Changes to Endpoint Security for Mac in macOS Big Sur and later: network extension, proxy configurations and SSL certificate
Starting with macOS Big Sur, Apple uses technologies that affect the behavior of the Endpoint Security for Mac agent.
Specifically, Apple has replaced the kernel extensions found in older versions of macOS with system extensions, which run in the user space. Therefore, Bitdefender has switched for Endpoint Security for Mac from kernel extensions to system extensions too. One system extension in particular requires more attention from users: the network extension.
To work properly, some of the Endpoint Security for Mac features or network components (Antiphising, Traffic Scan and Web Access Control in the Content Control module, and the EDR Sensor) require the following approvals from users:
Approval for the network extension
Approval for the tunneling application used to filter the internet traffic
Approval for the SSL certificate
If the network extension, the tunneling application and the SSL certificate are not approved, Endpoint Security for Mac displays warning messages at every three hours.
Important
Starting with version 4.15.127.200127, Endpoint Security for Mac provides full support for Content Control in macOS Big Sur 11.2 (see the release notes). Previously on macOS Big Sur 11.0 and 11.1, Content Control had entered the passthrough mode and stopped any connection filtering when another application with a network extension was installed on the endpoint (for example, Cisco AnyConnect VPN). This happened due to an incompatibility issue of the operating system. In such a situation, the GravityZone console displayed the following error message: "Unknown issue (Product.NetworkExtensionIsDisabled.NetworkExtensionIncompatibility)".
For details about the Endpoint Security for Mac support in macOS Big Sur, refer to Bitdefender support for macOS Big Sur.
Note
This article includes procedures and screenshots available with macOS Big Sur. The procedures are also applicable with later versions of macOS, such as Monterey and Ventura, but the user interface may differ, so please pay attention when following the steps.
The network extension
At installation
In the older macOS versions, kernel extensions required approval only at the first installation of Endpoint Security for Mac. Starting with macOS Big Sur, the network extension requires approval every time the agent or a network component is installed or reinstalled (unless another component is already installed).
At installation, Mac users receive the following System Extension Blocked warning message for the Network extension:
"The program "SecurityNetworkInstallerApp" tried to load new system extension(s). If you want to enable these extensions, open Security & Privacy System Preferences."
To approve the network extension in macOS Big Sur and other older macOS versions, follow the steps below.
To approve the network extension in macOS Sequoia and later, refer to this article.
Network extension approval in macOS Big Sur
Click Open Security Preferences.
Go to Security > Privacy > General.
Click the lock at the bottom of the window to make changes.
Enter your system credentials and click Unlock.
Click Allow for the blocked system extension.
With the Network extension not approved, Endpoint Security for Mac displays a You are at risk warning with the following message in the View Issues window:
"Install and allow the network extension to enable full protection."
To fix the issue:
Click Install now to open the Security > Privacy window.
Click the lock at the bottom of the window to make changes.
Enter your system credentials and click Unlock.
Click Allow for the blocked system extension.
Note
In macOS Ventura these controls are available in the Privacy & Security page.
At uninstall
Starting with macOS Big Sur and later, the network extension requires user approval when the agent or the network components are uninstalled (no other component remains installed).
If the user does not approve the change, the agent or the component will not be uninstalled.
The tunneling application (proxy configurations)
The system extension runs in the user space, so Endpoint Security for Mac uses a tunneling application (like a VPN) to filter the traffic. This application also requires approval.
In the "BDLDaemon" Would Like to Add Proxy Configurations window, click Allow.
With the application not approved, Endpoint Security for Mac displays a You are at risk warning and the following message in the View Issues window:
"Install the network component by allowing BDLDaemon.app to add Proxy Configuration."
The proxy configuration will be added to System Preferences > Network.
Bitdefender DCI connects only if the network extension was approved.
The SSL certificate
To filter the HTTPS traffic, Endpoint Security for Mac requires the approval of a SSL certificate.
If the Trust Settings are not updated, Endpoint Security for Mac displays a You are at risk warning and the following message in the View Issues window:
"The SSL certificate is not trusted. Please trust the certificate to enable SSL protection."
To trust the SSL certificate:
Click Open Keychain Access.
Double-click on Bitdefender CA SSL.
Expand the Trust section.
Click When using this certificate and select Always Trust.
Close the window.
Enter your system credentials and click Update Settings.
Important
In addition to the procedures described above, BEST requires Full Disk Access permissions in macOS Big Sur. For details, refer to Full Disk Access is not granted for Bitdefender Endpoint Security Tools in macOS Mojave (10.14) and later.