macOS Agents Change Hostname or Show As Duplicate Agents in Console

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Following a networking state change, such as connecting to a VPN, an existing macOS Agent's hostname changes in the Console.
In some instances, this network change could trigger the endpoint to re-register entirely, resulting in a duplicated Agent.

Environment

App Control Agent: All Supported Versions
App Control Server: All Supported Versions
Apple macOS: All Supported Versions

Cause

macOS utilizes three distinct system variables to determine its identity:

ComputerName: User-friendly identifier displayed in the UI, example: L1234
LocalHostName: The local subnet identifier used for Bonjour routing, example: L1234.local
HostName: The primary POSIX hostname used by the terminal and system APIs.

By default, the HostName variable is explicitly left undefined in macOS. When undefined, the operating system will attempt to dynamically resolve its own hostname by querying reverse DNS or DHCP information from the primary active network interface.

When a user connects to a modern VPN or proxy service (Zscaler, GlobalProtect, etc), a new virtual network interface is established and prioritized. If the DNS resolution on this new virtual interface returns an IP address, a stale DNS record, or no record at all, the macOS system dynamically updates its own HostName to match this transient state.

The Agent relies on system APIs (like gethostname() ) to identify the endpoint. When reading this newly altered, transient HostName, and depending on the timing of the network transition, the Agent will either overwrite its existing Console record with the incorrect name, or trigger a completely new registration, resulting in a duplicate.

Resolution

To prevent macOS from dynamically changing its hostname during network transitions, configure the endpoint to use a statically defined HostName using one of the methods below

Manual Endpoint Configuration

Verify Dynamic Global Hostname is disabled in the macOS Network settings.
Open Terminal and identify each of the machine's identities:
```
sudo scutil --get ComputerName
sudo scutil --get LocalHostName
sudo scutil --get HostName
```
- In many situations --get HostName will return "HostName: not set"
Manually set the HostName to match the LocalHostName, appending the local domain suffix if required (ex: .local or otherwise)
```
sudo scutil --set HostName <LocalHostName.local>
```
Flush the local DNS cache
```
sudo dscacheutil -flushcache
```
Restart the endpoint, or restart the Agent.

MDM Deployment Script

The following example script is a best effort example and should be adjusted to meet environmental needs accordingly.

#!/bin/bash

# Get LocalHostName
LHN=$(scutil --get LocalHostName)

# If LocalHostName is not blank, change HostName
if [ -n "$LHN" ]; then
    scutil --set HostName "$LHN.local"
fi

Additional Information

Engineering investigated this issue (EA-22001) and found no changes available in the Agent to circumvent this situation.
Change your computer's name or local hostname on Mac
Use a dynamic global hostname on Mac
Manage system configuration parameters (scutil)