
Hi guys,

Anyone know where the plist for Traps Settings is, or any way to set up the settings at all?

I've been scanning for a plist and any config file to set up the settings but couldn't find any.

Thanks

@davidhiggs This is what I was looking for; finally got this. I have a question: using this EA, can we identify which machines' Cortex got disabled?


I don't know what a disabled status would be; I would think that's the same as false for protected. But you can look at the whole set of options using cytool, from here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-mac/troubleshoot-traps-for-mac/cytool-for-mac.html


@davidhiggs What does it mean if the result comes back as false? I just started using your EA (thanks, by the way!) and so far only have one device showing as "false". Had my Security team check on it to see if anything looks wrong from their side and they said it looks good: it's talking with the XDR console and they were able to perform a live remote terminal session successfully.



UPDATE: The "false" means it's not getting the policy. Security dived into it more and was able to see that was the case for the one I found.


@bcbackes A few reasons for false: I've seen some machines disappear from the console (server-side settings can be set to remove a computer after a period of inactivity), failed agent updates, and agent failure after a macOS update. Some agents require hands-on work to remove and reinstall.


@davidhiggs I am getting the error "The operation couldn't be completed. (SPErrorDomain error 10.)" while applying this config profile to M1 chip laptops, and it's failing. Do you have any suggestion on this error?


You shouldn't be doing any kernel extension (legacy system extension) whitelisting/approvals for Cortex; it should just be system extensions.


@davidhiggs So for the M1 processor, how do I take it forward for the new installation and kernel extension approval?


the current Jamf setup guide should be all you need, take note of the section which talks about approving kernel extension ONLY for 10.15.3 and below.
https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-3/cortex-xdr-agent-admin/cortex-xdr-agent-for-mac/install-the-cortex-xdr-agent-for-macos/install-the-cortex-xdr-agent-for-mac-using-jamf


@davidhiggs How can we handle the M1 processor laptop config profile setup? I have installed Rosetta on the M1 processor machines, but the configuration profile does not apply to the M1 processor machines; it's failing.

@davidhiggs Any reason for this?

Do we need to create two different profiles for M1 and normal Intel processors?

Could you please guide me to solve this? Also, I have applied this config profile to a few users. After applying the config profile, a few users' Wi-Fi got disconnected from the internet automatically.

Regards,
Udhaya


@udhayakumar
As Apple Silicon on Big Sur does not support Configuration Profiles with Kernel extensions, you need new profiles for M1 devices.
I cloned my Cortex Configuration Profile and removed the Kernel Extensions payload. This is then scoped for the M1 devices, and my existing Cortex profile excludes M1 devices in the scope. I've done the same for any Configuration Profile that has a kernel extension payload.
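The two facts in the reply above, that Apple Silicon cannot take a Kernel Extensions payload and that kext approval is only needed on Intel Macs running macOS 10.15.3 or below, can be turned into a scoping check instead of being tracked by hand. The following is an added example, not code from this thread or from Palo Alto Networks: a Jamf extension attribute script that reports which profile variant a Mac should receive, so a smart group can scope the two cloned profiles. The variant names `kext-approval` and `system-extensions` are placeholders for whatever the two profiles are called in your own Jamf instance; the architecture check uses `sysctl hw.optional.arm64` rather than `uname -m` so that an M1 Mac is reported as arm64 even if the shell happens to run under Rosetta.

```shell
#!/bin/sh
# Added example, not code from this thread or from Palo Alto Networks.
# Jamf extension attribute: report which Cortex XDR profile variant this Mac
# should be scoped to, based on two facts from the thread:
#   - Apple Silicon cannot take a Kernel Extensions payload, so it gets the
#     system-extensions-only profile;
#   - on Intel, kext approval is only needed on macOS 10.15.3 and below.
# The variant names "kext-approval" and "system-extensions" are placeholders
# (assumption) for the two cloned profiles in your own Jamf instance.

# version_le A B: true when dotted version A <= B, compared component-wise
# numerically, so 10.15 <= 10.15.3 and 10.9 <= 10.15.
version_le() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}                        # leading component of each
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac   # drop it
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x:-0} _y=${_y:-0}                          # missing component counts as 0
        [ "$_x" -lt "$_y" ] && return 0
        [ "$_x" -gt "$_y" ] && return 1
    done
    return 0                                             # all components equal
}

# cortex_profile ARCH MACOS_VERSION: print the profile variant to scope.
cortex_profile() {
    case $1 in
        arm64)  printf 'system-extensions\n' ;;
        x86_64)
            if version_le "$2" 10.15.3; then
                printf 'kext-approval\n'
            else
                printf 'system-extensions\n'
            fi ;;
        *)      printf 'unknown-arch\n'; return 1 ;;
    esac
}

# Detect the CPU family. hw.optional.arm64 is 1 on Apple Silicon even when
# the shell itself runs as an x86_64 process under Rosetta, which is why it
# is used instead of `uname -m`. On Intel the key does not exist.
host_arch() {
    if [ "$(sysctl -n hw.optional.arm64 2>/dev/null)" = 1 ]; then
        printf 'arm64\n'
    else
        printf 'x86_64\n'
    fi
}

# Extension attribute body: only meaningful on macOS, so skip elsewhere.
if [ "$(uname -s)" = Darwin ]; then
    printf '<result>%s</result>\n' \
        "$(cortex_profile "$(host_arch)" "$(sw_vers -productVersion)")"
fi
```

Paste the script as the extension attribute's body, then build two smart groups on the attribute's value and scope the profile with the Kernel Extensions payload to `kext-approval` and the trimmed clone to `system-extensions`.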


Thought I would add to my original response since I had to make documentation for my company on how to build this installer:



Prerequisites
- Traps for Mac Installer from console. Usually comes in a ZIP file.
- Custom XML file provided by Traps Administrator with organization server addresses in xml format



Process
1. Place Traps installer, .version, xml file in a folder named Traps_macOS_installer and move folder to a temporary location on your computer. I usually use /tmp (/private/tmp). This way it will be removed at next restart.
2. Open Composer.
3. Create a new package by dragging and dropping the Traps folder located in your temporary location into Composer.

4. Go to the Scripts folder within your new Traps Source Package in Composer and create a postinstall script.

- Enter the following as shown in screenshot:



#!/bin/sh
## postinstall
# Pause so the staged files are fully in place before the vendor installer runs
# (the shell builtin `wait` only waits for background jobs and does not pause).
sleep 10
# -allowUntrusted skips the package certificate trust check.
/usr/sbin/installer -allowUntrusted -pkg /private/tmp/Traps_macOS_installer/Traps.pkg -target /
exit 0


5. Build as a PKG file since you have set up the postinstall script; otherwise the script will be stripped from the compiled installer/DMG.



Note: As long as you keep the Traps_macOS_installer folder consistent and all the file names are the same, you will just need to update the .version file and Traps.pkg file and recompile.
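One caveat on the postinstall in the procedure above: `-allowUntrusted` tells `installer` to accept a package whose signing certificate macOS does not trust, which also means a wrong or tampered package staged in /private/tmp would install without complaint. As an added example (not the poster's script and not anything from the vendor), here is a staging check that verifies the folder layout the procedure describes and the package signature via `pkgutil --check-signature`, and only then runs `installer` without `-allowUntrusted`. The directory and file names follow the thread (Traps_macOS_installer, Traps.pkg, the hidden .version file, the admin-supplied XML); the environment-variable overrides and the exact pkgutil output strings matched are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's postinstall and not vendor code: refuse to
# run the Cortex/Traps installer unless the staged folder is complete and the
# package carries a signature macOS trusts. Replaces -allowUntrusted, which
# would let an unsigned or tampered package install silently.
# Folder/file names follow the thread; STAGE_DIR and PKG_NAME can be overridden.

STAGE_DIR=${STAGE_DIR:-/private/tmp/Traps_macOS_installer}
PKG_NAME=${PKG_NAME:-Traps.pkg}

# stage_ok DIR PKG: true when DIR holds the package, the hidden .version file
# and at least one config XML (the server-address file the Traps admin supplies).
stage_ok() {
    _dir=$1 _pkg=$2
    [ -f "$_dir/$_pkg" ]    || { echo "stage: missing $_pkg" >&2; return 1; }
    [ -f "$_dir/.version" ] || { echo "stage: missing .version" >&2; return 1; }
    _xml=$(find "$_dir" -maxdepth 1 -type f -name '*.xml' | wc -l | tr -d ' ')
    [ "$_xml" -ge 1 ]       || { echo "stage: no config xml found" >&2; return 1; }
    return 0
}

# pkg_signed PKG: true when `pkgutil --check-signature` reports a signed
# package and does not flag the certificate as untrusted. This is the check
# that -allowUntrusted asks installer to skip.
pkg_signed() {
    _out=$(pkgutil --check-signature "$1" 2>&1) || return 1
    printf '%s\n' "$_out" | grep -q 'Status: signed' || return 1
    printf '%s\n' "$_out" | grep -qi 'untrusted' && return 1
    return 0
}

# install_from_stage: run the vendor installer only after both checks pass.
install_from_stage() {
    stage_ok "$STAGE_DIR" "$PKG_NAME" || return 1
    pkg_signed "$STAGE_DIR/$PKG_NAME" \
        || { echo "refusing to install: $PKG_NAME is not trusted-signed" >&2; return 1; }
    /usr/sbin/installer -pkg "$STAGE_DIR/$PKG_NAME" -target /
}

# Only act when running as a root postinstall on macOS; the functions above
# stay usable for dry runs elsewhere.
if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    install_from_stage
fi
```

If `pkg_signed` fails on a package you know came from the console, inspect `pkgutil --check-signature` output by hand before reaching for `-allowUntrusted`; the fix is usually a stale or re-downloaded package, not a flag.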



I know this is an old post, but I have been trying without success to get the Composer-created package to deploy. It seems that even though I have the package created exactly the same as yours in Composer (save for the filenames), Jamf is not deploying it to the /private/tmp/ folder, plus the script is erroring out stating that the certificate is untrusted and to use the -allowUntrusted flag in the script... I absolutely am using it in the postinstall script!

Jamf support sent my ticket to their engineers, but I figured you folks might have some ideas for me to try in the mean time.




Save yourself the trouble and just upload the zip file right into Jamf Pro / Jamf Admin. No need to package, it will just work as is. The zip file contains a package and your company config. Add the zip file like you would a package to your policy and you're done.




I tried that and for some reason the install still failed. What I ended up doing was making a DMG file in Composer and adding the postinstall script (as a script in Jamf Pro) to run after things were copied to the endpoint. That worked.




Depends on the failure I guess. Your admin should have supplied a zip with these files:
Config.xml
Cortex XDR Uninstaller
Cortex XDR.pkg
The zip deployment has worked for us without issue, so might be other factors at play. I would review the deployment guide top to bottom, including any changes to config profiles and the various different considerations for macOS versions.




I've uploaded the zip as is using Jamf Admin and deployed it out in my policy. Installs just fine. I should note that I'm using the signed Unified Configuration Profile that the vendor provided. That's deployed to all my Macs before I deploy out the package. 

Only weirdness I'm seeing is that a couple of days after Cortex v7.6 is installed, it gets disabled somehow and the network content filter prevents Cisco AnyConnect from connecting to VPN. My Security Team has opened a ticket with the vendor on it. I should say that if I move Cortex.app from Applications to the Trash, it unloads all the System Extensions, disabling the Network Content Filter, and AnyConnect works without issues. Seen this on 3 Macs so far on our Jamf Pro Cloud server.




Yep, was using the zip file that had those three files and a hidden 4th file, version.xml I believe. I also used all of the configuration profiles from the vendor...It would install, but wouldn't catch the config file, so Cortex was greyed out. Once I made it into a DMG with a separate script to launch the installer, then it worked. I was even using all the same files from the zip.




We also have some issues with Cortex 7.5.1 and even the latest 7.6.0.
Deploying Cortex to the machine works fine, and we also apply the unified configuration policy to the machine. But... on Intel machines no problems; only on the new M1 Pro/Max machines are all internet connections blocked by the Cortex Network filter.

Strange thing is, when we reboot with Wi-Fi enabled and only Ethernet connected, the internet works fine. After enabling Wi-Fi the connection still works, but somehow the Ethernet adapter switches to a 169.254.x.x address, and even though the Wi-Fi connection is enabled there is no internet connection at that time.
Did several tests and found out that a completely new machine with no MDM enrollment also has this same problem.
We contacted the vendor and they also did a remote desktop session to see what happens... But the problem still exists, for almost 5 weeks now, after sending spindumps and complete log files.


Anyone seeing issues with v7.6 where it's showing disabled for Protection Status? I look at the Connection and it says Not Available. I suspect it's the XDR Network Filter causing this issue. I'm seeing this on ARM based and Intel based Macs. I'm using the Unified signed config profile from the Vendor (one for ARM and a separate one for Intel). Config profiles are scoped based on processor type. My Security team has a ticket in with the vendor but haven't gotten any real answers from the vendor yet.

