Carbon Black Cloud: MacOS Endpoints stuck in Bypass (Extension load pending)

Environment

  • Carbon Black Cloud Console: All Supported Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • Apple MacOS: 10.x

Symptoms

  • Post 14 April 2022 Console Update, MacOS device(s) display "Bypass (extension load pending)" in the CBC Console
  • Prior to 14 April 2022 Console Update, MacOS device(s) displayed "Bypass (admin action)" in the CBC Console

Cause

This is commonly caused by the system extension / network extension not being administratively pre-approved.

Resolution

Extensions Already Approved
In cases where the approvals are in place, a reboot will cause the drivers to load

Approve Extensions using MDM (preferred)
For full MDM Approval methods please see the following document: Approving the System Extension and Network Extension for macOS 11+

Approve Extensions without MDM
In cases where the approval is not in place, complete the following steps:
  1. Open Security Preferences
  2. Click Unlock to change settings and click "Allow"
  3. Approve system extension
  4. To approve Full Disk Access manually, see the article: Full Disk Access Requirement for the macOS Sensor
If you've verified a reboot does not resolve the issue, and all approvals are in place, please Contact Technical Support
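
To confirm from a terminal whether approval is the missing piece, the following added example (not from the original article or from Carbon Black) classifies the state that `systemextensionsctl list` reports for one extension. The bundle identifier and the sample listing are constructed placeholders; substitute the identifier given in the vendor's approval document.

```shell
#!/bin/sh
# Added example: classify a system extension's approval state from the
# output of `systemextensionsctl list` (available on macOS 10.15 and later).
# Assumption: BUNDLE_ID is a placeholder, not the sensor's real identifier.
BUNDLE_ID="com.example.sensor.extension"

# Constructed sample listing, used only when the tool is not present.
SAMPLE_PENDING='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
	*	TEAMID0000	com.example.sensor.extension (1.0/1)	Sensor	[activated waiting for user]'

# classify_extension BUNDLE_ID   (listing is read from stdin)
# Prints one of: approved | pending-approval | other | not-installed
classify_extension() {
    awk -v id="$1" '
        index($0, id) {
            found = 1
            if ($0 ~ /\[activated enabled\]/)        state = "approved"
            else if ($0 ~ /waiting for user\]/)      state = "pending-approval"
            else                                     state = "other"
            # An approved entry wins over stale entries for older versions.
            if (best == "" || state == "approved") best = state
        }
        END { print (found ? best : "not-installed") }
    '
}

if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | classify_extension "$BUNDLE_ID"
else
    printf '%s\n' "$SAMPLE_PENDING" | classify_extension "$BUNDLE_ID"
fi
```

A result of `pending-approval` means the extension still needs MDM or manual approval; `approved` on a device that remains in bypass points to the reboot step above.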

Additional Notes

  • Additional Bypass Reasons and Remediation options were added in the 14 April 2022 CBC Console Release. See Release Note below 
    DSER-38817: Added more sensor state/bypass descriptions to side panel

Article Information

Creation Date: 10-24-2022