• Carbon Black Cloud Sensor: All Versions
  • Audit & Remediation (was CB Live Ops)
  • Endpoint Standard (was CB Defense)
  • Enterprise EDR (was CB ThreatHunter)
• Apple macOS: All Supported Versions

3.5.x.x Sensor and Higher

1. Launch preferred terminal emulator
2. Run log collection command to output to existing directory

   sudo /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS/repcli capture <Uninstall_Code> <Destination_Directory>

3. Collect logs from <Destination_Directory>
4. Upload the file to the case

3.1.x.x - 3.4.x.x Sensor

1. Launch preferred terminal emulator
2. Run log collection command to output to existing directory

   sudo /Applications/Confer.app/uninstall -l <UNINSTALL_CODE> -d <Destination_Directory>

3. Collect logs from <Destination_Directory>
4. Upload the file to the case

3.0.x.x Sensor and Lower

• via Sensor Bypass

1. Launch preferred terminal emulator
2. Enable bypass

   sudo /Applications/Confer.app/uninstall -b  <UNINSTALL_CODE>

3. Run the following command

   tar czf ~/Confer-copy.tgz /Applications/Confer.app

    
4. Collect the resulting file
5. Rename the file to include the name of the device

   {DeviceName}_Confer-copy.tgz

6. Disable bypass

   sudo /Applications/Confer.app/uninstall -n  <UNINSTALL_CODE>

7. Upload the file to the case

• Via Safe Mode

1. Log onto the desired device (either directly or via RDP)
2. Boot the machine into Safe Mode
3. Launch Terminal
4. Run the following command

   tar czf ~/Confer-copy.tgz /Applications/Confer.app

    
5. Collect the resulting file
6. Rename the file to include the name of the device

   {DeviceName}_Confer-copy.tgz

7. Upload the file to the case

• Sensor services do not need to be running in order to gather this data
• The only requirement for the 3.1.x.x and higher options is that the directory exists prior to running the command