Our products (as well as other kernel-based products) are running into a situation in which kernel extensions (kexts) are no longer approved. Kexts approved in previous macOS versions by MDM (or other distribution systems like JAMF) are no longer approved once they've upgraded to 10.13.4.
This does not seem to impact kexts that were user (locally) approved prior to the 10.13.4 upgrade.
Prior to macOS 10.13.4, software distributions systems (i.e. MDM or JAMF) did not require user-approval to load any properly signed kexts. With 10.13.4, user-approval is no longer disabled for software distributions systems. For enterprise deployments where it is necessary to distribute software that includes kexts without requiring user approval, you will need to configure the Apple Team IDs for our Carbon Black products in your MDM profile.
Team ID for our products are:
Cb Protection: 7AGZNQ2S2T
Cb Response: 7AGZNQ2S2T
Cb Defense (3.0 and lower): JA7945SK43
Cb Defense (3.1 and higher): 7AGZNQ2S2T
KEXT Bundle IDs for our products are:
com.bit9.cbsystemproxy (6.2.3-osx versions and earlier)
com.carbonblack.cbsystemproxy.<Major><Minor>fc<Maintenance> (6.2.4-osx versions and later)
Please note that the next Cb Defense Mac Sensor release (3.1) will require KEXT approval regardless of previous approval status due to an updated code signing certificate and bundle ID associated with the forthcoming 3.1 release.
Please also note that there is new behavior in 10.13.4 after the KEXT approval. A dialog will pop up telling users they need to reboot. This is a proactive measure by Apple. The Cb Defense Mac Sensor will not require a reboot and it will reload its KEXT immediately after the approval is done.
We are currently doing more research on this issue and will share any additional information as soon as it becomes available.