Carbon Black Response (EDR) Network Filter

ooshnoo
Valued Contributor

Hey guys... anyone know how to create a config profile for the Carbon Black Response network filter on Big Sur???


Phil_James
New Contributor III

Instructions from CBC

------------------------------------------------------------------------------------------------------------------

VMware, Inc.

Carbon Black Cloud Sensor MDM-instructions.txt (August 18, 2020)

I. MDM Kext Approval Configuration

Approving Carbon Black KEXTs via MDM can be accomplished via a KEXT Approval Configuration Payload. The recommended way to deliver this configuration is through the provided MDM-KEXT-approval.mobileconfig file. This mobileconfig provides the necessary configuration which can be uploaded to your organization's MDM-compatible software deployment tool. To construct this configuration manually, you must specify the Apple Team ID and KEXT bundle in your configuration profile:

Apple Team ID: 7AGZNQ2S2T
KEXT Bundle ID: com.carbonblack.defense.kext

KEXT post install approval on Big Sur (Introduced in Big Sur Beta 10): In order to allow the KEXT to load on macOS Big Sur, the OS either requires a local action from an admin to approve the KEXT after install, or a customized reboot command from your MDM, to rebuild the Kernel Cache. Please see Apple documentation here: https://developer.apple.com/documentation/devicemanagement/restartdevicecommand/command The recommended way to deliver this configuration is through the provided MDM-KEXT-reboot-command.xml file. This XML file should be uploaded as a Custom Command and sent to endpoints after KEXT install. Note that this will reboot the target machine without warning, and that this distribution method is a temporary workflow until MDM providers update their reboot protocols to support RebuildKernelCache.

II. MDM System Extension Approval Configuration

Approving Carbon Black System Extensions via MDM can be accomplished via a System Extension Approval Configuration Payload. The provided MDM-SYSEXT-approval-mobileconfig-sample.txt provides a snippet of an example mobileconfig that correctly implements this profile. To construct the correct configuration, you must specify the Apple Team ID and System Extension bundle in your configuration profile:

System Extension Types: Allowed System Extensions
Apple Team ID: 7AGZNQ2S2T
System Extension Bundle ID: com.vmware.carbonblack.cloud.se-agent.extension

III. MDM Network Extension Web Content Filter Configuration

Granting the Network Extension component of the Carbon Black System Extension access to filter network content can be accomplished via a Web Content Filter Payload. The recommended way to deliver this configuration is through the provided MDM-SYSEXT-network-extension-approval.mobileconfig file. This mobileconfig provides the necessary configuration which can be uploaded to your organization's MDM-compatible software deployment tool after it is signed by your organization's signing tool. These instructions were created using Apple documentation and ProfileCreator (found here: https://github.com/ProfileCreator/ProfileCreator). When exporting this profile, the profile should be signed to enable distribution via MDM. To construct this configuration manually, the fields should be completed exactly as follows. Please copy and paste for accuracy.

In the General payload:
Payload Scope should be set to: System

In the Web Content Filter payload:
Filter Type should be set to: Plug-In
Plug-In Bundle ID: com.vmware.carbonblack.cloud.se-agent
Check Enable Socket Filtering
Filter Data Provider System Extension Bundle ID (macOS): com.vmware.carbonblack.cloud.se-agent.extension
Filter Data Provider Designated Requirement (macOS): identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Check Enable Packet Filtering (macOS)
Filter Packet Provider System Extension Bundle ID (macOS): com.vmware.carbonblack.cloud.se-agent.extension
Filter Packet Provider Designated Requirement (macOS): identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

IV. MDM Privacy Preferences Payload Configuration

Granting an application full disk access via MDM can be accomplished via a Privacy Preferences Payload. The recommended way to deliver this configuration is through the provided MDM-privacy-config.mobileconfig file. This mobileconfig provides the necessary configuration which can be uploaded to your organization's MDM-compatible software deployment tool. To construct this configuration manually, we must add four identifiers into this Privacy payload. The fields should be completed exactly as follows. Please copy and paste for accuracy.

1) Identifier: com.vmware.carbonblack.cloud.daemon
Identifier Type should be set to: Bundle ID
Code Requirement: identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
App or Service should be set to: SystemPolicyAllFiles
Access should be set to: Allow

2) Identifier: com.vmware.carbonblack.cloud.se-agent.extension
Identifier Type should be set to: Bundle ID
Code Requirement: identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
App or Service should be set to: SystemPolicyAllFiles
Access should be set to: Allow

3) Identifier: com.vmware.carbonblack.cloud.osqueryi
Identifier Type should be set to: Bundle ID
Code Requirement: identifier "com.vmware.carbonblack.cloud.osqueryi" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
App or Service should be set to: SystemPolicyAllFiles
Access should be set to: Allow

4) Identifier: com.vmware.carbonblack.cloud.uninstall
Identifier Type should be set to: Bundle ID
Code Requirement: identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
App or Service should be set to: SystemPolicyAllFiles
Access should be set to: Allow

5) Identifier: com.vmware.carbonblack.cloud.uninstallerui
Identifier Type should be set to: Bundle ID
Code Requirement: identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
App or Service should be set to: SystemPolicyAllFiles
Access should be set to: Allow

ooshnoo
Valued Contributor

@Phil.James thanks! Good lord that's a lotta stuff, but unfortunately we're not using CB Cloud, but using CB Response.

jschank
Contributor

Has anyone been able to create a working config profile to eliminate this pop-up? I built Config profiles for MDM Network Extension Web Content Filter Configuration using ProfileCreator and I still have the popup on devices that have the config profile installed prior to installing VMware Carbon Black.

Been trying to fix for the last 3 days!

Bradley_Jones
New Contributor

I got this from carbon black and it worked for me:

Carbon Black EDR: Granting macOS Sensor Access on macOS 11.0+ Big Sur

Supported Product: Carbon Black EDR
Supported Sensor Version: 7.0+
Supported macOS Version: 11.0+

Sections in this document:
● Approving the System Extension and Network Filtering Component for macOS Sensor Version 7.0+ on macOS Big Sur
○ Manually Approving the System Extension and Network Filtering
○ Approving the System Extension via MDM
○ Approving Network Filtering via MDM
● Granting the Sensor Full Disk Access
○ Manually Granting the Sensor Full Disk Access
○ Granting the Sensor Full Disk Access via MDM
As part of the transition to system extensions in macOS 11.0 and above, users need to approve the new system extension as well as network filtering and allow Full Disk Access. While this sounds sinister, it’s actually a similar process to when an iOS app requests access to the camera, for example. This is similar to kernel extension approval which was added in macOS 10.13, and does not replace that process for running our EDR sensor on macOS versions prior to 11.0.

In order to be completely effective, it is imperative that the Carbon Black EDR macOS sensor gets approval for the system extension, network filtering, and Full Disk Access. This can be done manually on each endpoint or, for quicker and more consistent endpoint management, these settings can be managed across your organization through the creation and deployment of a mobile device management (MDM) profile. Read on to learn more about running the macOS sensor unimpeded on endpoints.
Approving the System Extension and Network Filtering Component for macOS Sensor Version 7.0+ on macOS Big Sur

Manually Approving the System Extension and Network Filtering:
VMware Carbon Black recommends submitting the applicable CB EDR System Extension IDs for approval by MDM before install or upgrade to macOS 11 Big Sur. However, if the System Extension is not pre-approved by MDM, you can approve System Extensions locally upon upgrading the OS.
1. On an endpoint running macOS 11 Big Sur, after installing/upgrading the sensor on the endpoint, navigate to the General tab in the Security & Privacy pane in System Preferences.
2. Authenticate as an administrator and click the Allow button next to the “System software from application “es-loader” was blocked from loading” message.
3. Click the Allow button on the “‘es-loader’ Would Like to Filter Network Content” pop-up.
The installer will finish running and load.
Approving the System Extension via MDM:
Note: These instructions were created using Apple documentation and ProfileCreator (found here: https://github.com/ProfileCreator/ProfileCreator). Field names, values, and functionality may vary depending on the MDM framework or sensor version used.
Approving Carbon Black System Extensions via MDM is the recommended method. The following are the manual steps to create the correct mobileconfig in your MDM. You can accomplish this by specifying the Apple Team ID and System Extension bundle Identifier in your Allowed System Extension configuration profile:
System Extension Types: Allowed System Extensions
Apple Team ID: 7AGZNQ2S2T
System Extension Bundle ID: com.carbonblack.es-loader.es-extension
Your configuration in Workspace One should be similar to the following image:
In JAMF, your configuration should look something like this:
Approving Network Filtering via MDM:
Approving the Carbon Black Network Extension Component of the System Extension via MDM is the recommended method. You can grant the System Extension the ability to Filter Network Content via a Web Content Filter configuration profile.
Note: These instructions were created using Apple documentation and ProfileCreator (found here: https://github.com/ProfileCreator/ProfileCreator). Field names, values, and functionality may vary depending on the MDM framework or sensor version used.
After creating this profile, the profile should be signed to enable distribution via MDM.
The fields should be completed exactly as follows. Please copy and paste for accuracy.
In the General payload:
Payload Scope should be set to: System
In the Web Content Filter payload:
Filter Type should be set to: Plug-In
Plug-In Bundle ID: com.carbonblack.es-loader
Check Enable Socket Filtering
Filter Data Provider System Extension Bundle ID (macOS): com.carbonblack.es-loader.es-extension
Filter Data Provider Designated Requirement (macOS): identifier "com.carbonblack.es-loader.es-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Check Enable Packet Filtering (macOS)
Filter Packet Provider System Extension Bundle ID (macOS): com.carbonblack.es-loader.es-extension
Filter Packet Provider Designated Requirement (macOS): identifier "com.carbonblack.es-loader.es-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Payload should look like this at the end:
Granting the Sensor Full Disk Access

Manually Granting the Sensor Full Disk Access:
In order for the Carbon Black EDR macOS sensor to operate at full functionality on an endpoint running macOS 11 Big Sur the system extension must have Full Disk Access on the endpoint. To enable Full Disk Access manually, begin by navigating to the Security & Privacy System Preferences section and selecting the Privacy tab. Once authenticated as an Administrator, scroll down to the Full Disk Access section. Approve the application named “es-extension”, if present.

Granting the Sensor Full Disk Access via MDM:
The following are the manual steps to create and distribute the necessary Privacy Preference payload in your MDM.
Note: Field names, values, and functionality may vary depending on the MDM framework or sensor version used.
Granting an application full disk access is accomplished via a Privacy Preferences payload. We are going to add 2 identifiers into this Privacy payload.
The fields should be completed exactly as follows. Please copy and paste for accuracy.
1)
Identifier: com.carbonblack.CbOsxSensorService
Identifier Type: Bundle ID
Code Requirement: identifier "com.carbonblack.CbOsxSensorService" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
App or Service: SystemPolicyAllFiles
Access: Allow
Press the plus (‘+’) button to append an additional identifier.
2)
Identifier: com.carbonblack.es-loader.es-extension
Identifier Type: Bundle ID
Code Requirement: identifier "com.carbonblack.es-loader.es-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
App or Service: SystemPolicyAllFiles
Access should be set to: Allow
Post Tags: macOS, 10.14, 10.15, 11, Big Sur, MDM, mobile device management, full disk access, macOS sensor, carbon black cloud, jamf, Workspace ONE UEM, PPPC
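The Web Content Filter payload from the EDR document above, and the equivalent one in the CBC instructions posted earlier, built as a profile dictionary by an added example script (not VMware's, Apple's or any poster's code; the PayloadIdentifier naming is assumed). It also checks that a designated requirement really names the provider bundle and the vendor Team ID it is attached to, which is what a quietly mis-pasted requirement would fail.

```python
import re
import uuid

# Values from the EDR instructions above (for the CBC sensor in the earlier reply use com.vmware.carbonblack.cloud.se-agent[.extension]).
TEAM_ID = "7AGZNQ2S2T"
PLUGIN_BUNDLE_ID = "com.carbonblack.es-loader"
EXTENSION_BUNDLE_ID = "com.carbonblack.es-loader.es-extension"

def designated_requirement(bundle_id, team_id):
    """Developer ID code requirement pinning the bundle identifier and Team ID."""
    return (f'identifier "{bundle_id}" and anchor apple generic and '
            'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
            'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
            f'certificate leaf[subject.OU] = "{team_id}"')

def requirement_matches(req, bundle_id, team_id):
    """False on spaces inside the quotes, a foreign bundle ID, or the wrong Team ID."""
    pattern = re.compile(r'^identifier "(\S+)" and anchor apple generic and .*'
                         r'certificate leaf\[subject\.OU\] = "(\S+)"$')
    m = pattern.match(req)
    return bool(m) and m.group(1) == bundle_id and m.group(2) == team_id

def build_profile():
    """System-scoped profile carrying one com.apple.webcontent-filter payload."""
    req = designated_requirement(EXTENSION_BUNDLE_ID, TEAM_ID)
    if not requirement_matches(req, EXTENSION_BUNDLE_ID, TEAM_ID):
        raise ValueError("designated requirement does not match the provider")
    payload = {
        "PayloadType": "com.apple.webcontent-filter",
        "PayloadIdentifier": f"{PLUGIN_BUNDLE_ID}.webcontentfilter",  # assumed name
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "FilterType": "Plugin",   # ProfileCreator labels this value "Plug-In"
        "PluginBundleID": PLUGIN_BUNDLE_ID,
        "FilterSockets": True,    # "Enable Socket Filtering"
        "FilterDataProviderBundleIdentifier": EXTENSION_BUNDLE_ID,
        "FilterDataProviderDesignatedRequirement": req,
        "FilterPackets": True,    # "Enable Packet Filtering (macOS)"
        "FilterPacketProviderBundleIdentifier": EXTENSION_BUNDLE_ID,
        "FilterPacketProviderDesignatedRequirement": req,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # General payload: Payload Scope = System
        "PayloadIdentifier": f"{PLUGIN_BUNDLE_ID}.networkfilter",  # assumed name
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Carbon Black EDR Network Filter",
        "PayloadContent": [payload],
    }
```

`plistlib.dumps(build_profile())` gives the XML mobileconfig to sign and upload; `requirement_matches` can equally be run over a requirement copied out of an existing profile to see whether it still names the installed extension.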

jschank
Contributor

I still get the popup "com.carbonblack.es-loader" to filter Network Content. I attached my Config Profile. Can anyone assist in getting this resolved for me?

dd94
New Contributor

I have the following configuration and do not see the Network Filter popup. The app itself that we have in our environment is "VMware Carbon Black EDR".
