Endpoint Security for Mac 22.214.171.124020 Release Notes
- Fast ring: 2019.06.20
- Slow ring: 2019.06.24
On slow ring, this version also includes the improvements and fixes delivered with Endpoint Security for Mac versions 126.96.36.199009, 188.8.131.52012, 184.108.40.206015, and 220.127.116.11017, all released on fast ring.
- Endpoint Security for Mac now uses FileVault to encrypt boot drives and diskutil to encrypt non-boot drives. Depending on the drive type, the security agent automatically uses the appropriate application, with minimal input from users.
Support for FileVault and diskutil was first introduced with version 18.104.22.168009 on fast ring, but this version comes with additional changes for Macs with T2 chips to accommodate the latest macOS updates.
Updates from version 22.214.171.124009 or later
The update only changes how boot drive decryption on Macs with T2 chips is performed.
- For boot drives encrypted by older product versions (which used diskutil, before 126.96.36.19909), users are now required to enter their disk passwords, and decryption is also performed with diskutil, instead of FileVault as before. It is recommended to decrypt and re-encrypt such endpoints in order to generate valid recovery keys in GravityZone.
- For boot drives encrypted by Endpoint Security for Mac after updating to 188.8.131.5209 (using FileVault), decryption still uses FileVault and prompts the user for their system credentials.
New installations and updates from version 184.108.40.206560 or older
For Macs encrypted with FileVault, the users have to enter their credentials to start the system and unlock the boot drive at the same time. Once logged on, the system will prompt the users to unlock any encrypted non-boot drives by entering the disk password.
- For boot drives not currently encrypted, when an encryption policy is applied, the security agent prompts the users to enter their system credentials to send the corresponding recovery key to GravityZone and to start encryption with FileVault.
- For boot drives previously encrypted by older versions of Endpoint Security for Mac (using diskutil):
- After the update, if an encryption policy is already applied on Mac endpoints, no user interaction is required. The encryption passwords and the recovery keys previously configured continue to function as before the update, until a decryption policy is applied. At that moment, the security agent decrypts the boot drives with diskutil (using the old encryption passwords). At the next encryption policy, those boot drives are encrypted with FileVault (using system credentials) and new recovery keys are stored in GravityZone.
- After the update, when a decryption policy is applied on Mac endpoints, the security agent prompts the users to enter the passwords they previously configured to encrypt the disk, in order to start the decryption process.
You do not need to apply a new GravityZone policy for the above changes to take place. The security agent will prompt the users with corresponding windows according to the existing policy settings.
- For boot drives encrypted with FileVault, independently of GravityZone:
- When an encryption policy is applied, the security agent prompts the users to change the recovery key by entering their system credentials. The new recovery key will be stored in GravityZone.
- When a decryption policy is applied, the security agent prompts the users to enter their security system credentials in order to start the decryption process with FileVault.
- Non-boot drives are encrypted with diskutil and the encryption and decryption processes work as before with no changes.
- When an encryption policy is applied, the security agent prompts the users to configure a password to start the encryption process and to send a recovery key to GravityZone.
- To decrypt, the security agent prompts the users to enter their encryption password.
- The update does not require changing the password or recovery keys for non-boot drives.
- The product user interface now displays the EDR Sensor status.
- In a particular situation, different Mac systems were displayed in the GravityZone console under the same Mac endpoint.
- Traffic Scan caused file corruption when using FTP in passive mode.
- Traffic Scan caused slow login to Active Directory for endpoints running High Sierra (10.13) and Mojave (10.14).
- On systems with T2 chips, the password and recovery key set for full disk encryption would not unlock the boot drive. Users could unlock the boot drive only by using their system credentials. With the new encryption functionality, the user password is required to encrypt, unlock and decrypt a boot drive and, additionally, a recovery key is generated and backed up in GravityZone.
- The Finder displayed an additional EFI partition on macOS Mojave (10.14) endpoints with Device Control installed, when connecting an external drive with APFS format.
- Malware events were not sent to GravityZone console once a scheduled scan was finished.
- The product failed to report the endpoint hostname for EDR events.
- Other minor improvements and bug fixes.
- The Anti-tampering module may cause the Time Machine tmutil tool to crash on macOS El Capitan (10.11).
- The Decryption Process window does not reappear if the user clicks the "X" button instead of Dismiss. It reappears after a system restart.