Environment
- Cb Defense Sensor: 3.1 and above
- Apple MAC OS: Mac OS 10.13 and above
Objective
Carbon Black recommends submitting the applicable Cb Defense KEXT IDs described in macOS 10.13.4 Kext Approval Changes for approval by MDM before install or upgrade of Mac Sensor 3.1. However, if KEXT is not pre-approved by MDM, this article describes how to approve KEXTs locally upon install or upgrade.
Resolution
- When installing or upgrading Mac Sensor 3.1 on High Sierra+ using the unattended install method, the installation will fail if KEXT has not already been pre-approved. Sample cli output below
$ sudo /Volumes/CbDefense-3.1.x.x/docs/cbdefense_install_unattended.sh -i /Volumes/CbDefense-3.1.x.xx/CbDefense\ Install.pkg -c xxxxxxxxx
Running tool: /Volumes/CbDefense-3.1.x.xx/docs/cbdefense_install_unattended.sh, version 3.1.x.x.
For maximum compatibility, ensure to use this tool for installing or upgrading to a matching 3.1.x.xx version of the corresponding Cb Defense PKG. Both the tool and the PKG should be extracted from the same Cb Defense DMG 3.1.x.xx.
Previous sensor installation detected.
Detected macOS version: 10.13.4......OK
KEXT check: macOS >=10.13 detected, checking KEXT pre-approval...Error: KEXT does not appear to be pre-approved on this device by MDM or user.
Exiting the sensor upgrade because KEXT pre-approval was not detected.
Please use one of the following options to workaround this:
1. (Preferred) Pre-approve KEXT on macOS 10.13+ devices prior to the sensor upgrade. Refer to KB and use your preferred KEXT approval method for the following Cb Defense KEXT IDs:
- KEXT bundle ID: com.confer.sensor.kext
- KEXT team ID: 7AGZNQ2S2T
Using this option will ensure that Cb Defense sensor version 3.1.1.27 remains fully operational immediately after the upgrade.
In order to bypass this message and receive the prompt allowing the end user to locally approve KEXT, you must use the option --skip-kext-approval-check
- The installer will then pause and you will see the same prompt from the installer telling you to allow the kernel extension within 5 minutes
- Behind this notification is another notification from the OS explaining how to allow the extension from "Carbon Black, Inc."
Opening Security preferences pane, you can allow the software from "Carbon Black, Inc. to run
The installer will finish, the kernel extension will load, and the Cb logo will load in the menu bar
- Use kextstat | grep -s com.carbonblack to verify that the Cb Defense KEXT extension has been approved. See Cb Defense: How to Verify KEXT Approval on macOS for details
Additional Notes
- Starting with macOS 10.13.0 (High Sierra), Apple created a whitelist for KEXTS. This is a new Apple feature that requires user approval before loading new third-party kernel extensions such as Cb Defense kernel extension, com.confer.sensor.kext for Sensor version 3.0 or com.carbonblack.defense.kext for Sensor version 3.1 or higher. See Apple Technical Note TN2459 for more details and recommendations for enterprise environments.
- If KEXT is not approved at the time of loading, the Mac Sensor will install with status "Sensor Bypass Admin Action" in the Sensor Management Page of the Cb Defense Web Console. See Cb Defense: Mac Sensor installs with status "Sensor Bypass Admin Action" for details.
- In some situations you may see an additional pop up stating that a reboot is required; however, the sensor does not need to reboot after the install/upgrade on physical machines. You may choose not to reboot and the sensor should reload within 30 minutes.
Related Content
https://developer.apple.com/library/content/technotes/tn2459/_index.htmlCb Defense Sensor 3.0 Mac Release Notes
macOS 10.13.4 Kext Approval Changes
Cb Defense: Why do I need to re-approve KEXT after upgrading to Mac Sensor 3.1?
Cb Defense: Mac Sensor installs with status "Sensor Bypass Admin Action"
Cb Defense: How To Find Sensors on High Sierra With KEXT Not Approved
