Environment

• Carbon Black Cloud Sensor: All Versions
• Apple macOS: All Supported Versions

Symptoms

• Device Quarantine 
• Reporting Network Activity (netconn events)
• Endpoint Standard detections that leverage the network events
• Enterprise EDR watchlists that leverage the network events
• Endpoint Standard: Policy blocking operation “Communicates over the Network”

Cause

• Carbon Black Cloud Mac sensor code signing certificates are expiring on January 9, 2023.
• Carbon Black Cloud Mac sensors installed and approved prior to January 9th, 2023 will continue to fully protect the endpoint past the expiration date, but if a sensor with an expired certificate is installed or approved (Sensor Versions 3.7.2.77 & 3.7.1.12 and lower), or if a sensor is manually reset (via repcli) after January 9th, 2023, then Network Extension functionalities will be unavailable

Resolution

• For any new installations or upgrades after January 9th 2023, please upgrade to the latest macOS sensor.
• We will have new sensor versions available for download from the console within the next couple of weeks. Please follow this post for updated sensor availability and version numbers. 

Additional Notes

• Sensors deployed in KEXT mode are not impacted
• There are no code changes in the updated macOS Sensor releases; only the updated certificate, but we will change the build number to make clear which version has the newest certificate.  

Related Content