Forcepoint DLP Endpoint Windows and Mac deployments

To upgrade your existing version of Forcepoint DLP Endpoint:
Note: If the user uses custom messages on the endpoint and before upgrading to v23.11, they have to push these custom messages again via FSM profile after the upgrade.
  1. Make sure you have a v8.8.x or later management server installed and functioning. You must be logged on to the Forcepoint DLP server with a Service Account before you run the package builder. Otherwise, incorrect communication keys are created and Forcepoint DLP Endpoint cannot connect to the Forcepoint DLP server.
  2. (optional) Make a backup copy of the Endpoint package builder executable file, WebsenseEndpointPackageBuilder.exe. This file is found at C:\Program Files (x86)\Websense\Data Security\client.
  3. Download ForcepointOneEndpointPackage.zip from the Forcepoint Downloads page and unzip it into the C:\Program Files (x86)\Websense\Data Security\client folder. Five files are unzipped and placed in the folder:
    • The WebsenseEndpointPackageBuilder.exe file is for building the Forcepoint DLP Endpoint software package to install on your endpoint machines.
    • The WebsenseEPClassifier.pkg.zip file is a DLP Endpoint Classifier exclusively for Mac endpoints running Forcepoint DLP Endpoint.

      Sites that are not running Forcepoint DLP Endpoint on Mac can ignore the WebsenseEPClassifier.pkg.zip.file.

    • The EPA.msi file is the Endpoint Classifier for Win32 endpoints.

      Sites that are not running Forcepoint DLP Endpoint on Win32 machines can ignore the EPA.msi file.

    • The EPA64.msi file is the Endpoint Classifier for Win64 endpoint machines.

      Sites that are not running Forcepoint DLP Endpoint on Win 64 machines can ignore the EPA64.msi file.

      Important:

      Due to a compatibility issue with older Windows Endpoint Classifier files, you must use the Windows Endpoint Classifier files provided in this ZIP file when you build a Windows Forcepoint DLP Endpoint installation package using this package builder.

      If you use older Windows Endpoint Classifier files, the package builder shows an error message and does not build an installation package.

    • The EndpointMessageTemplates.zip file contains the updated endpoint message templates for this release. For Forcepoint DLP Endpoint customers, the v20.09 release introduced a new message that may not be available in Forcepoint DLP yet. To show this message, customers must replace their message templates through the Forcepoint Security Manager:
  4. If you have Mac endpoint machines running Forcepoint DLP Endpoint:
    1. Back up the file WebsenseEPClassifier.pkg.zip in the following folder: C:\Program Files (x86)\Websense\Data Security\client\OS X. If the OS folder does not exist, create it.
    2. Copy the new WebsenseEPClassifier.pkg.zip from the folder in step 3 and place it into the \OS X folder.

      You do not need to unzip this file. It is automatically unzipped by the package builder when it creates the new Mac installation package.

  5. If you have Win32 endpoint machines running Forcepoint DLP Endpoint:
    1. Back up the file EPA.msi in the following folder:

      C:\Program Files (x86)\Websense\Data Security\client.

    2. Copy the new EPA.msi from the folder in step 3 and place it into

      C:\Program Files (x86)\Websense\Data Security\client.

  6. If you have Win64 endpoint machines running Forcepoint DLP Endpoint:
    1. Back up the file EPA64.msi in the following folder:

      C:\Program Files (x86)\Websense\Data Security\client.

    2. Copy the new EPA64.msi from the folder in step 3 and place it into

      C:\Program Files (x86)\Websense\Data Security\client.

  7. Run WebsenseEndpointPackageBuilder.exe to generate a new Forcepoint DLP Endpoint installation package.
  8. Deploy the v23.11 installation package to each endpoint machine using one of the methods described in the Installation and Deployment Guide for Forcepoint F1E.
  9. If you are upgrading to Forcepoint DLP Endpoint v21.12 or later on macOS 11 (Big Sur) onwards, you are prompted to enable full disk access (FDA) for new processes:
    1. When the installer opens the prompt, click Open Full Disk Access to open the macOS System Preferences window.
    2. On the Privacy tab, select ESDaemonBundle.app and Websense Endpoint Helper.app.
    3. Click the + button under the list.
    4. Go to Library/Application Support/Websense Endpoint/DLP/, select wsdlpd, then click Open.
    5. Verify that wsdlpd is included in the list and selected.
    6. Click the + button under the list.
    7. Go to Library/Application Support/Websense Endpoint/EPClassifier/, select EndPointClassifier, then click Open.
    8. Verify that EndPointClassifier is included in the list and selected.
    9. Close the Security & Privacy window.
      Note: If you are deploying Forcepoint DLP Endpoint using Jamf, you can enable FDA for these processes using a configuration file. See the Deploying F1E DLP Endpoints on macOS Environments via Jamf Profile Knowledge Base article.
  10. Restart the endpoint machine after installation is complete, if needed.
    Upgrade from Restart Required?
    Forcepoint DLP Endpoint (Windows)

    v20.x

    v21.x

    v22.x

    v23.x

    Yes
    Forcepoint DLP Endpoint (Mac)

    v20.x

    v21.x

    v22.x

    v23.x

    Yes
  11. If you upgraded Forcepoint DLP Endpoint on a Mac endpoint machine running macOS 10.15 or later, you must enable full disk access, then restart the machine. For more information, see Enabling full disk access on macOS 10.15, macOS 11, and macOS 12.
Important:

The new Forcepoint F1E cannot be downgraded to the older, conventional version (v8.5 or earlier).

If you update to Forcepoint DLP Endpoint v23.11 and need to downgrade to a conventional version, you must manually remove the new Forcepoint DLP Endpoint version before you install the older, conventional version. Forcepoint DLP Endpoint can be downgraded to a previous Forcepoint F1E version (Forcepoint DLP Endpoint v18.x. v19.x, or v20.x)