So far we are deploying FireEye HX agent 33.46 on 1600 Macs in Big Sur with no problems. We make sure any PPPC or Extension approval profiles are deployed before the agent is installed.
Hello
@Phantom5 Are you able to provide what you profile looks like for PPPC and Extension Approval? We just received the 33.51.0 installer. We pushed out to my Mac and I received the pop up. The System extension we used for v32 does not appear to work (the profile was already in my device). Many thanks
Did you ever get this resolved? I am having the same issue while upgrading from 32 to 33.51.0. The new FireEye Helper is causing a System Extension pop up.
Hey Folks,
I have resolved our issue of receiving the System Extension "content" block and also the FireEye Network Filter pop up. After many hours of research, testing and a phone call to FireEye I finally have the ingredients to silently upgrade/install version 33.51.10 to Big Sur.
**Note - we do not use BitDefender
** These are not all of my notes**.
I also left my previous PPPC profile on which allowed Full Disk Access to xagt. Which basically included every service. It does not hurt to have more than you needed. You can also check with your CSIRT team to see what they needed scanned.
System Extension Whitelisting
System Extension Whitelisting is only applicable to xagt v33.51 and greater
The Team ID for FireEye as of writing is P2BNL68L2C.
You can get this ID from drawing the FE client into PPPC Utility. It will reveal the code and Team ID, which then you can use for deployment.
To whitelist this we need to create a configuration profile. The specific extension name for the xagt that should be whitelisted is com.fireeye.system-extension
Malware Detection
For malware detection FireEye leverages Bitdefender’s AV engine which has its own System Extension. This must be whitlisted also or users will get the below prompt:
The team ID for Bitdefender is GUNFMW623Y and the whitelisting is similar to before but should allow all Driver Extensions, Endpoint Security Extensions and Network Extensions.
Socket Filter Whitelisting
System Extension Whitelisting is only applicable to xagt v33.51 and greater
From MacOS Big Sur onwards there is a requirement for the agent to have a network socket filter. Upon installation the agent will trigger this prompt to the user:
The entries are as follows:
| Setting | Value |
| Filter Name | FireEye Helper |
| Identifier | P2BNL68L2C.com.fireeye.helper |
| Filter Order | Firewall |
| Socket Filter Bundle Identifier | com.fireeye.system-extension |
| Socket Filter Designated Requirements | identifier "com.fireeye.system-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C |
| | |
| FilterSockets | True |
@pueo - Many thanks. I can't imagine how many hours this saved me nor do I want to think about how long you had to work to get this all working correctly.
This is the first time I have had to specifically call out a system extension by name in order for it to be approved. Typically approving by team identifier has been enough for me.
@pueo - Many thanks. I can't imagine how many hours this saved me nor do I want to think about how long you had to work to get this all working correctly.
This is the first time I have had to specifically call out a system extension by name in order for it to be approved. Typically approving by team identifier has been enough for me.
No problem. There is more. After more than a few emails to FE they eventually gave me updated documentation with the exact procedure a MDM Admin needs to follow in order to successfully deploy FireEye v33.51.0.
One of the bigger changes was adding more settings to the PPPC (whitelist) setting. The previous documentation only had ALLsystemfiles but they now suggest to have quite a few more. They also provide screen shots for Whitelisting and setting up Malware detection.
Upgrading FE is easy. Push out profiles, push out HX client (we are using HX Console for agent. Anyways if you need the pdf there must be away I can send it to you.
p.
Hey Folks,
I have resolved our issue of receiving the System Extension "content" block and also the FireEye Network Filter pop up. After many hours of research, testing and a phone call to FireEye I finally have the ingredients to silently upgrade/install version 33.51.10 to Big Sur.
**Note - we do not use BitDefender
** These are not all of my notes**.
I also left my previous PPPC profile on which allowed Full Disk Access to xagt. Which basically included every service. It does not hurt to have more than you needed. You can also check with your CSIRT team to see what they needed scanned.
System Extension Whitelisting
System Extension Whitelisting is only applicable to xagt v33.51 and greater
The Team ID for FireEye as of writing is P2BNL68L2C.
You can get this ID from drawing the FE client into PPPC Utility. It will reveal the code and Team ID, which then you can use for deployment.
To whitelist this we need to create a configuration profile. The specific extension name for the xagt that should be whitelisted is com.fireeye.system-extension
Malware Detection
For malware detection FireEye leverages Bitdefender’s AV engine which has its own System Extension. This must be whitlisted also or users will get the below prompt:
The team ID for Bitdefender is GUNFMW623Y and the whitelisting is similar to before but should allow all Driver Extensions, Endpoint Security Extensions and Network Extensions.
Socket Filter Whitelisting
System Extension Whitelisting is only applicable to xagt v33.51 and greater
From MacOS Big Sur onwards there is a requirement for the agent to have a network socket filter. Upon installation the agent will trigger this prompt to the user:
The entries are as follows:
| Setting | Value |
| Filter Name | FireEye Helper |
| Identifier | P2BNL68L2C.com.fireeye.helper |
| Filter Order | Firewall |
| Socket Filter Bundle Identifier | com.fireeye.system-extension |
| Socket Filter Designated Requirements | identifier "com.fireeye.system-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C |
| | |
| FilterSockets | True |
Great write-up... Thank you!
Hey Folks,
I have resolved our issue of receiving the System Extension "content" block and also the FireEye Network Filter pop up. After many hours of research, testing and a phone call to FireEye I finally have the ingredients to silently upgrade/install version 33.51.10 to Big Sur.
**Note - we do not use BitDefender
** These are not all of my notes**.
I also left my previous PPPC profile on which allowed Full Disk Access to xagt. Which basically included every service. It does not hurt to have more than you needed. You can also check with your CSIRT team to see what they needed scanned.
System Extension Whitelisting
System Extension Whitelisting is only applicable to xagt v33.51 and greater
The Team ID for FireEye as of writing is P2BNL68L2C.
You can get this ID from drawing the FE client into PPPC Utility. It will reveal the code and Team ID, which then you can use for deployment.
To whitelist this we need to create a configuration profile. The specific extension name for the xagt that should be whitelisted is com.fireeye.system-extension
Malware Detection
For malware detection FireEye leverages Bitdefender’s AV engine which has its own System Extension. This must be whitlisted also or users will get the below prompt:
The team ID for Bitdefender is GUNFMW623Y and the whitelisting is similar to before but should allow all Driver Extensions, Endpoint Security Extensions and Network Extensions.
Socket Filter Whitelisting
System Extension Whitelisting is only applicable to xagt v33.51 and greater
From MacOS Big Sur onwards there is a requirement for the agent to have a network socket filter. Upon installation the agent will trigger this prompt to the user:
The entries are as follows:
| Setting | Value |
| Filter Name | FireEye Helper |
| Identifier | P2BNL68L2C.com.fireeye.helper |
| Filter Order | Firewall |
| Socket Filter Bundle Identifier | com.fireeye.system-extension |
| Socket Filter Designated Requirements | identifier "com.fireeye.system-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C |
| | |
| FilterSockets | True |
This is a really useful write up and thank you for that. I do have one question. I go to add the Socket Filter Whitelisting and all the fields you identified are there, with the exception of FilterSockets. I'm entering it in the payload for Content Filtering in the configuration profile, but perhaps I'm supposed to be entering it elsewhere.
Again, thanks so much.
This is a really useful write up and thank you for that. I do have one question. I go to add the Socket Filter Whitelisting and all the fields you identified are there, with the exception of FilterSockets. I'm entering it in the payload for Content Filtering in the configuration profile, but perhaps I'm supposed to be entering it elsewhere.
Again, thanks so much.
Hello Mlarsen
Glad the write up helped.
You need to add the entry under Custom Data
You add the FilterSockets under Key then add True under Value.
Good luck,
Cheers
Hello Mlarsen
Glad the write up helped.
You need to add the entry under Custom Data
You add the FilterSockets under Key then add True under Value.
Good luck,
Cheers
Hi Pueo,
Got it, and thanks so much again.
No problem. There is more. After more than a few emails to FE they eventually gave me updated documentation with the exact procedure a MDM Admin needs to follow in order to successfully deploy FireEye v33.51.0.
One of the bigger changes was adding more settings to the PPPC (whitelist) setting. The previous documentation only had ALLsystemfiles but they now suggest to have quite a few more. They also provide screen shots for Whitelisting and setting up Malware detection.
Upgrading FE is easy. Push out profiles, push out HX client (we are using HX Console for agent. Anyways if you need the pdf there must be away I can send it to you.
p.
Hi @pueo
Can you tell me the name of the PDF you got from FireEye/Mandiant so I can try to get it from support, or put it up in a place I can grab it? Unfortunately, when I try to distribute the config profile, I get the error "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." so I want to verify that I'm setting it up correctly.
Thanks,
Michael
Hi @pueo
Can you tell me the name of the PDF you got from FireEye/Mandiant so I can try to get it from support, or put it up in a place I can grab it? Unfortunately, when I try to distribute the config profile, I get the error "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." so I want to verify that I'm setting it up correctly.
Thanks,
Michael
Sorry for the delay Michael. Sent to you private messages.
ash
Sorry for the delay Michael. Sent to you private messages.
ash
Got it going! Thanks for all your help!
Hi @pueo
Can you tell me the name of the PDF you got from FireEye/Mandiant so I can try to get it from support, or put it up in a place I can grab it? Unfortunately, when I try to distribute the config profile, I get the error "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." so I want to verify that I'm setting it up correctly.
Thanks,
Michael
@pueo / @mlarsen
Any chance I could grab a copy of that PDF as well?
I'm trying to deploy the same version of FireEye and am running into similar issues with building my profiles.
Thanks 🙂
I'm struggling with the System Extension approval popup and PPPC Payload but FireEye support claim they have no resources on this to help and that it's up to me to figure out...
If someone could post their PPPC payload for xagt that would help greatly or If anyone happens to have a copy of the MDM deployment PDF that @pueo was sent from FireEye i would be forever in your debt if you could send it to me as well.
The FireEye docs talk about packaging and installing it, but nothing about getting it to silently install/upgrade.
I'm struggling with the System Extension approval popup and PPPC Payload but FireEye support claim they have no resources on this to help and that it's up to me to figure out...
If someone could post their PPPC payload for xagt that would help greatly or If anyone happens to have a copy of the MDM deployment PDF that @pueo was sent from FireEye i would be forever in your debt if you could send it to me as well.
The FireEye docs talk about packaging and installing it, but nothing about getting it to silently install/upgrade.
Hi @johnsz_tu - I apologize for not responding sooner. I never did get the PDF. I did find a a page on the FireEye community which gave me the details I needed though. The page is here - https://community.fireeye.com/CustomerCommunity/s/article/000003689
I'm struggling with the System Extension approval popup and PPPC Payload but FireEye support claim they have no resources on this to help and that it's up to me to figure out...
If someone could post their PPPC payload for xagt that would help greatly or If anyone happens to have a copy of the MDM deployment PDF that @pueo was sent from FireEye i would be forever in your debt if you could send it to me as well.
The FireEye docs talk about packaging and installing it, but nothing about getting it to silently install/upgrade.
Hello. Sorry for the delay in replying. I am happy to help with screen shots to get you moving along with your FE deployment. The first two screen shots are taken from the Documentation. The differences between the previous FE installer and the current one (33.51) is you now need a Content Filter.
Again, apologies for the tardiness.
Cheers.
Our Profiles.
System Extension
Content Filter.
FE Documentation
Hi @johnsz_tu - I apologize for not responding sooner. I never did get the PDF. I did find a a page on the FireEye community which gave me the details I needed though. The page is here - https://community.fireeye.com/CustomerCommunity/s/article/000003689
@mlarson Sorry I didn't follow up with documentation.
Do the attachments I just added to the post resolve your issue?
Cheers,
@mlarson Sorry I didn't follow up with documentation.
Do the attachments I just added to the post resolve your issue?
Cheers,
Hi @pueo, The screenshots look good and I was able to get it resolved from the FireEye community page I linked to earlier. Thanks again for all the help you've provided.
Hello. Sorry for the delay in replying. I am happy to help with screen shots to get you moving along with your FE deployment. The first two screen shots are taken from the Documentation. The differences between the previous FE installer and the current one (33.51) is you now need a Content Filter.
Again, apologies for the tardiness.
Cheers.
Our Profiles.
System Extension
Content Filter.
FE Documentation
@pueo Thank you so much!!
That will help so much.
I managed to get through the System Extension dialog yesterday, and have started battling with the Popup for the Network Filter
Going to try to build based on the screenshots above today
Really appreciate it 🙂
Hello. Sorry for the delay in replying. I am happy to help with screen shots to get you moving along with your FE deployment. The first two screen shots are taken from the Documentation. The differences between the previous FE installer and the current one (33.51) is you now need a Content Filter.
Again, apologies for the tardiness.
Cheers.
Our Profiles.
System Extension
Content Filter.
FE Documentation
Hi @pueo ,
We've been trying to get this upgrade to v.33.51.1 for more than a month and it's still failing for us...Engaged some FireEye tech for this issue and he sent the same guide that you provided the screenshots from, but it doesn't seem to go through the installation, failing somewhere while running the xagtSetup (see below):
"Installing FireEyewPostinstall v.33.51.1 PROD.pkg...
Successfully installed FireEyewPostinstall v.33.51.1 PROD.pkg.
Running script FireeyePostinstall v.33.51.1...
Script exit code: 1
Script result: installer: Package name is FireEye Agent
installer: Installing at base path /
installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “xagtSetup_33.51.1.pkg”.)
Error running script: return code was 1."
Again, I've already created the required Config Profiles as per the FireEye guide, still No Bueno! 😞
Any ideas?
Thanks,
CC
Hello @cc_rider
I can't see the contents of your package or any scripts. So I have posted what I did and I works for us.
For new/reimaged Macs we deploy the FE Agent as part of our DEP Notify script. This is not important.
My post install script for FE is posted below:
--
#!/bin/sh
## postinstall
sudo installer -pkg /private/tmp/FireEyeAgent/xagtSetup_33.51.0.pkg -target /
sudo rm -r /private/tmp/FireEyeAgent
--
I packaged this small script using Composer. It took many attempts to get it working.
Does you script work locally? You should be able to run it locally after moving the pkg into whatever directory it loads from.
Remove spaces from you pkg file or use _ or - to join words. This will help simplify things and help trouble shooting. maybe use one name like FEAgent.pkg, test then build up from there.
check jamf.log and install.log.
Test locally..then jamf..
Good luck!
Cheers,
a.
Hi @pueo ,
We've been trying to get this upgrade to v.33.51.1 for more than a month and it's still failing for us...Engaged some FireEye tech for this issue and he sent the same guide that you provided the screenshots from, but it doesn't seem to go through the installation, failing somewhere while running the xagtSetup (see below):
"Installing FireEyewPostinstall v.33.51.1 PROD.pkg...
Successfully installed FireEyewPostinstall v.33.51.1 PROD.pkg.
Running script FireeyePostinstall v.33.51.1...
Script exit code: 1
Script result: installer: Package name is FireEye Agent
installer: Installing at base path /
installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “xagtSetup_33.51.1.pkg”.)
Error running script: return code was 1."
Again, I've already created the required Config Profiles as per the FireEye guide, still No Bueno! 😞
Any ideas?
Thanks,
CC
Hello
**Sorry for the double reply. A few lost screens a re write and I can't figure out how to remove a old post**
-
We keep our FE Agent very basic when it comes to deployment.
For new machines Jamf will install the repackaged client using the following post install script (we use DEPNotify for deployments):
#!/bin/sh
## postinstall
sudo installer -pkg /private/tmp/FireEyeAgent/xagtSetup_33.51.0.pkg -target /
sudo rm -r /private/tmp/FireEyeAgent
--
After this, once the agent checks in with HX the agent will receive any other configurations it needs. Keep it simple
I packaged this small script using Composer. It took many attempts to get it working.
Things to try
- Test script locally
- Remove spaces from pkg name
- check jamf and install.log files.
As a reminder: Think locally first..:-)
a.
Hello
**Sorry for the double reply. A few lost screens a re write and I can't figure out how to remove a old post**
-
We keep our FE Agent very basic when it comes to deployment.
For new machines Jamf will install the repackaged client using the following post install script (we use DEPNotify for deployments):
#!/bin/sh
## postinstall
sudo installer -pkg /private/tmp/FireEyeAgent/xagtSetup_33.51.0.pkg -target /
sudo rm -r /private/tmp/FireEyeAgent
--
After this, once the agent checks in with HX the agent will receive any other configurations it needs. Keep it simple
I packaged this small script using Composer. It took many attempts to get it working.
Things to try
- Test script locally
- Remove spaces from pkg name
- check jamf and install.log files.
As a reminder: Think locally first..:-)
a.
Hi @pueo,
Thanks for the suggestions. And, you are right, the best test is to try it locally, which I've already done that...I've got the .dmg copied locally and tried to go through the normal installation, but it failed at the end. So, I'm not sure if I'm doing something wrong or if this package received from FireEye has some problems with it.
Thanks,
CC
Hi @pueo,
Thanks for the suggestions. And, you are right, the best test is to try it locally, which I've already done that...I've got the .dmg copied locally and tried to go through the normal installation, but it failed at the end. So, I'm not sure if I'm doing something wrong or if this package received from FireEye has some problems with it.
Thanks,
CC
Try using a pkg instead. I rarely if ever use a DMG.
