I would definitely open a TAC case if there are any issues after deployment.
Hi — here’s a practical, step-by-step runbook for deploying Harmony / Endpoint Security Client E89.10 on macOS when your management is R81.20 on‑prem (Web UI Management + SmartEndpoint). I’ll cover package prep in SmartEndpoint, deployment options (manual vs Tiny Agent), macOS permissions (Full Disk Access + Network Extension), and verification / uninstall.
0) Quick compatibility checklist (do this first)
- Management server compatibility: E89.x macOS clients (including E89.10) are supported with Endpoint Security Management Servers R81.10 / R81.20 / R82 (on‑prem and cloud), with E89.00 and higher = “yes”. [sc1.checkpoint.com]
- macOS version support: E89.x supports macOS releases per the “Client Requirements” table; notably macOS Sequoia (15) is GA-supported starting E89.00 and later, and other versions map accordingly. Also, the E89.10 download entry lists supported macOS versions (e.g., macOS 13/14/15 in the download details). [sc1.checkpoint.com] [support.ch…kpoint.com]
- Know the “two macOS approvals” you’ll need. Starting E88.00+:
1) Get the E89.10 macOS installer package
Option A — download from Check Point Support (most common)
- Download the E89.10 macOS package (example filename shown as EPS_E89.10_ALL_app.zip on the download page). [support.ch…kpoint.com]
- If you need to confirm the exact build mapping for E89.10 on macOS, Check Point publishes build numbers in their “Standalone Clients – Versions and Build Numbers” SK. [support.ch…kpoint.com]
Option B — if you already have the ZIP from another environment
- You can still upload it into your Endpoint package repository from SmartEndpoint (next section). [sc1.checkpoint.com]
2) Upload the client package into the Package Repository (SmartEndpoint)
This is the part that’s often missing from “short” docs: you must load/upload the package into the repository so SmartEndpoint can produce the customized Mac installer ZIP you distribute.
- Open SmartEndpoint
- Go to Deployment tab
- Use Load client installer file (or equivalent repository load action) to upload the new client package into the repository. [sc1.checkpoint.com], [sc1.checkpoint.com]
- Notes / pitfalls:
- Check Point warns you cannot mix package “types” in one repository for a given release (for Windows they mention Dynamic vs MSI); repository hygiene matters for successful deployments. [sc1.checkpoint.com]
- After upload, packages are stored on the server (default path is documented). [sc1.checkpoint.com]
3) Build the macOS installer ZIP from SmartEndpoint (the one you deploy)
In SmartEndpoint → Deployment tab:
- Under Mac Client, click Download. [sc1.checkpoint.com], [sc1.checkpoint.com]
- In the download window:
- SmartEndpoint outputs Endpoint_Security_Installer.zip — this is what you distribute to Macs. [sc1.checkpoint.com], [sc1.checkpoint.com]
✅ Important design constraint: macOS client packages are distributed manually and do not use the classic “Software Deployment” flow the way Windows does. [sc1.checkpoint.com], [sc1.checkpoint.com]
4) Choose your deployment method
Method 1 — Manual distribution (simple / small fleets)
You distribute Endpoint_Security_Installer.zip using:
Method 2 — “Tiny Agent” for automatic initial install (better for scale)
Check Point’s Tiny Agent is a small app that downloads and installs the initial client automatically. It is available for on‑prem deployments with Endpoint Security Management Server R81.20 or higher. [sc1.checkpoint.com]
To download Tiny Agent (per Check Point flow):
- In Web UI, click Overview → Download Endpoint (top banner), or
- Policy → Deployment Policy → Software Deployment → Download Endpoint (top banner). This downloads EPS_TINY.zip; unzip it and run the app. [sc1.checkpoint.com]
5) Pre-approve macOS permissions (MDM best practice)
Why this matters
Without MDM profiles, end users must manually approve system components and Full Disk Access; Check Point explicitly recommends using MDM (Jamf/Intune) to avoid user prompts by deploying the necessary payloads. [sc1.checkpoint.com]
What you need to push via MDM
Check Point’s MDM deployment guide lists profile files including:
If you do not have MDM, you can still proceed—users will just need to approve permissions interactively. [sc1.checkpoint.com], [sc1.checkpoint.com]
6) Install on the Mac (end-user or scripted hands-on steps)
On the macOS endpoint:
- Copy Endpoint_Security_Installer.zip to a local disk (not a file share). [sc1.checkpoint.com]
- Double‑click the ZIP to expand it. [sc1.checkpoint.com], [sc1.checkpoint.com]
- Launch the extracted .app (“Check Point Endpoint Security Installer”). [sc1.checkpoint.com], [sc1.checkpoint.com]
- Click Install. [sc1.checkpoint.com], [sc1.checkpoint.com]
- Enter macOS admin username/password to authorize the install. [sc1.checkpoint.com], [sc1.checkpoint.com]
- Wait for “installed successfully” and click Close; the menu bar icon should appear. [sc1.checkpoint.com], [sc1.checkpoint.com]
7) Post-install: approve permissions (if not already handled by MDM)
A) Full Disk Access (FDA)
Starting E88.00+, only the main executable “Check Point Endpoint Security” needs Full Disk Access. If not pre-approved by MDM, the user must allow it in macOS privacy settings. [sc1.checkpoint.com] [sc1.checkpoint.com], [sc1.checkpoint.com]
B) Network Extension
Starting E88.00+, the client needs approval for “Check Point Network Extension”. On newer macOS versions (example shared in the community), the setting is typically found under: System Settings → General → Login Items & Extensions → Network Extensions. [sc1.checkpoint.com] [community….kpoint.com]
(If you’re using MDM, push the Network Extension .mobileconfig so the user doesn’t need to do this manually.) [sc1.checkpoint.com], [sc1.checkpoint.com]
8) Verify the client is enrolled and healthy
- Confirm the Endpoint Security icon is in the macOS menu bar after install. [sc1.checkpoint.com], [sc1.checkpoint.com]
- From SmartEndpoint/Web UI, confirm the endpoint appears and pulls policy (normal heartbeat).
- If you see “Endpoint Security needs user authentication”, it can occur because internal communication may require a valid Kerberos ticket, and the user may need to run Authenticate from the client menu. [sc1.checkpoint.com]
9) Upgrades and blade changes
- Upgrades can be performed the same way as installations; additionally, the Endpoint Web Management Console Software Deployment can push new versions or add/remove blades. (Even though macOS packages are “manual distribution,” Check Point still documents upgrade operations via the web console for certain workflows.) [sc1.checkpoint.com]
10) Uninstall (and mandatory “Reset computer” step)
On the Mac, run the uninstall script:
sudo "/Library/Application Support/Checkpoint/Endpoint Security/uninstall.sh"
[sc1.checkpoint.com], [sc1.checkpoint.com]
After uninstall, the admin must reset the computer object in SmartEndpoint (Check Point explicitly calls this out). [sc1.checkpoint.com], [sc1.checkpoint.com]
Common pitfalls / troubleshooting tips (quick)
Two questions so I can tailor this to your environment (no need to answer if you just want the generic runbook)
- Are your Macs MDM-managed (Jamf / Intune / Kandji), or is this a manual install scenario? [sc1.checkpoint.com]
- Which blades are you deploying (e.g., Threat Prevention, Firewall/App Control, Media Encryption, Remote Access VPN)? This matters for which MDM profiles you must push. [sc1.checkpoint.com], [sc1.checkpoint.com]
If you tell me MDM type + target macOS versions + blades, I can provide a more “copy/paste” deployment recipe (e.g., Jamf policy layout or Intune profile checklist) aligned to the exact permissions your blade set requires.
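Added example, not part of the post above and not Check Point code: a shell check for steps 7B and 8 that reports whether the client files are present and whether the network extension has actually been approved. It assumes the extension is listed by `systemextensionsctl list` under the display name given in step 7B and that the uninstall script from step 10 marks an installed client; the team ID and bundle ID in the sample are placeholders.

```shell
#!/bin/sh
# Added example: post-install check for the macOS client (not Check Point code).
UNINSTALL="/Library/Application Support/Checkpoint/Endpoint Security/uninstall.sh"  # path from step 10
EXT_NAME="Check Point Network Extension"   # display name from step 7B (assumed to match the listing)

# Constructed sample of `systemextensionsctl list` output; the team ID and
# bundle ID are placeholders, not real Check Point identifiers.
SAMPLE_PENDING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled  active  teamID  bundleID (version)  name  [state]
         *       TEAMID0000  com.example.placeholder (1.0/1)  Check Point Network Extension  [activated waiting for user]'

# Read `systemextensionsctl list` output on stdin and print the bracketed
# state of the first line containing $1 (prints nothing if not listed).
netext_state() {
    awk -v name="$1" 'index($0, name) && match($0, /\[[^]]*\]/) {
        print substr($0, RSTART + 1, RLENGTH - 2); exit }'
}

# Succeed only when the extension is both activated and enabled;
# "activated waiting for user" means the approval prompt was never accepted.
netext_approved() {
    [ "$(netext_state "$1")" = "activated enabled" ]
}

# Run both checks; prints one line per finding, returns non-zero on any failure.
verify_client() {
    rc=0
    if [ -f "$UNINSTALL" ]; then echo "OK   client files present"
    else echo "FAIL uninstall.sh not found (client not installed?)"; rc=1; fi
    if systemextensionsctl list 2>/dev/null | netext_approved "$EXT_NAME"; then
        echo "OK   $EXT_NAME approved"
    else echo "FAIL $EXT_NAME not approved (see step 7B)"; rc=1; fi
    return $rc
}

# Only run the live checks on a Mac; elsewhere the functions can still be
# exercised against saved output such as SAMPLE_PENDING.
if command -v systemextensionsctl >/dev/null 2>&1; then verify_client || true; fi
```

Full Disk Access is not checked here because the TCC database cannot be read without that same permission; confirm it through the MDM profile status or in the privacy settings.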