Carbon Black Cloud: How To Add Removable System Extension Configuration in MDM

Article ID: 291305

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Apple introduced a feature in macOS 12+ that lets system extensions be configured as removable through an MDM configuration profile, so that user authorization is not required for uninstallation.
  • CB highly recommends deploying this policy in your environment for maximum interoperability during sensor upgrade and uninstall, and for full compliance with macOS SysEXT management via MDM.
  • Adding removable system extension configuration in MDM

    A removable system extension can be configured using the instructions in the docs section of the installer: MDM-instructions.txt and MDM-SYSEXT-approval-mobileconfig-sample.txt.

Environment

  • Carbon Black Cloud macOS Sensor: 3.8 and Higher
  • Apple macOS: 12 and Higher

Resolution

 

  1. MDM-instructions.txt

MDM System Extension Approval Configuration - To construct the correct configuration, you must specify the Apple Team ID and System Extension bundle ID in your configuration profile.

Deactivation approval configuration

Section:  Removable System Extensions

Apple Team ID: 7AGZNQ2S2T

System Extension Bundle ID: com.vmware.carbonblack.cloud.se-agent.extension

  2. MDM-SYSEXT-approval-mobileconfig-sample.txt

    <key>AllowedSystemExtensions</key>
    <dict>
        <key>7AGZNQ2S2T</key>
        <array>
            <string>com.vmware.carbonblack.cloud.se-agent.extension</string>
        </array>
    </dict>
    <key>RemovableSystemExtensions</key>
    <dict>
        <key>7AGZNQ2S2T</key>
        <array>
            <string>com.vmware.carbonblack.cloud.se-agent.extension</string>
        </array>
    </dict>
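
A pre-deployment check for the profile described above, as an added example (not code from Carbon Black or Apple): it parses an unsigned .mobileconfig and reports whether both keys list the extension under the Team ID. `com.apple.system-extension-policy` is Apple's System Extensions payload type; the function names `check_profile` and `build_sample` and the sample profile's `PayloadIdentifier` are assumptions made for illustration.

```python
import plistlib

TEAM_ID = "7AGZNQ2S2T"  # Apple Team ID from the article
BUNDLE_ID = "com.vmware.carbonblack.cloud.se-agent.extension"  # from the article
POLICY_TYPE = "com.apple.system-extension-policy"  # Apple's System Extensions payload
REQUIRED_KEYS = ("AllowedSystemExtensions", "RemovableSystemExtensions")


def check_profile(data: bytes) -> dict:
    """Map each required key to True if a system-extension payload in the
    profile lists BUNDLE_ID under TEAM_ID for that key, else False."""
    profile = plistlib.loads(data)  # raises on signed (CMS-wrapped) or malformed input
    result = {key: False for key in REQUIRED_KEYS}
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict) or payload.get("PayloadType") != POLICY_TYPE:
            continue
        for key in REQUIRED_KEYS:
            by_team = payload.get(key)
            bundles = by_team.get(TEAM_ID, []) if isinstance(by_team, dict) else []
            if BUNDLE_ID in bundles:
                result[key] = True
    return result


def build_sample(removable: bool, team_id: str = TEAM_ID) -> bytes:
    """Constructed sample profile; PayloadIdentifier is a placeholder."""
    policy = {
        "PayloadType": POLICY_TYPE,
        "PayloadIdentifier": "com.example.sysext-policy",
        "AllowedSystemExtensions": {team_id: [BUNDLE_ID]},
    }
    if removable:
        policy["RemovableSystemExtensions"] = {team_id: [BUNDLE_ID]}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [policy]})


if __name__ == "__main__":
    cases = {"approval only": build_sample(False), "approval + removable": build_sample(True)}
    for label, data in cases.items():
        missing = [k for k, ok in check_profile(data).items() if not ok]
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

A profile that passes the approval check but reports RemovableSystemExtensions as missing corresponds to the "Removable: No" state described under Additional Information.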

Additional Information

  • Verify the removable system extension status using repcli status
    • The removable system extension status can be found under the general info section of the repcli status output - Removable: Unknown/Yes/No
      • State values
        • Unknown - The MDM removable system extension policy value has not yet been read/fetched.
        • Yes - The MDM removable system extension policy is available.
        • No - The MDM removable system extension policy is not available.
  • Status Message: The status message will be set if the MDM removable system extension policy is missing. It can be viewed on the sensor using the repcli status command.