[Carbon Black Cloud] Installing the sensor in KEXT mode on macOS Big Sur (v3.5.1+)
Supported sensor versions: 3.5.1+
Supported OS versions: macOS 11/Big Sur
Supported installation methods: command-line installation, installation via MDM
The Carbon Black Cloud macOS sensor supports both System Extension and KEXT-based operation. System Extension mode is the default on macOS Big Sur, but the sensor can be installed in KEXT mode or switched into KEXT mode via RepCLI after installation. KEXTs currently enable more functionality on the Carbon Black Cloud than System Extensions do, so KEXT mode may be ideal for some users. For more information on the functionality delivered by System Extensions vs. KEXTs on macOS Big Sur, please review this article.
Before you begin installation
For an optimal experience, pre-approve the sensor's KEXT prior to installing the sensor. Pre-approving the KEXT on macOS Big Sur differs from the process on older operating systems, so please review the KEXT pre-approval documentation carefully.
Installing the sensor into KEXT mode on macOS Big Sur
On macOS 11, the attended installer will default to installing a System Extension sensor. In order to install into KEXT mode, we recommend using the unattended install script, cbcloud_install_unattended.sh, found in the mounted DMG of the sensor installer in the docs folder.
A new -k flag has been introduced to cbcloud_install_unattended.sh to signify a KEXT sensor install. This flag also works when upgrading an existing sensor.
In order for Kernel Extensions (aka legacy System Extensions) to be run on macOS Big Sur, Apple has added two new or enhanced restrictions:
Kernel Extensions must be pre-approved via MDM (since macOS 10.13)
Kernel Extensions must also be approved manually by the user, and the OS requires a reboot after install. Alternatively, a kernel cache rebuild can be triggered with a custom reboot script.
Run the cbcloud_install_unattended.sh script. Your mount point may be slightly different:
Please note the -k flag appended onto the installation script.
Before the install finishes, a pop-up will appear stating that a System Extension has been updated. Approve this prompt in the Security & Privacy pane of System Preferences, or follow the steps here to automate the secondary KEXT approval through MDM using a custom reboot command. The install may report a failure at this point if the user does not approve the KEXT in time. The install can still be completed despite this reported failure.
Once the installation and local KEXT approval have completed, the user must reboot to finalize the installation. Until a reboot is performed, the sensor will report into the console with a bypass status.
Can I use Cloud Upgrade to upgrade sensors running in KEXT mode on macOS Big Sur?
No. Cloud Upgrade only supports the default installation and upgrade scenario, which is System Extension mode on macOS Big Sur. Sensors running in KEXT mode will need to be upgraded either via an MDM or via a local command-line installation.
Attempts to upgrade a sensor running the KEXT on macOS Big Sur via Cloud Upgrade will not succeed.
Apple also requires the use of an MDM to pre-approve kernel extensions on macOS Big Sur.