Endpoint Standard: Existing Mac Sensor moves into bypass with a status of "Sensor Bypass Admin Action"

Article ID: 292052

Updated On: 01-25-2022

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Pre-existing, working sensors move into bypass without direct Admin or User input
  • The Endpoints page shows the status "Sensor Bypass Admin Action"
  • Searching for sensorStates:DRIVER_INIT_ERROR shows all sensors whose KEXT has not been approved or whose approval no longer exists
  • All efforts to take the sensor out of bypass fail

Environment

  • Endpoint Standard Sensor: 3.0 and Higher
  • Apple macOS: macOS 10.13.0 and Higher
  • 3rd Party Deployment Tool: JAMF Pro

Cause

  • The Endpoint Standard kernel extension (Kext) is no longer approved 
  • Possible corrupt payload on the whitelist

Resolution

  • Rebuild the configuration profiles with up-to-date whitelist entries and re-deploy them
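
One way to check a rebuilt profile before re-deploying it, as an added example (not Carbon Black or Jamf code): it parses an unsigned .mobileconfig export and confirms that the kernel extension policy payload allows the sensor's Team ID or kext bundle ID. The Team ID and bundle ID below are placeholders and the sample profiles are constructed; take the real values from the vendor's Kext approval documentation.

```python
import plistlib

# Apple's payload type for kernel extension allow-lists in a configuration profile.
KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
# Placeholders (assumptions): substitute the sensor's real Team ID and kext bundle ID.
TEAM_ID = "EXAMPLETEAM"
BUNDLE_ID = "com.example.sensor.kext"

def check_kext_profile(profile_bytes, team_id=TEAM_ID, bundle_id=BUNDLE_ID):
    """Return a list of problems; an empty list means the kext is allowed."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # truncated or corrupt export, or a signed (CMS) profile
        return [f"profile is not a valid plist: {exc}"]
    content = profile.get("PayloadContent", []) if isinstance(profile, dict) else []
    payloads = [p for p in content
                if isinstance(p, dict) and p.get("PayloadType") == KEXT_POLICY_TYPE]
    if not payloads:
        return [f"no {KEXT_POLICY_TYPE} payload present"]
    problems = []
    for p in payloads:
        teams = p.get("AllowedTeamIdentifiers") or []
        per_team = p.get("AllowedKernelExtensions") or {}
        if team_id in teams or bundle_id in per_team.get(team_id, []):
            return []  # allowed either team-wide or by explicit bundle ID
        problems.append(f"{p.get('PayloadIdentifier', '?')}: "
                        f"{team_id} / {bundle_id} is not allowed")
    return problems

def build_sample(team_ids, per_team):
    """Constructed sample profile, serialized as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile",
        "PayloadContent": [{
            "PayloadType": KEXT_POLICY_TYPE,
            "PayloadIdentifier": "com.example.profile.kext",
            "AllowedTeamIdentifiers": team_ids,
            "AllowedKernelExtensions": per_team,
        }],
    })

if __name__ == "__main__":
    current = build_sample([TEAM_ID], {})
    stale = build_sample(["OLDTEAM0000"], {})
    for name, data in [("current", current), ("stale", stale),
                       ("truncated", current[: len(current) // 2])]:
        print(name, check_kext_profile(data) or "OK")
```

A non-empty result for a profile that is about to be deployed points to the same condition this article describes: the kext is not covered by the whitelist payload, or the payload itself cannot be read.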

Additional Information

  • Secure Kernel Extension Loading was introduced with macOS 10.13 High Sierra.
  • The Endpoint Standard Sensor KEXT varies depending on the Sensor version. See macOS 10.13.4 Kext Approval Changes
  • For an individual device, an end user can approve/allow the Kext locally via System Preferences > General Tab > Security & Privacy section
  • The sensor status in the console will change to "Active" within 30 minutes of KEXT approval