
[Carbon Black Cloud] Changes to KEXT pre-approval on macOS Big Sur (v3.5.1+)


Environment

Applicable sensor versions: 3.5.1 and higher
Applicable OS versions: macOS 11/Big Sur

The following instructions apply only to macOS 11. For prior versions of macOS, please see this article


Introduction

The Carbon Black Cloud macOS sensor v3.5.1 supports operation on macOS 11 via two frameworks: KEXT and System Extension.

Because of the performance implications of operating in user-space, particularly with regards to prevention, we will continue to offer KEXT support on macOS 11 as an interim option to give customers full sensor functionality while we work on enabling and tuning the same functionality in user-space.

Additional steps must be taken to ensure that the KEXT is fully approved on macOS 11. Please see below for more details and step-by-step instructions.

Please note that the local approval and reboot (or cache rebuild) are required for each installation or upgrade of a KEXT-enabled sensor. If not done, the sensor could enter a bypass state after upgrade.

Step 1: MDM KEXT pre-approval on macOS 11

MDM pre-approval is required in order to load KEXTs on macOS Big Sur.

The easiest way to distribute the necessary MDM payload to approve the KEXT is to upload the MDM-KEXT-approval.mobileconfig file, found in the docs folder of the installer's mounted DMG.

It is also possible to recreate the attached mobileconfig in your MDM tool. You can accomplish this by specifying the Apple Team ID and KEXT Bundle ID in your Kernel Extension configuration profile:

Apple Team ID: 7AGZNQ2S2T

KEXT Bundle ID: com.carbonblack.defense.kext
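As an added example (not from the article, the installer DMG or Carbon Black), the following Python builds a Kernel Extension Policy profile from the Team ID and bundle ID above, scoped to that one bundle ID rather than to every KEXT signed by the team, and checks what an arbitrary profile would pre-approve. The payload identifiers and display names are assumed placeholders.

```python
import plistlib
import uuid

# Values taken from the article.
TEAM_ID = "7AGZNQ2S2T"
KEXT_BUNDLE_ID = "com.carbonblack.defense.kext"


def build_kext_policy_profile(team_id, bundle_ids, identifier="com.example.kext-policy"):
    """Return a .mobileconfig (plist bytes) carrying a Kernel Extension Policy payload.

    Only AllowedKernelExtensions is set: it approves the listed bundle IDs for the
    team. AllowedTeamIdentifiers is deliberately left out, because listing a team
    there would pre-approve every KEXT that team signs, not just the sensor KEXT.
    """
    payload = {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".kext",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kernel Extension Policy",
        # Keep local user override available: Step 2, Option 1 relies on it.
        "AllowUserOverrides": True,
        "AllowedKernelExtensions": {team_id: list(bundle_ids)},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "KEXT pre-approval",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def profile_allows_kext(profile_bytes, team_id, bundle_id):
    """True if the profile pre-approves this KEXT, either by exact bundle ID or
    because the whole team is trusted via AllowedTeamIdentifiers."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.syspolicy.kernel-extension-policy":
            continue
        if team_id in payload.get("AllowedTeamIdentifiers", []):
            return True
        if bundle_id in payload.get("AllowedKernelExtensions", {}).get(team_id, []):
            return True
    return False


if __name__ == "__main__":
    with open("kext-policy.mobileconfig", "wb") as f:
        f.write(build_kext_policy_profile(TEAM_ID, [KEXT_BUNDLE_ID]))
```

Running `profile_allows_kext` against a profile exported from your MDM shows whether it trusts only the sensor KEXT or the entire Team ID.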


Step 2: Local KEXT approval and endpoint reboot (two options)

On macOS 11, a local approval of the KEXT (the user will be prompted) and a reboot are required to complete approval of the KEXT. This is in addition to the pre-approval in Step 1. There are two ways to do this: one relies on the endpoint user, the other is accomplished via MDM.

Option 1: Local approval

After the sensor has been installed, the user will be prompted to approve the KEXT. To approve it, they can go to the Security & Privacy preferences pane, unlock the pane with their credentials, and approve the KEXT.

They will then be prompted to restart. Upon reboot the KEXT will load as expected.

Option 2: MDM kernel cache rebuild via custom reboot command (if supported)

To avoid relying on local user approval, you can use your MDM to issue a customized reboot command to rebuild the Kernel Cache. Please note that custom reboot commands are not supported by all MDM providers.

Please see Apple documentation here: https://developer.apple.com/documentation/devicemanagement/restartdevicecommand/command

The easiest way to distribute the necessary MDM command to finish approving the KEXT is to upload the MDM-KEXT-reboot-command.xml file, found in the docs folder of the sensor installation DMG. The command is also copied below. The XML file should be uploaded as a Custom Command and sent to endpoints after KEXT install.

IMPORTANT: this will reboot the target machine without warning. This distribution method is a temporary workflow until MDM providers update their reboot commands to support RebuildKernelCache.

<dict>
<key>RebuildKernelCache</key>
<true/>
<key>KextPaths</key>
<string>/Library/Extensions/CbDefenseSensor.kext</string>
<key>RequestType</key>
<string>RestartDevice</string>
</dict>

Here is an example from Workspace ONE:

[Screenshots: Workspace ONE custom command configuration, 2020-12-07]

Additional resources:


Comments

Jamf, another popular MDM, unfortunately doesn't support XML upload of custom commands. Do you have a solution for how to rebuild the kernel cache via Jamf, and not relying on user approval?

We are having the same issue with Jamf

+1 for Jamf

I got it to install and work but Jamf still returns a failed message. Reason is the logging issue with CB package. I am living with the error count for now

Are there any updates on this? I am using Jamf and I am not sure how to add this to the process.

orc

ANY UPDATE FOR JAMF?

Does anyone know the "kextcache -i" option? And if it can be used for remote kernel cache rebuild for Big Sur in Jamf, instead of using the MDM-KEXT-reboot-command.xml that isn't supported by Jamf?

The custom command in step 2 does not work on non-supervised devices, it seems. Maybe it's worth mentioning that?

[Screenshots: MDM custom command result on a non-supervised device, 2021-04-19]

Are there any updates for Jamf yet? 

Article Information
Creation Date: 12-07-2020
Views: 15887