EDR: Deploying OSX Sensors via Jamf to MacOS 10.x
Article ID: 287665
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to deploy 7.x-osx sensors from Jamf to macOS versions that use kernel extensions.
Environment
- EDR macOS Sensor: 7.x
- macOS: Mojave (10.14), Catalina (10.15)
Resolution
1. Log in to Jamf, navigate to “Configuration Profiles”, and select "New"
2. Under the Approved Kernel Extensions select “Configure”.
3. Input the applicable "teamID" and "bundleID
Team Id: (For Cb Response) 7AGZNQ2S2T
KEXT Bundle ID:
com.carbonblack.CbOsxSensorNetmon
com.carbonblack.CbOsxSensorProcmon
com.carbonblack.cbsystemproxy.72fc2
(Note: 72fc2 above reflects the sensor version 7.2.2-osx being installed, modify as needed)
4. Select "Save"
6. Repackage sensor install package to push pkg.zip from Jamf to endpoint. Jamf requires the extension pkg.zip.
a. Download a new OSX installer package from the EDR console
b. Unzip the installer temporarily in a local directory i.e. /tmp/sensor/
c. Zip for deployment in Jamf
d. zip -r -X ~/Desktop/CarbonBlack.pkg.zip *
e. Upload CarbonBlack.pkg.zip to Jamf.
7. Deploy the sensor for installation.
Additional Information
- Prior to macOS 10.13.4, software distributions systems (i.e. MDM or JAMF) did not require user-approval to load any properly signed kexts.
- For macOS 10.13 - 10.15, Carbon Black products (as well as other kernel-based products) Netmon and Procmon kernel extensions are required. For enterprise deployments where it is necessary to distribute software that includes kexts without requiring user approval, it is required to configure the Apple Team IDs for our Carbon Black products in the MDM profile.
- For macOS 11.x and higher, system extensions are required to be configured in the MDM and is addressed in other articles (see Related Content).
- Both OSX-10.x and OSX-11.x+ profiles can be combined into one Jamf profile. Ask the Support engineer for guidance from the internal notes.
Feedback
Yes
No
Powered by
