Check Point Endpoint Security Client for macOS - General Limitations
Solution

This article lists general limitations for Check Point Endpoint Security Client for macOS.
These limitations are in addition to those listed in the corresponding Known Limitations articles for each release.

  • General Limitations
  • Forensics
  • Compliance Blade
  • VPN Blade
  • Firewall Blade
  • Full Disk Encryption (FDE) Blade
  • FileVault Management
  • Media Encryption Blade
  • Anti-Malware Blade
  • Anti-Ransomware
  • URL Filtering Blade
  • Capsule Docs Blade
  • Installation

General Limitations
Push Operations are ignored for macOS client.
Centralized Client Deployment from Software Deployment Policy is not supported.
Endpoint Client User Interface Localization is not supported.
The following configurations in Common Client Settings Policy are not supported:
  • Client user interface settings: configurations such as custom preboot and One Check images and appearance of tray icon.
  • Allowing users to disable network protection on their computers.
  • Installation and upgrade settings
Telemetry data is not generated.
To use SideCar and Airdrop features, starting E83.20 for macOS client, you need to allow IPv6 traffic in the Endpoint Firewall policy. See sk171972.
Only English is supported as the interface's language.
macOS Big Sur (and later) may ask users to grant access to security modules after some special activities. In such cases, follow the OS directives. To avoid this, Check Point recommends using MDM management tools to predefine the desired configurations.
The macOS Big Sur version does not display correctly in SmartEndpoint reports.
If Node.js is installed on the Mac, build directories should be excluded in SBA policy (AR/EFR and TE) to improve performance.
Forensics
The Forensics report does not show Network events.
Compliance Blade
Remediation actions are not triggered on macOS.
Environment variables in the path of checked files are not supported.
Compliance blade on macOS currently supports checks for the following Anti-Virus vendors:
  • Kaspersky
  • Check Point
  • Sophos
  • McAfee
  • Symantec
  • TrendMicro
  • Norton
The following compliance checks are not supported:
  • Latest service packs installed
  • Running secure screen saver
If the default name of the compliance rule that checks whether assigned blades are running is changed (for example, the rule is cloned or edited), the rule is not applied to the macOS Compliance blade. As a result, there is no compliance reporting (inform, warn, restrict) on the server side, and the client does not go into the assumed compliance state.
VPN Blade
SCV Compliance check ("Use Compliance Blade" state should be defined in order to enforce client compliance prior to VPN connection).
[Not relevant for Big Sur and higher] In rare cases, during an upgrade of the VPN client from a previous version, the user may be temporarily unable to connect to the VPN site. The delay may last from seconds to several minutes. To resolve the issue, reboot the operating system.
A certificate for user authentication should be stored in the keychain when you use Secondary Connect.
Remote Access VPN clients do not support the use of a personal certificate as an authentication method if the saved certificate is on SmartCard. This is relevant for macOS 11 Big Sur.
Remote Access VPN clients do not support the use of personal certificates as an authentication method if the certificate is stored on a SmartCard. This is relevant for macOS 11 Big Sur.
Firewall Blade
Firewall cannot block traffic in a VPN tunnel.
Disable Wireless On Lan feature is not supported.
Application Control is not supported.
Individual IPv6 addresses cannot be blocked. One can set "IPv6 block all" for all IPv6 addresses.
Full Disk Encryption (FDE) Blade
From E80.71 LA, the FDE Blade is replaced by the FileVault blade.
Password change in FDE pre-boot is not synced to macOS.
Smart Card login in FDE pre-boot is not supported.
OneCheck is not supported.
FileVault Blade
Only system volume is encrypted.
Institutional Recovery Key can only be imported once.
Audit logs are not generated.
Assigning FileVault users using SmartEndpoint is not supported.
User Acquisition setting "Continue to acquire users after pre-boot has been enforced." is not supported.
User Acquisition setting "Pre-boot enforcement will begin after at least one user has been acquired after X days" is not supported.
EPS-36528: Apple FileVault encryption cannot be stopped or reversed. Avoid install/uninstall/upgrade when FileVault is encrypting/decrypting.
Media Encryption Blade
Offline Mode Remote Help (MEPP / macOS Offline Access Tool does not support Remote Help).
Custom Encryption is not supported (Media Encryption does not support configuration of which file(s) should be encrypted).
Port Protection is not supported. An Early Availability release of the feature is available in E85.30. See sk176366 for more details.
CD/DVDs and storage devices connected to ports other than USB, are not supported.
External Media that are mounted as virtual devices (Core Storage or APFS (Apple File System)) are not supported.
Time Machine using external media is not supported.
Media formatted as NTFS is not supported.
Media scan is not supported.
EPS-31758: To enable Media Encryption SysExt the user must lower Security Policy through Recovery Mode.
Anti-Malware Blade
Anti-Malware Blade is not supported on macOS client.
Contextual scan is not supported (Finder does not have option for scan).
EPS-26010: Enable Web protection - not supported (always off)
EPS-26011: Scan Mail messages - not supported (always off)
EPS-26012: Signature source settings - not supported (only External Check Point Signature server setting is supported)
EPS-26015: Scan targets settings:
  • Critical areas - not supported (always on)
  • Optical drives - not supported (always off)
  • Mail messages - not supported (always off)
  • Unrecognized devices - not supported (always off)
EPS-26016: Configure Threat Cloud knowledge sharing - not supported
EPS-26017: Process exclusion - MD5 not supported
EPS-26059: Anti-Malware detections integration with Forensics report - not supported.
Anti-Ransomware
Backup configurations for the file types in the Anti-Ransomware policy are not enforced.
Backup configurations for the file size in Anti-Ransomware policy are not enforced.
URL Filtering Blade
URL Filtering is supported using Agent Chrome Browser Extension for SandBlast Agent Web Management users.
Capsule Docs Blade
For the list of Capsule Docs limitations, refer to sk108376.
Installation
In macOS 10.13 and later, Gatekeeper requests consent from the end user before allowing a third-party kernel extension to load for the first time.
It is possible to avoid this by preparing the installation of Endpoint Security on each machine: deploy a Device Management Kernel Extension Policy Payload containing the Check Point team identifier.
In macOS 10.13 and later, Gatekeeper warns when installing quarantined software: "Endpoint Security installer can't be opened because the identity of the developer cannot be confirmed. Your security preferences allow installation of only apps from the App Store and identified developers."
macOS Gatekeeper may quarantine third-party software for multiple reasons, but it is possible to avoid this by either (1) right-clicking the EPS installer in Finder and selecting "Open", or (2) removing the com.apple.quarantine attribute before opening the EPS installer.
In macOS 10.15 and later, Gatekeeper blocks the very first launch of third-party executables that require access to the user's files and folders.
The end user needs to open the macOS System Preferences Privacy-Full Disk Access dialog and accept each executable. Right after completing installation, Endpoint Security guides the end user to complete this process.
In macOS 10.15.4 and later, Gatekeeper regularly informs the end user about running "legacy third party kernel extensions".
