Introduction

Check PointEndpoint Security client secures endpoints running macOS . The client secures the endpoint using these Software Blades:

• Anti-Malware

• Remote Access VPN

• Firewall for desktop security

• Compliance

• Media Encryption

• Native Encryption Management

• Threat Emulation

• Forensics

• Anti-Ransomware

• Capsule Docs

The Firewall, Compliance, Capsule Docs, Media Encryption, Threat Emulation, Anti-Ransomware, and Native Encryption Management blades are centrally managed from SmartEndpoint. The VPN blade is managed by the policy created in SmartDashboard and installed on the gateway.

What's News

New Features

• Support for the Endpoint Security Clients on macOS Catalina (10.15).

• Support for SandBlast Agent Forensics which enables automated attack analysis.

  • Continuously collects data about user systems for later Forensics use.

  • Automatically builds actionable Forensics reports with important attack information.

  • Integrates monitoring and investigation of security events through SmartEvent and SmartLog.

Enhancements

• New User Interface aligned with the look and feel of the SandBlast Agent for Windows.

• This release includes stability, quality and performance fixes.

System Requirements

This section describes management, client, and gateway requirements.

Management Requirements

E82.00 Endpoint Security clients for Mac work with R80.20, R80.30, R77.30.03 and R77.20 EP6.2 Endpoint Security Management Servers.

The Native Encryption Management blade requires a dedicated server hotfix and a SmartConsole, only for R77.30.03 and R77.20 EP6.2 Management servers. See Installing the Server Hotfix for Native Encryption Management.

Upgrade your servers and SmartConsole to the required version before you deploy E82.00 clients. See the home page.

Note - This solution is fully integrated as of R80.20.

Supported Upgrade Path to E82.00 Mac

• E80.89

• E80.71

Client Requirements

E82.00 Endpoint Security Mac clients are compatible with these Mac platforms:

• macOS Catalina (10.15)

• macOS Mojave (10.14)

Supported OS upgrade to macOS Catalina (10.15) from:

• macOS Mojave (10.14)

• macOS High Sierra (10.13)

VPN Gateway Requirements

For the most up-to-date list of supported operating systems, server and gateway requirements, see sk67820.

Workflow for Upgrading to macOS Catalina (10.15)

macOS Catalina (10.15) can only work with E82.00 clients. You must upgrade the Endpoint Security client to this version before you can upgrade the operating system.

This is the high level work flow for upgrading an Endpoint Security client computer to macOS Catalina (10.15):

1. Make sure your management and SmartConsole supports Native Encryption Management.

2. Deploy the Endpoint Security client.

3. Upgrade the Endpoint Security client to E82.00.

4. Upgrade the operating system to macOS Catalina (10.15).

Deploying the New Client

Client packages for Mac clients must be distributed manually and do not use Software Deployment.

To get the Mac client package:

1. In SmartEndpoint, in the Deployment tab, select an entity in the Action column and click Load client installer file.

2. Browse to the new client package.

   The selected package is put in the Package Repository.

3. Click Mac Client > Download.

4. In the window that opens, select which blades to include in the package and click OK.

5. Optional: If Remote Access VPN is part of the package, you can configure a VPN site.

6. Select the location to save the package.

   The selected package starts to download.

7. The package shows in the configured location.

   Use a third party distribution method to distribute the ZIP file to Endpoint users.

Note -In the E82.00 Release, the Endpoint Security Installer.app bundle is not notarized.

To avoid macOS security warnings, make sure the installer does not have the com.apple.quarantine attribute at the time of the installation.

1. macOS does not add the com.apple.quarantine attribute when downloading from shared network folders or from the removal disk.

2. If the com.apple.quarantine attribute is added, it is possible to remove it manually using the xattr command.

Installing the Client

Make sure users know how to install the client.

To install the Mac client package on client computers:

1. Double-click the ZIP file to expand it.

2. Click the APP file that shows next to the zip file.

   The Check Point Endpoint Security Installer opens.

3. Click Install.

4. Enter a Name and Password to authorize the installation and click OK.

   Wait while package installs.

5. A message shows that the package installed successfully or failed for a specified reason. Click Close.

   If the installation was successful, the Endpoint Security icon shows in the menu bar.

Installing and Using Native Encryption Management

Native Encryption Management replaces Full Disk Encryption.

How to manage user acquisitions of mobile accounts using Full Disk Encryption on macOS 10.13 or later: sk122674.

SmartEndpoint Settings for Native Encryption Management

Only these settings can be used to manage the Native Encryption Management blade on the client:

• Recovery

  • Full Disk Encryption - Native Encryption Recovery Media.

  • Full Disk Encryption - Native Encryption Remote Help.

• User Acquisition

  • Full Disk Encryption - Pre-boot enforcement will begin after the acquisition process has acquired X user(s).

• Volume Encryption

  • Only protection of the system volume is supported.

• Deployment

  • Download Mac Client - select the Full Disk Encryption blade.

Password Reset and Data Recovery

You can help users recover FileVault-encrypted data if they can't log in to their Mac.

You can help users recover their data or reset their password using a personal recovery key that is unique to the client computer. Resetting the password can be done remotely.

Password Reset Using a Personal Key

If a user forgets the login password, the administrator can send a personal recovery key to the remote user, to allow them to log in. The key is a string of letters and numbers separated by dashes.

Step 1: User locates the serial number of the locked device:

1. Find the serial number of the locked device. It is usually printed on the back of the device.

2. Give the serial number to the support representative.

Step 2: Administrator gives a recovery key to the user:

1. Get the serial number of the locked device from the user.

2. In SmartEndpoint, select Users and Computers.

3. In Global Actions, click Native Encryption Recovery Media.

4. In the Native Encryption Remote Help window, type the Serial Number.

5. Click Get Recovery Key.

6. Give the recovery key to the user.

Step 3: User resets their password:

1. Get the Recovery Key from the support representative.

2. Restart the Mac.

3. In the FileVault pre-boot screen, click the ? butto

   A message shows: If you forgot your password you can reset it using your Recovery Key.

4. Type the Recovery Key, and click ->.

   A progress bar shows.

5. For Local Users:

   1. In the Reset Password window, the user enters a new password, and optionally, a password hint.

   2. Click Reset Password.

How to update the Personal Recovery Key (PRK) for Native Encryption Management FileVault, see sk138352.

Mac Recovery Using a Personal Key

A personal key is unique to the client Mac computer or device. The key is a string of letters and numbers separated by dashes.

To recover a user's FileVault-encrypted Mac using the personal key, the administrator reads the key to the user, and uses the key to decrypt and unlock the computer.

To decrypt and recover the user's FileVault-encrypted Mac:

For a volume formatted as APFS on macOS Catalina (10.15) -

1. Show the disk volumes on the Mac. Run the command:
   diskutil apfs list

   The volume to recover is the OS Volume. It has a name similar to disk2s1.

2. Run this command:

   diskutil apfs unlockVolume <Diskname> -passphrase <personal recovery key>

   The volume is now unlocked.

3. Get the list of apfs cryptousers. Run:

   diskutil apfs listcryptousers <Diskname>
   For example:
   diskutil apfs listcryptousers disk2s1

   For a local user, select the UUID of the user that has Type: Local Open Directory User

4. Decrypt the volume. Run:

   diskutil apfs decryptVolume <diskname> -user <user UUID>

5. Enter the password of the local user.

6. To monitor progress of the decryption, run
   diskutil apfs list

   For a volume formatted as CoreStorage on macOS 10.12 or higher -

7. Run this command:

   diskutil cs unlockVolume <lvUUID> -passphrase <personal recovery key>

8. The user interface shows a prompt to allow access. Enter the keychain password.

   The volume is now unlocked.

9. Start the decryption. Run:

   diskutil cs decryptVolume <lvUUID>

10. When prompted, enter the password for the local user.

11. To monitor progress of the decryption, run:
    diskutil cs list

The user can now reboot the Mac normally. They do not see the FileVault pre-boot screen.

Installing the Server Hotfix for Native Encryption Management

You must install a Hotfix on the Endpoint Security Management Server to make it possible to manage native FileVault encryption.

The R77.30.03 Hotfix and the R77.20 EP6.2 Hotfix are available for download on the home page.

Note -

• Native Encryption Management can be installed as a clean install and an upgrade from the E80.71 Native Encryption Management hotfix.

• This solution is fully integrated in R80.20 and R80.30.

To install the R77.30.03 Hotfix:

1. Take a snapshot of the server, to save a backup.

2. Copy uepm_HOTFIX_FLUORINE_NEM_010.tgz to the server.

3. Make a temporary directory:

   # mkdir /home/admin/temp

4. Extract the installation files to the temporary directory:

   # tar -zxvf uepm_HOTFIX_FLUORINE_NEM_010.tgz -C /home/admin/temp/

5. Go to the temporary directory and run the installation executable file:

   # cd /home/admin/temp

   # ./uepm_HOTFIX_FLUORINE_NEM_010

6. Reboot.

To install the R77.20 EP6.2 Hotfix:

1. Take a snapshot of the server, to save a backup.

2. Copy uepm_HOTFIX_R77_20_EP6_2_NEM_001.tgz to the server.

3. Make a temporary directory:

   # mkdir /home/admin/temp

4. Extract the installation files to the temporary directory:

   # tar -zxvf uepm_HOTFIX_R77_20_EP6_2_NEM_001.tgz -C /home/admin/temp/

5. Go to the temporary directory and run the installation executable file:

   # cd /home/admin/temp

   # ./uepm_HOTFIX_R77_20_EP6_2_NEM_001

6. Reboot.

Notes on Installation

If you have included the VPN blade in the deployment package, make sure you meet these requirements:

Network Requirements

• You have gateways that support remote VPN access and, if necessary, with the required Hotfix installed on them.

• If Visitor mode is configured on port 443 of a VPN gateway and the gateway's WebUI is enabled, make sure that the WebUI listens for connections on a port other than 443. Otherwise, the client will not connect.

Keychain Requirements

• Only certificates issued by a public CA can be stored in the keychain password management system by double-clicking the PKCS#12 file.

• If you want users to enter a certificate issued by the ICA into the keychain, they must complete the enrollment process. During enrollment, the client automatically enters the certificate into the keychain.

Note - Media Encryption Blade and the Office Access Utility for Mac can not be installed at the same time.

Uninstalling the Client on Mac

To uninstall the Endpoint Security client on Mac computers:

1. Open a terminal window.

2. Run:

   sudo "/Library/Application Support/Checkpoint/Endpoint Security/uninstall.sh"

   • If the Endpoint Security client was encrypted, the uninstall script first prompts for a login and a logout to disable FileVault. After decryption, the script continues to uninstall the client.

   • After you uninstall the Endpoint Security client, you must reset the computer through SmartEndpoint on the Security Management Server. See Resetting a Computer.

Known Limitations

For known limitations that apply to this release, see the home page.