Endpoint Standard: Mac sensor unable to block connections handled by App Proxy Provider (per-app VPN)
Article ID: 288444
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
An issue has been found where the CBC Sensor is not able to block network connections tunneled by a per-app VPN using Apple’s App Proxy Provider when the endpoint is placed in quarantine.
This affects all internet-accessing apps.
Environment
Endpoint Standard Sensor: All Versions
Apple macOS: All Supported Versions
Cause
This has been identified as an issue with limitations in the macOS System Extension and network filtering frameworks.
Resolution
VMware Carbon Black is working with Apple on an in-product solution.
As a workaround, create a special policy for quarantined endpoints that blocks sites from loading over the per-app VPN tunnel, whether in Chrome, Safari, or any other application configured to use the per-app VPN. Configure this policy with a "Blocking and Isolation" rule to block any per-app VPN application running on the endpoint. The following example is for Workspace One Tunnel. Note that the application path will vary depending on the per-app VPN used:
Navigate to the sensor settings of the policy.
Under the "Prevention" tab > "Blocking and Isolation" section > "Application at path" section, add the following path (update this path based on the per-app VPN used):
Applications at path: /Applications/VMware Tunnel.app/Contents/PlugIns/macOSAppProxyProvider.appex/Contents/MacOS/macOSAppProxyProvider
Operation attempt: Runs or is running
Action: Deny operation
Applying this policy to a sensor stops per-app VPN network traffic by blocking the App Proxy Provider responsible for the per-app VPN tunnel.
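Because the path in the rule depends on which per-app VPN is installed, the following added example (not Carbon Black or Apple code) lists candidate App Proxy Provider executables to use in the "Applications at path" field. It assumes the extension is packaged as an .appex under Contents/PlugIns, as in the Workspace One Tunnel path above, and declares the com.apple.networkextension.app-proxy extension point in its Info.plist; the function names and the sample bundles are hypothetical.

```python
import plistlib
from pathlib import Path

# Extension point identifier declared by NEAppProxyProvider app extensions.
APP_PROXY_POINT = "com.apple.networkextension.app-proxy"
# Assumed layout: same .appex-under-PlugIns structure as the path on this page.
APPEX_GLOB = "*.app/Contents/PlugIns/*.appex/Contents/Info.plist"

def find_app_proxy_providers(apps_root="/Applications"):
    """Return executable paths of App Proxy Provider extensions under apps_root."""
    found = []
    for info in sorted(Path(apps_root).glob(APPEX_GLOB)):
        try:
            with info.open("rb") as fh:
                plist = plistlib.load(fh)
        except Exception:  # unreadable or malformed Info.plist: skip it
            continue
        if not isinstance(plist, dict):
            continue
        ext = plist.get("NSExtension")
        point = ext.get("NSExtensionPointIdentifier") if isinstance(ext, dict) else None
        exe = plist.get("CFBundleExecutable")
        if point == APP_PROXY_POINT and exe:
            # The policy rule needs the executable inside the extension bundle.
            found.append(str(info.parent / "MacOS" / exe))
    return found

def build_constructed_tree(root):
    """Create a constructed (fake) /Applications layout for an offline run."""
    samples = [
        ("Example Tunnel.app", "ExampleProxy", APP_PROXY_POINT),
        ("Other.app", "ShareExt", "com.apple.share-services"),
    ]
    for app, exe, point in samples:
        contents = Path(root) / app / "Contents" / "PlugIns" / f"{exe}.appex" / "Contents"
        (contents / "MacOS").mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleExecutable": exe,
                           "NSExtension": {"NSExtensionPointIdentifier": point}}, fh)

if __name__ == "__main__":
    for path in find_app_proxy_providers():
        print(path)
```

Run it on a managed Mac that has the per-app VPN client installed and copy the printed path into the policy rule.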