MacOS Endpoints stuck in Bypass (Extension load pending)

Article ID: 285044

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Post 14 April 2022 Console Update, MacOS device(s) display "Bypass (extension load pending)" in the CBC Console
  • Prior to 14 April 2022 Console Update, MacOS device(s) displayed "Bypass (admin action)" in the CBC Console

Environment

  • Carbon Black Cloud Console: All Supported Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • Apple MacOS: 10.x

Cause

This is commonly caused by system / network extensions not being administratively pre-approved.

Resolution

Determine if an MDM solution is being used.

  1. Run the below command
    sudo profiles -P
  2. Results with no MDM:
    There are no configuration profiles installed.
  3. Results with MDM will contain the below in the output:
    com.apple.mdm

Approve Extensions using MDM (preferred)

  • For full MDM Approval methods please see the following document: https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/cbc-sensor-installation-guide/GUID-70A0E115-73D5-40E1-B80C-1700DC335D25.html
  • Also to get started please see https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Get-Started-with-MDM-Deployment/ta-p/109390

Approve Extensions without MDM
In cases where the approval is not in place, complete the following steps:

  1. Open Security Preferences
  2. Open "Security & Privacy"
  3. Click Unlock to change settings and select "App Store and identified developers" then click "Allow" for Carbon Black App
  4. Verify system extension by running the below command
    sudo systemextensionsctl list
  5. If the results show that a reboot is needed to unload the old driver, proceed with the reboot.
    • Check by refreshing the Console or the CBC app in the top right corner after reboot
  6. Verify FDA (Full Disk Access) and approve if needed
    • Console
      • https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Find-macOS-Sensors-Where-Full-Disk/ta-p/112818
    • Manually on the system
      • https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/cbc-sensor-installation-guide/GUID-0325F3AC-3E3F-49FD-952B-96343EF3C405.html

If you've verified that a reboot does not resolve the issue and all approvals are in place, please contact Technical Support.
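
The checks above (MDM present or not, extension state, which step comes next) can be combined into one triage script. This is an added example, not Carbon Black tooling: the function names are hypothetical, the bundle ID and team ID are placeholders, the sample line is constructed, and the `[state]` strings it matches are assumed from typical `systemextensionsctl list` output.

```shell
#!/bin/sh
# Added example (not vendor code). Output formats are assumed from the
# article's strings and typical macOS output; the sample is constructed.

# mdm_status TEXT: classify `sudo profiles -P` output.
mdm_status() {
    case "$1" in
        *com.apple.mdm*) echo "mdm" ;;
        *"There are no configuration profiles installed"*) echo "no-mdm" ;;
        *) echo "profiles-without-mdm" ;;
    esac
}

# ext_status TEXT BUNDLE_ID: classify the `systemextensionsctl list`
# line that names BUNDLE_ID by its trailing [state] field.
ext_status() {
    line=$(printf '%s\n' "$1" | grep -F -- "$2" | head -n 1)
    [ -n "$line" ] || { echo "not-listed"; return 0; }
    case "$line" in
        *"[activated enabled]"*) echo "approved" ;;
        *"waiting for user"*)    echo "pending-approval" ;;
        *"on reboot"*)           echo "reboot-required" ;;
        *)                       echo "unrecognized" ;;
    esac
}

# next_step MDM_STATUS EXT_STATUS: map both results to the article's steps.
next_step() {
    case "$2" in
        approved)        echo "verify Full Disk Access" ;;
        reboot-required) echo "reboot, then refresh the Console" ;;
        pending-approval)
            if [ "$1" = "mdm" ]; then echo "approve extensions using MDM"
            else echo "approve in Security & Privacy"; fi ;;
        *)               echo "review state manually" ;;
    esac
}

# Constructed sample line; bundle ID and team ID are placeholders.
SAMPLE_EXT='* TEAMID0000 com.example.sensor.extension (1.0/1) Example [activated waiting for user]'

# Live use on a Mac: sh triage.sh --live <sensor bundle id>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    m=$(mdm_status "$(sudo profiles -P 2>&1)")
    e=$(ext_status "$(sudo systemextensionsctl list 2>&1)" "$2")
    echo "mdm=$m extension=$e next: $(next_step "$m" "$e")"
fi
```

Take the sensor's real bundle ID from the `systemextensionsctl list` output on an affected device before running with `--live`.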

Additional Information

  • Additional Bypass Reasons and Remediation options were added in the 14 April 2022 CBC Console Release. See Release Note below 
    DSER-38817: Added more sensor state/bypass descriptions to side panel