Endpoint Standard: Mac Sensor installs with status "Sensor Bypass Admin Action"

Environment

  • Endpoint Standard (Formerly CB Defense) Sensor: All Versions
  • Apple macOS: Mac OS 10.13.0 and Higher
  • Unattended install method used to install Sensor on macOS

Symptoms

  • Once registered, the Endpoints Page shows "Sensor Bypass Admin Action"
  • All efforts to take the sensor out of bypass fail

Cause

  • The kernel extension (Kext) is not approved by the end user
  • Error 603946981 may be observed

Resolution

  1. On the Sensor Management page of the Web Console, search for sensorStates:DRIVER_INIT_ERROR to find all sensors whose KEXT has not been approved. See https://community.carbonblack.com/docs/DOC-9885
  2. The end user can then approve the sensor KEXT locally in System Preferences > Security & Privacy. See "Cb Defense: How to approve Mac Sensor 3.0 KEXT for Install/Upgrade" and "Cb Defense: How to approve Mac Sensor 3.1 KEXT for Install/Upgrade".
  3. The sensor status will change to "Active" within 30 minutes of KEXT approval.
  4. If the approval request has timed out, the installer needs to be run again to trigger the request message. See Apple Technical Note TN2459 for more details and recommendations for enterprise environments.

Article Information
Creation Date: 02-06-2018