
-----------------------------------------------------------------------------------
VMware, Inc.
-----------------------------------------------------------------------------------
Carbon Black Cloud Sensor MDM-instructions.txt (August 18, 2020)
-----------------------------------------------------------------------------------

I. MDM Kext Approval Configuration

Approving Carbon Black KEXTs via MDM can be accomplished via a KEXT Approval
Configuration Payload. The recommended way to deliver this configuration is through
the provided MDM-KEXT-approval.mobileconfig file. This mobileconfig provides the
necessary configuration, which can be uploaded to your organization's MDM-compatible
software deployment tool.

To construct this configuration manually, you must specify the Apple Team ID and
KEXT bundle in your configuration profile.

Apple Team ID: 7AGZNQ2S2T

KEXT Bundle ID: com.carbonblack.defense.kext

-----------------------------------------------------------------------------------

KEXT post-install approval on Big Sur (introduced in Big Sur Beta 10):

In order to allow the KEXT to load on macOS Big Sur, the OS requires either a local
action from an admin to approve the KEXT after install, or a customized reboot
command from your MDM to rebuild the Kernel Cache. Please see Apple documentation
here:
https://developer.apple.com/documentation/devicemanagement/restartdevicecommand/command

The recommended way to deliver this configuration is through the provided
MDM-KEXT-reboot-command.xml file. This XML file should be uploaded as a Custom
Command and sent to endpoints after KEXT install. Note that this will reboot the
target machine without warning, and that this distribution method is a temporary
workflow until MDM providers update their reboot protocols to support
RebuildKernelCache.

-----------------------------------------------------------------------------------

II. MDM System Extension Approval Configuration

Approving Carbon Black System Extensions via MDM can be accomplished via a System
Extension Approval Configuration Payload. The provided
MDM-SYSEXT-approval-mobileconfig-sample.txt provides a snippet of an example
mobileconfig that correctly implements this profile.

To construct the correct configuration, you must specify the Apple Team ID and
System Extension bundle in your configuration profile.

System Extension Types: Allowed System Extensions

Apple Team ID: 7AGZNQ2S2T

System Extension Bundle ID: com.vmware.carbonblack.cloud.se-agent.extension
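The KEXT approval payload from section I, the System Extension approval payload from section II, and the RestartDevice command with RebuildKernelCache from section I, as one added Python example that generates the plist XML with the standard library. This is not VMware's shipped MDM-KEXT-approval.mobileconfig, MDM-SYSEXT-approval-mobileconfig-sample.txt or MDM-KEXT-reboot-command.xml; the profile identifier, display names, PayloadIdentifier scheme and UUIDs are assumed placeholders, while the Team ID, bundle IDs and Apple payload types and keys are the documented ones.

```python
"""KEXT and System Extension approval payloads for the Carbon Black sensor,
plus the RestartDevice MDM command that rebuilds the kernel cache on Big Sur.
Added example built with plistlib; not VMware's shipped files.  Profile
identifier, display names and UUIDs are assumed placeholders."""
import plistlib
import uuid

TEAM_ID = "7AGZNQ2S2T"                       # Apple Team ID from the instructions
KEXT_BUNDLE_ID = "com.carbonblack.defense.kext"
SYSEXT_BUNDLE_ID = "com.vmware.carbonblack.cloud.se-agent.extension"


def payload_envelope(payload_type, display_name, **content):
    """Common per-payload keys every payload dictionary must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{payload_type}.{uuid.uuid4()}",   # assumed scheme
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        **content,
    }


def kext_policy_payload():
    """Kernel Extension Policy: AllowedKernelExtensions maps Team ID -> bundle IDs,
    so the KEXT loads without a local user having to approve it."""
    return payload_envelope(
        "com.apple.syspolicy.kernel-extension-policy",
        "Carbon Black KEXT approval",
        AllowUserOverrides=False,            # MDM, not the end user, decides
        AllowedTeamIdentifiers=[TEAM_ID],
        AllowedKernelExtensions={TEAM_ID: [KEXT_BUNDLE_ID]},
    )


def sysext_policy_payload():
    """System Extension Policy: 'Allowed System Extensions' in section II is the
    AllowedSystemExtensions key, again keyed by Team ID."""
    return payload_envelope(
        "com.apple.system-extension-policy",
        "Carbon Black System Extension approval",
        AllowUserOverrides=False,
        AllowedTeamIdentifiers=[TEAM_ID],
        AllowedSystemExtensions={TEAM_ID: [SYSEXT_BUNDLE_ID]},
    )


def build_profile(payloads):
    """Top-level Configuration profile; PayloadScope System installs device-wide."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.carbonblack.approvals",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Carbon Black Cloud Sensor approvals",
        "PayloadContent": list(payloads),
    }


def restart_rebuild_kext_cache_command():
    """RestartDevice with RebuildKernelCache: the Big Sur post-install step.
    The device reboots immediately, so send it only after the KEXT is installed."""
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {"RequestType": "RestartDevice", "RebuildKernelCache": True},
    }


def profile_xml():
    """Serialise the approval profile to XML plist text (unsigned)."""
    profile = build_profile([kext_policy_payload(), sysext_policy_payload()])
    return plistlib.dumps(profile).decode()


def parse_profile(xml_text):
    """Round-trip check: load the XML back into a dict before uploading it."""
    return plistlib.loads(xml_text.encode())


if __name__ == "__main__":
    print(profile_xml())
    print(plistlib.dumps(restart_rebuild_kext_cache_command()).decode())
```

The generated profile is unsigned; as section III notes for its own profile, sign it with your organization's signing tool before uploading it to the MDM. Keeping AllowUserOverrides false means approval is decided by the policy alone, which is the point of delivering it via MDM.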

-----------------------------------------------------------------------------------

III. MDM Network Extension Web Content Filter Configuration

Granting the Network Extension component of the Carbon Black System Extension
access to filter network content can be accomplished via a Web Content Filter
Payload. The recommended way to deliver this configuration is through the provided
MDM-SYSEXT-network-extension-approval.mobileconfig file. This mobileconfig provides
the necessary configuration, which can be uploaded to your organization's
MDM-compatible software deployment tool after it is signed by your organization's
signing tool.

These instructions were created using Apple documentation and ProfileCreator
(found here: https://github.com/ProfileCreator/ProfileCreator). When exporting this
profile, the profile should be signed to enable distribution via MDM.

To construct this configuration manually:

The fields should be completed exactly as follows. Please copy and paste for
accuracy.

In the General payload:

Payload Scope should be set to: System

In the Web Content Filter payload:

Filter Type should be set to: Plug-In

Plug-In Bundle ID: com.vmware.carbonblack.cloud.se-agent

Check Enable Socket Filtering

Filter Data Provider System Extension Bundle ID (macOS):
com.vmware.carbonblack.cloud.se-agent.extension

Filter Data Provider Designated Requirement (macOS):
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

Check Enable Packet Filtering (macOS)

Filter Packet Provider System Extension Bundle ID (macOS):
com.vmware.carbonblack.cloud.se-agent.extension

Filter Packet Provider Designated Requirement (macOS):
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

-----------------------------------------------------------------------------------

IV. MDM Privacy Preferences Payload Configuration

Granting an application full disk access via MDM can be accomplished via a Privacy
Preferences Payload. The recommended way to deliver this configuration is through
the provided MDM-privacy-config.mobileconfig file. This mobileconfig provides the
necessary configuration, which can be uploaded to your organization's MDM-compatible
software deployment tool.

To construct this configuration manually, we must add four identifiers into this
Privacy payload.

The fields should be completed exactly as follows. Please copy and paste for
accuracy.

1) Identifier: com.vmware.carbonblack.cloud.daemon

Identifier Type should be set to: Bundle ID

Code Requirement:
identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow

2) Identifier: com.vmware.carbonblack.cloud.se-agent.extension

Identifier Type should be set to: Bundle ID

Code Requirement:
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow

3) Identifier: com.vmware.carbonblack.cloud.osqueryi

Identifier Type should be set to: Bundle ID

Code Requirement:
identifier "com.vmware.carbonblack.cloud.osqueryi" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow

4) Identifier: com.vmware.carbonblack.cloud.uninstall

Identifier Type should be set to: Bundle ID

Code Requirement:
identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow

5) Identifier: com.vmware.carbonblack.cloud.uninstallerui

Identifier Type should be set to: Bundle ID

Code Requirement:
identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow
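The Web Content Filter payload from section III and the Privacy Preferences payload from section IV, as one added Python example (not VMware's MDM-SYSEXT-network-extension-approval.mobileconfig or MDM-privacy-config.mobileconfig). Every code requirement above follows the same Developer ID template, differing only in the identifier, so the example generates each one from that template and checks it against the entry it guards instead of relying on copy and paste; the payload display names, UserDefinedName, profile identifier and UUIDs are assumed placeholders.

```python
"""Web Content Filter and Privacy Preferences (PPPC) payloads for the Carbon
Black sensor, with every code requirement generated from one template and
checked before use.  Added example, not VMware's mobileconfig files; display
names, UserDefinedName, the profile identifier and UUIDs are assumptions."""
import plistlib
import re
import uuid

TEAM_ID = "7AGZNQ2S2T"
PLUGIN_BUNDLE_ID = "com.vmware.carbonblack.cloud.se-agent"
SYSEXT_BUNDLE_ID = "com.vmware.carbonblack.cloud.se-agent.extension"
# The five bundle IDs section IV grants SystemPolicyAllFiles (Full Disk Access).
FULL_DISK_ACCESS_IDS = [
    "com.vmware.carbonblack.cloud.daemon",
    SYSEXT_BUNDLE_ID,
    "com.vmware.carbonblack.cloud.osqueryi",
    "com.vmware.carbonblack.cloud.uninstall",
    "com.vmware.carbonblack.cloud.uninstallerui",
]

# Developer ID designated requirement: the two certificate-field OIDs pin Apple's
# Developer ID intermediate and leaf; subject.OU pins the vendor's Team ID.
DR_TEMPLATE = (
    'identifier "{bundle_id}" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    'certificate leaf[subject.OU] = "{team_id}"'
)


def designated_requirement(bundle_id, team_id=TEAM_ID):
    return DR_TEMPLATE.format(bundle_id=bundle_id, team_id=team_id)


def requirement_matches(requirement, bundle_id, team_id=TEAM_ID):
    """Reject a requirement whose identifier or Team ID disagrees with the entry
    it guards, or whose quoting is unbalanced (a typical paste error)."""
    if requirement.count('"') % 2:
        return False
    ident = re.search(r'identifier "([^"]+)"', requirement)
    team = re.search(r'leaf\[subject\.OU\] = "([^"]+)"', requirement)
    return bool(ident and team) and ident.group(1) == bundle_id and team.group(1) == team_id


def envelope(payload_type, display_name, content):
    """Common per-payload keys; identifier scheme and UUIDs are placeholders."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadDisplayName": display_name,
            "PayloadIdentifier": f"{payload_type}.{uuid.uuid4()}",
            "PayloadUUID": str(uuid.uuid4()).upper(), **content}


def web_content_filter_payload():
    """Section III: Plug-In filter with socket and packet filtering enabled,
    both provided by the system extension and pinned by its requirement."""
    dr = designated_requirement(SYSEXT_BUNDLE_ID)
    return envelope("com.apple.webcontent-filter", "Carbon Black network filter", {
        "FilterType": "Plugin",
        "PluginBundleID": PLUGIN_BUNDLE_ID,
        "UserDefinedName": "Carbon Black Cloud",          # assumed display label
        "FilterSockets": True,
        "FilterDataProviderBundleIdentifier": SYSEXT_BUNDLE_ID,
        "FilterDataProviderDesignatedRequirement": dr,
        "FilterPackets": True,
        "FilterPacketProviderBundleIdentifier": SYSEXT_BUNDLE_ID,
        "FilterPacketProviderDesignatedRequirement": dr,
    })


def privacy_payload():
    """Section IV: one SystemPolicyAllFiles entry per bundle ID, Allowed."""
    entries = []
    for bundle_id in FULL_DISK_ACCESS_IDS:
        dr = designated_requirement(bundle_id)
        if not requirement_matches(dr, bundle_id):
            raise ValueError(f"requirement does not match {bundle_id}")
        entries.append({"Identifier": bundle_id, "IdentifierType": "bundleID",
                        "CodeRequirement": dr, "Allowed": True})
    return envelope("com.apple.TCC.configuration-profile-policy",
                    "Carbon Black Full Disk Access",
                    {"Services": {"SystemPolicyAllFiles": entries}})


def build_profile():
    """Device-scoped profile carrying both payloads (unsigned; sign before upload)."""
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
            "PayloadIdentifier": "com.example.carbonblack.network-and-privacy",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Carbon Black Cloud Sensor filter and privacy",
            "PayloadContent": [web_content_filter_payload(), privacy_payload()]}


def profile_xml():
    return plistlib.dumps(build_profile()).decode()


if __name__ == "__main__":
    print(profile_xml())
```

The requirement check is worth keeping even when the profile is built by hand in ProfileCreator: a requirement whose identifier names a different binary than the entry's Identifier, or whose Team ID differs, will simply fail to grant the access, and a missing closing quote makes the whole requirement unparsable, so validating each string before upload saves a deployment cycle.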
