues in macOS 10.15. Consequently, starting with version 1.14.1, the Mac Connector will use legacy kernel extensions instead of system extensions on all versions of macOS 10.15.
Mac Connector 1.14 is required to ensure endpoint protection on macOS 11. Older Mac Connectors will not work on this version of macOS.
It is highly recommended to deploy the Mac Connector with an MDM profile that grants the required approvals. MDM profiles must be installed before installing or upgrading the Mac Connector to ensure the needed permissions are recognized. Refer to the Known Issues section later in this document if MDM cannot be used.
Minimum OS Requirements
AMP for Endpoints Mac Connector 1.14.0 supports the following macOS versions:
- macOS 11, using macOS system extensions.
- macOS 10.15.5 and later, using macOS system extensions.
- macOS 10.15.0 through macOS 10.15.4, using macOS kernel extensions
- macOS 10.14, using macOS kernel extensions.
AMP for Endpoints Mac Connector 1.14.1 supports the following macOS versions:
- macOS 11, using macOS system extensions.
- macOS 10.15 using macOS kernel extensions.
- macOS 10.14, using macOS kernel extensions.
For deployments that include endpoints running older macOS versions, consult the OS Compatibility Table for compatible Mac Connector versions.
Important Changes
Mac Connector 1.14 introduces important changes in three areas:
- Approving AMP macOS Extensions to load
- Full Disk Access
- New Directory Structure
Approving Mac Connector macOS Extensions
The Mac Connector uses either System Extensions or legacy Kernel Extensions to monitor system activities, depending on the macOS version. On macOS 11, System Extensions replace the legacy Kernel Extensions that are unsupported in macOS 11. User approval is required on all versions of macOS before either type of extension is allowed to run. Without approval, certain Connector functions such as on-access file scan and network access monitoring will be unavailable.
Mac Connector 1.14 introduces two new macOS system extensions:
- An Endpoint Security extension, named AMP Security Extension, to monitor system events
- A Network Content Filter extension, named AMP Network Extension, to monitor network access
The two legacy Kernel Extensions, ampfileop.kext and ampnetworkflow.kext, are included for backwards compatibility on older macOS versions that don't support the new macOS System Extensions.
The following approvals are required for macOS 11** and later:
- Approve AMP Security Extension to load
- Approve AMP Network Extension to load
- Allow AMP Network Extension to filter network content
** Mac Connector version 1.14.0 also required these approvals on macOS 10.15. These approvals are no longer required on macOS 10.15 when running Mac Connector 1.14.1 or later.
The following approvals are required for macOS 10.14 and macOS 10.15:
- Approve AMP Kernel Extensions to load
These approvals can be granted using the macOS Security & Privacy Preferences on the endpoint, or by using Mobile Device Management (MDM) profiles.
Approving Mac Connector macOS Extensions at the Endpoint
System and Kernel extensions can be approved manually from the macOS Security & Privacy Preferences pane.
Approving Mac Connector macOS Extensions using MDM
NOTE: macOS Extensions cannot be retroactively approved via MDM. If the MDM profile is not deployed prior to installing the Connector then the approvals will not be granted and additional intervention will be required in one of the following forms:
1. Manual approval of the macOS Extensions on endpoints that had the management profile deployed retroactively.
2. Upgrading the Mac Connector to a newer version than the one currently deployed. Endpoints that had themanagement profile deployed retroactively will recognize the management profile after upgrade and gain approval once the upgrade completes.
AMP extensions can be approved using a management profile with the following payloads and properties:
| Payload | Property | Value |
| SystemExtensions | AllowedSystemExtensions | com.cisco.endpoint.svc.securityextension, com.cisco.endpoint.svc.networkextension |
| AllowedSystemExtensionTypes | EndpointSecurityExtension, NetworkExtension | |
| AllowedTeamIdentifiers | DE8Y96K9QP | |
| SystemPolicyKernelExtensions | AllowedKernelExtensions | com.cisco.amp.fileop, com.cisco.amp.nke |
| AllowedTeamIdentifiers | TDNYQP7VRK | |
| WebContentFilter | AutoFilterEnabled | false |
| FilterDataProviderBundleIdentifier | com.cisco.endpoint.svc.networkextension | |
| FilterDataProviderDesignatedRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc.networkextension' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) | |
| FilterGrade | firewall | |
| FilterBrowsers | false | |
| FilterPackets | false | |
| FilterSockets | true | |
| PluginBundleID | com.cisco.endpoint.svc | |
| UserDefinedName | AMP Network Extension |
Full Disk Access
MacOS 10.14 and later require approval before an application can access parts of the filesystem that contain personal user data (e.g. Contacts, Photos, Calendar, and other applications). Certain Connector functions such as on-access file scan will be unable to scan these files for threats without approval.
Previous Mac Connector versions required the user to grant Full Disk Access to the ampdaemon program. Mac Connector 1.14 requires Full Disk Access for:
- 'AMP for Endpoints Service' and
- 'AMP Security Extension'
The ampdaemon program no longer requires Full Disk Access starting with this new Mac Connector version.
Full Disk Access approvals can be granted using the macOS Security & Privacy Preferences on the endpoint, or by using Mobile Device Management (MDM) profiles.
Approving Full Disk Access at the Endpoint
Full Disk Access can be approved manually from the macOS Security & Privacy Preferences pane.
Approving Full Disk Access Using MDM
NOTE: macOS Extensions cannot be retroactively approved via MDM. If the MDM profile is not deployed prior to installing the Connector then the approvals will not be granted and additional intervention will be required in one of the following forms:
1. Manual approval of the macOS Extensions on endpoints that had the management profile deployed retroactively.
2. Upgrading the Mac Connector to a newer version than the one currently deployed. Endpoints that had the management profile deployed retroactively will recognize the management profile after upgrade and gain approval once the upgrade completes.
Full Disk Access can be approved using a management profile's Privacy Preferences Policy Control payload with a SystemPolicyAllFiles property with the following two entries, one for the AMP for Endpoints Service and one for the AMP Security Extension:
| Description | Property | Value |
| AMP for Endpoints Service | Allowed | true |
| CodeRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) | |
| Identifier | com.cisco.endpoint.svc | |
| IdentifierType | bundleID | |
| AMP Security Extension | Allowed | true |
| CodeRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc.securityextension' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) | |
| Identifier | com.cisco.endpoint.svc.securityextension | |
| IdentifierType | bundleID |
If your deployment includes computers running AMP Connector version 1.12.7 or older, the following additional entry is still required to grant full disk access to ampdaemon for those computers:
| Description | Property | Value |
| ampdaemon | Allowed | true |
| CodeRequirement | identifier ampdaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TDNYQP7VRK | |
| Identifier | /opt/cisco/amp/ampdaemon | |
| IdentifierType | path |
New Directory Structure
Mac Connector 1.14 introduces two changes to the directory structure:
- The Applications directory has been renamed from
Cisco AMPtoCisco AMP for Endpoints. - The command-line utility
ampclihas been moved from/opt/cisco/ampto/Applications/Cisco AMP for Endpoints/AMP for Endpoints Connector.app/Contents/MacOS. The directory/opt/cisco/ampcontains a symlink to theampcliprogram at its new location.
The complete directory structure for the new AMP Connector is as follows:
Known Issues with macOS 11.0 and Mac Connector 1.14.1.
Macos Mojave On Unsupported Mac
- Guidance for fault 10, 'Reboot required to load kernel module or system extension,' may be incorrect if four or more Network Content Filters are installed on the computer. Refer to the AMP For Endpoints Mac Connector Faults article for more details.
Known Issues with macOS 10.15/11.0 and Mac Connector 1.14.0.
- Some faults raised by the Mac Connector may be raised unexpectedly. Refer to the AMP For Endpoints Mac Connector Faults article for more details.
- Fault 13, Too many Network Content Filter system extensions, may be raised after upgrading. Rebooting the computer will resolve the fault in this situation.
- Fault 15, System Extension requires Full Disk Access, may be raised after reboot due to a bug in macOS 11.0.0. This issue is fixed in macOS 11.0.1. The fault can be resolved by re-granting full disk access in the Security & Privacy pane in macOS System Preferences.
- During installation, the Security & Privacy pane may display 'Placeholder Developer' as the application name when granting permission for the Mac Connector system extensions to run. This is due to a bug in macOS 10.15. Check the boxes beside 'Placeholder Developer' to allow the Mac Connector to protect the computer.
- The
systemextensionsctl listcommand can be used to determine which system extensions are awaiting approval. System extensions with the state[activated waiting for user]in this output are displayed as 'Placeholder Developer' in the macOS preferences page shown above. If more than two 'Placeholder Developer' entries are showin in the above preferences page, uninstall all software that uses system extensions (including the Mac Connector) so that no system extensions are awaiting approval, and then reinstall the Mac Connector.
The Mac Connector sysem extensions are identified as follows:- The Network Extension is shown as
com.cisco.endpoint.svc.networkextension. - The Endpoint Security extension is shown has
com.cisco.endpoint.svc.securityextension.
- The Network Extension is shown as
- The
- During install, the prompt to allow the Mac Connector's Content Filter to monitor network traffic may display '(null)' as the application name. This is caused by a bug in macOS 10.15. The user needs to select 'Allow' to to ensure protection of the computer.
If the prompt was dismissed by clicking 'Don't Allow' it can be displayed again by clicking the AMP Agent menulet icon in the menu bar and selecting 'Allow Network Filter.'
Once enabled, the AMP Network Extension filter will be listed in the Network Preferences page. - On macOS 11, when upgrading from Mac Connector 1.12 to Mac Connector 1.14, Fault 4, System Extension Failed to Load, may be raised temporarily while the Connector is transitioning from the kernel extensions to the new system extensions.
Revision History
Dec 1, 2020
- Mac Connector 1.14.1 no longer uses system extensions on macOS 10.15.
- Additional guidance on using terminal check which 'Placeholder Developer' System Extensions are awaiting approval when using Mac Connector 1.14.0.
Nov 9, 2020
Install Macos Mojave On Unsupported Mac
- Corrected bundle ID in full disk access CodeRequirement MDM payload.
Nov 3, 2020
- Release date for 1.14.0 Mac Connector is November 2020.
- The 1.14.0 Mac Connector will use System Extensions starting with macOS 10.15.5. Previously this was 10.15.6.
- Added Known Issues section.
- Updated directory structure outline.