Trend Micro Apex One - New File Location for iCore Service (PPPC Considerations)

rossmclaren
New Contributor III

Hi everyone!

Following an update to Trend Micro's Apex One SaaS platform to v.3.5.3617, they have moved the iCore service to a new location which will have significant issues for those who need to update their PPPC profiles!

The new location for the iCore service is:

/Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService

The new Code Requirement is:

identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

SystemPolicyAllFiles = Allow

Good to see that Trend Micro is getting the platform ready for supporting Big Sur from the beginning!

dbourdeau
New Contributor

Thanks for posting this so quickly. I've updated my previously working PPPC profile for our Apex One but I still don't see iCoreService listed after the profile applies and I've added the TrendMicroSecurity.app to the profile and that appears, but isn't checked. What am I missing?

erichughes
Contributor II

Setting it up like above I get a Failed Command in the Inventory of my test machine.

In the payload (UUID: 543F8AE3-ED19-49E8-9645-9EB3BB104268), the key 'CodeRequirement' has an invalid value.

bchow
New Contributor II

Don't we also need to give Trend Micro.app full disk access as well?

rossmclaren
New Contributor III

I was only made aware of the change following an overnight update to the Apex One application and being met with the attached image:

So I believe that the PPPC setup for Apex One on all versions up to v.3.5.3617 will be fine, but when the Agent and Console are updated you will need to have the new location added to the PPPC profile

swapple
Contributor III

I just pushed out the new PPPC but it does not start working until Trend is restarted. Anyone have a script for that?

erichughes
Contributor II

I must be missing something. Still getting invalid value in code requirement. Can I get a copy paste of what is in one that works? Or a download of one that works? I can deal with restarting the app; that's way easier than trying to get the rest done for each user.

rrouleau
Contributor

@erichughes Here is a screenshot of the PPPC config that works for us... Hope it helps.

Just in Case...

Identifier: com.trendmicro.tmsm.MainUI
Identifier Type: Bundle ID
Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
App or Service: SystemPolicyAllFiles Allow

and

Identifier: com.trendmicro.icore
Identifier Type: Bundle ID
Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
App or Service: SystemPolicyAllFiles Allow

erichughes
Contributor II

Thank you very much. Finally got it. The star characters were messing me up. Once I got that it works once the client machine is restarted. Much appreciated.

achristoforatos
Contributor II

@erichughes I am also getting the same error. When you say the star characters, what exactly do you mean?

achristoforatos
Contributor II

@erichughes Sorry. I see the star characters you were talking about. I just added them and am waiting to see if it works. Thank you all.
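
Added example (not part of any post in this thread, and not Trend Micro's or Jamf's code): the "star characters" are the asterisks in the `/* exists */` comments of the code requirement, and a paste that loses them leaves `/ exists /`. This Python code lints a pasted requirement for that and a few similar paste errors, then builds the SystemPolicyAllFiles payload dictionary for the two bundle IDs quoted above; the payload identifier and the lint rules are assumptions, and the enclosing profile is left to the MDM.

```python
import plistlib
import re
import uuid

TEAM_ID = "E8P47U2H32"  # certificate leaf[subject.OU] value quoted in the thread

def code_requirement(bundle_id):
    """Requirement in the form posted above, with the /* exists */ comments intact."""
    return (f'identifier "{bundle_id}" and anchor apple generic and '
            "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            f"certificate leaf[subject.OU] = {TEAM_ID}")

def lint_requirement(req):
    """Return paste problems that would leave the CodeRequirement string malformed."""
    problems = []
    if re.search(r"/\s+exists\s+/", req):  # asterisks eaten by a rich-text editor
        problems.append("'/ exists /' should be '/* exists */'")
    if req.count("/*") != req.count("*/"):
        problems.append("unbalanced /* */ comment")
    if re.search("[\u201c\u201d]", req):
        problems.append("curly quotes instead of straight quotes")
    if "SystemPolicyAllFiles" in req:
        problems.append("service name pasted into the requirement")
    return problems

def tcc_payload(requirements):
    """Build a PPPC payload granting SystemPolicyAllFiles to each bundle ID."""
    entries = []
    for bundle_id, req in requirements.items():
        problems = lint_requirement(req)
        if problems:  # refuse to emit a payload the MDM would reject
            raise ValueError(f"{bundle_id}: {'; '.join(problems)}")
        entries.append({"Identifier": bundle_id, "IdentifierType": "bundleID",
                        "CodeRequirement": req, "Allowed": True})
    return {"PayloadType": "com.apple.TCC.configuration-profile-policy",
            "PayloadIdentifier": "com.example.pppc.trendmicro",  # hypothetical
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "Services": {"SystemPolicyAllFiles": entries}}

BUNDLE_IDS = ["com.trendmicro.tmsm.MainUI", "com.trendmicro.icore"]  # from the thread

if __name__ == "__main__":
    payload = tcc_payload({b: code_requirement(b) for b in BUNDLE_IDS})
    print(plistlib.dumps(payload).decode())
```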

Heavy_D
Contributor III

We use WFBS Trendmicro and had to do the same thing last night for our macs as well.

jbryant
New Contributor II

Has anyone successfully gotten this to work on Big Sur? I've followed the above comments and created my own PPPC (using the utility). I'm always getting: the key 'Authorization' has an invalid value. Anyone willing to export their working config for Big Sur?

SAMT_WWJD77
New Contributor

How did you proceed with Kernel Extensions Approved?

nwitte
New Contributor

Can anyone please share their profile and Kernel Extension? I get the same screen as SAMT above.
I used the following article: https://success.trendmicro.com/solution/000277823#

jbryant
New Contributor II

I've been struggling with Trend also. Working both with JAMF and TrendMicro on this issue. Please if anyone has a PPPC that they can share, that would be most helpful.

secampbell
New Contributor

@jbryant Were you ever able to get this resolved in Big Sur? Did JAMF or TrendMicro have any feedback?

JeffBugbee
New Contributor III

We found checking the FIELD_ALLOW_NON_ADMIN_USER_APPROVALS at least allows users to authorize their own kernel extensions, but we've still been unable to completely automate it.

mnickels
New Contributor III

Hello everyone,

I stumbled upon this thread while trying to get TMSM upgraded to support Big Sur for my organization. I believe I have created a configuration profile to eliminate all prompts - I found the Trend documentation incomplete so I wanted to share what I put together.

I have three privacy profile settings. Two are based off of the Trend documentation, and the last one is based off the prompt from the application to give the extension full disk access (which is not in their documentation).

Next, I have a Kernel Extension payload. I did not specify the Bundle IDs, but you probably could (in Trend's documentation).

Next is a System Extension payload. This is also not in Trend's documentation, but will suppress the "iCoreService would like to filter network content" message.

Even with this system extension, after Trend starts up, there will be an additional "iCoreService would like to filter network content" message. To suppress that, I had to create a content filter payload. Full disclosure - I am not sure if the Filter Order should be Inspector or Firewall. I went with Inspector as that is what another application we use uses (CrowdStrike).

With all these pieces together, I no longer get any Apple prompts. On Big Sur, Trend will still prompt to approve the system extension (even though it's already approved). When the user opens system preferences, they will get a message that they need to reboot (new behavior with Big Sur that reboots are required for system extensions). After a reboot everything should be fine without any additional prompts.

oklair
New Contributor III

Thank you @mnickels! Your recipe still works like magic with version 3.5.5855 on macOS 12.3 Monterey. The 'Content Filter' trick does the job just fine to ditch the annoying 'network content filter' pop-up message.

About PPPC App Access for 'com.trendmicro.tmsm.MainUI' and 'com.trendmicro.icore', I just allowed 'SystemPolicyAllFiles' as recommended in the official Trend Micro documentation and everything appears to work just fine, without any 'full disk access' prompt so far. Was there another specific reason to allow 'Accessibility' and 'AppleEvents' to them that I'm not aware of?
Thanks again! You made my day!

jbryant
New Contributor II

You are correct mnickels. I have worked with our Trend Support rep and he actually provided me with some "Official" PPPC's. Granted I had to fix one of them and added a few more to the allowed list (Don't forget to restart after install). I can provide them if someone has need of them. Also I'd like to point out that if you have M1 computers in your future, they are NOT supported by TrendMicro. Even manually installing the client, it will not function as intended. I just learned that support for the Apple M1 chips is planned for Q2 2021.

nwitte
New Contributor

@jbryant Can you please share the profiles with me? We keep struggling with TM on Big Sur. Any help will be much appreciated.

allanp81
Valued Contributor

@jbryant I've had a look on Big Sur on an M1 and Trend installs fine and appears to run but there is no way to automate approval of the kernel extension like before. It's incredibly annoying.

jbryant
New Contributor II

From TrendMicro (aka Horse's Mouth):
Screenshot was modified to protect the innocent...

Here is a link to my PPPC's: Google Drive Link. There are 5 PPPC's in this .zip file. 4 are from TrendMicro and the 5th one, "Trend Micro - iCoreService v2" was mine that I had to create and test and test and test. I'm sure someone out there could combine these PPPC's and make this a more pleasant experience to upload and manage but this is how I was able to make it work.

Again, this is for INTEL Big Sur computers ONLY and REBOOT IS NEEDED after install. M1 is NOT SUPPORTED. I hope this helps!!

PS- If you are able to combine these PPPC's hit me up with a download link.

cbruce
New Contributor III

Hello,
I've been able to get all but browser plugin extension for -Mozilla Firefox Extension working. The download to the mobileconfig is here: https://success.trendmicro.com/solution/000277823#
When I upload the mobileconfig, nothing is shown in Custom Settings. Has anyone gotten this to work? FWIW - on the Macs that I've tested, I don't even have Firefox installed.

macbofh
New Contributor III

@jbryant

Thanks for sharing the profiles. I had to make 1 adjustment in the "TrendMicro_-_System_Extension" profile (see attached image).

supson
New Contributor III

@mnickels So I created all of this, looking at your screenshots and the Trend documentation, however I continually get Failed - Under Status it says: In the payload (UUID: 06BB9690-EC13-44DB-A756-B6E68A2B4135), the key 'CodeRequirement' has an invalid value.

user-CdUbDHwWrY
New Contributor II

@jbryant, the 2 netfilters are encrypted, any help on getting the non-encrypted ones, or was this intentional, thanks.

user-CdUbDHwWrY
New Contributor II

I posted the question about encrypted, then found this command to use:

openssl smime -inform DER -verify -in ~/Settings.mobileconfig -noverify -out ~/Unsigned.mobileconfig

I then stripped out what I needed, but still get the "com.trendmicro.icore" Would like to Filter Network Content - Allow/Don't Allow

More tuning, but I'll fix it eventually.

Anonymous
Not applicable

I wrote to the TM Support and got a PDF manual, titled "Suggestions for MDM regarding Apex One.pdf". At this time, I am trying to create a policy that will work and give it a try. I will update this thread with the results.

EDIT:
I had to edit my original posting, because it is not possible to attach files (only pictures) to a post.

swapple
Contributor III

Recently we have been getting Trend needing Icore Service.app checked in the Sec&Priv > General tab. How do we automate this? We have the config profiles set but this still insists on manual interaction.

allanp81
Valued Contributor

Is that on an m1 mac?