Endpoint Standard: Existing Mac Sensor moves into bypass with a status of "Sensor Bypass Admin Action"
Article ID: 292052
Updated On: 01-25-2022
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- Pre-existing, working sensors move to bypass without direct Admin or User input
- Endpoints Page shows Status "Sensor Bypass Admin Action"
- Searching for sensorStates:DRIVER_INIT_ERROR shows all sensors whose KEXT has not been approved or whose approval no longer exists
- All efforts to take the sensor out of bypass fail
Environment
- Endpoint Standard Sensor: 3.0 and Higher
- Apple macOS: macOS 10.13.0 and Higher
- 3rd Party Deployment Tool: JAMF Pro
Cause
- The Endpoint Standard kernel extension (Kext) is no longer approved
- Possible corrupt payload on the whitelist
Resolution
- Rebuild the configuration profiles with up-to-date whitelist entries and re-deploy them
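A check that can be run on a rebuilt profile before re-deploying it, as an added example (not VMware or Jamf code): it parses an unsigned .mobileconfig and reports whether its kernel extension policy payload whitelists the sensor KEXT. The team and bundle identifiers below are constructed placeholders; use the values documented for your sensor version.

```python
import plistlib
import re

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")  # Apple team IDs are 10 characters

# Constructed sample values: placeholders, not the real sensor identifiers.
SAMPLE_TEAM_ID = "ABCDE12345"
SAMPLE_BUNDLE_ID = "com.example.sensor.kext"

def check_kext_profile(profile_bytes, team_id, bundle_id):
    """Return a list of problems; an empty list means the kext is whitelisted."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # truncated or otherwise corrupt profile
        return [f"profile does not parse as a plist: {exc}"]
    content = profile.get("PayloadContent", []) if isinstance(profile, dict) else []
    payloads = [p for p in content
                if isinstance(p, dict) and p.get("PayloadType") == KEXT_POLICY_TYPE]
    if not payloads:
        return [f"no {KEXT_POLICY_TYPE} payload found"]
    problems, approved = [], False
    for p in payloads:
        teams = p.get("AllowedTeamIdentifiers") or []
        kexts = p.get("AllowedKernelExtensions") or {}
        # Flag identifiers that were mangled when the profile was built.
        for tid in list(teams) + list(kexts):
            if not TEAM_ID_RE.fullmatch(str(tid)):
                problems.append(f"malformed team identifier: {tid!r}")
        # Approved either by team ID or by an explicit bundle ID entry.
        if team_id in teams or bundle_id in kexts.get(team_id, []):
            approved = True
    if not approved:
        problems.append(f"{bundle_id} ({team_id}) is not whitelisted")
    return problems

def build_profile(teams, kexts):
    """Build a minimal unsigned profile carrying one kext policy payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{"PayloadType": KEXT_POLICY_TYPE,
                            "AllowedTeamIdentifiers": teams,
                            "AllowedKernelExtensions": kexts}],
    })

if __name__ == "__main__":
    good = build_profile([SAMPLE_TEAM_ID], {})
    stale = build_profile(["ZZZZZ99999"], {})
    for name, data in (("good", good), ("stale", stale), ("truncated", good[:60])):
        print(name, check_kext_profile(data, SAMPLE_TEAM_ID, SAMPLE_BUNDLE_ID) or "OK")
```

A signed profile is CMS-wrapped and has to be unwrapped before it will parse here.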
Additional Information
- Secure Kernel Extension Loading was introduced with macOS 10.13 High Sierra.
- The Endpoint Standard Sensor KEXT varies depending on the Sensor version. See macOS 10.13.4 Kext Approval Changes
- For an individual device, an end user can locally approve/allow the Kext via System Preferences > General Tab > Security & Privacy section
- The sensor status in the console will change to "Active" within 30 minutes of KEXT approval