Endpoint Standard: How to approve Mac Sensor 3.0 KEXT for Install/Upgrade
Article ID: 286413
Updated On: 01-31-2023
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Carbon Black recommends submitting the applicable Endpoint Standard KEXT IDs described in macOS 10.13.4 Kext Approval Changes for approval by MDM before installing or upgrading to Mac Sensor 3.0. However, if the KEXT is not pre-approved by MDM, this article describes how to approve KEXTs locally during install or upgrade.
Environment
Endpoint Standard: 3.0 and above
Apple MacOS: Mac OS 10.13 - 11
Resolution
1. When installing or upgrading to Mac Sensor 3.0 on High Sierra+, the installer will pause and you will see a prompt from the installer telling you to allow the kernel extension within 5 minutes.
2. Behind this notification is another notification from the OS explaining how to allow the extension from "Scargo, Inc."
3. Open the Security preferences pane and allow the software from "Scargo, Inc." to run.
4. The installer will finish, the kernel extension will load, and the Cb logo will load in the menu bar.
5. Use the following command to verify that the CB Defense kernel extension has been approved:
kextstat | grep -s com.confer
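The script below is an added example, not part of the original article or Carbon Black's own tooling. It extends the check above to match, exactly rather than by substring, both bundle IDs this article names (com.confer.sensor.kext for Sensor 3.0, com.carbonblack.defense.kext for Sensor 3.1 or higher); the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: bundle IDs are the two named in this article.
CB_KEXT_IDS="com.confer.sensor.kext com.carbonblack.defense.kext"

# Read kextstat-format text on stdin and print "<bundle-id> <version>" for
# each loaded sensor kext. Returns 0 if at least one is loaded, 1 otherwise.
cb_kext_loaded() {
    awk -v ids="$CB_KEXT_IDS" '
        BEGIN { n = split(ids, want, " "); found = 0 }
        {
            for (f = 1; f <= NF; f++)
                for (i = 1; i <= n; i++)
                    if ($f == want[i]) {          # whole-field match only
                        ver = $(f + 1)
                        gsub(/[()]/, "", ver)     # "(3.0.0)" -> "3.0.0"
                        print want[i], ver
                        found = 1
                    }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in kextstat layout (addresses, versions, UUIDs made up).
sample_kextstat() {
    cat <<'EOF'
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  100 0xffffff7f80a00000 0xa000     0xa000     com.apple.kpi.bsd (18.7.0) 00000000-0000-0000-0000-000000000001 <>
  150    0 0xffffff7f84000000 0x50000    0x50000    com.confer.sensor.kext (3.0.0) 00000000-0000-0000-0000-000000000002 <7 5 4 3 2 1>
EOF
}

# On a Mac, check the live kext list; elsewhere, run against the sample.
if command -v kextstat >/dev/null 2>&1; then
    kextstat 2>/dev/null | cb_kext_loaded || echo "sensor kext not loaded"
else
    sample_kextstat | cb_kext_loaded || echo "sensor kext not loaded"
fi
```

The non-zero return when neither bundle ID is loaded lets the function be used as a compliance check from a management script.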
Additional Information
The Mac 3.0 Sensor is signed by Confer, a subsidiary of Scargo Inc. Confer is likewise a subsidiary of Carbon Black. See https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-Why-does-KEXT-approval-show-Scargo-Inc-as-Developer/ta-p/38800 for more information.
Starting with macOS 10.13.0 (High Sierra), Apple created a whitelist for KEXTs. This is a new Apple feature that requires user approval before loading new third-party kernel extensions such as the CB Defense kernel extension, com.confer.sensor.kext for Sensor version 3.0 or com.carbonblack.defense.kext for Sensor version 3.1 or higher. See Apple Technical Note TN2459 for more details and recommendations for enterprise environments.
In some situations you may see an additional pop-up stating that a reboot is required; however, a reboot is not needed after the install/upgrade on physical machines. You may choose not to reboot and the sensor should reload within 30 minutes.
If using the 3.1.x.x Sensor and above, see https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-How-to-Verify-Sensor-3-1-KEXT-Approval/ta-p/51082
Kernel extensions are being deprecated as versions go forward. For macOS versions above 12, use the System Extension for best results.