CBC Mac Sensor Announcement for macOS 12.3

April 22nd update: Sensor 3.6.1.10 will not be available after 4/20/2022. VMware Carbon Black strongly recommends not upgrading to macOS 12.3 until sensor version 3.6.2.110 is installed.

On Monday, March 14th, Apple GA'd macOS version 12.3. Carbon Black Cloud has identified that, in some cases, a sensor enters bypass mode immediately after upgrading to macOS 12.3, which results in feature loss. Additionally, the bypass state in this scenario does not properly display on the backend. VMware Carbon Black strongly recommends not upgrading to 12.3 until the release of the 3.6.2 sensor, which will resolve the issue.

During pre-release builds, Carbon Black Cloud identified changes that Apple has made in version 12.3 with regard to their internal protocols. In some circumstances, these changes resulted in the sensor silently going into bypass mode while still appearing as active in the console. While the sensor is in bypass mode, the endpoint will not be protected. If encountered, this issue can be resolved by upgrading the sensor to version 3.6.2.110.

The Carbon Black Cloud macOS team has released the 3.6.2 version of the sensor as a resolution to the issue. Refer to release notes here: https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/3.6.2.110/rn/vmware-carbon-black-cloud-macos-se...

Check back on this post for more information in the future.

Comments

Hello @flymate-n8 @wongvi! We're sending this out using JAMF, and test users are getting the 'System Extension Blocked' popup. Is there a new 'Kernel Extension Bundle ID' to approve in mac, related to this new version?

Hello @Justang,

What version and architecture of macOS are you attempting to install this on?

Per the release notes, the Kernel Extension is Intel only, and only on macOS Big Sur 11 or earlier (so not macOS Monterey 12).

Our fleet is all on macOS Monterey at this point, so I have no easy way to check if the Bundle ID changed.

Hey @flymate-n8, thanks for your response, and please forgive my Mac OS/Hardware knowledge gaps if what I bring up is wrong.

Background:

We have a mix of Intel and M1 chip Mac systems, a fairly large fleet. These systems are mostly on 12.x, many already on 12.3.0.

The notifications in CB portal bring up this bulletin for a working Mac (12.3) version of CB (3.6.2) that was slated for release today (March 21st).

We've tested CB install on 7 systems and all seem to come up green in CB portal (12.2.1, and 12.3.0).

Issue:

The problem that's being seen is when sending this new version out with JAMF, the users get a popup identifying 'System Extension Blocked'. These users have no administrative rights and won't be able to get that going themselves.

Question:

Is there a specific or new system extension ID needed? I think these are the options needed (just going off Google):

Apple Team ID:
System Extension Bundle ID:

I'm not sure that they've changed, but just to confirm, they should be

Apple Team ID: 7AGZNQ2S2T
System Extension Bundle ID: com.vmware.carbonblack.cloud.se-agent.extension

Also, depending on how you're deploying the installer, you may need to update the cfg.ini so that "KernelType=2"

Some more tidbits here

https://community.carbonblack.com/t5/Documentation-Downloads/Carbon-Black-Cloud-Approving-the-macOS-...

https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Unable-to-upgrade-or-install-...
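For admins pushing the approval through an MDM such as JAMF, the following added example (not part of the thread and not Carbon Black's own tooling) builds an Apple System Extensions policy payload for the Team ID and Bundle ID quoted above and checks whether a given unsigned profile actually approves that pair. The payload identifiers, display names and organization name are placeholders chosen for illustration.

```python
import plistlib
import uuid

TEAM_ID = "7AGZNQ2S2T"  # value quoted in the thread
BUNDLE_ID = "com.vmware.carbonblack.cloud.se-agent.extension"  # value quoted in the thread
POLICY_TYPE = "com.apple.system-extension-policy"  # Apple's System Extensions payload type


def build_profile(team_id, bundle_ids, org="Example Org"):
    """Return unsigned .mobileconfig bytes that pre-approve the given extensions."""
    policy = {
        "PayloadType": POLICY_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sysext.policy",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "System Extension Policy",  # placeholder
        # Map of Team ID -> bundle IDs that may load without a user prompt.
        "AllowedSystemExtensions": {team_id: list(bundle_ids)},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sysext.profile",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Endpoint sensor extension approval",  # placeholder
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": [policy],
    }
    return plistlib.dumps(profile)


def is_approved(profile_bytes, team_id, bundle_id):
    """True if any System Extensions payload in the profile allows this pair."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != POLICY_TYPE:
            continue
        # AllowedTeamIdentifiers approves every extension signed by that team.
        if team_id in payload.get("AllowedTeamIdentifiers", []):
            return True
        if bundle_id in payload.get("AllowedSystemExtensions", {}).get(team_id, []):
            return True
    return False


if __name__ == "__main__":
    data = build_profile(TEAM_ID, [BUNDLE_ID])
    print("approved:", is_approved(data, TEAM_ID, BUNDLE_ID))
```

macOS honours this payload only when the profile is delivered by MDM, so running `is_approved` against the profile exported from the MDM is a quick way to confirm the pair before standard users see the 'System Extension Blocked' prompt.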

Thank you, we'll try that out.

Is anyone having issues installing CBC 3.6.2.110 on MacOS 12.3.1? Looks like it is not installing for us. I opened a ticket and I'm waiting for CB feedback on it.

Hi andreasimeoni...I'm having the same issue with 12.3.1. Were you able to get that resolved with CB Support? If so, what was the resolution?

Thanks!

RTV

Article Information
Creation Date: 03-14-2022