Content Aware Protection Not Blocking Git Operations on macOS Despite SSL Certificate Configuration

I’m experiencing an issue where Content Aware Protection policies are working correctly on Windows but failing to block Git operations on macOS, even after proper SSL certificate installation.

Environment:

  • Endpoint Protector Server: [Your version]

  • macOS Client: Endpoint Protector [version]

  • macOS Version: [Your macOS version - from sw_vers]

  • Windows Client: Working correctly

Issue:

On Windows, the Content Aware Protection policy for Source Code successfully blocks Git operations with the expected SSL certificate error:

fatal: unable to access 'https://github.com/github/explore.git/': SSL certificate problem: self-signed certificate in certificate chain

On macOS, Git operations complete successfully and are NOT blocked by the same policy, despite following all SSL certificate installation steps.

Steps Taken:

  1. Certificate Installation:

    • Exported/imported Endpoint Protector SSL certificate (named: cacert) into macOS System Keychain

    • Set certificate trust to “Always Trust” for SSL

    • Configured certificate system-wide (not just Login keychain)

  2. Git Configuration Attempted:

   git config --global http.proxy http://127.0.0.1:8080
   git config --global https.proxy http://127.0.0.1:8080
   git config --global http.sslCAInfo ~/ep-cert.pem

  3. Policy Verification:

    • Content Aware Protection policy is enabled

    • Policy is assigned to macOS computer group

    • Action is set to “Block”

    • Same policy works perfectly on Windows devices

Key Finding:

The Endpoint Protector network filtering component (system extension) is not installed or activated on macOS, which prevents SSL inspection and Content Aware Protection from working. Traffic is not being intercepted.

Questions:

  1. Does the macOS client installer automatically install the required system extension, or is manual approval needed during installation?

  2. Are there specific macOS Security & Privacy settings that must be configured for the network extension to activate?

  3. Is there a known compatibility issue with certain macOS versions (Big Sur/Monterey/Ventura/Sonoma)?

  4. What is the correct proxy configuration for macOS? (127.0.0.1:8080 doesn’t seem to work)

  5. How can I verify that the network extension is properly installed and active?

Expected Behavior:

macOS should behave identically to Windows - Git operations over HTTPS should be intercepted by SSL inspection, analyzed by Content Aware Protection, and blocked according to policy rules.

Additional Context:

  • Windows client: SSL inspection working, policies enforced correctly

  • macOS client: Appears to be installed but network filtering not functioning

  • Both clients connected to same EP server with identical policies

Has anyone else encountered this issue? Any guidance on properly enabling the network extension on macOS would be greatly appreciated.

1 Like

Hi Paras,

“The Endpoint Protector network filtering component (system extension) is not installed or activated on macOS, which prevents SSL inspection and Content Aware Protection from working. Traffic is not being intercepted.”

You figured it out: this is the reason the Content Aware Protection policy is not working. Besides granting full disk access and uploading/trusting the certificate in the keychain, the Endpoint Protector client also needs to load a network extension. Under normal circumstances, the user is prompted to Allow the network extension. Please follow steps 1–7 on the following link to ensure the configuration is set up correctly: Global Settings | Netwrix Product Documentation

Another prerequisite for the network extension prompt to appear is that a CAP policy must be enabled on the specific machine, ideally with a browser selected as an exit point.

I’ve seen situations where the network extension pop-up didn’t show up, and most of the time the cause was an MDM profile blocking additional extensions from being added. If your Mac is enrolled in MDM, it’s worth checking if there are any restrictions related to extensions, filters, proxies or VPN.

Also, if you have an MDM, you can pre-approve full disk access, the certificate and the network extension, so users don’t have to manually do it. Netwrix has an MDM deployment guide for Jamf, but the steps are very similar across all MDMs: Jamf | Netwrix Product Documentation

Hope this helps.

Zoran

1 Like
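One way to check the network extension state asked about in the thread, as an added example that is not part of the original posts or the vendor documentation: it classifies the `[state]` column of `systemextensionsctl list` for a network extension. The bundle ID pattern `com.example.dlp`, the team ID and the sample output are constructed placeholders; set `EXT_PATTERN` to the identifier your client actually registers.

```shell
#!/bin/sh
# Added example: report whether a network system extension is active,
# still waiting for user approval, or absent, based on the text printed
# by macOS's `systemextensionsctl list`.

# Constructed sample output (placeholder team ID / bundle ID, assumed layout).
SAMPLE_PENDING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
        TEAMID0000 com.example.dlp.netext (1.0/1) Example DLP Filter [activated waiting for user]'

# ext_state PATTERN
# Reads `systemextensionsctl list` output on stdin and prints one of:
#   active | pending-approval | other:<state> | missing
ext_state() {
    awk -v pat="$1" '
        /^--- /    { category = $2; next }   # section header names the extension type
        /^enabled/ { next }                  # column header row
        category == "com.apple.system_extension.network_extension" && index($0, pat) {
            found = 1
            state = $0
            sub(/^.*\[/, "", state)          # keep only the text inside [ ... ]
            sub(/\].*$/, "", state)
            if (state == "activated enabled")
                result = "active"
            else if (result != "active" && state == "activated waiting for user")
                result = "pending-approval"  # approval prompt not yet accepted
            else if (result == "")
                result = "other:" state      # e.g. an old copy awaiting removal
        }
        END { print (found ? result : "missing") }
    '
}

# On a Mac, inspect the live list; elsewhere, run against the constructed sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | ext_state "${EXT_PATTERN:-com.example.dlp}"
else
    printf '%s\n' "$SAMPLE_PENDING" | ext_state "com.example.dlp"
fi
```

A result of `missing` or `pending-approval` on a machine with a CAP policy assigned matches the situation described in the reply above, where the extension was never loaded or never allowed.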