We have computers in our environment that have Cylance installed prior to 10.13.2, when the requirement to consent via System Preferences was required.
Currently all computers get Cylance Protect upon enrollment. If a computer is fresh out of the box it typically comes with 10.13.1, so we haven't had to enable this setting before.
10.13.4 came out today, and the attached error message appears prior to the upgrade.
Is there a way from a root level to consent to this application?
I've already alerted our vendor of Cylance that this issue happens upon upgrade of 10.13.4. Since I have consented to Cylance running on this machine, I have closed and re-opened the application but it still does not function. I have not yet restarted.
I believe in 10.13 Kernel Extensions were automatically loaded if a device was enrolled in MDM. This changed with 10.13.4 and you are now required to allow the extensions. These 2 articles might help you.
We are seeing this same issue with Avast on the 10.13.4 beta. To be clear, Avast is installed by Jamf in our environment. According to Apple's own documentation from https://developer.apple.com/library/content/technotes/tn2459/_index.html (note this doc hasn't been updated since 2017-09-08):
"For workflows that leverage mobile device management (MDM), all systems with a valid MDM profile installed will not require user approval to load any properly-signed kernel extension."
I take this to mean Avast, Cylance, etc. should be able to load a kernel extension with Jamf's MDM profile installed on the system, but this doesn't appear to be the case in 10.13.4, at least in the beta. Hopefully, Apple will provide a path forward when 10.13.4 is released.
@KSchroeder I have not been able to successfully deploy this MDM payload as a custom setting, which makes sense based on what we know about the strictness of the security framework. Some people say they've done it, but I think they very likely tested it incorrectly. For example, a user approval of a kext will live in the NVRAM and survive a reimage, so a person testing whitelisting on a device might think it's working but it's actually using an old approval from before a wipe/reinstall.
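Added example, not part of any post in this thread: a Python check that a configuration profile actually contains a kernel extension policy payload covering a given kext, which can be run before deploying it as a custom setting. It assumes an unsigned `.mobileconfig` and uses Apple's `com.apple.syspolicy.kernel-extension-policy` payload keys; the Team IDs and bundle IDs are constructed placeholders, and the function names are this example's own.

```python
import plistlib
import re

# Apple's payload type for User Approved Kernel Extension Loading policy.
KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")  # Team IDs are 10 characters

# Constructed sample profile: the Team IDs and bundle ID are placeholders,
# not the real identifiers of Cylance, Avast or any other vendor.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": KEXT_POLICY_TYPE,
        "AllowUserOverrides": True,
        "AllowedTeamIdentifiers": ["TEAMID0001"],
        "AllowedKernelExtensions": {"TEAMID0002": ["com.example.av.kext"]},
    }],
})


def kext_policies(profile_bytes):
    """Return every kernel extension policy payload in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == KEXT_POLICY_TYPE]


def is_preapproved(profile_bytes, team_id, bundle_id):
    """True if the profile approves the kext by Team ID or by bundle ID."""
    for policy in kext_policies(profile_bytes):
        if team_id in policy.get("AllowedTeamIdentifiers", []):
            return True
        per_team = policy.get("AllowedKernelExtensions", {})
        if bundle_id in per_team.get(team_id, []):
            return True
    return False


def lint(profile_bytes):
    """List structural problems that would leave kexts unapproved."""
    policies = kext_policies(profile_bytes)
    problems = [] if policies else ["no kernel extension policy payload"]
    for policy in policies:
        team_ids = policy.get("AllowedTeamIdentifiers", [])
        per_team = policy.get("AllowedKernelExtensions", {})
        if not team_ids and not per_team:
            problems.append("payload approves no Team ID or kext")
        for tid in list(team_ids) + [t for t in per_team if t]:
            if not TEAM_ID_RE.match(tid):
                problems.append(f"malformed Team ID: {tid!r}")
    return problems
```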
Thanks...but I need to see how to do it for 10.1.1; we haven't upgraded yet (and are a bit gun-shy, after the 9.98 --> 10.1.1 upgrade completely broke our LDAP configuration, which is admittedly non-standard). We're working to figure this out on the version we're on currently using a Custom payload. Even more urgent now, as 10.13.4 un-approved some of the existing pre-installed KEXTs (our current AV) and now any users will be prompted to approve them again!
Is anybody seeing that the driver gets blocked again even if the config profile is loaded, and then an upgrade to Mojave happens?
We are going from 10.13.3 to 10.14.3 and seeing that the Cylance kernel extensions need to be approved again, and reinstalling Cylance doesn't solve it. I have to uninstall and re-install.
OK, my test wasn't a perfect copy of yours. I just realized that I went from 10.13.6 to 10.14.3. Everything worked for me, but I'm wondering that since you started just before 10.13.4, things got wonky on you. However, with that said, all of my approved kernel extensions (including Cylance) worked just fine in a single test.