How to add the Workstation ONE UEM policies necessary to successfully deploy Carbon Black macOS sensor.

• EDR Sensors:  macOS-7.x and higher
• Workspace ONE UEM:  22.4.x.x

1.  Confirm the devices are registered.
2.  Confirm the macOS devices are in the correct Smart Group.
3.  Add all 3 required profiles documented in "Granting macOS Sensor Access on macOS 11.0+ Big Sur" into 1 policy:
  a.  Add a policy. 
       In the Workspace ONE UEM console (WS1), select Resources > Profiles & Baselines > Profiles > Add > Add Profile.
       Select macOS.  Select Device Profile.   b.  Fill in the General Section.
       Name:  VMware Carbon Black Profiles
       Description: Contains SysExt Content and Full Disk
       Deployment: Managed
       Assignment Type: Auto
       Allow Removal:  Always
       Managed By: <your account>
       Smart Groups:  <select a smart group with macos 11.x and 12.x devices>
       Exclusions:  NO
       Additional Assignment Criteria:   Do NOT select.   c.  In the left margin, select System Extensions to add the CB System Extension policy.
       Hit the Configure button.
       Allow User Overrides:  Click to select.
       Team Identifier: <leave the default>
       Allowed System Extensions > Add System Extension.
                Team Identifier:  7AGZNQ2S2T
                 Bundle Identifier:  com.carbonblack.es-loader.es-extension
  d.  In the left margin, select Content Filter to add the CB Network Web Content policy.
        Select CONFIGURE.   (Note: The contents should be manually typed; Cut-n-Paste introduces hidden characters)
        Filter Type:  Plug-In
        Filter Name: Carbon Black Network Content Filter
        Identifier:  com.carbonblack.es-loader
        Service Address:  <leave blank>
        Organization:  <leave blank>
        Filter WebKit Traffic:   Click to select.
        Filter Socket Traffic:   Click to select.
        Authentication:
           Username:  <leave blank>
           Password:  <leave blank>
           Identity Certificate:  <leave blank>
        Custom Data:
            Select Add   e.  In the left margin, select Privacy Preferences to add the CB Privacy Profile.
       Select CONFIGURE.  (Note: The contents should be manually typed; Cut-n-Paste introduces hidden characters)
       Select ADD APP. The endpoint is ready for the VMware CB macOS 7.x install package.

• It is best to test the policy on 1-2 sensors prior to a large deployment to confirm the policies work.   Confirm filemods, modloads and netconns are reporting to the EDR console.
• Confirm a complete install using the following commands on the endpoint:

cat /var/log/cblog.log  (Good: activating extension success and Launching daemon)
systemextensionsctl list (Good: Only one Cb extension which is active, enabled)
log show -start "yyyy-mm-dd xx:xx:xx" --debug | grep -i cbosx [where xx is the time of installation]  
(Good:  Look for event types 1, 2 and 5 followed by data)

• Troubleshooting Tips:
  • If filemods and modloads are not reporting into the EDR console, then review the Privacy Preferences section for errors.
  • If netconns are not reporting into the EDR console, then review the Content Filter for errors.
  • The contents should be manually typed; Cut-n-Paste introduces hidden characters and the policy fails. 
  • Export the policy xml;  On a Mac or Linux OS use less <xml> to identify extra characters.  If needed use 'hexdump -C <xml>' and compare to a working policy xml provided by Support.
• If the policy needs to be corrected, it is best to uninstall, reboot, confirm the correct policy is installed and use the silent installer to install again.

launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
/Applications/"VMware Carbon Black EDR.app"/Contents/Resources/sensoruninst.sh
reboot & check new policy
installer -pkg /dirtopkg/CarbonBlackClientSetup.pkg -target /

•  WS1 importing of a profile defaults to a iOS profile instead of macOS, therefore as of Mar 2022 an exported macOS XML can not be properly imported into WS1.