Posted on 01-19-2021 09:18 AM
I'm trying to upgrade from Carbon Black Defense to Carbon Black Cloud. The only area I'm stuck on is the kernel kext cache rebuild section. The screenshot looks like it's in the computer record > management > management commands, but I don't see a way to send an XML 'custom command' down. I thought maybe it would be a config profile, but that wants a preference domain, so I don't know that it's what I want.
Anybody have any thoughts on how to configure it to be as seamless as possible? (the VMWare directions said it needs to get the KEXT onto the machine then run this custom XML file to reboot and rebuild the cache).
Posted on 02-01-2021 08:40 AM
@jwojda, I just got the marching orders to get Carbon Black Cloud configured to install remotely. I do believe by 'custom command' they are referring to the 'Files and Processes' Policy Payload, and within that 'Execute Command', where you would issue the command (or in this case, XML) to be run.
I will be working on this this week and maybe putting our two heads together we can get this figured out.
My confusion is whether to create the KEXT or System Extension Profile, or both, and if they are macOS version dependent.
Posted on 02-01-2021 09:48 AM
I am working on this same thing, and have a case open with Jamf. I don't see how you can "run" this command in the shell, since it is an MDM command and should have to go through APNs. As far as I can tell, Jamf needs to build this into the product.
Posted on 02-01-2021 10:18 AM
Yes, I do stand corrected that you cannot 'run' this via a Policy.
Posted on 02-02-2021 08:59 AM
I followed the suggestions in this thread: https://www.jamf.com/jamf-nation/discussions/24905/carbon-black-defense by @jimderlatka and @kmathern. This worked really nicely -- hat tip to you both. And, I'm not even seeing where I need to restart a Big Sur desktop, as the service starts running immediately after installation and the KEXT and System Extensions are approved. I do have all of the Configuration Profiles created and applied that are spelled out in the MDMinstructions.txt in the confer_installer_mac-188.8.131.52.dmg provided by the vendor.
The only things I did differently are to only include the Installer and Uninstaller packages, and the cbcloud_install_unattended.sh in the /cb directory. And I included the post_install.sh script in my Policy to run 'After'.
Posted on 02-02-2021 10:58 AM
I was working on it a bit on macOS 11.2 / M1 Mac and it installed and looked activated. However when I checked system preferences > privacy > full disk access the sysext was disabled. However, after I rebooted, when I go to log in I just get a black screen and a cursor. Left it for over an hour and still same result.
@ctarbox as for which extension, I set up both and installed both on the 11.2/M1 machine. Though I believe KEXTs are only required for 10.13-10.14... I was gonna try just doing the SysExt for 10.15 & 11 and see where that gets me.
The install of it, I did what I did in CBDefense, I just copied the unattended install script and pasted it as a post install script with the company info, seems like it installed fine.
Posted on 02-03-2021 01:19 PM
Let me know what you find. I am in the same situation. Trying to get ready for Big Sur and Carbon Black.
Posted on 02-03-2021 01:23 PM
Something to add: Carbon Black 184.108.40.206 can operate with either kexts or system extensions, and needs special handling to use kext mode in Big Sur (configured in the unattended install script, or via a repcli command after installation). Even if the kext is whitelisted, Big Sur will not start using it until either the user approves it and restarts, or a special MDM restart command is sent to rebuild the kext cache.
This is an important distinction for Carbon Black because it has reduced functionality in system extension mode. Some information security teams will demand kext mode, at least until Carbon Black can improve their feature set with system extensions.
Posted on 02-03-2021 03:02 PM
I just caught this thread, wanted to share this info also. No spaces if you run the script from a Policy.
How are you pushing out the new config profiles for Big Sur? Are you scoping the new System Extensions to a smart group for Big Sur only? and removing the kext? I'm wondering if both Kernel Extension and System Extensions will be nice to each other.
Posted on 02-04-2021 07:17 AM
I think we're all set using the included profiles from the install package on an M1 / Big Sur 11.2 test machine. Full disk access doesn't show in the Security & Privacy settings, but when I query the local CBCloud agent through Terminal, it shows it's enabled and controlled by MDM. The security was also able to verify the machine was showing in the console as well.
General Info:
  Sensor Version: 220.127.116.11
  Kernel Type: System Extension
  System Extension: Running
  Kernel File Filter: Connected
  Background Scan: Standard Scan
  Sensor Restarts: 7
  Last Reset: not set
Full Disk Access Configurations:
  Repmgr: Configured via MDM
  System Extension: Configured via MDM
  OSQuery: Configured via MDM
  Uninstall Helper: Configured via MDM
  Uninstall UI: Configured via MDM
Sensor State:
  State: Enabled
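The status block above is what admins end up eyeballing by hand on each test machine. The script below (an added example, not code from the thread or from Carbon Black) parses that block and returns non-zero when the sensor is not enabled or any Full Disk Access entry was not granted via MDM, which is the shape a Jamf Extension Attribute or smart-group check needs. The sample blocks are constructed from the fields quoted above; the repcli path in the comment is an assumption.

```shell
#!/bin/bash
# Constructed sample: healthy sensor in System Extension mode (fields as quoted in the thread).
SAMPLE_OK='General Info:
  Sensor Version: 3.6.x (constructed)
  Kernel Type: System Extension
  System Extension: Running
Full Disk Access Configurations:
  Repmgr: Configured via MDM
  System Extension: Configured via MDM
  OSQuery: Configured via MDM
Sensor State:
  State: Enabled'

# Constructed sample: kext mode, one FDA grant missing (a user-approved rather than MDM-managed state).
SAMPLE_BAD='General Info:
  Kernel Type: Kernel Extension
Full Disk Access Configurations:
  Repmgr: Configured via MDM
  System Extension: Not Configured
Sensor State:
  State: Enabled'

# Print every Full Disk Access entry that is NOT "Configured via MDM".
fda_unconfigured() {
  printf '%s\n' "$1" | awk '
    /^Full Disk Access Configurations:/ { in_fda = 1; next }
    /^[^ ]/ { in_fda = 0 }   # next top-level heading ends the FDA block
    in_fda && $0 !~ /Configured via MDM/ { sub(/^ +/, ""); print }'
}

# Value of the indented "State:" line under "Sensor State:".
sensor_state() { printf '%s\n' "$1" | awk -F': *' '/^ *State:/ { print $2; exit }'; }

# "System Extension" or "Kernel Extension"; the thread notes the two modes differ in features.
kernel_type() { printf '%s\n' "$1" | awk -F': *' '/^ *Kernel Type:/ { print $2; exit }'; }

# Verdict line plus exit status: 0 = enabled and all FDA grants came from MDM, 1 otherwise.
check_sensor_status() {
  missing=$(fda_unconfigured "$1")
  state=$(sensor_state "$1")
  if [ "$state" = "Enabled" ] && [ -z "$missing" ]; then
    printf 'OK: %s mode, FDA via MDM\n' "$(kernel_type "$1")"
    return 0
  fi
  printf 'WARN: state=%s; FDA not via MDM: %s\n' "$state" "$(printf '%s' "$missing" | tr '\n' ';')"
  return 1
}

# Real use (path assumed, not from the thread):
#   check_sensor_status "$('/Applications/VMware Carbon Black Cloud/repcli.bundle/Contents/MacOS/repcli' status)"
check_sensor_status "$SAMPLE_OK"
check_sensor_status "$SAMPLE_BAD" || true
```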
Posted on 02-09-2021 02:03 PM
How is the xml file run?
Posted on 02-09-2021 02:59 PM
The XML is for an MDM command (some MDM solutions let you push a custom MDM command), it's not something you can just execute in a shell or such.
Posted on 02-09-2021 10:37 PM
Web filtering/monitoring would not be done using Carbon Black. If your endpoint becomes compromised then your leadership might want to look at your traffic and THEN it could be discovered that you were on Facebook. Your best bet would be to check your company's acceptable use policies regarding internet usage just to be safe.
Posted on 02-22-2021 08:13 AM
Is there any news regarding this topic?
How can you approve the kernel extension? Is there a way to deploy the XML via Jamf?
Or other alternative way?
Posted on 04-28-2022 08:23 AM
Did you ever get an answer for this?
Posted on 04-28-2022 08:53 AM
I just used these instructions to update my CB Cloud Sensor to version 3.6.x, and it handled allowing the KEXT and System Extensions very nicely.
Posted on 05-09-2022 01:25 PM
I followed these instructions, but for some reason the sensor is not reporting back any disk read/write activity. Did you run into an issue like that?
Posted on 05-10-2022 05:58 AM
@acuvue14 I did not. All of my installs were fresh installs -- not upgrades, and they were all scoped to M1/Silicon chipsets.