Posted on 05-15-2017 05:59 PM
Hi guys,
Anyone know where the plist for Traps Settings is, or any way to set up the settings at all?
I've been scanning for a plist and any config file to set up the settings but couldn't find any.
Thanks
Posted on 02-02-2021 12:16 AM
@davidhiggs Hi, we are experiencing the same problems with M1 Macs. We have to enable the kernel extension manually too.
Posted on 02-23-2021 02:07 PM
@user-kVZEFdADCC not seeing any kernel here. An ARM-compiled kext for Cortex does not exist as far as I am aware, because Cortex has moved to using modern system extensions (a kext would now be called a legacy extension).
Posted on 02-23-2021 02:12 PM
For those that might want to review the health of Cortex in your environment, especially those not communicating back to the console, I am using this EA:
#!/bin/sh
# Default result when the agent binary is absent
status="Not Installed"
# cytool ships with the agent; if it is present, ask it whether the endpoint is protected
if [ -f "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool" ] ; then
status=$(sudo "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool" opswat protected)
fi
# Jamf reads the value between the <result> tags into the EA attribute
echo "<result>$status</result>"
Now if you think you can remediate issues with modern Endpoint Security system extensions - think again. You won't be able to reload them or delete them to reinstall Cortex without user interaction. I believe this is entirely by Apple design, so send feedback to Apple if you can.
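As an added example (not part of the post above or of the vendor's own tooling), the EA can be made more robust for the cases the thread raises: an agent that is installed but does not answer, and an agent whose system extension was never activated. The script below normalises the cytool answer into a fixed set of values and also counts activated Palo Alto Networks system extensions. Assumptions: the agent's answer ends in a true/false token (the thread shows "false" surfacing as the EA result); the "paloalto" match string and the "activated enabled" state text in systemextensionsctl output are assumed; the EA runs as root under the jamf binary, so sudo is not needed.

```shell
#!/bin/sh
# Hypothetical extended Cortex XDR health EA (example, not vendor code).
CYTOOL="/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool"
# Assumed: vendor string that appears in the extension's bundle ID / team line.
SYSEXT_MATCH="paloalto"

# Turn raw "cytool opswat protected" output into one of a few fixed values.
# Takes the last whitespace-separated token of the last non-empty line, so it
# copes with either a bare "false" or a "Protected: false" style answer (assumed).
normalize_protected() {
    out=$(printf '%s' "$1" | tr -d '\r' | awk 'NF { print tolower($NF) }' | tail -n 1)
    case "$out" in
        true)  echo "Protected" ;;
        false) echo "Not Protected" ;;
        "")    echo "No Response" ;;          # binary present but nothing came back
        *)     echo "Unknown: $out" ;;
    esac
}

# Combine the three observations into the single string Jamf stores.
# $1 = "yes" if cytool exists, $2 = raw cytool output, $3 = activated sysext count
cortex_health() {
    if [ "$1" != "yes" ]; then
        echo "Not Installed"
        return 0
    fi
    prot=$(normalize_protected "$2")
    if [ "$3" -eq 0 ]; then
        echo "$prot; no activated system extension"
    else
        echo "$prot; $3 system extension(s) active"
    fi
}

# Gather the facts on the host.
if [ -x "$CYTOOL" ]; then
    present="yes"
    raw=$("$CYTOOL" opswat protected 2>/dev/null)
else
    present="no"
    raw=""
fi
# Count extension lines for the vendor that report as activated and enabled.
# On a host without systemextensionsctl this safely yields 0.
count=$(systemextensionsctl list 2>/dev/null | grep -i "$SYSEXT_MATCH" | grep -ci "activated enabled" || true)

echo "<result>$(cortex_health "$present" "$raw" "$count")</result>"
```

A "No Response" value is the case the thread describes as an agent that needs hands-on removal and reinstall; "Not Protected; no activated system extension" points at the approval profile rather than the agent itself.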
Posted on 03-04-2021 11:12 AM
@davidhiggs This is what I was looking for, finally got this. I have a question: using this EA, can we identify which machines' Cortex got disabled?
Posted on 03-04-2021 07:29 PM
I don't know what a disabled status would be; I would think that's the same as false for protected. But you can look at the whole set of options for the cytool here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-mac/t...
Posted on 03-08-2021 07:50 AM
@davidhiggs What does it mean if the result comes back as false? I just started using your EA (thanks, by the way!) and so far have only one device showing as "false". I had my Security team check on it to see if anything looks wrong from their side, and they said it looks good: it is talking with the XDR console and they were able to perform a live remote terminal session successfully.
UPDATE: The "false" means it's not getting the policy. Security dived into it more and was able to see that was the case for the one I found.
Posted on 03-08-2021 02:50 PM
@bcbackes A few reasons for false: I've seen some machines disappear from the console (server-side settings can be set to remove a computer after a period of inactivity), failed agent updates, and agent failure after a macOS update. Some agents require hands-on work to remove and reinstall.
Posted on 05-02-2021 05:23 PM
@davidhiggs I am getting the error "The operation couldn't be completed. (SPErrorDomain error 10.)" while applying this config profile to M1 laptops, and it is failing. Do you have any suggestions on this error?
Posted on 05-02-2021 06:25 PM
You shouldn't be doing any kernel extension (legacy system extension) whitelisting/approvals for Cortex; it should just be system extensions.
Posted on 05-02-2021 06:53 PM
@davidhiggs So for the M1 processor, how do I take the new installation and kernel extension approval forward?
Posted on 05-02-2021 07:15 PM
The current Jamf setup guide should be all you need; take note of the section which talks about approving the kernel extension ONLY for 10.15.3 and below.
https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-3/cortex-xdr-agent-admin/cortex-xdr-agent-for-...
Posted on 06-09-2021 07:20 PM
@davidhiggs How can we handle the config profile setup for M1 laptops? I have installed Rosetta on the M1 machines, but the configuration profile does not apply to the M1 machines; it is failing.
Posted on 06-27-2021 03:24 AM
@davidhiggs Any reason for this?
Do we need to create two different profiles for M1 and normal Intel processors?
Could you please guide me to solve this? Also, I have applied this config profile to a few users. After applying the config profile, a few users' Wi-Fi got disconnected from the internet automatically.
Regards,
Udhaya
Posted on 06-27-2021 08:53 AM
@udhayakumar
As Apple Silicon on Big Sur does not support Configuration Profiles with Kernel Extensions, you need new profiles for M1 devices.
I cloned my Cortex Configuration Profile and removed the Kernel Extensions payload. This is then scoped to the M1 devices, and my existing Cortex profile excludes M1 devices in its scope. I've done the same for any Configuration Profile that has a Kernel Extensions payload.
Posted on 01-22-2022 07:28 AM
Anyone seeing issues with v7.6 where it shows Disabled for Protection Status? I look at the Connection and it says Not Available. I suspect it's the XDR Network Filter causing this issue. I'm seeing this on ARM-based and Intel-based Macs. I'm using the unified signed config profile from the vendor (one for ARM and a separate one for Intel). Config profiles are scoped based on processor type. My Security team has a ticket in with the vendor but hasn't gotten any real answers from the vendor yet.