
Carbon Black Cloud: How to verify full disk access granted via MDM profile (3.1.x.x and Higher)

Environment

  • Carbon Black Cloud Sensor: 3.1.x.x and Higher
    • Audit and Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
  • Apple macOS: All Supported Versions

Objective

Provide guidance on confirming that the MDM profile is configured correctly to grant Full Disk Access to the Carbon Black Cloud Sensor.

Resolution

  1. Run the following command to print the contents of MDMOverrides.plist:
     sudo plutil -p /Library/Application\ Support/com.apple.TCC/MDMOverrides.plist
  2. In the output, locate the CbDefense entry and check its kTCCServiceSystemPolicyAllFiles section ('"Allowed" => 1' means Full Disk Access is enabled/allowed, '"Allowed" => 0' means it is disabled/not allowed):
     "CbDefense" => {
       "kTCCServiceSystemPolicyAllFiles" => {
         "Allowed" => 1
         "CodeRequirement" => "identifier CbDefense and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T""
         "CodeRequirementData" => {length = 152, bytes = 0xfade0c00 00000098 00000001 00000006 ... 4e513253 32540000 }
         "Comment" => ""
         "Identifier" => "CbDefense"
         "IdentifierType" => "bundleID"
         "StaticCode" => 0
       }
     }
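When the same check has to be repeated across a fleet, reading the plutil output by eye does not scale. The script below is an added example, not part of this article or of the Carbon Black product; it wraps the command from step 1 and parses the `plutil -p` output for the bundle's kTCCServiceSystemPolicyAllFiles "Allowed" value, reporting granted, denied or absent. It assumes the output keeps the nested `"key" => {` layout shown in step 2; the sample output embedded in the script is constructed for offline testing and is not a real MDMOverrides.plist dump.

```shell
#!/bin/sh
# Added example (not from the KB article): check whether Full Disk Access
# (kTCCServiceSystemPolicyAllFiles) is granted to a bundle in the MDM-managed
# TCC overrides, by parsing the output of `plutil -p MDMOverrides.plist`.

# fda_status BUNDLE_ID
#   Reads `plutil -p` output on stdin. Prints "granted" (exit 0), "denied" (exit 1)
#   or "absent" (exit 2) for the given bundle's kTCCServiceSystemPolicyAllFiles entry.
fda_status() {
  awk -v bundle="$1" '
    # A line ending in "{" opens a multi-line block; a line that is only "}" closes one.
    # One-line blocks such as {length = 152, bytes = ...} open and close on the same
    # line and therefore do not change the depth.
    /[{][[:space:]]*$/ {
      depth++
      if (!in_bundle && index($0, "\"" bundle "\" => {")) { in_bundle = 1; bundle_depth = depth }
      else if (in_bundle && !in_svc && index($0, "\"kTCCServiceSystemPolicyAllFiles\" => {")) { in_svc = 1; svc_depth = depth }
      next
    }
    /^[[:space:]]*[}][[:space:]]*$/ {
      depth--
      if (in_svc && depth < svc_depth) in_svc = 0
      if (in_bundle && depth < bundle_depth) in_bundle = 0
      next
    }
    # Only the "Allowed" line inside the right bundle + service block counts.
    in_svc && /"Allowed" => / { allowed = $NF + 0; found = 1 }
    END {
      if (!found) { print "absent"; exit 2 }
      if (allowed == 1) { print "granted"; exit 0 }
      print "denied"; exit 1
    }
  '
}

# Constructed sample in the `plutil -p` layout (NOT a real MDMOverrides.plist dump):
# CbDefense has Full Disk Access, a second hypothetical bundle does not.
sample_output() {
cat <<'EOF'
{
  "CbDefense" => {
    "kTCCServiceSystemPolicyAllFiles" => {
      "Allowed" => 1
      "CodeRequirement" => "identifier CbDefense and anchor apple generic"
      "CodeRequirementData" => {length = 152, bytes = 0xfade0c00 00000098 ... 32540000 }
      "Comment" => ""
      "Identifier" => "CbDefense"
      "IdentifierType" => "bundleID"
      "StaticCode" => 0
    }
  }
  "com.example.other" => {
    "kTCCServiceSystemPolicyAllFiles" => {
      "Allowed" => 0
      "Identifier" => "com.example.other"
    }
  }
}
EOF
}

PLIST="/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
if [ -r "$PLIST" ] && command -v plutil >/dev/null 2>&1; then
  # Real check: needs root (sudo) on macOS because the TCC directory is protected.
  plutil -p "$PLIST" | fda_status CbDefense
else
  echo "MDMOverrides.plist not readable here (run with sudo on macOS); checking the constructed sample:"
  sample_output | fda_status CbDefense
fi
```

On a managed Mac, run the script with sudo; a non-zero exit means the PPPC payload did not land as expected and the MDM profile should be reviewed before relying on the sensor's visibility.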

Additional Notes

  • Privacy Preferences Policy Control (PPPC) payload settings configured via an MDM tool (such as JAMF) are not visible to end users under Security & Privacy, because they were not set by the end user.
  • The user running the command above must be in the sudoers list (/etc/sudoers).
  • The 'certificate leaf[subject.OU]' field shows the Team ID for the corresponding Sensor version.

Article Information
Creation Date: 07-06-2020