I'm trying to upgrade from Carbon Black Defense to Carbon Black Cloud. The only area I'm stuck on is the kernel kext cache rebuild section. The screenshot looks like it's in the computer record > management > management commands, but I don't see a way to send an XML 'custom command' down. I thought maybe it would be a config profile, but that wants a preference domain, so I don't know that it's what I want.
Anybody have any thoughts on how to configure it to be as seamless as possible? (The VMware directions said it needs to get the KEXT onto the machine, then run this custom XML file to reboot and rebuild the cache.)
@jwojda, I just got the marching orders to get Carbon Black Cloud configured to install remotely. I do believe by 'custom command' they are referring to the 'Files and Processes' Policy Payload, and within that 'Execute Command', where you would issue the command (or in this case, XML) to be run.
I will be working on this this week and maybe putting our two heads together we can get this figured out.
My confusion is whether to create the KEXT or System Extension Profile, or both, and if they are macOS version dependent.
I followed the suggestions in this thread: https://www.jamf.com/jamf-nation/discussions/24905/carbon-black-defense by @jimderlatka and @kmathern. This worked really nicely -- hat tip to you both. And I'm not even seeing where I need to restart a Big Sur desktop, as the service starts running immediately after installation and the KEXT and System Extensions are approved. I do have all of the Configuration Profiles created and applied that are spelled out in the MDMinstructions.txt in the confer_installer_mac-22.214.171.124.dmg provided by the vendor.
The only things I did differently are to include only the Installer and Uninstaller packages and the cbcloud_install_unattended.sh in the /cb directory, and to include the post_install.sh script in my Policy to run 'After'.
I was working on it a bit on macOS 11.2 / M1 Mac and it installed and looked activated. However when I checked system preferences > privacy > full disk access the sysext was disabled. However, after I rebooted, when I go to log in I just get a black screen and a cursor. Left it for over an hour and still same result.
@ctarbox As for which extension, I set up both and installed both on the 11.2/M1 machine, though I believe KEXTs are only required for 10.13-10.14. I was gonna try just doing the SysExt for 10.15 & 11 and see where that gets me.
For the install, I did what I did in CBDefense: I just copied the unattended install script and pasted it as a post-install script with the company info. It seems like it installed fine.
Something to add: Carbon Black 126.96.36.199 can operate with either kexts or system extensions, and needs special handling to use kext mode in Big Sur (configured in the unattended install script, or via a repcli command after installation). Even if the kext is whitelisted, Big Sur will not start using it until either the user approves it and restarts, or a special MDM restart command is sent to rebuild the kext cache.
This is an important distinction for Carbon Black because it has reduced functionality in system extension mode. Some information security teams will demand kext mode, at least until Carbon Black can improve their feature set with system extensions.
I just caught this thread, and wanted to share this info also. No spaces if you run the script from a Policy.
How are you pushing out the new config profiles for Big Sur? Are you scoping the new System Extensions to a smart group for Big Sur only? and removing the kext? I'm wondering if both Kernel Extension and System Extensions will be nice to each other.
I think we're all set using the included profiles from the install package on an M1 / Big Sur 11.2 test machine. Full disk access doesn't show in the Security & Privacy settings, but when I query the local CBCloud agent through Terminal, it shows it's enabled and controlled by MDM. The security team was also able to verify the machine was showing in the console as well.
General Info:
  Sensor Version: 188.8.131.52
  Kernel Type: System Extension
  System Extension: Running
  Kernel File Filter: Connected
  Background Scan: Standard Scan
  Sensor Restarts: 7
  Last Reset: not set
Full Disk Access Configurations:
  Repmgr: Configured via MDM
  System Extension: Configured via MDM
  OSQuery: Configured via MDM
  Uninstall Helper: Configured via MDM
  Uninstall UI: Configured via MDM
Sensor State:
  State: Enabled
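The post above makes the point that on Big Sur the sensor's Full Disk Access grant does not show up as a toggle in System Preferences when it was delivered by MDM, and that `repcli status` is where you confirm both the kernel type (System Extension vs Kernel Extension) and the MDM-granted FDA. The script below is an added example written for this thread; it is not code from the thread or from VMware/Carbon Black. It parses the text of `repcli status` so the check can be dropped into a Jamf extension attribute or a policy script and fail loudly when the sensor is not in the mode you expected. Assumptions: repcli lives at the path in `REPCLI` (the usual bundle location), the status output prints one `Key: Value` line per field indented under section headers such as `General Info:`, and the section and field names match the output pasted above. The embedded sample status is constructed from that output with the version number left out.

```sh
#!/bin/sh
# Added example, not from the thread or from VMware/Carbon Black.
# Reads `repcli status` text and reports (1) whether the sensor is in System
# Extension mode with the extension running, and (2) whether every Full Disk
# Access component was granted via MDM (the case where nothing shows in
# System Preferences). Assumed repcli path and output layout, see lead-in.

REPCLI="/Applications/VMware Carbon Black Cloud/repcli.bundle/Contents/MacOS/repcli"

# Constructed sample modelled on the output pasted in the thread (version elided).
SAMPLE_STATUS='General Info:
  Sensor Version: x.x.x.x
  Kernel Type: System Extension
  System Extension: Running
  Kernel File Filter: Connected
  Background Scan: Standard Scan
  Sensor Restarts: 7
  Last Reset: not set
Full Disk Access Configurations:
  Repmgr: Configured via MDM
  System Extension: Configured via MDM
  OSQuery: Configured via MDM
  Uninstall Helper: Configured via MDM
  Uninstall UI: Configured via MDM
Sensor State:
  State: Enabled'

# Print the value of field $3 inside section $2 of status text $1 (empty if absent).
# Scoping to a section matters: "System Extension" appears under both
# "General Info" (is it running?) and "Full Disk Access Configurations"
# (how was FDA granted?) with different meanings.
status_field() {
  printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
    /^[^[:space:]]/ { insec = ($0 == (sec ":")); next }
    insec {
      sub(/^[[:space:]]+/, "")
      n = index($0, ": ")
      if (n > 0 && substr($0, 1, n - 1) == key) { print substr($0, n + 2); exit }
    }'
}

kernel_type() { status_field "$1" "General Info" "Kernel Type"; }

# Exit 0 only when the sensor reports System Extension mode AND the extension is running.
sysext_running() {
  [ "$(kernel_type "$1")" = "System Extension" ] &&
  [ "$(status_field "$1" "General Info" "System Extension")" = "Running" ]
}

# Exit 0 only when every line under "Full Disk Access Configurations" says MDM.
fda_all_via_mdm() {
  printf '%s\n' "$1" | awk '
    /^[^[:space:]]/ { insec = ($0 == "Full Disk Access Configurations:"); next }
    insec { seen++; if ($0 !~ /: Configured via MDM$/) bad++ }
    END { if (seen == 0 || bad > 0) exit 1; exit 0 }'
}

# One-line verdict suitable for an extension attribute or a policy log.
verdict() {
  if sysext_running "$1"; then
    mode="sysext:running"
  else
    # Kext mode, or sysext approved but not yet running (e.g. awaiting restart).
    mode="kernel-type=$(kernel_type "$1"):not-confirmed"
  fi
  if fda_all_via_mdm "$1"; then fda="fda:mdm"; else fda="fda:incomplete"; fi
  printf '%s %s\n' "$mode" "$fda"
}

# Query the live sensor when installed; otherwise run against the sample.
if [ -x "$REPCLI" ]; then
  verdict "$("$REPCLI" status)"
else
  verdict "$SAMPLE_STATUS"
fi
```

On a machine matching the pasted output this prints `sysext:running fda:mdm`. A sensor that was installed in kext mode, or whose system extension is approved but still waiting on the restart the thread discusses, comes back as `not-confirmed`, which is the state you want a smart group to catch before calling the rollout done.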
Web filtering/monitoring would not be done using Carbon Black. If your endpoint becomes compromised then your leadership might want to look at your traffic and THEN it could be discovered that you were on Facebook. Your best bet would be to check your company's acceptable use policies regarding internet usage just to be safe.