Mac Endpoint in "Bypass", even after all manual approval steps in documentation are followed
Article ID: 372601
Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

After installing the 3.8.0.58 sensor on a macOS 14.5 endpoint without MDM approvals, the sensor remains in Bypass or in an FDA Error status, despite following all steps in the documentation here.

Environment

  • Carbon Black Cloud Sensor: 3.8.0.58 and Higher
  • Apple macOS: 12.7 and Higher

Cause

com.vmware.carbonblack.cloud.se-agent.extension was not granted the Full Disk Access permission during sensor installation.

Resolution

  1. Navigate to System Settings > Privacy & Security > Full Disk Access
  2. Toggle the com.vmware.carbonblack.cloud.se-agent.extension entry to enabled
  3. The change will prompt for credentials
  4. In addition, drag and drop the entire /Applications/VMware Carbon Black Cloud/repmgr.bundle from the Finder window onto the Full Disk Access pane, similar to steps 5 and 6 of the FDA documentation

Additional Information

  • Dragging the entire repmgr.bundle onto Full Disk Access will not display any indication that it was added, but it still takes effect
  • It may still take a reboot, or 15 minutes to an hour, for FDA warnings or errors to go away once this has been completed
  • If a clean install is needed, the macOS sensor can be uninstalled by following these steps
  • If Terminal is given Full Disk Access, the following can be used to check whether the correct permissions were granted
  • Querying the TCC.db is the best way to see which sensor component is either missing or does not have the correct permissions. For reference, these are the expected components and their settings from the TCC.db (columns: client, client_type, auth_value, auth_reason, auth_version):
    com.vmware.carbonblack.cloud.se-agent.extension|0|2|4|1
    com.vmware.carbonblack.cloud.daemon|0|2|4|1
    com.vmware.carbonblack.cloud.se-agent|0|2|4|1
    /Applications/VMware Carbon Black Cloud/LiveQuery.bundle/Contents/MacOS/osqueryi|1|2|4|1
    /Applications/VMware Carbon Black Cloud/UnInstaller.bundle/Contents/MacOS/UnInstaller|1|2|4|1
    /Applications/VMware Carbon Black Cloud/uninstall.bundle/Contents/MacOS/uninstall|1|2|4|1

    This output is produced by running the following on the command line:

    sqlite3 /Library/Application\ Support/com.apple.TCC/tcc.db 'select client,client_type,auth_value,auth_reason,auth_version from access;'

    If any of the above components is missing or does not match these settings, repeat the manual steps in the user guide.

  • Incorrect permissions will display output such as:
    com.vmware.carbonblack.cloud.daemon|0|0|5|1|??
    • If this result is returned, step 4 of the resolution was not completed correctly
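As an added example (not Carbon Black's own tooling), the following Python script automates the TCC.db comparison described above and the incorrect-permissions case just listed: it parses the pipe-delimited output of the sqlite3 query, or reads TCC.db directly when run from a process that has Full Disk Access, and reports which of the listed sensor components are missing or carry settings other than those in this article. The expected table is taken from the article; the sample output, the in-memory stand-in database and the helper names are constructed for the example. The column meanings in the comments (client_type 0 for a bundle identifier, 1 for a path; auth_value 2 for allowed) follow TCC's schema and are not stated in the article.

```python
#!/usr/bin/env python3
"""Compare Carbon Black Cloud sensor entries in macOS TCC.db against the
settings listed in the article. Added example, not Carbon Black tooling.

Reading the real /Library/Application Support/com.apple.TCC/tcc.db needs a
process that itself has Full Disk Access (e.g. Terminal granted FDA); the
demo at the bottom falls back to a constructed sample when that fails.
"""
import sqlite3
from collections import defaultdict
from typing import Dict, List, Tuple

TCC_DB = "/Library/Application Support/com.apple.TCC/tcc.db"
# Same table and columns as the sqlite3 one-liner in the article.
QUERY = "select client,client_type,auth_value,auth_reason,auth_version from access"

Row = Tuple[str, int, int, int, int]   # client plus the four numeric columns
Settings = Tuple[int, int, int, int]   # client_type, auth_value, auth_reason, auth_version

# Expected entries, taken from the article. In TCC, client_type 0 is a bundle
# identifier and 1 is an absolute path; auth_value 2 means allowed, 0 denied.
EXPECTED: Dict[str, Settings] = {
    "com.vmware.carbonblack.cloud.se-agent.extension": (0, 2, 4, 1),
    "com.vmware.carbonblack.cloud.daemon": (0, 2, 4, 1),
    "com.vmware.carbonblack.cloud.se-agent": (0, 2, 4, 1),
    "/Applications/VMware Carbon Black Cloud/LiveQuery.bundle/Contents/MacOS/osqueryi": (1, 2, 4, 1),
    "/Applications/VMware Carbon Black Cloud/UnInstaller.bundle/Contents/MacOS/UnInstaller": (1, 2, 4, 1),
    "/Applications/VMware Carbon Black Cloud/uninstall.bundle/Contents/MacOS/uninstall": (1, 2, 4, 1),
}

# Constructed sample output in the pipe-delimited form sqlite3 prints.
HEALTHY_OUTPUT = "\n".join(f"{c}|{t}|{v}|{r}|{ver}" for c, (t, v, r, ver) in EXPECTED.items())
# Same data with the daemon row denied (auth_value 0), as in the article's failure case.
BROKEN_OUTPUT = HEALTHY_OUTPUT.replace(
    "com.vmware.carbonblack.cloud.daemon|0|2|4|1",
    "com.vmware.carbonblack.cloud.daemon|0|0|5|1")


def parse_sqlite_output(text: str) -> List[Row]:
    """Parse pipe-delimited lines produced by the article's sqlite3 query."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) < 5:
            continue  # blank line or not a row of this 5-column query
        try:  # extra trailing fields (such as the "|??" in the article) are ignored
            rows.append((parts[0], int(parts[1]), int(parts[2]), int(parts[3]), int(parts[4])))
        except ValueError:
            continue  # not a data row
    return rows


def query_connection(conn: sqlite3.Connection) -> List[Row]:
    """Run the article's query against an open TCC-shaped database."""
    return [tuple(r) for r in conn.execute(QUERY)]


def read_rows(db_path: str = TCC_DB) -> List[Row]:
    """Read the live TCC.db read-only; raises sqlite3.OperationalError without FDA."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return query_connection(conn)
    finally:
        conn.close()


def check_rows(rows: List[Row]) -> Dict[str, str]:
    """Return {client: problem} for expected entries that are missing or wrong.

    The query does not filter on TCC's service column, so one client can
    appear several times; a client passes if any of its rows matches."""
    seen: Dict[str, List[Settings]] = defaultdict(list)
    for client, *settings in rows:
        seen[client].append(tuple(settings))
    problems: Dict[str, str] = {}
    for client, want in EXPECTED.items():
        found = seen.get(client, [])
        if not found:
            problems[client] = "missing from TCC.db"
        elif want not in found:
            problems[client] = f"expected {want}, found {found}"
    return problems


def build_demo_db(rows: List[Row]) -> sqlite3.Connection:
    """Constructed in-memory stand-in with only the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table access(client text, client_type int, auth_value int, "
                 "auth_reason int, auth_version int)")
    conn.executemany("insert into access values (?,?,?,?,?)", rows)
    return conn


if __name__ == "__main__":
    try:
        rows, source = read_rows(), TCC_DB
    except sqlite3.OperationalError:
        rows, source = parse_sqlite_output(BROKEN_OUTPUT), "constructed sample (no FDA)"
    problems = check_rows(rows)
    print(f"{source}: {'all sensor FDA entries correct' if not problems else 'problems found'}")
    for client, problem in problems.items():
        print(f"  {client}: {problem}")
```

Run it from a Terminal that has Full Disk Access to check the live database; piping the article's sqlite3 output through parse_sqlite_output gives the same report on a machine where the script itself cannot open TCC.db. A client that appears only with auth_value 0 (the denied case shown above) is reported with the offending row so it can be matched to the resolution step that was skipped.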