Deploying Palo Alto Traps

khey
Contributor

Hi guys,

Anyone know where the plist for Traps Settings is, or any way to set up the settings at all?

I've been scanning for a plist and any config file to set up the settings but couldn't find any.

Thanks


SanduQi
New Contributor

@davidhiggs Hi, we are experiencing the same problems with M1 Macs. We have to enable the kernel extension manually too.

davidhiggs
Contributor III

@user-kVZEFdADCC not seeing any kernel extension here. An ARM-compiled kext for Cortex does not exist as far as I am aware, because Cortex has moved to using modern system extensions (a kext would now be called a legacy extension).

davidhiggs
Contributor III

For those who might want to review the health of Cortex in your environment, especially those not communicating back to the console, I am using this EA:

#!/bin/sh

# Jamf extension attribute: report the Cortex/Traps protection status
status="Not Installed"

# The install path contains a space, so it must be quoted wherever it is used
if [ -f "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool" ] ; then
    status=$(sudo "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool" opswat protected)
fi

echo "<result>$status</result>"

Now if you think you can remediate issues with modern Endpoint Security system extensions, think again. You won't be able to reload them or delete them to reinstall Cortex without user interaction. I believe this is entirely by Apple's design, so send feedback to Apple if you can.

udhayakumar
New Contributor

@davidhiggs This is what I was looking for; finally got this. I have a question: using this EA, can we identify which machines' Cortex got disabled?

davidhiggs
Contributor III

I don't know what a disabled status would be; I would think that's the same as false for protected. But you can look at the whole set of options for cytool here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-mac/t...

bcbackes
Contributor III

@davidhiggs What does it mean if the result comes back as false? I just started using your EA (thanks, by the way!) and so far only have one device showing as "false". Had my Security team check on it to see if anything looks wrong from their side and they said it looks good: it's talking with the XDR console and they were able to perform a live remote terminal session successfully.

UPDATE: The "false" means it's not getting the policy. Security dug into it more and was able to see that was the case for the one I found.

davidhiggs
Contributor III

@bcbackes A few reasons for false: I've seen some machines disappear from the console (server-side settings can be set to remove a computer after a period of inactivity), failed agent updates, agent failure after a macOS update. Some agents require hands-on work to remove and reinstall.

udhayakumar
New Contributor

@davidhiggs I am getting the error "The operation couldn't be completed. (SPErrorDomain error 10.)" while applying this config profile to M1 chip laptops, and it's failing. Do you have any suggestion on this error?

davidhiggs
Contributor III

You shouldn't be doing any kernel extension (legacy system extension) whitelisting/approvals for Cortex; it should just be system extensions.

udhayakumar
New Contributor

@davidhiggs So for the M1 processor, how do I take it forward for the new installation and approval of the kernel extension?

davidhiggs
Contributor III

The current Jamf setup guide should be all you need; take note of the section which talks about approving the kernel extension ONLY for 10.15.3 and below.
https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-3/cortex-xdr-agent-admin/cortex-xdr-agent-for-...

udhayakumar
New Contributor

@davidhiggs How can we handle the M1 processor laptop config profile setup? I have installed Rosetta on the M1 processor machines, but the configuration profile does not apply to the M1 processor machines; it's failing.

udhayakumar
New Contributor

@davidhiggs Any reason for this?

Do we need to create two different profiles for M1 and normal Intel processors?

Could you please guide me to solve this? I have also applied this config profile to a few users. After applying the config profile, a few users' Wi-Fi got disconnected from the internet automatically?

Regards,
Udhaya

geoff_widdowson
Contributor II

@udhayakumar As Apple Silicon on Big Sur does not support Configuration Profiles with Kernel Extensions, you need new profiles for M1 devices.
I cloned my Cortex Configuration Profile and removed the Kernel Extensions payload. This is then scoped to the M1 devices, and my existing Cortex profile excludes M1 devices in its scope. I've done the same for any Configuration Profile that has a kernel extension payload.

bcbackes
Contributor III

Anyone seeing issues with v7.6 where it's showing disabled for Protection Status? I look at the Connection and it says Not Available. I suspect it's the XDR Network Filter causing this issue. I'm seeing this on ARM-based and Intel-based Macs. I'm using the unified signed config profile from the vendor (one for ARM and a separate one for Intel). Config profiles are scoped based on processor type. My Security team has a ticket in with the vendor but hasn't gotten any real answers from the vendor yet.