Skip to main content
Red Canary help

Installing and uninstalling the VMware Carbon Black EDR (formerly CB Response) sensor on macOS

  • Updated .

Prerequisites

Prior to deploying the sensor, please ensure you have accounted for the following:

Configure the necessary AV exclusions

Configure your antivirus (AV) to ignore the following directories. More details into that can be found here.

/var/lib/cb/*
/Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService
/Applications/VMware Carbon Black EDR.app/Contents/XPCServices/CbDigitalSignatureHelper.xpc
/System/Library/Extensions/CbOsxSensorNetmon.kext
/System/Library/Extensions/CbOsxSensorProcmon.kext

Configure the necessary network connectivity

The VMware Carbon Black sensor communicates with the server using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

You can find your VMware Carbon Black EDR server's sensor check-in address by clicking Endpoints > Deploy sensors > Windows > Cb Response.

Please be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Installing VMware Carbon Black EDR using a deployment tool

Use this installation method if you want to automate silent installations on many devices, including installations via MDM (mobile device management) tools such as JAMF.

To automatically install the VMware Carbon Black EDR sensor for macOS with JAMF:

  1. Log into Red Canary.
  2. Download the sensor installer from Endpoints > Deploy sensors > Windows > Cb Response > Download the default MacOS sensor.
  3. Extract the .zip file.
  4. In the JAMFconsole, set up a Configuration Profile that contains the Approved Kernel Extensions configuration.
  5. Configure the profile with the Team ID of 7AGZNQ2S2T.
  6. Create a standard deployment package within JAMF to deploy the sensor using the CarbonBlackClientSetup.pkg file within the extracted .zip file.

Installing VMware Carbon Black EDR manually

Use this installation method if you want to install the sensor manually on a single endpoint.

To manually install the VMware Carbon Black EDR sensor for macOS:

  1. Log into Red Canary.
  2. Download the sensor installer from Endpoints > Deploy sensors > Windows > Cb Response > Download the default MacOS sensor.
  3. Copy the .zip sensor installation package to the Mac OS X endpoint.
  4. Extract the .zip file.
  5. From the extracted .zip file, run the CarbonBlackClientSetup.pkg file by double-clicking on it and following the installation prompts.

Special instructions for macOS Mojave (10.14), Catalina (10.15), Big Sur (10.16/11.x)

When installing on one of these operating systems without an MDM tool, you will receive a pop-up message from Apple that informs the sensor kernel module (kext) is blocked.

To allow the sensor’s kernel extension to execute:

  1. Open the System Preferences application. This usually can be found in the dock or within the Applications folder.
  2. Click Security and Privacy. On the Security and Privacy panel, select the Privacy tab.
  3. Click Allow next to the kernel extension that requires approval. 

macOS Catalina and Big Sur requires full disk access to be granted to the sensor and a reboot after installation.

To grant full disk access to the sensor:

  1. Open the System Preferences application. This usually can be found in the dock or within the Applications folder.
  2. Click Security and Privacy. On the Security and Privacy panel, select the Privacy tab.
  3. In the left pane, select Full Disk Access.
  4. In the lower-left corner of the panel, click the Lock and enter your username and password. The lock then should appear unlocked.
  5. Click + to view the file finder. Navigate to the Applications > Carbon Black directory, select the CbOsxSensorService file, and then click Open (Note: On endpoints running Big Sur the extension may appear as VMware Carbon Black EDR).
  6. In the Privacy tab, confirm that the CbOsxSensorService file appears in the list of applications that have full access permission. A reboot may be required to ensure the extension has full access to the file system.
  7. (For endpoints running Big Sur) Under Full Disk Access the file es-extension must be granted full disk access to ensure full compatibility (if both es-extension and VMware Carbon Black EDR are not granted full disk access, the sensor may not fully function). After granting the extensions full disk access, it is recommended to reboot the machine to ensure full functionality.

Uninstalling Carbon Black EDR 

To uninstall using the command line for sensor version 6.x

  1. Execute the following command on the target endpoint:
/Applications/CarbonBlack/sensoruninst.sh

To uninstall using the command line for sensor version 7.x

  1. Execute the following command on the target endpoint:
/Applications/VMware\ Carbon\ Black\ EDR.app/Contents/Resources/sensoruninst.sh

To uninstall using JAMF:

  1. For uninstallations with JAMF, you can use the following script example (this also takes in account using a password during the install):
/Applications/CarbonBlack/sensoruninst.sh

Comments

0 comments

Please sign in to leave a comment.