Skip to main content
Red Canary help

Installing and uninstalling the Carbon Black Cloud sensor on macOS

  • Updated .

Prerequisites

Prior to deploying the Carbon Black Cloud sensor, please ensure you have accounted for the following:

Configure the necessary network connectivity

The Carbon Black sensor communicates with the Carbon Black cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

You can find your Carbon Black cloud’s IP addresses on this page.

Please be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Configure sensor groups and policy assignments

Each sensor is assigned a policy that determines what policy rules apply to the sensor. By default, each new sensor is assigned the Standard policy unless you define an alternate policy during a command-line installation or you have previously created sensor groups and the installed sensor matches a sensor group’s criteria.

Prepare for kernel extension approvals

macOS v3.1 sensor installations on macOS High Sierra (10.13) and beyond require approval of the product kernel extension by administrative policy or user. This requirement is enforced by Apple. 

Carbon Black recommends that you preconfigure High Sierra endpoints with pre-approved drivers by using MDM policy, netboot, or pre-configured images. This approach simplifies sensor installation, especially during a command-line installation. A CLI message occurs during the install, and requires the –kext flag to skip and finish the install. If drivers are not pre-approved before sensor installation, the behavior results as follows: 

  • Command-line installation: Installation finalizes and returns success, but logs a warning to installation logs. Because drivers cannot load, the sensor enters Bypass state and reports this state to the cloud. After the kernel extension is approved, the sensor recovers within one hour and enters the full protection state.

  • Direct installation is handled similarly to a command-line installation, with two differences: (1) sensor installation displays a dialog message that requests the user to approve the kernel extension by using system preferences; (2) installer stalls for up 10 minutes to give the user the opportunity to approve the kernel extension. 

Installing Carbon Black Cloud using a deployment tool

Use this installation method if you want to automate silent installations on many devices, including installations via mobile device management (MDM) tools such as JAMF.

To automatically install the Carbon Black Cloud sensor for macOS with JAMF:

  1. Log into your Carbon Black Cloud console.
  2. Retrieve a company code from Endpoints > Sensor Options > Company Codes.
  3. Download a sensor kit for the target operating system from Endpoints > Sensor Options > Download sensor kits.
  4. In the JAMF console, set up a Configuration Profile that contains the Approved Kernel Extensions configuration.
  5. Configure the profile with the Team ID of 7AGZNQ2S2T.
  6. Follow the instructions specified in the Carbon Black documentation.

Installing Carbon Black Cloud manually

Use this installation method if you want to install the sensor manually on a single endpoint.

To manually install the Carbon Black Cloud sensor for macOS:

  1. Log into your Carbon Black Cloud console.
  2. Retrieve a company code from Endpoints > Sensor Options > Company Codes.
  3. Download a sensor kit for the target operating system from Endpoints > Sensor Options > Download sensor kits.
  4. The Cb Defense Install.pkg and cbdefense_install_unattended.sh scripts are part of the macOS sensor release and are embedded in the Cb Defense DMG. Both files are required for command-line installations on macOS endpoints. 
  5. Transfer the downloaded sensor installer DMG file to the target endpoint.
  6. Extract the files from the DMG file. 
  7. Install the sensor using the company code noted above:
     
    sudo /tmp/cbdefense_install_unattended.sh -i '/tmp/CBDefense Install.pkg' -c '<COMPANY CODE>' 

Special instructions for macOS Mojave (10.14) and Catalina (10.15)

When installing on one of these operating systems without an MDM tool, you will receive a pop-up message from Apple that informs the sensor kernel module (kext) is blocked.

To allow the sensor’s kernel extension to execute:

  1. Open the System Preferences application. This usually can be found in the dock or within the Applications folder.
  2. Click Security and Privacy. On the Security and Privacy panel, select the Privacy tab.
  3. Click Allow next to the kernel extension that requires approval. 

MacOS Catalina requires full disk access to be granted to the sensor and a reboot after installation.

To grant full disk access to the sensor:

  1. Open the System Preferences application. This usually can be found in the dock or within the Applications folder.
  2. Click Security and Privacy. On the Security and Privacy panel, select the Privacy tab.
  3. In the left pane, select Full Disk Access.
  4. In the lower-left corner of the panel, click the Lock and enter your username and password. The lock then should appear unlocked.
  5. Click + to view the file finder. Navigate to the /Applications directory, select the Confer.app file, and then click Open.
  6. In the Privacy tab, confirm that the Confer.app file appears in the list of applications that have full access permission. The sensor now has full access to the file system.

How can I identify sensors that have unapproved kernel extensions?

You can use your Carbon Black console to identify sensors that are running on unsupported operating systems or have unapproved kernel extensions:

To identify devices with sensors that are running on unsupported operating systems or have unapproved kernel extensions:

  1. Login to your Carbon Black Cloud console.
  2. Click Endpoints.
  3. Change the Status filter to All, and use each of these queries to identify problematic sensors: 
    sensorStates:UNSUPPORTED_OS 
    sensorStates:DRIVER_INIT_ERROR 

Note: You can also use a variable in the search query, such as sensorStates:DRIVER* 

Uninstalling the Carbon Black Cloud sensor

For uninstalling using command line for sensor version 3.5.1.19 or later:

  1. Execute the following command on the targeted endpoint: 
    sudo /Applications/VMware\ Carbon\ Black\ Cloud/uninstall.bundle/Contents/MacOS/uninstall -y
  2. If an uninstall code is required based on sensor policy, use the following command: 
    sudo /Applications/VMware\ Carbon\ Black\ Cloud/uninstall.bundle/Contents/MacOS/uninstall -y -c <Uninstall Code>

For uninstalling using command line for sensor version 3.x prior to 3.5.1.19:

  1. Execute the following command on the targeted endpoint: 
    sudo /Applications/Confer.app/uninstall -y
  2. If an uninstall code is required based on sensor policy, use the following command: 
    sudo /Applications/Confer.app/uninstall -y -c <Uninstall Code>

If the sensor was installed in KEXT mode, you will need to reboot the endpoint to complete the KEXT removal.

See Require Codes to uninstall Sensors at an Endpoint for more information on the uninstall code or company deregistration code.

 

Comments

0 comments

Please sign in to leave a comment.