Support Center > Search Results > SecureKnowledge Details
Self-protection feature in Endpoint Security for macOS Technical Level

Important Notes

  • When you enable self-protection, you must enter the Organizational uninstall password to uninstall or upgrade the Endpoint Security client.
  • You can configure and update the Organizational password at any time.
    Usually, an administrator configures this password before any computers are connected.
  • In E84.30 and E84.70 this feature is disabled by default.
    In higher releases, this feature is enabled by default.
  • This feature requires macOS 10.15 (Catalina) or higher.

Use the 'cpSelfProtection' utility to manage the self-protection after the Endpoint Security client installation

  • The Endpoint Security client installs the 'cpSelfProtection' utility on macOS in this directory:
    /Library/Application\ Support/Checkpoint/Endpoint\ Security/
  • To run this utility in the Terminal:
    cd /Library/Application\ Support/Checkpoint/Endpoint\ Security/
  • To see the built-in help, run:
    ./cpSelfProtection -h
  • This utility can change the self-protection:
    • Temporarily (does not survive reboot):
      ./cpSelfProtection {enable | disable}
    • Permanently (survives reboot):
      ./cpSelfProtection {on | off}
  • When you run this utility, you can provide the password as an argument.
    If you do not enter the password as an explicit argument, this utility shows an authentication dialog.
  • If you run this utility from a Terminal and you enter the password as an explicit argument, the Terminal may save the password in the history file.
    You can remove the password from the history with this command (it prevents anything in your current session from being written to your long-term history, but does not clear out that long-term history):
    history -c
  • To avoid authentication dialogs during an upgrade, an MDM solution can use the utility to disable the self-protection before running the upgrade.
  • If you run this utility from an MDM, then the script itself contains the password.
    Remove the script from the MDM after you run it.

Give us Feedback
Please rate this document