Unsupported Mac Mojave
Mojave will be almost UNUSABLE without graphics acceleration. This includes the 15' and 17' MacBook Pro systems (MacBookPro8,2 and 8,3). If you want to enable GPU acceleration on these machines, you'll need to disable the AMD GPU (This will work on MacBook Pro 8,2 and 8,3 systems ONLY. You CANNOT disable the AMD GPU in an iMac.). How to download macOS Mojave Installer even on unsupported Mac? Using this quick tutorial you can download macOS Mojave, macOS High Sierra and macOS Sierra o.
This advisory describes the changes and steps administrators can take to deploy Mac Connector 1.14.
This video, I demonstrate How to Install macOS 10.14 (Mojave) on unsupported IMac 2009. As of now, Mojave works almost perfectly on most recently droppe.
The Mojave 10.14.1 update does NOT install properly on unsupported machines, and could result in an unbootable OS. If you want to install the 10.14.1 update (and are not currently running 10.14.1), perform the following steps. Jun 22, 2020 A: If your Mac had official support in macOS Catalina, they will likely be able to be patched to run Big Sur with minimal issues. As of writing, only WiFi appears to be unstable, and even then, not for all users. If your Mac was unsupported before the release of macOS Catalina, support remains to be seen as graphics acceleration may not be.
Mac Connector version 1.14 introduces a number of changes that require user attention. Most notably, this Connector release includes changes to full disk access approvals and adds support for macOS 11 (Big Sur) System Extensions.
Since the inital 1.14 launch, compatibility issues have been discovered with 3rd party applications on macOS 10.15 Catalina when system extensions are in use. Apple will be addressing these issues in future releases of macOS 11 but will not be fixing these issues in macOS 10.15. Consequently, starting with version 1.14.1, the Mac Connector will use legacy kernel extensions instead of system extensions on all versions of macOS 10.15.
Mac Connector 1.14 is required to ensure endpoint protection on macOS 11. Older Mac Connectors will not work on this version of macOS.
It is highly recommended to deploy the Mac Connector with an MDM profile that grants the required approvals. MDM profiles must be installed before installing or upgrading the Mac Connector to ensure the needed permissions are recognized. Refer to the Known Issues section later in this document if MDM cannot be used.
Minimum OS Requirements
AMP for Endpoints Mac Connector 1.14.0 supports the following macOS versions:
- macOS 11, using macOS system extensions.
- macOS 10.15.5 and later, using macOS system extensions.
- macOS 10.15.0 through macOS 10.15.4, using macOS kernel extensions
- macOS 10.14, using macOS kernel extensions.
AMP for Endpoints Mac Connector 1.14.1 supports the following macOS versions:
- macOS 11, using macOS system extensions.
- macOS 10.15 using macOS kernel extensions.
- macOS 10.14, using macOS kernel extensions.
For deployments that include endpoints running older macOS versions, consult the OS Compatibility Table for compatible Mac Connector versions.
Important Changes
Mac Connector 1.14 introduces important changes in three areas:
- Approving AMP macOS Extensions to load
- Full Disk Access
- New Directory Structure
Approving Mac Connector macOS Extensions
The Mac Connector uses either System Extensions or legacy Kernel Extensions to monitor system activities, depending on the macOS version. On macOS 11, System Extensions replace the legacy Kernel Extensions that are unsupported in macOS 11. User approval is required on all versions of macOS before either type of extension is allowed to run. Without approval, certain Connector functions such as on-access file scan and network access monitoring will be unavailable.
Macos catalina for macbook pro 2015. Mac Connector 1.14 introduces two new macOS system extensions:
- An Endpoint Security extension, named AMP Security Extension, to monitor system events
- A Network Content Filter extension, named AMP Network Extension, to monitor network access
The two legacy Kernel Extensions, ampfileop.kext
and ampnetworkflow.kext
, are included for backwards compatibility on older macOS versions that don't support the new macOS System Extensions.
The following approvals are required for macOS 11** and later:
- Approve AMP Security Extension to load
- Approve AMP Network Extension to load
- Allow AMP Network Extension to filter network content
** Mac Connector version 1.14.0 also required these approvals on macOS 10.15. These approvals are no longer required on macOS 10.15 when running Mac Connector 1.14.1 or later.
The following approvals are required for macOS 10.14 and macOS 10.15:
- Approve AMP Kernel Extensions to load
These approvals can be granted using the macOS Security & Privacy Preferences on the endpoint, or by using Mobile Device Management (MDM) profiles.
Approving Mac Connector macOS Extensions at the Endpoint
System and Kernel extensions can be approved manually from the macOS Security & Privacy Preferences pane.
Approving Mac Connector macOS Extensions using MDM
NOTE: macOS Extensions cannot be retroactively approved via MDM. If the MDM profile is not deployed prior to installing the Connector then the approvals will not be granted and additional intervention will be required in one of the following forms:
1. Manual approval of the macOS Extensions on endpoints that had the management profile deployed retroactively.
2. Upgrading the Mac Connector to a newer version than the one currently deployed. Endpoints that had themanagement profile deployed retroactively will recognize the management profile after upgrade and gain approval once the upgrade completes.
AMP extensions can be approved using a management profile with the following payloads and properties:
Payload | Property | Value |
SystemExtensions | AllowedSystemExtensions | com.cisco.endpoint.svc.securityextension, com.cisco.endpoint.svc.networkextension |
AllowedSystemExtensionTypes | EndpointSecurityExtension, NetworkExtension | |
AllowedTeamIdentifiers | DE8Y96K9QP | |
SystemPolicyKernelExtensions | AllowedKernelExtensions | com.cisco.amp.fileop, com.cisco.amp.nke |
AllowedTeamIdentifiers | TDNYQP7VRK | |
WebContentFilter | AutoFilterEnabled | false |
FilterDataProviderBundleIdentifier | com.cisco.endpoint.svc.networkextension | |
FilterDataProviderDesignatedRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc.networkextension' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) | |
FilterGrade | firewall | |
FilterBrowsers | false | |
FilterPackets | false | |
FilterSockets | true | |
PluginBundleID | com.cisco.endpoint.svc | |
UserDefinedName | AMP Network Extension |
Full Disk Access
MacOS 10.14 and later require approval before an application can access parts of the filesystem that contain personal user data (e.g. Contacts, Photos, Calendar, and other applications). Certain Connector functions such as on-access file scan will be unable to scan these files for threats without approval.
Previous Mac Connector versions required the user to grant Full Disk Access to the ampdaemon
program. Mac Connector 1.14 requires Full Disk Access for:
- 'AMP for Endpoints Service' and
- 'AMP Security Extension'
The ampdaemon
program no longer requires Full Disk Access starting with this new Mac Connector version.
Full Disk Access approvals can be granted using the macOS Security & Privacy Preferences on the endpoint, or by using Mobile Device Management (MDM) profiles.
Approving Full Disk Access at the Endpoint
Full Disk Access can be approved manually from the macOS Security & Privacy Preferences pane.
Approving Full Disk Access Using MDM
NOTE: macOS Extensions cannot be retroactively approved via MDM. If the MDM profile is not deployed prior to installing the Connector then the approvals will not be granted and additional intervention will be required in one of the following forms:
1. Manual approval of the macOS Extensions on endpoints that had the management profile deployed retroactively.
2. Upgrading the Mac Connector to a newer version than the one currently deployed. Endpoints that had the management profile deployed retroactively will recognize the management profile after upgrade and gain approval once the upgrade completes.
Full Disk Access can be approved using a management profile's Privacy Preferences Policy Control payload with a SystemPolicyAllFiles property with the following two entries, one for the AMP for Endpoints Service
and one for the AMP Security Extension
:
Description | Property | Value |
AMP for Endpoints Service | Allowed | true |
CodeRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) | |
Identifier | com.cisco.endpoint.svc | |
IdentifierType | bundleID | |
AMP Security Extension | Allowed | true |
CodeRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc.securityextension' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) | |
Identifier | com.cisco.endpoint.svc.securityextension | |
IdentifierType | bundleID |
If your deployment includes computers running AMP Connector version 1.12.7 or older, the following additional entry is still required to grant full disk access to ampdaemon
for those computers:
Description | Property | Value |
ampdaemon | Allowed | true |
CodeRequirement | identifier ampdaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TDNYQP7VRK | |
Identifier | /opt/cisco/amp/ampdaemon | |
IdentifierType | path |
Mojave Patch
New Directory Structure
Install Macos Mojave On Unsupported Mac
Mac Connector 1.14 introduces two changes to the directory structure:
- The Applications directory has been renamed from
Cisco AMP
toCisco AMP for Endpoints
. - The command-line utility
ampcli
has been moved from/opt/cisco/amp
to/Applications/Cisco AMP for Endpoints/AMP for Endpoints Connector.app/Contents/MacOS
. The directory/opt/cisco/amp
contains a symlink to theampcli
program at its new location.
The complete directory structure for the new AMP Connector is as follows:
Known Issues with macOS 11.0 and Mac Connector 1.14.1.
- Guidance for fault 10, 'Reboot required to load kernel module or system extension,' may be incorrect if four or more Network Content Filters are installed on the computer. Refer to the AMP For Endpoints Mac Connector Faults article for more details.
Known Issues with macOS 10.15/11.0 and Mac Connector 1.14.0.
- Some faults raised by the Mac Connector may be raised unexpectedly. Refer to the AMP For Endpoints Mac Connector Faults article for more details.
- Fault 13, Too many Network Content Filter system extensions, may be raised after upgrading. Rebooting the computer will resolve the fault in this situation.
- Fault 15, System Extension requires Full Disk Access, may be raised after reboot due to a bug in macOS 11.0.0. This issue is fixed in macOS 11.0.1. The fault can be resolved by re-granting full disk access in the Security & Privacy pane in macOS System Preferences.
- During installation, the Security & Privacy pane may display 'Placeholder Developer' as the application name when granting permission for the Mac Connector system extensions to run. This is due to a bug in macOS 10.15. Check the boxes beside 'Placeholder Developer' to allow the Mac Connector to protect the computer.
- The
systemextensionsctl list
command can be used to determine which system extensions are awaiting approval. System extensions with the state[activated waiting for user]
in this output are displayed as 'Placeholder Developer' in the macOS preferences page shown above. If more than two 'Placeholder Developer' entries are showin in the above preferences page, uninstall all software that uses system extensions (including the Mac Connector) so that no system extensions are awaiting approval, and then reinstall the Mac Connector.
The Mac Connector sysem extensions are identified as follows:- The Network Extension is shown as
com.cisco.endpoint.svc.networkextension
. - The Endpoint Security extension is shown has
com.cisco.endpoint.svc.securityextension
.
- The Network Extension is shown as
- The
- During install, the prompt to allow the Mac Connector's Content Filter to monitor network traffic may display '(null)' as the application name. This is caused by a bug in macOS 10.15. The user needs to select 'Allow' to to ensure protection of the computer.
If the prompt was dismissed by clicking 'Don't Allow' it can be displayed again by clicking the AMP Agent menulet icon in the menu bar and selecting 'Allow Network Filter.'
Once enabled, the AMP Network Extension filter will be listed in the Network Preferences page. - On macOS 11, when upgrading from Mac Connector 1.12 to Mac Connector 1.14, Fault 4, System Extension Failed to Load, may be raised temporarily while the Connector is transitioning from the kernel extensions to the new system extensions.
Revision History
Dec 1, 2020
- Mac Connector 1.14.1 no longer uses system extensions on macOS 10.15.
- Additional guidance on using terminal check which 'Placeholder Developer' System Extensions are awaiting approval when using Mac Connector 1.14.0.
Nov 9, 2020
- Corrected bundle ID in full disk access CodeRequirement MDM payload.
Mac High Sierra
Nov 3, 2020
Macos 10.14 Mojave On Unsupported Macs
- Release date for 1.14.0 Mac Connector is November 2020.
- The 1.14.0 Mac Connector will use System Extensions starting with macOS 10.15.5. Previously this was 10.15.6.
- Added Known Issues section.
- Updated directory structure outline.
Welcome to Mr. Macintosh.com. If you are part of one of the following groups, Mac Admins, Mac Support, Mac Developer, Mac in Education or Mac User, then this is the site for you. Each group is important, yet has different needs.
- Mac Admin = This tag is for anyone in who is in Macintosh Architecture, Engineering, System Administration, or MDM Administrators.
- Mac Support = Someone who supports or fixes Macintosh issues. This group includes anyone who works in a Macintosh Helpdesk role. You could be level 1-3 or even a Subject Matter Expert (SME) or Team Lead or Management.
- Mac in Education = This group is for anyone working in K-12 or Higher Education. You could be a teacher, Helpdesk Analyst, or Administrator.
- Mac Developer = A Mac Developer, covers anyone who develops software on the Mac, including macOS iOS, iPadOS, watchOS, and tvOS.
- Mac User = This could be anyone who uses a Mac. You want to learn more about how the Mac works. You could be an everyday user, enterprise user, student, collector, or even an enthusiast.
I have at one time or another been a part of 4 of 5 groups. I started as a Mac User when I got my first Mac (Blue and White PowerMac G3). Then I got my first job in Mac EDU (Mac Higher Education). After that, I moved on to Mac Support (Mac Enterprise IT Support). Today I am a member of Mac Admins (Macintosh Architecture & Engineering).
If you are just getting started and are thinking of getting into a career supporting Apple devices, knowledge and learning is critical. Read and learn as much as you can along the way.
Macos Mojave On Unsupported Macs
Be sure to check out my latest blog posts! If you have any comments or questions, feel free to contact me. Thank you for visiting my website.
«12»Comments
Mac Os On Unsupported Mac
- pls direct me to the right forum is the following question is not to be posted here.I downloaded the patch version dosdude1 Current version: 1.1.2.Created the flash drive and got a successful complete.Tested on a Macbook Pro mid 2011 and a new hard disk.The installation bar goes to the end and stays there, waited for a long time and have to shutdown the computer.I used Mojave Beta2 and i don't know if this is the problem. the dosdude1 version suggest the latest.So what Mojave beta works with Dosdude1 current version: 1.1.2?anybodyP.S. I know there some old version of this tool, which one will work?
- I have a 2011 iMac, cant i just upgrade the chip, ram and graphics card to make it work?
Not Happy, I have a iMac 27p SSD I7 mi-2009 fast, and NO MOJAVE UPGRADE, disgusting, Authorize only Mac's after 2012, that is 6 years old, use not acceptable when you think that your machine costs 4000 dollars, even Microsoft does not do that
A Mac is not a Phone !
I can understand that some features cannot be available, but the FULL release not available without a good technical cause cannot be accepted without fight.
Is there an association there that could issue a class action to claim for Mojave support for our not so old Macs ?
I have a 2009 PC with the latest Windows 10, Is not Apple ashamed to issue a Mojave is forbidden to a perfectly fast and modern machine like the iMac mid-2009 ? Same for MacBook Pro ? same for MacBook Air ? Please Steve come and clean their minds.
We have to make the buzz on Social Networks and Mac information sites, If not the delay will be 5 years, then 3 years, then 1 year and we will have to go back to Windows PC.
Best Regards
Not Happy, I have a iMac 27p SSD I7 mi-2009 fast, and NO MOJAVE UPGRADE, disgusting
Last it seems that there was a deal with Microsoft to use a microsoft antialiasing software up to 2017, this would restrict Apple Mac OS to Retina display, may be this is the real reason for discarding more that 5 years old Macs that are not Retina, a number of users having non retina screens (external ),are claiming that fonts are ugly with Mojave !!
So do not upgrade to MOJAVE if you have non Retina external display, try it with a Dongle.
- That is correct, and is exactly what I do, OutdoorAppDeveloper I would like to add a question. What if you upgraded the RAM and switched from an HDD to an SSD, would it be ok to install Mojave on a 2009 Mac with all of these upgrades?
- I did this but now the MBP (early 2011) start complaining about hardware accelaration not turned on. Any ideas?
- I have an iMac mid 2011 and I really intend to buy a new one. But for now all I can do is update it to Mojave and upgrade my actual RAM and change disk to SSD.
- I attempted using macOS Mojave Patcher v1.2.2, downloaded Mojave as instructed, created the USB installer however after rebooting the USB installer could not be seen. There’s no way to boot from it at all, any ideas?edited January 2019
- There's a compelling reason for installing Mojave on my mid-2009 MacBook Pro: Adobe Creative Cloud 2019 will not install on any older versions of MacOS. DosDude's patcher worked flawlessly, and the only problem with the update is cosmetic; the menu bar has a grey tint. I was able to install CC 2019 and it works perfectly.
You can disable transparency and then it'll work normally.There's a compelling reason for installing Mojave on my mid-2009 MacBook Pro: Adobe Creative Cloud 2019 will not install on any older versions of MacOS. DosDude's patcher worked flawlessly, and the only problem with the update is cosmetic; the menu bar has a grey tint. I was able to install CC 2019 and it works perfectly.
system preferences>accessibility>Display> enabling 'reduce transparency' removes the 'greying out glitches in light mode.- Posts: 2unconfirmed, memberHello!!! I'm in desperate need of some help. I tried following the provided in the mojave tool however I after step 6 my mac shut down and when I turn it on it has a cancel sign 🚫
I'm wondering if anyone can help me at least get it back to how it was before?
Thank you! - Posts: 2unconfirmed, member
I tried to add an emoji of the cancel sign but it didn't work so I'll add a picture of what it looks like here: - Though I used a different method and it worked like a charm. The methods can be found here- https://techrechard.com/how-to-install-macos-catalina-on-unsupported-mac/