How to validate a complete install, or upgrade, for a macOS sensor.

• EDR Sensors: macOS 7.x and higher
• macOS: Big Sur (11) and Monterey (12) 

1. Confirm the sensor is running.  Note '/Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService' is running.

   ps -ax | grep -i cbosx

2. Confirm the system extension is enabled and running.  Confirm 'com.carbonblack.es-loader.es-extension' is 'activated' and 'enabled' 

   systemextensionctl list

3. Confirm Full Disk Access.  Note: es-extension should be listed but not necessarily checked if pushed by MDM;  Should be listed and checked if manually installed.

   Check Settings > Security&Privacy > es-extension    

4. Confirm Network Content access is enabled.  Note a Carbon Black Content Network Filter should be green and 'Running'. (The name is associated to the policy)

   Check Settings > Network 

5. Check logs for install or upgrade errors.

   cat /var/log/cblog.log

6. If MDM polices were used (Workspace ONE, JamF), there is the option to provide the exported profile to VMware Carbon Black Support for validation.
7. Advanced logging messages.

   log show -start “yyyy-mm-dd hh:mm:ss" -debug | grep -i cb (use the date/timestamp of the install)
   log show -start “yyyy-mm-dd hh:mm:ss" -debug | grep -i carbonblack
   

• Files to check:

• Stop & Start the sensor.

sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist

• Determine the version running:

/Applications/VMware\ Carbon\ Black\ EDR.app/Contents/MacOS/CbOsxSensorService -v

 Additional Links: 

• Install EDR MacOS sensor
• Confirm MacOS has Full Disk Access
• Verify MacOS sensor installation
• Uninstall EDR MacOS sensor 
• Validating MDM Policies for a complete install