Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How to approve KEXT on JAMF

Carbon Black Cloud: How to approve KEXT on JAMF

Environment

  • Carbon Black Cloud Sensor: All Supported Versions 
  • Apple macOS: 10.13 and higher

Objective

Pre-approve Carbon Black Cloud KEXT IDs described in macOS 10.13.4 Kext Approval Changes before installation or upgrade of macOS Sensor 3.7 and higher.

Resolution

  1. Log in to JAMF, navigate to “Configuration Profiles”, and select "New" 
  2. Under the Approved Kernel Extensions select “Configure” 
  3. Input the applicable "teamID" and "bundleID" described in macOS 10.13.4 Kext Approval Changes for the sensor version you are installing 
  4. Select "Save"

Additional Notes

  • Starting with macOS 10.13.0 (High Sierra), Apple created a whitelist for KEXTS. This is a new Apple feature that requires user approval before loading new third-party kernel extensions such as Carbon Black Cloud kernel extension com.carbonblack.defense.kext for Sensor version 3.7 or higher. See Apple Technical Note TN2459 for more details and recommendations for enterprise environments.
  • If KEXT is not approved at the time of loading, the Mac Sensor will install with the status "Sensor Bypass Admin Action" in the Sensor Management Page of the Carbon Black Console. See Cb Defense: Mac Sensor installs with status "Sensor Bypass Admin Action" for details.
  • In some situations you may see an additional pop-up stating that a reboot is required; however, the sensor does not need to reboot after the installation/upgrade on physical machines. You may choose not to reboot and the sensor should reload within 30 minutes.

Related Content


Was this article helpful? Yes No
100% helpful (2/2)
Article Information
Author:
Creation Date:
‎06-25-2018
Views:
7830
Contributors