CyberArk EPM Agent installation on macOS

New Contributor III

Hi All,

I have created the CyberArk config profile with the info below, and it installed successfully.

1) Approved kernel extension with bundle id: DF8U2CCCD8

2) PPPC with the following: Identifier: com.cyberark.CyberArkEPMEndpointSecurityExtension
Code Requirement:
anchor apple generic and identifier "com.cyberark.CyberArkEPMEndpointSecurityExtension" and (certificate leaf[field.1.2.840.113635.] /* exists */ or certificate 1[field.1.2.840.113635.] /* exists */ and certificate leaf[field.1.2.840.113635.] /* exists */ and certificate leaf[subject.OU] = DF8U2CCCD8)
SystemPolicyAllFiles = Allow

3) System Extensions:
It will not work with the Team ID only. In my testing you must add the system extension for this to work.
Allowed System Ext: com.cyberark.CyberArkEPMEndpointSecurityExtension

I was executing the installer via the command below as a script:
sudo /private/tmp/Install\ CyberArk -configuration /private/tmp/CyberArkEPMConfiguration.json -installationKey XXXXXXXX -adminUser XYZ -adminPassword XYZ -nonAdminEPMUser

But the policy failed and I received the error below in the logs:
Script result: Could not complete installation on this computer: ExecutionError(executablePath: "/usr/sbin/installer", arguments: Optional(["-pkg", "/private/tmp/Install CyberArk", "-target", "LocalSystem"]), terminationStatus: 1, errorMessage: Optional(""))
Remove Endpoint Security extensions
Remove launchd agents
Remove launchd daemons
Remove kext
Remove authorization rights
Failed to restore authorization right '': SecurityError(status: -60005 ("The authorization was denied."), additionalInfo: (""))
Remove PAM modules
Remove sudoers settings
Remove files and directories
Remove users and groups

Can anyone please suggest how to sort out this issue?



New Contributor II

@Kapil did you ever get this sorted? I will be needing to do this as well... The only thing I can think of with your question at the end there is to push the PKG via JAMF vs. a script. You could try building the pkg in Composer and inserting the scripting commands into the pkg as pre/post flights.

New Contributor III

Npotter229, sorry about the late reply. Yes, I found the fix and deployed successfully to all users (Big Sur and Catalina OS) from JAMF. I did it the same way as above: packaged the CyberArk and CyberArkEPMConfiguration.json files in a private/temp folder and then added a separate script in the policy as below:

sudo /private/tmp/Install\ CyberArk -configuration /private/tmp/CyberArkEPMConfiguration.json -k (installationKey) -withoutPwdRotation


Try this and it will work fine without any issues. Thanks
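
A preflight wrapper for the script-in-policy approach described in the last reply, as an added example that is not from the thread, CyberArk, or Jamf. It assumes the installation key is supplied as Jamf script parameter $4 and uses only the installer flags quoted above; the function names and the symlink and world-writable checks on the staged files are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): preflight + install for a Jamf policy script.
# Assumption: the package step already staged both files in STAGE_DIR, and the
# installation key arrives as Jamf script parameter $4.
STAGE_DIR="${STAGE_DIR:-/private/tmp}"
INSTALLER_NAME="Install CyberArk"              # contains a space: always quote
CONFIG_NAME="CyberArkEPMConfiguration.json"

# preflight DIR -> 0 if both staged files are safe to use, else a distinct code.
preflight() {
    dir="$1"
    for f in "$dir/$INSTALLER_NAME" "$dir/$CONFIG_NAME"; do
        if [ ! -e "$f" ]; then echo "missing: $f" >&2; return 2; fi
        # The staging directory is world-writable, so reject redirected or
        # tamperable files before handing them to a root process.
        if [ -L "$f" ]; then echo "refusing symlink: $f" >&2; return 3; fi
        if [ -n "$(find "$f" -prune -perm -002)" ]; then
            echo "world-writable: $f" >&2; return 4
        fi
    done
    if [ ! -x "$dir/$INSTALLER_NAME" ]; then
        echo "not executable: $dir/$INSTALLER_NAME" >&2; return 5
    fi
    if [ ! -s "$dir/$CONFIG_NAME" ]; then
        echo "empty config: $dir/$CONFIG_NAME" >&2; return 6
    fi
    return 0
}

# run_install DIR KEY -> runs the installer with the flags quoted in the thread.
# No sudo: Jamf policy scripts already run as root.
run_install() {
    dir="$1"; key="$2"
    "$dir/$INSTALLER_NAME" -configuration "$dir/$CONFIG_NAME" -k "$key" -withoutPwdRotation
}

# Entry point: only acts when Jamf supplied parameter 4 (the installation key).
if [ -n "${4:-}" ]; then
    preflight "$STAGE_DIR" && run_install "$STAGE_DIR" "$4"
    exit $?
fi
```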