Carbon Black Cloud

ImAMacGuy
Valued Contributor II

I'm trying to upgrade from Carbon Black Defense to Carbon Black Cloud. The only area I'm stuck on is the kernel kext cache rebuild section. The screenshot looks like it's in the computer record > management > management commands, but I dont see a way to send a XML 'custom command' down. I thought maybe it would be a config profile, but that wants a preference domain, so I don't know that it's what I want.

Anybody have any thoughts on how to configure it to be as seamless as possible? (the VMWare directions said it needs to get the KEXT onto the machine then run this custom XML file to reboot and rebuild the cache).

17 REPLIES 17

ctarbox
Contributor II

@jwojda, I just got the marching orders to get Carbon Black Cloud configured to install remotely. I do believe by 'custom command' they are referring to the 'Files and Processes' Policy Payload, and within that 'Execute Command', where you would issue the command (or in this case, XML) to be run.

I will be working on this this week and maybe putting our two heads together we can get this figured out.

Cheryl

My confusion is whether to create the KEXT or System Extension Profile, or both, and if they are macOS version dependent.

alexjdale
Valued Contributor III

I am working on this same thing, and have a case open with Jamf. I don't see how you can "run" this command in the shell, since it is an MDM command and should have to go through APNs. As far as I can tell, Jamf needs to build this into the product.

ctarbox
Contributor II

Yes, I do stand corrected that you cannot 'run' this via a Policy.

ctarbox
Contributor II

I followed the suggestions in this thread: https://www.jamf.com/jamf-nation/discussions/24905/carbon-black-defense by @jimderlatka and @kmathern. This worked really nice -- hat tip to you both. And, I'm not even seeing where I need to restart a Big Sur desktop, as the service starts running immediately after installation and the KEXT and System Extensions are approved. I do have all of the Configuration Profiles created and applied that are spelled out in the the MDMinstructions.txt in the confer_installer_mac-3.5.1.19.dmg provided by the vendor.

The only things I did differently is to only include the Installer and Unistaller pacakges, and the cbcloud_install_unattended.sh in the /cb directory. And included the post_install.sh script in my Policy to run 'After'.

ImAMacGuy
Valued Contributor II

I was working on it a bit on macOS 11.2 / M1 Mac and it installed and looked activated. However when I checked system preferences > privacy > full disk access the sysext was disabled. However, after I rebooted, when I go to log in I just get a black screen and a cursor. Left it for over an hour and still same result.

@ctarbox as for which extension, I setup both and installed both on the 11.2/M1 machine. though I believe KEXTs are only required for 10.13-10.14... I was gonna try just doing the SysExt for 10.15 & 11 and see where that gets me.

The install of it, I did what I did in CBDefense, I just copied the unattended install script and pasted it as a post install script with the company info, seems like it installed fine.

kwise123
New Contributor

Let me know what you find. I am in the same situation. Trying to get ready for Big Sur and Carbon Black.

alexjdale
Valued Contributor III

Something to add: Carbon Black 3.5.1.19 can operate with either kexts or system extensions, and needs special handling to use kext mode in Big Sur (configured in the unattended install script, or via a repcli command after installation). Even if the kext is whitelisted, Big Sur will not start using it until either the user approves it and restarts, or a special MDM restart command is sent to rebuild the kext cache.

This is an important distinction for Carbon Black because it has reduced functionality in system extension mode. Some information security teams will demand kext mode, at least until Carbon Black can improve their feature set with system extensions.

Phil_James
New Contributor III

I just caught this tread, wanted to share this info also. No spaces if you run the script from a Policy.

https://www.jamf.com/jamf-nation/discussions/37730/carbon-black-cloud-3-5-1-19-sensor-install-error#responseChild212298

How are you pushing out the new config profiles for Big Sur? Are you scoping the new System Extensions to a smart group for Big Sur only? and removing the kext? I'm wondering if both Kernel Extension and System Extensions will be nice to each other.

ImAMacGuy
Valued Contributor II

I think we're all set using the included profiles from the install package on an M1 / Big Sur 11.2 test machine. Full disk access doesn't show in the Security & Privacy settings, but when I query the local CBCloud agent through Terminal, it shows it's enabled and controlled by MDM. The security was also able to verify the machine was showing in the console as well.

General Info: 
    Sensor Version: 3.5.1.19
    Kernel Type: System Extension
    System Extension: Running
    Kernel File Filter: Connected
    Background Scan: Standard Scan
    Sensor Restarts: 7
    Last Reset: not set
Full Disk Access Configurations: 
    Repmgr: Configured via MDM
    System Extension: Configured via MDM
    OSQuery: Configured via MDM
    Uninstall Helper: Configured via MDM
    Uninstall UI: Configured via MDM
Sensor State: 
    State: Enabled

kwise123
New Contributor

How is the xml file run?

alexjdale
Valued Contributor III

The XML is for an MDM command (some MDM solutions let you push a custom MDM command), it's not something you can just execute in a shell or such.

Not applicable

Web filtering/monitoring would not be done using Carbon Black. If your endpoint becomes compromised then your leadership might want to look at your traffic and THEN it could be discovered that you were on Facebook. Your best bet would be to check your company's acceptable use policies regarding internet usage just to be safe.

official website

user-kmBoAKdQoc
New Contributor

There any news regarding this topic?
How can you approve the Kernel extension, There is a way to deploy the Xml via jamf?
Or other alternative way?

Did you ever get an answer for this?

ctarbox
Contributor II

I just used these instructions to update my CB Cloud Sensor to version 3.6.x, and it handled allowing the KEXT and System Extensions very nicely.

 

https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/cbc-sensor-installation-guide/GUID-58F...

I follow these instructions but for some reason sensor is not reporting back any disk read/write activity. Did you run into an issue like that? 

@acuvue14 I did not. All of my installs were fresh installs -- not upgrades, and they were all scoped to M1/Silicon chipsets.