
[Carbon Black Cloud] Installing the sensor in KEXT mode on macOS Big Sur (v3.5.1+)

Environment

Supported sensor versions: 3.5.1+
Supported OS versions: macOS 11/Big Sur
Supported installation methods: command-line installation, installation via MDM

 

Introduction

The Carbon Black Cloud macOS sensor supports both System Extension and KEXT-based operation. System Extension mode is the default on macOS Big Sur, but the sensor can be installed in KEXT mode or switched into KEXT mode via RepCLI after installation. KEXTs currently enable more functionality on the Carbon Black Cloud than System Extensions do, so KEXT mode may be ideal for some users. For more information on the functionality delivered by System Extensions vs. KEXTs on macOS Big Sur, please review this article.

 

Before you begin installation

For an optimal experience, pre-approve the sensor's KEXT prior to installing the sensor. Pre-approving the KEXT on macOS Big Sur is different than older operating systems, so please review the KEXT pre-approval documentation carefully.

 

Installing the sensor into KEXT mode on macOS Big Sur

On macOS 11, the attended installer will default to installing a System Extension sensor. In order to install into KEXT mode, we recommend using the unattended install script, cbcloud_install_unattended.sh, found in the mounted DMG of the sensor installer in the docs folder.

A new -k flag has been introduced to cbcloud_install_unattended.sh to signify a KEXT sensor install. This flag also works when upgrading.

In order for Kernel Extensions (aka legacy System Extensions) to be run on macOS Big Sur, Apple has added two new or enhanced restrictions:

  1. Kernel Extensions must be pre-approved via MDM (since macOS 10.13).
  2. Kernel Extensions must also be approved manually by the user, and the OS requires a reboot after install. Alternatively, a kernel cache rebuild can be triggered with a custom reboot script.

Installation steps

  1. Run the cbcloud_install_unattended.sh script. Your mount point may be slightly different:

    sudo /Volumes/CBCloud-3.5.1.123/docs/cbcloud_install_unattended.sh -i /Volumes/CBCloud-3.5.1.123/CBCloud\ Install.pkg -c [Company Registration Code] -k

     Please note the -k flag appended onto the installation script.

  2. Before the install finishes, a pop-up will appear stating that a System Extension has been updated. Approve this prompt in the Security & Privacy pane of System Preferences, or follow the steps here to automate the secondary KEXT approval through MDM using a custom reboot command. The install may report a failure here if the user does not approve the KEXT in time. The install can still be completed despite this reported failure.

Once the installation and local KEXT approval have completed, the user must reboot to finalize the installation. Until a reboot is performed, the sensor will report into the console with a bypass status.
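
The steps above as a wrapper script, added here as an example (it is not part of the original article or the vendor's tooling). It locates the mounted DMG, since the mount point may differ, and runs the unattended script with -k. The function names and the CBCloud-* glob are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumed names: find_cb_mount,
# install_kext_mode, and the CBCloud-* glob used to find the mounted DMG.
# Run as root, as the article's sudo command does.

# Print the first mounted sensor volume under $1 (default /Volumes) that holds
# both the unattended script and the installer package; return 1 if none.
find_cb_mount() {
    root="${1:-/Volumes}"
    for vol in "$root"/CBCloud-*; do
        if [ -f "$vol/docs/cbcloud_install_unattended.sh" ] &&
           [ -f "$vol/CBCloud Install.pkg" ]; then
            printf '%s\n' "$vol"
            return 0
        fi
    done
    return 1
}

# Run the unattended installer in KEXT mode (-k).
# $1 = volumes root, $2 = company registration code.
# Returns 2 (no code), 3 (DMG not found), or the installer's exit status.
install_kext_mode() {
    root="$1"; code="$2"
    [ -n "$code" ] || { echo "registration code required" >&2; return 2; }
    mnt=$(find_cb_mount "$root") || {
        echo "sensor DMG not mounted under $root" >&2; return 3; }
    rc=0
    "$mnt/docs/cbcloud_install_unattended.sh" \
        -i "$mnt/CBCloud Install.pkg" -c "$code" -k || rc=$?
    if [ "$rc" -ne 0 ]; then
        # The article notes a failure can be reported when the KEXT prompt
        # is not approved in time; the install can still be completed.
        echo "installer exited $rc: approve the KEXT if prompted, then reboot" >&2
    else
        echo "install finished: reboot required, sensor is in bypass until then" >&2
    fi
    return "$rc"
}

# Usage: install_kext_mode /Volumes "<Company Registration Code>"
```
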

Can I use Cloud Upgrade to upgrade sensors running in KEXT mode on macOS Big Sur?

No. Cloud Upgrade only supports the default installation and upgrade scenario, which is System Extension-mode on macOS Big Sur. Sensors running in KEXT mode will need to be upgraded either via an MDM or via a local command-line installation.

Attempts to upgrade a sensor running the KEXT on macOS Big Sur via Cloud Upgrade will not succeed.

Apple also requires the use of an MDM to pre-approve kernel extensions on macOS Big Sur.

Comments

Once a sensor is installed and fully functioning in KEXT mode and active in the CB Console, can it be updated using the console or do updates need to be done through an MDM as well?

Is it possible in the console to verify if a particular sensor is in SysExt or KEXT?

@mattsmigal wondering if you got a response on this?? thanks

@dtenebruso 

Nothing, I still have no idea. 

Article Information
Creation Date: 12-07-2020