Cylance Asking for Security and Privacy Approval Post-Installation (Big Sur and Monterey)

cyborghere
New Contributor II
 

Here's what I'm talking about:

 

macbigsurcylancesecurity.png

I've tried several Configuration Profile configurations and followed the instructions as provided by Cylance, but what's pictured above still appears. For now, we've been manually hitting the "Allow" button to ensure that Cylance fully installs. 

Any advice would be appreciated!

1 ACCEPTED SOLUTION

cyborghere
New Contributor II

I resolved the issue myself. After several rounds of trial and error, I came up with this configuration profile. We currently just install Protect in our macOS environment, so the Optics parts are probably unnecessary now, but hey, it's been working for a few months at this point.

 

 

Cylance Privacy Configuration Profile

“Content Filter” Settings

  • Filter Name: com.cylance.CyOpticsESF.extension

  • Identifier: com.cylance.CyOpticsESF.extension

  • Socket Filter

    • Socket Filter Bundle Identifier: com.cylance.CyOpticsESF.extension
    • Socket Filter Designated Requirement: anchor apple generic and identifier "com.cylance.CyOpticsESF.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633")
  • Network Filter

    • Network Filter Bundle Identifier: com.cylance.CyOpticsESF.extension
    • Network Filter Designated Requirement: anchor apple generic and identifier "com.cylance.CyOpticsESF.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633")

“Privacy Preferences Policy Control” Settings

App Access (x3)

1 - App Access

  • Identifier: com.cylance.CylanceEndpointSecurity.extension
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.cylance.CylanceEndpointSecurity.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633")
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

2 - App Access

  • Identifier: com.cylance.Optics
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.cylance.Optics" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633"
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

3 - App Access

  • Identifier: com.cylance.Agent
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.cylance.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633"
  • App or Service: SystemPolicyAllFiles
  • Access: Allow

“System Extensions” Settings

Allowed Team IDs and System Extensions

Display Name: Cylance Endpoint Security Optics + Protect System Extension

System Extension Types: Allowed System Extensions

Team Identifier: 6ENJ69K633

Allowed System Extensions:

  • com.cylance.CyOpticsESF.extension
  • com.cylance.CylanceEndpointSecurity.extension

Sources

  1. https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/setup/setup/Steps-to-set-up-...
  2. https://support.blackberry.com/kb/articleDetail?articleNumber=000067335&language=en_US
  3. https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/cylanceprotect-desktop-upgra...

 

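A pre-upload check for code requirement strings like the ones in the profile above, as an added example (not part of the original post or of Cylance's documentation). Under C-style comment rules, a `/* exists */` marker that has lost its inner `*` characters turns everything up to the next `*/` into one comment, and a string pasted twice carries two `identifier` clauses. The function name and the sample strings are constructed for illustration; only the bundle identifier and Team ID are taken from the post.

```python
import re

TEAM_ID = "6ENJ69K633"  # Team Identifier given in the post

# Constructed samples modelled on the "com.cylance.Agent" entry.
GOOD = ('identifier "com.cylance.Agent" and anchor apple generic and '
        'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
        'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
        'certificate leaf[subject.OU] = "6ENJ69K633"')
# Same string after an editor dropped the inner '*' of each comment marker.
MANGLED = (GOOD.replace("/* exists */", "/* exists /", 1)
               .replace("/* exists */", "/ exists */", 1))
# Same string pasted twice into the Code Requirement field.
DOUBLED = GOOD + GOOD

COMMENT = re.compile(r"/\*(.*?)\*/", re.S)
CLAUSE_WORDS = re.compile(r"\b(certificate|identifier|anchor)\b")


def lint_requirement(identifier, requirement, team_id=TEAM_ID):
    """Return a list of problems found in one pasted requirement string."""
    problems = []
    # A comment should hold only a note such as "exists", never a clause.
    for body in COMMENT.findall(requirement):
        if CLAUSE_WORDS.search(body):
            problems.append("comment swallows requirement clauses")
    # What remains once comments are dropped is what actually gets enforced.
    effective = COMMENT.sub(" ", requirement)
    if "/*" in effective or "*/" in effective:
        problems.append("unterminated comment")
    # Exactly one identifier clause, equal to the payload's Identifier.
    ids = re.findall(r'\bidentifier\s+"([^"]*)"', effective)
    if ids != [identifier]:
        problems.append(f"identifier clauses {ids} != [{identifier!r}]")
    # Exactly one subject.OU pin, equal to the allowed Team Identifier.
    ous = re.findall(r'subject\.OU\]\s*=\s*"([^"]*)"', effective)
    if ous != [team_id]:
        problems.append(f"subject.OU values {ous} != [{team_id!r}]")
    return problems


if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("MANGLED", MANGLED), ("DOUBLED", DOUBLED)):
        print(name, lint_requirement("com.cylance.Agent", req))
```
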

5 REPLIES

btowns
New Contributor III

I had a similar issue with CrowdStrike; nothing I did would approve what appeared to be a system extension. However, it turned out that it was being caused by the enablement of a feature that provided some scanning of the BIOS, or something like that, which actually was using a kernel extension. We’ve since disabled this feature (which was not actually doing anything) and the prompt has been resolved.

cyborghere
New Contributor II

Hmm, good to know. Unfortunately, the attribute that requires a pre-approved Kernel Extension is a vital piece of the software. But you bringing this up has given me an idea, so I appreciate it! I now know that I need to approve legacy kernel extensions in Big Sur and up.

sf-identify
New Contributor

@cyborghere Is it possible to share how this could be resolved? 

I was going to try these instructions from Apple that detail legacy kernel extension approval: https://support.apple.com/en-us/HT211860
