Endpoint Standard: Mac sensor unable to block connections handled by App Proxy Provider (per-app VPN)

Article ID: 288444

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • An issue has been found where the CBC Sensor is not able to block network connections tunneled by a per-app VPN built on Apple's App Proxy Provider when the endpoint is placed in quarantine: the quarantined endpoint can still reach the internet over the per-app VPN tunnel.
  • This affects every internet-accessing app whose traffic is routed through the per-app VPN.

Environment

  • Endpoint Standard Sensor : All Versions
  • Apple macOS: All Supported Versions

Cause

This has been identified as a limitation of macOS System Extensions and the network filtering framework: connections handled by an App Proxy Provider are tunneled by the VPN's extension, so the sensor's network filter cannot block them.

Resolution

  • VMware Carbon Black is working with Apple on an in-product solution.
  • As a workaround, create a dedicated policy for quarantined endpoints that stops the per-app VPN tunnel itself, so that sites cannot load over it from Chrome, Safari, or any other application configured to use the per-app VPN. The policy needs a "Blocking and Isolation" rule that denies the per-app VPN's App Proxy Provider from running. The example below is for Workspace One Tunnel; the application path varies by per-app VPN product:
  1. Navigate to the sensor settings of the policy.
  2. Under the "Prevention" tab > "Blocking and Isolation" section > "Application at path" section, add the following rule (update the path for the per-app VPN in use):
Applications at path: /Applications/VMware Tunnel.app/Contents/PlugIns/macOSAppProxyProvider.appex/Contents/MacOS/macOSAppProxyProvider
Operation attempt: Runs or is running
Action: Deny operation
  • Applying this policy to a sensor stops the per-app VPN traffic by preventing the App Proxy Provider that services the tunnel from running. Because the rule blocks the provider rather than individual sites, all traffic carried by that per-app VPN is cut off, not only the sites the quarantine is meant to block, so apply the policy only to quarantined endpoints.
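Because the "Applications at path" value differs for every per-app VPN product, the hard part of the workaround is finding the right App Proxy Provider executable on a given Mac. The script below is an added example, not part of this article or of any Carbon Black or VMware tool: it walks an application tree, picks out app extensions whose Info.plist declares the com.apple.networkextension.app-proxy extension point (the identifier Apple uses for App Proxy Providers), and prints the executable path to paste into the rule. The "Example VPN.app" packet-tunnel bundle and the sample tree builder are constructed test fixtures, not real products; the script assumes the Info.plist is XML (run plutil -convert xml1 on it first if a vendor ships a binary plist).

```shell
#!/bin/sh
# Added example: locate App Proxy Provider app extensions so their executable
# path can be used in a Carbon Black Cloud "Applications at path" deny rule.

# Print the executable path of every App Proxy Provider appex under $1.
# Assumes XML Info.plist files (convert binary plists with plutil first).
find_app_proxy_providers() {
    root="$1"
    find "$root" -type f -path '*.appex/Contents/Info.plist' 2>/dev/null | sort |
    while IFS= read -r plist; do
        # Only App Proxy Providers declare this NSExtensionPointIdentifier;
        # packet-tunnel, content-filter and DNS-proxy extensions are skipped.
        grep -q 'com.apple.networkextension.app-proxy' "$plist" || continue
        appex=$(dirname "$(dirname "$plist")")
        # CFBundleExecutable is the <string> on the line after the key.
        exe=$(sed -n '/<key>CFBundleExecutable<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist")
        [ -n "$exe" ] || exe=$(basename "$appex" .appex)
        printf '%s\n' "$appex/Contents/MacOS/$exe"
    done
}

# Write a minimal appex bundle: $1 = bundle dir, $2 = executable name,
# $3 = NSExtensionPointIdentifier. Used only to build the constructed sample tree.
write_appex() {
    mkdir -p "$1/Contents/MacOS"
    : > "$1/Contents/MacOS/$2"
    cat > "$1/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key>
  <string>$2</string>
  <key>NSExtension</key>
  <dict>
    <key>NSExtensionPointIdentifier</key>
    <string>$3</string>
  </dict>
</dict>
</plist>
EOF
}

# Constructed sample tree (not a real /Applications): one App Proxy Provider,
# laid out like the Workspace One Tunnel path in the article, plus a
# hypothetical packet-tunnel VPN that must NOT be matched.
build_sample_tree() {
    root="$1"
    write_appex "$root/VMware Tunnel.app/Contents/PlugIns/macOSAppProxyProvider.appex" \
        macOSAppProxyProvider com.apple.networkextension.app-proxy
    write_appex "$root/Example VPN.app/Contents/PlugIns/PacketTunnel.appex" \
        PacketTunnel com.apple.networkextension.packet-tunnel
}

# Stand-alone use: sh find_app_proxy.sh /Applications
if [ $# -gt 0 ]; then
    find_app_proxy_providers "$1"
fi
```

On a real endpoint run it against /Applications and copy each printed path into its own "Applications at path" rule with "Runs or is running" / "Deny operation". After the quarantine policy is applied, pgrep -f on the executable name should return nothing, which confirms the provider is no longer being allowed to run.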