Environment

• Carbon Black Cloud Sensor: All Supported Versions 
• Apple macOS: 10.13 and higher

Objective

Resolution

1. Log in to JAMF, navigate to “Configuration Profiles”, and select "New" 
2. Under the Approved Kernel Extensions select “Configure” 
3. Input the applicable "teamID" and "bundleID" described in macOS 10.13.4 Kext Approval Changes for the sensor version you are installing 
4. Select "Save"

Additional Notes

• Starting with macOS 10.13.0 (High Sierra), Apple created a whitelist for KEXTS. This is a new Apple feature that requires user approval before loading new third-party kernel extensions such as Carbon Black Cloud kernel extension com.carbonblack.defense.kext for Sensor version 3.7 or higher. See Apple Technical Note TN2459 for more details and recommendations for enterprise environments.
• If KEXT is not approved at the time of loading, the Mac Sensor will install with the status "Sensor Bypass Admin Action" in the Sensor Management Page of the Carbon Black Console. See Cb Defense: Mac Sensor installs with status "Sensor Bypass Admin Action" for details.
• In some situations you may see an additional pop-up stating that a reboot is required; however, the sensor does not need to reboot after the installation/upgrade on physical machines. You may choose not to reboot and the sensor should reload within 30 minutes.

Related Content

macOS 10.13.4 Kext Approval Changes
Cb Defense: How to approve Mac Sensor 3.1 KEXT for Install/Upgrade
Cb Defense: Why do I need to re-approve KEXT after upgrading to Mac Sensor 3.1?
Cb Defense: How to approve Mac Sensor 3.0 KEXT for Install/Upgrade
Cb Defense: Why does KEXT approval show Scargo Inc as Developer for new cert?
Endpoint Standard: Mac Sensor installs with status "Sensor Bypass Admin Action"
CB Defense: How To Find Sensors on High Sierra With KEXT Not Approved
Endpoint Standard: How to Verify Sensor 3.1 KEXT Approval
Carbon Black Cloud: How To Collect Sensor Logs Locally (Mac)