The user has endpoints that are reporting a status of Sensor Bypass (Admin Action).
VMware Carbon Black Cloud
Troubleshooting Windows endpoints stuck in bypass
Note: These instructions assume that there were previous attempts made to modify the cfg.ini file. If no previous attempt to enable RepCLI was ever made, please follow the instructions in the following article: How to Enable RepCLI Authentication on Existing Sensors.
1. Restore the cfg.ini file back to its original state.
2. After restoring the original cfg.ini file, reboot the endpoint, if possible.
3. Check the CBC console to see if the endpoint has come out of bypass after the reboot (give this process about five minutes before it updates in the console).
4. If the endpoint is still stuck in bypass, then reconfigure the cfg.ini as you've performed previously, but add the AuthenticatedCLIUsers parameter to the bottom of the config file and save the file (if the local Administrator SID does not work, then it is recommended to use a Domain Admin SID; it may also be necessary to reboot the endpoint after saving the changes to the file).
5. After the config has been saved, open an elevated command prompt and navigate to the C:\Program Files\Confer directory:
   cd C:\Program Files\Confer
6. Execute the following command:
7. If this command is successful, then attempt to remove the endpoint from bypass:
If the command from step six was unsuccessful, reboot the endpoint and attempt again (only if this was not performed after step 4).
Troubleshooting Linux endpoints stuck in bypass
Verify if Secure Boot is enabled by running the following command on a Linux endpoint that has the VMware Carbon Black Cloud sensor installed:
Secure Boot is not supported on the VMware Carbon Black Cloud Linux sensor at this time.
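An added example, not taken from this article and not necessarily the command it refers to: a shell function that reads the standard UEFI SecureBoot variable from efivarfs and falls back to mokutil if that cannot be read. The function name, the EFI_DIR override and the output labels are illustrative choices.

```shell
#!/bin/sh
# Added example: report the UEFI Secure Boot state on a Linux endpoint.
# The efivarfs path and GUID are the standard EFI global-variable location;
# EFI_DIR can be overridden (an assumption of this example) for offline checks.

EFI_DIR="${EFI_DIR:-/sys/firmware/efi}"
SB_VAR="efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state [efi_dir]
# Prints one of: enabled, disabled, legacy-bios, unknown
secure_boot_state() {
    dir="${1:-$EFI_DIR}"
    # No EFI directory means the system booted in legacy BIOS mode,
    # where Secure Boot cannot be active.
    if [ ! -d "$dir" ]; then
        echo "legacy-bios"; return 0
    fi
    var="$dir/$SB_VAR"
    if [ -r "$var" ]; then
        # efivarfs layout: 4 bytes of attributes, then the 1-byte value.
        val=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')
        case "$val" in
            1) echo "enabled"; return 0 ;;
            0) echo "disabled"; return 0 ;;
        esac
    fi
    # Fall back to mokutil when the variable is missing or unreadable.
    if command -v mokutil >/dev/null 2>&1; then
        case "$(mokutil --sb-state 2>/dev/null)" in
            *"SecureBoot enabled"*)  echo "enabled";  return 0 ;;
            *"SecureBoot disabled"*) echo "disabled"; return 0 ;;
        esac
    fi
    echo "unknown"
}

state=$(secure_boot_state)
echo "Secure Boot: $state"
if [ "$state" = "enabled" ]; then
    echo "Secure Boot is on; per this article the Linux sensor does not support it."
fi
```
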
Troubleshooting macOS endpoints stuck in bypass
Ensure that full disk access has been applied to endpoints running the VMware Carbon Black Cloud macOS sensor.
Also check to ensure that the installed sensor is supported on the version of macOS that is running on the endpoint.
- If an endpoint is running macOS 10.15 - 12.2 (Intel or M1), the only compatible sensor version is 188.8.131.52
- If an endpoint is running macOS 10.14 - 11.6.2 then sensor version 184.108.40.206 can be used
There are cases where rebooting the endpoint may fix this issue.
A number of conditions can cause the VMware Carbon Black Cloud sensor to get stuck in bypass:
- Upgrade process was unable to complete due to a sensor driver or process being locked up by another system process (Linux, macOS, Windows). Rebooting the endpoint may resolve this issue.
- Secure Boot preventing the kernel module from loading properly (Linux endpoints).
- Unsupported OS (macOS).
- Full disk access has not been applied properly (macOS).