Posted on 09-29-2022 12:27 PM
Here's what I'm talking about:
I've tried several Configuration Profile configurations and followed the instructions as provided by Cylance, but what's pictured above still appears. For now, we've been manually hitting the "Allow" button to ensure that Cylance fully installs.
Any advice would be appreciated!
03-20-2023 08:10 AM - edited 03-20-2023 08:10 AM
I resolved the issue myself. After several rounds of trial and error, I came up with this configuration profile. We currently just install Protect in our macOS environment, so the Optics parts are probably unnecessary now, but hey, it's been working for a few months at this point.
Cylance Privacy Configuration Profile
“Content Filter” Settings
Filter Name: com.cylance.CyOpticsESF.extension
Identifier: com.cylance.CyOpticsESF.extension
Socket Filter
- Socket Filter Bundle Identifier: com.cylance.CyOpticsESF.extension
- Socket Filter Designated Requirement: anchor apple generic and identifier "com.cylance.CyOpticsESF.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633")
Network Filter
- Network Filter Bundle Identifier: com.cylance.CyOpticsESF.extension
- Network Filter Designated Requirement: anchor apple generic and identifier "com.cylance.CyOpticsESF.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633")
“Privacy Preferences Policy Control” Settings
App Access (x3)
1 - App Access
- Identifier: com.cylance.CylanceEndpointSecurity.extension
- Identifier Type: Bundle ID
- Code Requirement: identifier "com.cylance.CylanceEndpointSecurity.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633")
- App or Service: SystemPolicyAllFiles
- Access: Allow
2 - App Access
- Identifier: com.cylance.Optics
- Identifier Type: Bundle ID
- Code Requirement: identifier "com.cylance.Optics" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633"
- App or Service: SystemPolicyAllFiles
- Access: Allow
3 - App Access
- Identifier: com.cylance.Agent
- Identifier Type: Bundle ID
- Code Requirement: identifier "com.cylance.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633"
- App or Service: SystemPolicyAllFiles
- Access: Allow
“System Extensions” Settings
Allowed Team IDs and System Extensions
Display Name: Cylance Endpoint Security Optics + Protect System Extension
System Extension Types: Allowed System Extensions
Team Identifier: 6ENJ69K633
Allowed System Extensions:
- com.cylance.CyOpticsESF.extension
- com.cylance.CylanceEndpointSecurity.extension
Sources
- https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/setup/setup/Steps-to-set-up-...
- https://support.blackberry.com/kb/articleDetail?articleNumber=000067335&language=en_US
- https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/cylanceprotect-desktop-upgra...
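Added example, not part of the original post or of Cylance's documentation: a small pre-deployment check for code requirement strings like the ones in the profile above, which are easy to damage when copied from a rendered web page. The function name and the sample strings are assumptions made for this example; the samples are constructed from the com.cylance.Agent requirement in the post.

```python
import re

TEAM_ID = "6ENJ69K633"  # Team Identifier from the post's System Extensions settings

def lint_requirement(req, bundle_id, team_id=TEAM_ID):
    """Return a list of problems found in one code requirement string."""
    problems = []
    # Drop intact /* ... */ comments (the ones in these requirements hold no '/').
    body = re.sub(r"/\*[^/]*\*/", " ", req)
    # Blank quoted values so characters inside them are not counted below.
    bare = re.sub(r'"[^"]*"', '""', body)
    if "/" in bare:
        problems.append("stray '/': a '/* exists */' comment lost its asterisks")
    if bare.count("(") != bare.count(")"):
        problems.append("unbalanced parentheses")
    if body.count('"') % 2:
        problems.append("unbalanced double quotes")
    # A requirement pasted twice shows up as a second identifier clause.
    ids = re.findall(r'\bidentifier\s+"([^"]*)"', body)
    if len(ids) != 1:
        problems.append(f"expected 1 identifier clause, found {len(ids)}")
    elif ids[0] != bundle_id:
        problems.append(f"identifier {ids[0]!r} is not {bundle_id!r}")
    # The signer's team must be the one allowed in the System Extensions payload.
    ous = set(re.findall(r'subject\.OU\]\s*=\s*"([^"]*)"', body))
    if ous != {team_id}:
        problems.append(f"subject.OU {sorted(ous)} does not pin team {team_id}")
    if not re.search(r"\banchor\s+apple\s+generic\b", bare):
        problems.append("no 'anchor apple generic': chain not pinned to Apple's root")
    return problems

# Constructed samples built from the com.cylance.Agent requirement in the post.
GOOD = ('identifier "com.cylance.Agent" and anchor apple generic and '
        'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
        'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
        'certificate leaf[subject.OU] = "6ENJ69K633"')
# Same text with the asterisks eaten the way a rendered forum page shows it.
MANGLED = GOOD.replace("exists */", "exists /", 1).replace("/* exists */", "/ exists */")
DOUBLED = GOOD + GOOD  # the requirement pasted twice into one field

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("mangled", MANGLED), ("doubled", DOUBLED)]:
        print(name, lint_requirement(req, "com.cylance.Agent") or "ok")
```

This only catches copy-and-paste damage and identifier or team mismatches; on a Mac, piping the string to `csreq -r- -t` compiles it and is the authoritative syntax check.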
Posted on 10-08-2022 04:19 PM
I had a similar issue with Crowdstrike; nothing I did would approve what appeared to be a system extension. However, it turned out that it was being caused by the enablement of a feature that provided some scanning of the BIOS, or something like that, which actually was using a kernel extension. We’ve since disabled this feature (which was not actually doing anything) and the prompt has been resolved.
Posted on 10-20-2022 01:27 PM
Hmm, good to know. Unfortunately, the attribute that requires a pre-approved Kernel Extension is a vital piece of the software. But you bringing this up has given me an idea, so I appreciate it! I now know that I need to approve legacy kernel extensions in Big Sur and up.
Posted on 11-08-2022 05:36 AM
@cyborghere Is it possible to share how this could be resolved?
Posted on 11-14-2022 05:20 AM
I was going to try these instructions from Apple that detail legacy kernel extension approval: https://support.apple.com/en-us/HT211860
