
EDR Big Sur Install

Overview


EDR uses the Kernel Extension (KEXT) installation for macOS installs, which requires either a KEXT approval via Mobile Device Management (MDM) or an attended installation by a local admin on the machine. Big Sur does not allow KEXT installation without MDM pre-approval, which requires extra steps.

Those extra steps are provided here.

It is recommended that users install EDR on Big Sur from the command line (CLI) rather than scheduling the task with the Armor Toolbox.

Step 1: MDM KEXT pre-approval on macOS 11


The easiest way to distribute the necessary MDM payload to approve the KEXT is to upload the MDM-KEXT-approval.mobileconfig file, found in the mounted DMG of the installer, in the docs folder.

It is also possible to recreate the attached mobileconfig in your MDM tool. You can accomplish this by specifying the Apple Team ID and KEXT Bundle ID in your Kernel Extension configuration profile:

  • Apple Team ID: 7AGZNQ2S2T

  • KEXT Bundle ID: com.carbonblack.defense.kext
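
The profile described in this step can be generated and checked before upload with a short script. This is an added example, not the vendor's MDM-KEXT-approval.mobileconfig or code from the installer; it assumes Apple's com.apple.syspolicy.kernel-extension-policy payload with its AllowedKernelExtensions and AllowedTeamIdentifiers keys, and the com.example.mdm identifier prefix, the display name and the audit rules are choices of this example.

```python
import plistlib
import uuid

TEAM_ID = "7AGZNQ2S2T"                           # from this page
KEXT_BUNDLE_ID = "com.carbonblack.defense.kext"  # from this page
KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"  # Apple payload type


def build_profile(prefix="com.example.mdm"):  # prefix is a placeholder
    """Return mobileconfig bytes that approve only the one KEXT bundle ID."""
    common = {"PayloadVersion": 1, "PayloadDisplayName": "EDR KEXT approval"}
    payload = dict(common, PayloadType=KEXT_POLICY,
                   PayloadIdentifier=prefix + ".edr.kext-policy",
                   PayloadUUID=str(uuid.uuid4()).upper(),
                   AllowedKernelExtensions={TEAM_ID: [KEXT_BUNDLE_ID]})
    profile = dict(common, PayloadType="Configuration",
                   PayloadIdentifier=prefix + ".edr",
                   PayloadUUID=str(uuid.uuid4()).upper(),
                   PayloadContent=[payload])
    return plistlib.dumps(profile)


def audit_profile(data):
    """Return findings; an empty list means exactly the expected KEXT is approved."""
    findings, approved = [], False
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") != KEXT_POLICY:
            continue
        # Team-wide approval lets every KEXT signed by that team load.
        for team in p.get("AllowedTeamIdentifiers", []):
            findings.append("team-wide approval: " + team)
        for team, bundles in p.get("AllowedKernelExtensions", {}).items():
            for bundle in bundles:
                if (team, bundle) == (TEAM_ID, KEXT_BUNDLE_ID):
                    approved = True
                else:
                    findings.append("unexpected KEXT: %s/%s" % (team, bundle))
    if not approved:
        findings.append("expected KEXT is not approved by bundle ID")
    return findings


if __name__ == "__main__":
    blob = build_profile()
    print(blob.decode())
    print("findings:", audit_profile(blob))
```

The same audit_profile function can be run over a profile exported from the MDM tool to confirm it approves this KEXT and nothing broader.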

Step 2: Local KEXT approval and endpoint reboot (two options)


On macOS 11, a local approval of the KEXT (the user will be prompted) and a reboot are required to complete approval of the KEXT. This is in addition to the pre-approval in Step 1. There are two ways to do this: one relies on the endpoint user, and the other is accomplished via MDM.

Option 1: Local approval

After the sensor has been installed, the user will be prompted to approve the KEXT. To approve it, they can go to the Security & Privacy preferences pane, unlock the pane with their credentials, and approve the KEXT.

They will then be prompted to restart. Upon reboot the KEXT will load as expected.

Option 2: MDM kernel cache rebuild via custom reboot command (if supported)

To avoid relying on local user approval, you can use your MDM to issue a customized reboot command to rebuild the Kernel Cache.

Custom reboot commands are not supported by all MDM providers.

Please see Apple documentation here: https://developer.apple.com/documentation/devicemanagement/restartdevicecommand/command

The easiest way to distribute the necessary MDM command to finish approving the KEXT is to upload the MDM-KEXT-reboot-command.xml file, found in the docs folder of the sensor installation DMG. The command is also copied below. The XML file should be uploaded as a Custom Command and sent to endpoints after KEXT install.

Note that this will reboot the target machine without warning, and that this distribution method is a temporary workflow until MDM providers update their reboot protocols to support RebuildKernelCache.

<dict>
    <key>RebuildKernelCache</key>
    <true/>
    <key>KextPaths</key>
    <string>/Library/Extensions/CbDefenseSensor.kext</string>
    <key>RequestType</key>
    <string>RestartDevice</string>
</dict>
