This article lists general limitations for Check Point Endpoint Security Client for macOS. These limitations are in addition to those listed in the corresponding Known Limitations articles for each release.
Table of Contents
General Limitations
Forensics
Compliance Blade
VPN Blade
Firewall Blade
Full Disk Encryption (FDE) Blade
FileVault Management
Media Encryption Blade
Compliance Blade
Anti-Malware Blade
Anti-Ransomware
URL Filtering Blade
Capsule Docs Blade
Installation
The following features are not supported on Check Point Endpoint Security Client for macOS:
General Limitations
Push Operations are ignored for macOS client
Centralized Client Deployment from Software Deployment Policy is not supported
Endpoint Client User Interface Localization is not supported
The following configurations in Common Client Settings Policy are not supported:
Client user interface settings: configurations such as custom preboot and One Check images and appearance of tray icon.
Allowing users to disable network protection on their computers.
Installation and upgrade settings
Uninstall Password
Telemetry data not generated
In order to use SideCar and Airdrop features, starting E83.20 for macOS client, you need to allow IPv6 traffic in the Endpoint Firewall policy. See sk171972
Only English is supported as the interface's language.
The Big Sur macOS may ask users to grant access to security modules after some special activities. In such cases, follow OS directives. To avoid this, we recommend MDM management tools to predefine the desired configurations.
The Big Sur macOS version does not display correctly in SmartEndpoint reports.
If nodeJS is installed on the Mac, build directories should be excluded in SBA policy (AR/EFR and TE) to improve performance.
Forensics
The Forensics report does not show Network events.
Compliance Blade
Remediation actions are not triggered on macOS
Environment variables in path of checked files are not supported
Compliance blade on macOS currently supports checks for the following Anti-Virus vendors:
Kaspersky
Check Point
Sophos
McAfee
Symantec
TrendMicro
Norton
The following compliance checks are not supported:
Latest service packs installed
running secure screen saver
If the default name of the compliance rule for checking if assigned blades are running is changed, i.e. cloned or edited, this rule will not be applied to the macOS Compliance blade. Then, on the server side there will be no compliance reporting (inform, warn, restrict). Client will also not go into the assumed compliance state.
VPN Blade
SCV Compliance check ("Use Compliance Blade" state should be defined in order to enforce client compliance prior to VPN connection)
[Not relevant for Big Sur and up] In some rare cases during the upgrade of VPN client from previous version, user may experience temporary inability to connect to VPN site. Delay may be from seconds to several minutes. To address this issue user should perform reboot of operating system.
A certificate for user authentication should be stored in the keychain when you use Secondary Connect.
Remote Access VPN clients do not support the use of a personal certificate as an authentication method if the saved certificate is on SmartCard. This is relevant for macOS 11 Big Sur.
Remote Access VPN clients do not support the use of personal certificates as an authentication method, if the certificate is in storage on a SmartCard. This is relevant for macOS 11 BugSur.
Firewall Blade
Firewall cannot block traffic in a VPN tunnel
Disable Wireless On Lan feature is not supported
Application Control is not supported
Individual IPv6 addresses cannot be blocked. One can set "IPv6 block all" for all IPv6 addresses.
Full Disk Encryption (FDE) Blade (From E80.71 LA, FDE Blade is replaced by FileVault blade)
Password change in FDE pre-boot is not synched to macOS
Smart Card login in FDE pre-boot is not supported
OneCheck is not supported
FileVault Blade
Only system volume is encrypted.
Institutional Recovery Key can only be imported once.
Audit logs are not generated.
Assigning FileVault users using SmartEndpoint is not supported.
User Acquisition setting "Continue to acquire users after pre-boot has been enforced.” is not supported.
User Acquisition setting “Pre-boot enforcement will begin after at least one user has been acquired after X days” is not supported.
Media Encryption Blade
Offline Mode Remote Help (MEPP / macOS Offline Access Tool does not support Remote Help)
Custom Encryption is not supported (Media Encryption does not support configuration of which file(s) should be encrypted)
Port Protection is not supported on macOS
CD/DVDs and storage devices connected to ports other than USB, are not supported
External Media that are mounted as virtual devices (Core Storage or APFS (Apple File System )) are not supported.
Time Machine using external media is not supported.
Media formatted as NTFS is not supported.
Media Encryption blade: Media scan - not supported.
EPS-26010: Enable Web protection - not supported (always off)
EPS-26011: Scan Mail messages - not supported (always off)
EPS-26012: Signature source settings - not supported (only External Check Point Signature server setting is supported)
EPS-26014: Push operations:
Scan for malware - not supported
Update malware for signature database - not supported
Operations restore file from quarantine - not supported
EPS-26015: Scan targets settings:
Critical areas - not supported (always on)
Optical drives - not supported (always off)
Mail messages - not supported (always off)
Unrecognized devices - not supported (always off)
EPS-26016: Configure Threat Cloud knowledge sharing - not supported
EPS-26017: Process exclusion - MD5 not supported
EPS-26059: Anti-Malware detections integration with Forensics report - not supported.
Anti-Ransomware
Backup configurations for the file types in the Anti-Ransomware policy are not enforced.
Backup configurations for the file size in Anti-Ransomware policy are not enforced.
URL Filtering Blade
URL Filtering is supported using Agent Chrome Browser Extension for SandBlast Agent Web Management users.
Capsule Docs Blade
For list of Capsule Docs limitations, refer to sk108376
Installation
In macOS 10.13 and later, the gatekeeper requests consent from the end user before allowing to load a third party kernel extension for the first time. It is possible to avoid this by preparing the installation of Endpoint Security on each machine by deploying a Device Management Kernel Extension Policy Payload containing the Check Point team identifier.
In macOS 10.13 and later, the gatekeeper warns when installing quarantined software: "Endpoint Security installer can't be opened because the identity of the developer cannot be confirmed. Your security preferences allow installation of only apps from the App Store and identified developers.” The macOS gatekeeper may quarantine third party software for multiple reasons, but it is possible to avoid this by either (1) Right-clicking the EPS installer in Finder and selecting "Open". (2) Removing the com.apple.quarantine attribute before opening the EPS installer.
In macOS 10.15 and later, the gatekeeper blocks the very first launch of third party executables that require access to user's files and folders. The end user needs to open the macOS System Preferences Privacy-Full Disk Access dialog and accept each executable. Right after completing installation, Endpoint Security guides the end user to complete this process.
In macOS 10.15.4 and later, the gatekeeper regularly informs the end user about running "legacy third party kernel extensions".
