This article lists general limitations for Check Point Endpoint Security Client for macOS.
These limitations are in addition to those listed in the corresponding Known Limitations articles for each release.

For the list of macOS releases, see Endpoint Security Homepage

General Limitations Forensics Compliance Blade   VPN Blade

Firewall Blade FileVault Blade Media Encryption Blade            Compliance Blade

Anti-Malware Blade Anti-Ransomware URL Filtering Blade Capsule Docs Blade

General Limitations

AHTP-26371:  Emulation on local Threat Emulation (TE) appliances is supported Support added starting from Endpoint Security E86.80 macOS Clients  Fallback to cloud is supported only starting from Endpoint Security E87.00 macOS Clients.

EPS-47949: Time-limited installations are not supported.

EPS-41116: Push Operations are ignored for macOS client. Resolved in Endpoint Security E86.20 macOS Clients

Centralized Client Deployment from Software Deployment Policy is not supported. Resolved in Endpoint Security E85.30 macOS Clients

Endpoint Client User Interface Localization is not supported.

The following configurations in Common Client Settings Policy are not supported: Client user interface settings: configurations such as custom preboot and One Check images and appearance of tray icon. Allowing users to disable network protection on their computers.

Telemetry data is not generated. Resolved in Endpoint Security E85.30 macOS Clients

To use SideCar and Airdrop features, starting E83.20 for macOS client, you need to allow IPv6 traffic in the Endpoint Firewall policy. See sk171972. Resolved in Endpoint Security E85.30 macOS Clients

Only English is supported as the interface's language.

The Big Sur macOS, (and later) may ask users to grant access to security modules after some special activities. In such cases, follow OS directives. To avoid this, Check Point recommends MDM management tools to predefine the desired configurations.

The Big Sur macOS version does not display correctly in SmartEndpoint reports. Resolved in Endpoint Security E85.30 macOS Clients

If nodeJS is installed on the Mac, build directories should be excluded in SBA policy (AR/EFR and TE) to improve performance.

EPS-40903: Time machine restore of a backup containing an Endpoint Security installation is not supported.

Forensics

The Forensics report does not show Network events.

Compliance Blade

Remediation actions are not triggered on macOS.

Environment variables in path of checked files are not supported

Compliance blade on macOS currently supports checks for the following Anti-Virus vendors: Kaspersky Check Point Sophos McAfee Symantec TrendMicro Norton

The following compliance checks are not supported: Latest service packs installed running secure screen saver

If the default name of the compliance rule for checking if assigned blades are running is changed, i.e. cloned or edited, this rule will not be applied to the macOS Compliance blade. Then, on the server side there will be no compliance reporting (inform, warn, restrict). Client will also not go into the assumed compliance state.

VPN Blade

SCV Compliance check ("Use Compliance Blade" state should be defined in order to enforce client compliance prior to VPN connection).

[Not relevant for Big Sur and higher] In some rare cases during the upgrade of VPN client from previous version, user may experience temporary inability to connect to VPN site. Delay may be from seconds to several minutes. To address this issue user should perform reboot of operating system.

A certificate for user authentication should be stored in the keychain when you use Secondary Connect.

Remote Access VPN clients do not support the use of a personal certificate as an authentication method if the saved certificate is on SmartCard. This is relevant for macOS 11 Big Sur.

Remote Access VPN clients do not support the use of personal certificates as an authentication method, if the certificate is in storage on a SmartCard. This is relevant for macOS 11 BugSur.

Firewall Blade

Firewall cannot block traffic in a VPN tunnel.

Disable Wireless On Lan feature is not supported.

Application Control is not supported.

Individual IPv6 addresses cannot be blocked. One can set "IPv6 block all" for all IPv6 addresses. Resolved in Endpoint Security E85.30 macOS Clients

FileVault Blade Starting from E80.71 LA, the FDE Blade is replaced by FileVault Blade

Only system volume is encrypted.

Institutional Recovery Key can only be imported once.

Audit logs are not generated.

Assigning FileVault users using SmartEndpoint is not supported.

User Acquisition setting "Continue to acquire users after pre-boot has been enforced” is not supported.

User Acquisition setting “Pre-boot enforcement will begin after at least one user has been acquired after X days” is not supported.

EPS-36528: Apple FileVault encryption cannot be stopped or reversed. Avoid install/uninstall/upgrade when FileVault is encrypting/decrypting.

Smart Card login is not supported.

OneCheck is not supported.

Media Encryption Blade

Offline Mode Remote Help (MEPP / macOS Offline Access Tool does not support Remote Help).

Custom Encryption is not supported (Media Encryption does not support configuration of which file(s) should be encrypted).

Port Protection is not supported. Early Availablity release of the feature is available in E85.30. See sk176366 for more details.

CD/DVDs and storage devices connected to ports other than USB, are not supported.

External Media that are mounted as virtual devices (Core Storage or APFS (Apple File System )) are not supported.

Time Machine using external media is not supported. Resolved in Endpoint Security E85.30 macOS Clients

Media formatted as NTFS is not supported.

Media scan is not supported.

Anti-Malware Blade

Anti-Malware Blade is not supported on macOS client. Resolved in Endpoint Security E82.50 macOS Clients

Contextual scan is not supported (Finder does not have option for scan). Resolved in Endpoint Security E83.200 macOS Clients

EPS-26010: Enable Web protection - not supported (always off)

EPS-26011: Scan Mail messages - not supported (always off)

EPS-26012: Signature source settings - not supported (only External Check Point Signature server setting is supported)

EPS-26016: Configure Threat Cloud knowledge sharing - not supported

EPS-26017: Process exclusion - MD5 not supported

EPS-26059: Anti-Malware detections integration with Forensics report - not supported.

Anti-Ransomware

Backup configurations for the file types in the Anti-Ransomware policy are not enforced.

Backup configurations for the file size in Anti-Ransomware policy are not enforced.

URL Filtering Blade

URL Filtering is supported using Agent Chrome Browser Extension for SandBlast Agent Web Management users.

Capsule Docs Blade

For the list of Capsule Docs limitations, refer to sk108376