Bitdefender has activated a new web content control module in the Endpoint Security app, which now results in the end user having to approve a system extension.
I have tried to add the below approved system extensions in a config profile, but they still show up. What else can I do?
@samuellarsson I got hit by the same thing today after my clients for 4.15 update of Bitdefender, here is my configuration and early testing shows it is working for now.
export the SSL cert from one of you clients keychain as .cer and add it to your payload.
Hope this helps.
@greatkemo Thank you for your step-by-step tutorial.
I managed to make it work but, is there a way to avoid having to type in the password for the certificate?
I exported the Bitdefender CA SSL certificate from my test machine and added it to JAMF. The certificate gets pushed from JAMF but then when Bitdefender starts, it ask for credentials to modify The System Certificate Trust……
@greatkemo This is driving me nuts… Still not working! Every time I have to authenticate to make changes to the certificate.
When JAMF pushes the certificate it is "Always Trust"-ed in the keychain.
As soon as Bitdefender installs, it creates another certificate that needs to be authenticated.
Is there a chance I could have your Configuration Profile for Bitdefender?
@remus this is giving me trouble now too. It seems if the client already had BD installed it does not give me a prompt, but if it is a new install, I get the prompt to trust the certificate. I need to work on it a bit more and see what is the deal with it, and maybe even open a case with Bitdefender to provide better documentation for deploying with jamf pro.
I just looked through Bitdefender support site and they have put up new documentation for jamf pro.
However, this is nothing in there about the certificate.
@greatkemo Ooooo goody… It's not just me then!
I called Bitdefender and they told me to follow the information on that document that you also linked.
Now I'm writing back to tell them that the information in that documentation is incomplete. There is no mention on how to handle the certificate.
So go ahead and open a case as well! The more the merrier! 🙂
@remus What I think is happening is when BD runs, it is adding the certificate, and it looks like they are not using the updated API through their app to trust it. It is pointless to try and add the cert using a profile because it seems to be ignored and another cert is installed with a different expiry date and all. So this needs to be fixed by the developer in a future update. Hopefully soon.
As for the add-trust using the security command, that has been changed in Big Sur and will prompt for user authentication.
@greatkemo Thank you so much for your feedback.
I also realised that the "add-trust" command thingy is not "silently" working anymore. 😞
I'll keep you posted in case I hear back from the Bitdefender people.
I wrote back that the certificate part of their documentation is missing. I haven't heard anything back yet.
Experiencing the same issues and have also gone back and forth with Bitdefender support.
Currently, I'm at a point where I have configured a Configuration Profile using the instructions provided by Bitdefender.
However, this Configuration Profile is not allowing the System Extension, nor accepting the SSL Certificate (of course nothing in the Configuration Profile that would do so)
For now I am focusing on the System Extension, waiting back on Bitdefender support.
@cmasciarelli-L You should have a working System Extension and Content Filter after following the above article. As for the certificate, we've all been bitten by it, so waiting on a reply from support. But this is something their devs would probably need to fix so could take a while. They should not have put this update out as a fix for the content control not working in Big Sur, and leave us with a whole new problem.
@greatkemo We got our answer from Bitdefender… and the answer is kind of embarrassing. It looks like a half-baked compatibility with Big Sur.
At this time we do not support importing the certificate through Jamf PRO because the certificate is unique for each station.
The certificate is generated locally on each station. For this reason they cannot be imported through Jamf PRO.
We have opened an internal case to find a solution to accept the certificate through JAMF Pro but we do not have a deadline for when it will be implemented.
@remus I also got a lame response from them, which basically said that I was doing it wrong and that I should follow the steps in all the links which I already followed anyway.
I am sure the issue is this....
When you get prompted for a password to trust the certificate do this:
ps aux | grep add-trusted-cert | grep -v grep
You should see...
/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Library/Bitdefender/AVP/antivirus.bundle/rootCA.pem
So you can see that the app is trying to add their CA to the trust using the
security command, which now in Big Sur requires users to authorize this transaction.
Instead, developers need to use Apple's API for certificates to add items to the keychain
The annoying thing is, this is not new news a surprise from Apple, this was mentioned months ago.
Use these, they are tidier and working (apart from cert of course), but don't forget these will work on Big Sur and Catalina if you have older clients then add Kernel Extension as well.
Notifications (Jamf Pro 10.27.0)
Bundle ID: com.bitdefender.endpointsecurityformac
Privacy Preference Policy Control
Identifier: com.bitdefender.EndpointSecurityforMac Identifier Type: Bundle ID Code Requirement: identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.1136188.8.131.52.6] /* exists */ and certificate leaf[field.1.2.840.1136184.108.40.206.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y APP OR SERVICE: SystemPolicyAllFiles ACCESS: Allow
Identifier: /Library/Bitdefender/AVP/BDLDaemon Identifier Type: Path Code Requirement: identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.1136220.127.116.11.6] /* exists */ and certificate leaf[field.1.2.840.113618.104.22.168.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y APP OR SERVICE: SystemPolicyAllFiles ACCESS: Allow
Identifier: com.bitdefender.epsecurity.BDLDaemonApp Identifier Type: Bundle ID Code Requirement: anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113622.214.171.124.9] /* exists */ or certificate 1[field.1.2.840.1136126.96.36.199.6] /* exists */ and certificate leaf[field.1.2.840.1136188.8.131.52.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y) APP OR SERVICE: SystemPolicyAllFiles ACCESS: Allow
Display Name: Bitdefender System Extension Types: Allowed System Extensions Team Identifier: GUNFMW623Y ALLOWED SYSTEM EXTENSIONS: com.bitdefender.cst.net.dci.dci-network-extension
Filter Name: Bitdefender Identifier: com.bitdefender.epsecurity.BDLDaemonApp Network Filter Bundle Identifier: com.bitdefender.cst.net.dci.dci-network-extension Network Filter Designated Requirement: anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.1136184.108.40.206.9] /* exists */ or certificate 1[field.1.2.840.1136220.127.116.11.6] /* exists */ and certificate leaf[field.1.2.840.113618.104.22.168.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)
Hope this is helpful.
I've also hit this issue - Thankfully we don't actually make use of Content Control which got me wondering why the hell it was showing as a loaded module even though it's disabled!
I did a reconfigure on the client and it's now not showing the Content Control in the BEST main window.
I then created a new Package for Mac OS deployment without the CC module in there and noticed that the download URL differed from the original one I was using.
I've now updated the installer script in Jamf Pro to use that installer and hope it removes this prompt 🙂
I know it's not ideal if you do use CC but may provide some help for those who don't use it.