After updating Carbon Black Cloud sensor to version 184.108.40.206 the endpoint status will show as bypassed. After attempting to remove the endpoints from bypass the endpoints will loop back to the same status.
Carbon Black Endpoint Standard (CB Defense)
macOS 10.15.X and higher
Reboot the endpoint to complete the KEXT (also check system extensions for macOS 10.16 to 11.x "Big Sur") approval for the Kernel. Then follow the steps below to enable permissions for the Network extensions:
1. From Terminal Run the following Command:
$ sudo /Applications/VMware\ Carbon\ Black\ Cloud/VMware\CBCloud.app/Contents/MacOS/VMware\CBCloud -ne
Title: Carbon Black Cloud: How to approve network extension after manual install in System Extension mode
Title: Carbon Black Cloud: What is the impact of not approving the network extension (macOS)
Also please check to see if Full Disk Access is already approved:
Title: [Carbon Black Cloud] Granting the macOS Sensor Full Disk Access (v3.5.1+)
From the Sensor diagnostics from at least one of the affected endpoints you can see the following from the confer logs:
03/02/21 09:36:45 [WARN] a78d failed to rebuild kextcache
03/02/21 09:37:06 [INFO] a78d detected not loaded kext com.carbonblack.defense.kext
03/02/21 09:37:07 [INFO] a78d KextManagerLoadKextWithIdentifier returns -603946981
03/02/21 09:37:07 [WARN] a78d system policy prevents loading the sensor kernel extension
03/02/21 09:39:21 [WARN] a78d failed to load com.carbonblack.defense.kext (attempt 1)
03/02/21 09:39:23 [INFO] a78d KextManagerLoadKextWithIdentifier returns -603946981
03/02/21 09:39:23 [WARN] a78d system policy prevents loading the sensor kernel extension
03/02/21 09:39:50 [INFO] a78d loaded kext com.carbonblack.defense.kext
Carbon Black Cloud support confirmed that the logs above show that the KEXT was not approved or not working for the sensor.
Carbon Black also reviewed the Server and noticed that the Network Extension was not approved for the endpoints. This causes the sensor to not provide full data to the server.