[Carbon Black Cloud] Approving the macOS Sensor's System Extension and Network Extension (v3.5.1+)

Environment

Supported sensor versions: 3.5.1+
Supported OS versions: macOS 11/Big Sur and later

This article provides instructions on pre-approving the System Extension and Network Extension for the macOS sensor on macOS 11. For instructions on approving the KEXT on macOS 11, please see this article.

 

Introduction

The Carbon Black Cloud macOS sensor's System Extension and Network Extension must be pre-approved before they can load on macOS 11. While this can be accomplished locally by the user, we recommend deploying these approvals via an MDM if you have access to one.

Follow the instructions below to accomplish this.

Approving the System Extension via MDM

The following are the manual steps to create the correct mobileconfig in your MDM: specify the Apple Team ID and the System Extension bundle identifier in your Allowed System Extension configuration profile.

System Extension Types: Allowed System Extensions

Apple Team ID: 7AGZNQ2S2T

System Extension Bundle ID: com.vmware.carbonblack.cloud.se-agent.extension

Please note: selecting "allowed system extension types" and supplying the Team ID will not work.

Example from Jamf: [screenshot]

Example from Workspace ONE: [screenshot]

Approving the Network Extension Component of the System Extension via MDM

You can grant the System Extension the ability to Filter Network Content via a Web Content Filter configuration profile. If the network extension is not approved, functionality related to reporting netconn activity and network quarantine will not work.

Note: These instructions were created using Apple documentation and ProfileCreator (found here: https://github.com/ProfileCreator/ProfileCreator). Field names, values, and functionality may vary depending on the MDM framework or sensor version used.

Network Extension .mobileconfig information:

You can create your own Network Extension .mobileconfig file, or use the sample .mobileconfig file included with the sensor installer.

After creating this profile, sign it to enable distribution via MDM.

The fields should be completed exactly as follows. Please copy and paste for accuracy.

In the General payload:

  • Payload Scope should be set to: System

In the Web Content Filter payload:

  • Filter Type should be set to: Plug-In
  • Plug-In Bundle ID: com.vmware.carbonblack.cloud.se-agent


Select Enable Socket Filtering

  • Filter Data Provider System Extension Bundle ID (macOS): com.vmware.carbonblack.cloud.se-agent.extension
  • Filter Data Provider Designated Requirement (macOS):
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"


Select Enable Packet Filtering (macOS)

  • Filter Packet Provider System Extension Bundle ID (macOS): com.vmware.carbonblack.cloud.se-agent.extension

  • Filter Packet Provider Designated Requirement (macOS):
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
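
The settings above, assembled into one profile with Python's plistlib, together with a check that a profile carries them before it is signed and uploaded. This is an added example, not the sample .mobileconfig shipped with the sensor installer: it assumes both payloads go in a single profile, uses Apple's payload key names for the fields listed above, and the "example.cbc" identifier prefix, display names and UserDefinedName are constructed placeholders.

```python
import plistlib
import uuid

# Values copied from the article
TEAM_ID = "7AGZNQ2S2T"
APP_ID = "com.vmware.carbonblack.cloud.se-agent"
EXT_ID = APP_ID + ".extension"
DR = (f'identifier "{EXT_ID}" and anchor apple generic and '
      'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
      'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
      f'certificate leaf[subject.OU] = "{TEAM_ID}"')
# Web Content Filter keys (Apple payload key names) the article requires
WCF = {"FilterType": "Plugin", "PluginBundleID": APP_ID,
       "FilterSockets": True, "FilterPackets": True,
       "FilterDataProviderBundleIdentifier": EXT_ID,
       "FilterDataProviderDesignatedRequirement": DR,
       "FilterPacketProviderBundleIdentifier": EXT_ID,
       "FilterPacketProviderDesignatedRequirement": DR}

def _payload(ptype, name, **keys):
    uid = str(uuid.uuid4()).upper()
    # "example.cbc" prefix and display names are constructed placeholders
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": uid,
            "PayloadIdentifier": f"example.cbc.{uid}",
            "PayloadDisplayName": name, **keys}

def build_profile():
    """Return unsigned .mobileconfig bytes; sign before MDM distribution."""
    sysext = _payload("com.apple.system-extension-policy", "CBC System Extension",
                      AllowedSystemExtensions={TEAM_ID: [EXT_ID]})
    wcf = _payload("com.apple.webcontent-filter", "CBC Network Extension",
                   UserDefinedName="Carbon Black Cloud", **WCF)
    return plistlib.dumps(_payload("Configuration", "CBC extension approval",
                                   PayloadScope="System",
                                   PayloadContent=[sysext, wcf]))

def check_profile(data):
    """List deviations from the article's settings; [] means none found."""
    top = plistlib.loads(data)
    by_type = {p.get("PayloadType"): p for p in top.get("PayloadContent", [])}
    problems = []
    if top.get("PayloadScope") != "System":
        problems.append("PayloadScope is not System")
    policy = by_type.get("com.apple.system-extension-policy", {})
    if EXT_ID not in policy.get("AllowedSystemExtensions", {}).get(TEAM_ID, []):
        problems.append("AllowedSystemExtensions lacks the bundle ID under the Team ID")
    wcf = by_type.get("com.apple.webcontent-filter", {})
    problems += [f"{k} differs" for k, v in WCF.items() if wcf.get(k) != v]
    return problems

if __name__ == "__main__":
    print(check_profile(build_profile()) or "profile matches the article")
```

check_profile also flags a profile that allows extension types for the Team ID without listing the bundle ID, which is the configuration the note in the System Extension section says will not work.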


Comments

Hello, I have the system extension enabled through JAMF; however, can you please put an example for JAMF under the network extension component? It is not clear to me how to set this up and having an example for JAMF would be very helpful.

There should be a JAMF example for the network extension piece. 

Will this be sufficient? I'm having some problems with signing the profile but after downloading the profile creator above, and uploading the non signed cert I get the above setting. Please let me know if this is sufficient.

[screenshot]

I want to 2nd/3rd/whatever the suggestion for having a Jamf Pro example.

But I will say the way wegnertroy set up the network extension piece worked for me. Jamf signed the profile for me (we use the cloud version) so I was able to deploy without issue.

I'm not finding any information on how to do this without MDM. This article states: "While this can be accomplished locally by the user, we recommend deploying these approvals via an MDM if you have access to one."

I only have a handful of Windows clients and 2 Macs to manage. How do you accomplish this locally by the user and without MDM? Do I need to run a command after upgrading the sensor? Do I need to change a system setting? Please advise.

Also, how do you verify the approval was successful for both?

Thanks,

[deleted]

KS1

Hi All,

I am trying to deploy 3.5.3.82 via Jamf but keep getting system extension blocked once the application gets deployed.

I have created the configuration profiles as requested but am still having issues. Is anyone else having issues, or can anyone help me resolve this?

Thanks

Is it just me or did this stop working in later versions of Big Sur and Monterey?

We've just upgraded and newly installed a bunch of Macs with either Big Sur (11.6.1) or Monterey (12.0.1) and so far ALL of them have had to manually approve the System Extension for CB Cloud (3.6.1.10).

Are we doing something wrong or do the provided instructions (and profiles in the dmg) no longer work in recent macOS releases?

Has anyone gotten this to work without an MDM? 

MDM is now the only supported way to deliver configuration profiles to macOS, so it's fair to assume no...

Article Information
Creation Date: 12-07-2020