Environment
Supported sensor versions: 3.5.1+
Supported OS versions: macOS 11/Big Sur and later
This article provides instructions on pre-approving the System Extension and Network Extension for the macOS sensor on macOS 11. For instructions on approving the KEXT on macOS 11, please see this article.
Introduction
In order for them to load on macOS 11, the Carbon Black Cloud macOS sensor's System Extension and Network Extension must be pre-approved. While this can be accomplished locally by the user, we recommend deploying these approvals via an MDM if you have access to one.
Please follow the instructions below for more information on accomplishing this.
Approving the System Extension via MDM
The following are the manual steps to create the correct mobileconfig in your MDM. You can accomplish this by specifying the Apple Team ID and System Extension bundle Identifier in your Allowed System Extension configuration profile:
System Extension Types: Allowed System Extensions
Apple Team ID: 7AGZNQ2S2T
System Extension Bundle ID: com.vmware.carbonblack.cloud.se-agent.extension
Please note: selecting "allowed system extension types" and supplying the Team ID will not work.
Example from Jamf:
Approving the Network Extension Component of the System Extension via MDM:
You can grant the System Extension the ability to Filter Network Content via a Web Content Filter configuration profile. If the network extension is not approved, functionality related to reporting netconn activity and network quarantine will not work.
Note: These instructions were created using Apple documentation and ProfileCreator (found here: https://github.com/ProfileCreator/ProfileCreator). Field names, values, and functionality may vary depending on the MDM framework or sensor version used.
Network Extension .mobileconfig information:
You can create your own Network Extension .mobileconfig file, or use the sample .mobileconfig file included with the sensor installer.
After creating this profile, the profile should be signed to enable distribution via MDM.
The fields should be completed exactly as follows. Please copy and paste for accuracy.
In the General payload:
- Payload Scope should be set to: System
In the Web Content Filter payload:
Filter Type should be set to: Plug-In
Plug-In Bundle ID: com.vmware.carbonblack.cloud.se-agent
Select Enable Socket Filtering
- Filter Data Provider System Extension Bundle ID (macOS): com.vmware.carbonblack.cloud.se-agent.extension
- Filter Data Provider Designated Requirement (macOS):
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Select Enable Packet Filtering (macOS)
- Filter Packet Provider System Extension Bundle ID (macOS): com.vmware.carbonblack.cloud.se-agent.extension
- Filter Packet Provider Designated Requirement (macOS):
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Will this be sufficient? I'm having some problems with signing the profile but after downloading the profile creator above, and uploading the non signed cert I get the above setting. Please let me know if this is sufficient.
