Cb Defense: How to approve Mac Sensor 3.1 KEXT for Install/Upgrade
Cb Defense Sensor: 3.1 and above
Apple macOS: macOS 10.13 and above
Carbon Black recommends submitting the applicable Cb Defense KEXT IDs described in macOS 10.13.4 Kext Approval Changes for approval by MDM before installing or upgrading to Mac Sensor 3.1. If the KEXT is not pre-approved by MDM, this article describes how to approve it locally during the install or upgrade.
When installing or upgrading Mac Sensor 3.1 on High Sierra+ using the unattended install method, the installation will fail if the KEXT has not already been pre-approved. Sample CLI output:
Running tool: /Volumes/CbDefense-3.1.x.xx/docs/cbdefense_install_unattended.sh, version 3.1.x.x.
For maximum compatibility, ensure to use this tool for installing or upgrading to a matching 3.1.x.xx version of the corresponding Cb Defense PKG. Both the tool and the PKG should be extracted from the same Cb Defense DMG 3.1.x.xx.
Previous sensor installation detected.
Detected macOS version: 10.13.4......OK
KEXT check: macOS >=10.13 detected, checking KEXT pre-approval...Error: KEXT does not appear to be pre-approved on this device by MDM or user.
Exiting the sensor upgrade because KEXT pre-approval was not detected.
Please use one of the following options to workaround this:
1. (Preferred) Pre-approve KEXT on macOS 10.13+ devices prior to the sensor upgrade. Refer to KB and use your preferred KEXT approval method for the following Cb Defense KEXT IDs:
- KEXT bundle ID: com.confer.sensor.kext
- KEXT team ID: 7AGZNQ2S2T
Using this option will ensure that Cb Defense sensor version 188.8.131.52 remains fully operational immediately after the upgrade.
To bypass this message and receive the prompt that lets the end user approve the KEXT locally, you must use the option --skip-kext-approval-check.
The installer will then pause, and you will see the same prompt from the installer telling you to allow the kernel extension within 5 minutes.
Behind this notification is another notification from the OS explaining how to allow the extension from "Carbon Black, Inc."
In the Security preferences pane, you can allow the software from "Carbon Black, Inc." to run.
The installer will finish, the kernel extension will load, and the Cb logo will appear in the menu bar.
Starting with macOS 10.13.0 (High Sierra), Apple created a whitelist for KEXTs. This is a new Apple feature that requires user approval before loading new third-party kernel extensions, such as the Cb Defense kernel extension: com.confer.sensor.kext for Sensor version 3.0, or com.carbonblack.defense.kext for Sensor version 3.1 or higher. See Apple Technical Note TN2459 for more details and recommendations for enterprise environments.
In some situations you may see an additional pop-up stating that a reboot is required; however, the sensor does not need to reboot after the install/upgrade on physical machines. You may choose not to reboot and the sensor should reload within 30 minutes.