MacOS Endpoints stuck in Bypass (Extension load pending)
Article ID: 285044
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
MacOS device(s) display "Bypass (extension load pending)" in the Carbon Black Cloud Console
Environment
- Carbon Black Cloud Console: All Supported Versions
- Carbon Black Cloud Sensor: All Supported Versions
- Apple MacOS: All Supported Versions
Cause
This is commonly caused because system / network extension extensions are not administratively pre-approved
Resolution
Determine if a MDM solution is being used.
- Run the below command
sudo profiles -P
- Results for no MDM
There are no configuration profiles installed.
- Results for with MDM will contain the below in the output:
com.apple.mdm
Approve Extensions using MDM (preferred)
- For full MDM Approval methods please see the following document: Approving the System Extension by using MDM
- Also to get started please see document: How to Get Started with MDM Deployment
Approve Extensions without MDM
In cases where the approval is not in place, complete the following steps:
- Confirm the system extension is approved by following the steps outlined in the installation guide
- Verify system extension by running the below command
sudo Systemextensionsctl list
- If results show that you need to reboot to unload old driver proceed with reboot.
- Check by refreshing the Console or CBC app in top right corner after reboot
- Verify FDA (Full Disk Access) and approve if needed
If you've verified a reboot does not resolve the issue, and all approvals are in place, please Contact Technical Support
Additional Information
- Bypass Reasons and Remediation options were added in the 14 April 2022 CBC Console Release with the Fix ID : DSER-38817: Added more sensor state/bypass descriptions to side panel
Feedback
Yes
No
Powered by
