Carbon Black Cloud: How To Check DeviceID On Endpoint (macOS up to 3.4.x.x)
search cancel

Carbon Black Cloud: How To Check DeviceID On Endpoint (macOS up to 3.4.x.x)

book

Article ID: 290322

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Explain the steps to confirm the DeviceID of a 3.4.x.x or lower Sensor on the machine where it is installed

Environment

  • Carbon Black Cloud Sensor: 3.4.x.x and Lower
  • Apple macOS: All Supported Versions

Resolution

  1. Launch terminal
  2. Use grep to get RegistrationId 
    % grep 'RegistrationId' /Applications/Confer.app/cfg.ini
  3. Output will look like 
    RegistrationId=<org_id>-<device_id>

Additional Information

  • Confirming the DeviceID locally on the machine with the Sensor installed can be helpful in troubleshooting issues and reviewing Alerts and other Events within the Carbon Black Cloud Console
  • For example, with the DeviceID you can review Events specific to that single device on the Investigate page by replacing <DeviceID> with the ID retrieved using the above method 
    https://<DashboardURL>/investigate?selected[deviceId]=<DeviceID>&selected[selectedTab]=DEVICE&s[searchWindow]=ALL&s[c][DEVICE_ID][0]=<DeviceID>
  • Searching for device_id on applicable Inventory pages will find the device tied to that registration, regardless of the current hostname
    • device_id is the unique identifier for a given Sensor in relation to VMware Carbon Black Cloud
    • Hostname, IP Address, and Active Directory information are all considered metadata for a device record as they all can be changed
  • Both the RegistrationId and point of presence (PoP) or Backend can be found in the cfg.ini file to ensure a given device is registered to the correct PoP/Backend 
    % grep 'BackendServer' /Applications/Confer.app/cfg.ini
BackendServer=<Device_Services_URL>
RegistrationId=<org_id>-<device_id>
Powered by Wolken Software