SCCM deployment of Mac OSX sensor fails with "The application was not detected after installation completed successfully."

Version

Cb Response, all versions

Issue

When deploying the Cb Response Mac/OS X sensor via the Microsoft-documented SCCM method (https://technet.microsoft.com/en-us/library/jj687950.aspx), a Deployment Failed message is presented even though the sensor is installed correctly (based on the sensor install logs).

Symptoms

A Deployment Failed message is presented in SCCM with the Error Description: "The application was not detected after installation completed successfully."

Cause

The Cb Response OS X sensor includes all files necessary for all supported OS X releases. To support both OS X 10.8 and OS X 10.9 and later, a unique driver must be bundled for each, and only the correct driver is deployed on a given system. The default SCCM method of detecting a successful install expects all bundled drivers/files to be deployed, so detection fails even though the sensor installed correctly.

Solution

As part of the SCCM procedure for deploying Mac software, the CMAppUtil tool is used to generate a .cmmac file. This is simply a zip file with a unique extension. To avoid this issue, the .cmmac must be customized with the following steps:

1)  Unzip the .cmmac file generated using any zip tool (7zip or similar)

2)  Locate the following file in the extracted .cmmac file structure:

CMMACPackage/Metadata/Detection.xml

3)  Edit the Detection.xml file and locate text similar to the following (version number may differ):

<DetectionAction Type="Advanced">

<Property Identifier="com.carbonblack.Kext.pkg" Version="5.2.5.70103" Type="Package"/>

<Property Identifier="com.carbonblack.sensordiag.pkg" Version="5.2.5.70103" Type="Package"/>

<Property Identifier="com.carbonblack.CbOsxSensorService.pkg" Version="5.2.5.70103" Type="Package"/>

<Property Identifier="com.carbonblack.daemon.pkg" Version="5.2.5.70103" Type="Package"/>

<Property Identifier="com.carbonblack.Kext10.pkg" Version="5.2.5.70103" Type="Package"/>

<Property Identifier="com.carbonblack.sensoruninst.pkg" Version="5.2.5.70103" Type="Package"/>

</DetectionAction>

5)  If you are deploying to an OS X 10.8 system, the following line must be removed completely from the file:

<Property Identifier="com.carbonblack.Kext10.pkg" Version="5.2.5.70103" Type="Package"/>

If you are deploying to a system running OS X 10.9 or later, the following line must be removed completely from the file:

<Property Identifier="com.carbonblack.Kext.pkg" Version="5.2.5.70103" Type="Package"/>

6)  Save the changes you made to Detection.xml in the same file structure and use any zip tool (7zip or similar) to repackage the extracted directory and contents, making sure to use the same .cmmac extension.

You can then deploy the sensor via SCCM and the installation detection will succeed. The same package cannot be used for both OS X 10.8 systems and OS X 10.9 and later systems; deploy to each independently using different .cmmac packages.
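The unzip, edit and repackage steps above can be scripted so that one generated .cmmac yields a separate package per OS X target. This is an added example, not code from Carbon Black or Microsoft; the function names and the "10.8"/"10.9+" target labels are hypothetical, and it assumes Detection.xml is UTF-8 with each Property element on its own line, as in the snippet above.

```python
import zipfile

DETECTION = "CMMACPackage/Metadata/Detection.xml"  # path given in the article
# Property to drop per deployment target; the "10.8"/"10.9+" keys are labels chosen here.
DROP = {"10.8": "com.carbonblack.Kext10.pkg", "10.9+": "com.carbonblack.Kext.pkg"}

# Constructed sample mirroring the article's snippet (version number may differ).
IDS = ["Kext", "sensordiag", "CbOsxSensorService", "daemon", "Kext10", "sensoruninst"]
SAMPLE = '<DetectionAction Type="Advanced">\n' + "".join(
    '<Property Identifier="com.carbonblack.%s.pkg" Version="5.2.5.70103" Type="Package"/>\n' % i
    for i in IDS) + "</DetectionAction>\n"


def strip_detection(xml_text, target):
    """Return Detection.xml text minus the driver Property that target never receives."""
    needle = 'Identifier="%s"' % DROP[target]  # closing quote keeps Kext and Kext10 apart
    lines = xml_text.splitlines(keepends=True)
    kept = [ln for ln in lines if not ("<Property" in ln and needle in ln)]
    if len(lines) - len(kept) != 1:  # refuse to guess if the layout is not as assumed
        raise ValueError("expected exactly one %s Property line" % DROP[target])
    return "".join(kept)


def repackage(src, dst, target):
    """Copy the .cmmac zip from src to dst, rewriting only Detection.xml."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        if DETECTION not in zin.namelist():
            raise ValueError("%s not found in %s" % (DETECTION, src))
        for info in zin.infolist():
            data = zin.read(info)
            if info.filename == DETECTION:
                data = strip_detection(data.decode("utf-8"), target).encode("utf-8")
            zout.writestr(info, data)  # reuse the entry's name and attributes
    return dst


if __name__ == "__main__":
    print(strip_detection(SAMPLE, "10.9+"))
```

Calling `repackage` twice on the same source, once per target and with different output names, produces the two independent packages the article requires.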

Article Information

Creation Date: 03-02-2017