VMware Carbon Black App Control macOS Agent 8.7.0.128.193 | 11 NOV 2021

Check for additions and updates to these release notes.

What's New

  • Platform specific support

    KEXTs are supported for OS with versions lower than macOS 11.0 BigSur. System Extensions are supported for macOS 11.0 BigSur and higher versions.

  • M1 Support

    System extension support is provided for M1 (Apple Silicon) and Intel Hardware starting with macOS 11.0 BigSur & onwards.

  • New Binaries for System Extension support

    The following files were introduced to support system extensions:

    • /Applications/Bit9/Agent/appc-es-loader.app - Application Control system extension loader
    • /Applications/Bit9/Agent/appc-es-loader.app/Contents/Library/SystemExtensions/com.vmware.carbonblack.appc-es-loader.appc-es-extension.systemextension – Application Control system extension binary

  • Process blocking & user Approval flow

    There is change in the process blocking and user approval flow in the medium enforcement level:

    • User approval flow before App Control 8.7 :

      On execution of interesting executable file or script, respective process execution is paused for user's approval. If User allows from notifier, process continues execution and its always allowed to execute later. If user denies on prompt, process gets terminated and this flow repeats on next execution.

    • User approval flow in App Control 8.7 :

      On execution of interesting executable file or script, respective process gets terminated. If User allows from notifier, on next executions it will always be allowed to execute. If user denies on prompt, this flow will repeat on next execution.

    Note: Due to this new approval flow, we recommend adding custom notifier text to inform end users that programs must be run again after they are approved. Instructions on how to add custom notifier text can be found in the 8.7 App Control User Guide.

    For example, you can share: "Due to a new App Control update, any first time approval of a file or program with this notifier will result in a block." After this initial approval, the file or program will be able to run just as before the update.

  • Full Disk Access

    After installation or upgrade to App Control 8.7, the user must give full disk access to system extension and other agent binaries to make production function properly.

    For detailed instructions, see step 7 of the macOS Agent Installation Instructions - Manual located at the bottom of these release notes.

  • Installation using BSX on Monterey Platform

    In case of manual or MDM based installation using BSX file on MacOS 12 Monterey, use the command line ”sudo LC_ALL=C bash <bsx path>” if “sudo bash <bsx path>” is not working.

Resolved Issues

  • EP-14541: Resolved an issue where write operation was blocked from approved devices on Mac agent

Known Issues

  • EP-805: Users cannot disable or replace the App Control logo in Notifiers

    If you disable the logo, you may observe computer management events indicating “Computer failed to receive Notifier Logo: Source[…/GenericLogo.gif]”. These should be disregarded.

  • EP-3392: Starting the agent through CLI using /Applications/Bit9/Tools/b9cli --startup fails to start the b9Notifier

  • EP-4044: Unwanted blocks relating to system updates generated from a macOS upgrade

    To avoid unwanted blocks relating to system updates generated from a Mac upgrade, we recommend using the Updater Mac System Updates.

    Please see the “Approving by Updater” topic in the VMware Carbon Black App Control User Guide for more information.

  • EP-5820: Thunderbolt devices do not display Vendor Names

  • EP-5821: Software RAID 0/1 device control status is always “Unapproved” and cannot be manipulated through device control

  • EP-5960: Removable devices previously attached on the macOS endpoint may produce a “Never Seen” CLI message

    This occurs when you run the /Applications/Bit9/Tools/b9cli --devices command if that removable device approval state has been changed while it was unattached.

    Reinitializing the agent updates the device information appropriately.

  • EP-5965: While a removable device is banned (with writes and executes blocked), the user can still run touch on existing files and modify the modification timestamp

  • EP-5967: A “new device found” message displays anytime a removable device is attached to an agent-managed macOS computer, even if it is a known, removable device

  • EP-5983: Removable devices attached on the Mac endpoint may produce a “Pending” approval state when running the CLI command, /Applications/Bit9/Tools/b9cli --devices

    This occurs when the device approval state has changed after previously being “Approved”.

    We recommend you use the Device Details page of the App Control console to obtain this information.

  • EP-5986: When you run the CLI command: /Applications/Bit9/Tools/b9cli --devices, the results may produce the volume name of the previously attached removable device instead of the currently attached device

    Reinitializing the agent updates the device information appropriately.

  • EP-5992: Symbolic links can be created on a banned removable device (with writes and executions blocked) and executed when pointing to binaries stored off of the removable device

  • EP-6055: The macOS agent does not capture extended file attributes

  • EP-6078: On macOS endpoints, an interoperability issue exists with certain versions of Trend Micro’s endpoint security products

    You must run Trend Micro’s TMSM version 1.5 SP4 (or higher) to avoid this issue.

  • EP-6079: The default uninstall behavior is to remove all App Control agent data

    Some older releases required an additional parameter (“-d”) for this data to be removed.

    You must use the (“-d”) parameter to prevent data removal.

  • EP-6080: On macOS endpoints, when chroot is used, the patterns for script processors may need to be changed to patterns that will be appropriately matched in the re-rooted environment

    For example, in place of “/bin/bash”, you may want to use “*/bin/bash”. Contact Carbon Black Support for additional assistance.

  • EP-6081: When EDR is integrated with App Control, no information from EDR sensors (including their presence or absence) is reported to the App Control server from macOS endpoints

    Integration with EDR works only on systems running a App Control Windows agent.

  • EP-6082: When you run a Custom Rule to test an execution block on a macOS endpoint, the agent may report that the process for the blocked execution is xpcproxy

    This is a normal condition based on the implementation of the macOS endpoint.

    When creating a rule that applies to applications invoked from the typical launching mechanisms of Finder and/or launched on a macOS endpoint, it is best to also include /usr/lib/dyld as a potential parent for the application.

  • EP-7320: The agent erroneously lists the hard drive along with removable devices in macOS endpoints running macOS 10.13.6 (or later)

    You cannot alter the state of the hard drive, nor is there any impact to agent functionality.

  • EP-11562: Logging out of the console does not stop the notifier from running

  • EP-13191: If you change the name of a policy after it is assigned to an agent, the updated policy name does not display on the details page of that agent

  • Beginning with 10.13.4 High Sierra, Apple’s Secure Kext Loading feature now extends to MDM deployments

    As such, Carbon Black kernel extensions will need to be approved ahead of MDM deployment using our Team and Bundle IDs.

    Please see https://community.carbonblack.com/docs/DOC-13277 for more information.

  • When approving the CB Protection Kext (Kernel Extension) on 10.14.5 Mojave a warning will appear noting “One or more system extensions that you have approved will be incompatible with a future version of macOS

    Please contact support. This warning can be ignored.

  • EP-14175: In the case of System Extensions, the first execution of process is always denied unless it is approved by the user.

    In the case of a custom rule execution prompt, even if the user approves, App Control prompts the user with the termination of process. This is expected behaviour.

  • EP-14383: Prompt does not display when copying a file at 'path or file' mentioned in the 'File creation control' the custom rule.

macOS Agent Installation Instructions - Manual

This section describes how to manually install App Control macOS agent version 8.7 on macOS Big Sur (macOS 11) or later.

Download the macOS Agent Installer

  1. Navigate to Rules -> Policies and select the download url at the top of the page.

    Alternatively, you can access publicly accessible URL for this page using the following format:

    https://<server_name>/hostpkg

  2. On the Download Install Packages page, click the Mac platform name and save the file.

    When the download is complete, you can install the agent.

Install the App Control macOS Agent

  1. Open the Bit9Agent.dmg file that you downloaded in the previous step.
  2. Open the pkg file Install Bit9 Security Platform.pkg.
  3. On the Introduction page, click Continue.
  4. On the Installation Type page, click Install.

    When prompted, provide user credentials, and then select Install Software.

  5. When the installation is complete, a prompt displays that "The installation was successful." however, an additional prompt states: System Extension Blocked.

    Select the Open Security Preferences tab.

  6. In the Security & Privacy pane of the System Preferences app, click on the lock to authorize and then allow the appc_es_loader app that was blocked from loading.

  7. Some binaries from the package need Full Disk Access (FDA) to function correctly. To provide that access:
    1. Open System Preferences app and navigate to the Security & Privacy pane.
    2. On the Privacy tab, locate Full Disk Access in the list.

      FDA is needed by appc_es_extension, b9notifier and b9daemon. Appc_es_extension will be already in the list, likewise the other two need to be added. Provide the authorization by clicking on the lock and then click on the ‘+’ sign.

      Clicking on the ‘+’ sign opens Finder where b9notifier and b9daemon binaries need to be located and opened.

      NOTE: Providing FDA access to b9notifier requires it to be restarted. When the OS prompt this, select Quit & Reopen.

      Repeat this process for all the three binaries that require FDA.

  8. Restart the agent using one of the following methods:
    • Reboot the agent system
    • Manually stop and start the agent using the following steps in a terminal:
    cd /Applications/Bit9/Tools
./b9cli --password <password>
./b9cli --tamperprotect 0
./b9cli --shutdown
sudo ./b9cli --startup

macOS Agent Installation Instructions - MDM with Jamf

This section describes how to install App Control macOS agent version 8.7 on macOS Big Sur (macOS 11) or later using an MDM configuration with Jamf to deploy the sensor on multiple endpoints.

Configuration Profile Creation

Create the Configuration Profile as follows.

General

Name: Arbitrary, however should be descriptive. It is advisable to include which Extension (Kernel or System) method is being used Description and Category: Also arbitrary

Level: Computer Level

Distribution Method: Install Automatically

For example:

Privacy Preferences Policy Control

There are 3 App Access entries needed:

Identifier Identifier Type Code Requirement App or service
com.vmware.carbonblack.appc-es-loader.appc-es-extension Bundle ID identifier "com.vmware.carbonblack.appc-es-loader.appc-es-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T" SystemPolicyAllFiles Access: Allow
com.bit9.b9notifier Bundle ID identifier "com.bit9.b9notifier" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T" SystemPolicyAllFiles Access: Allow
/Applications/Bit9/Daemon/b9daemon Path identifier "com.bit9.b9daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T" SystemPolicyAllFiles Access: Allow

Ensure each of the App Access sub-payloads are entered from the table above. Without the access specified, various parts of the App Control agent will not function properly.

The Privacy Preferences Policy control sub-payloads should look like this:

System Extensions

We support System extension for macOS BigSur and subsequent platforms. For platforms prior to macOS BigSur, we support KEXT..

Allow Users to approve system extensions (optional) – Depending upon whether the Jamf administrator wants to allow System Extensions from other products to be user-approved. If enabled, users can approve additional system extensions that are not explicitly allowed by this policy.

  • As shown in example image below, you can toggle ‘Allow users to approve system extension’ to control the users approval action for any System Extension of any product.
  • You can add System Extensions under ‘Allowed Team ID and System Extensions’ tab. These SEs do not require users approval. In the example shown below, we explicitly added App Control System Extension payload, which does not require users approval. Jamf Admin can add similar entries for other products supporting SEs.

The following parameters were used in the example image shown below:

  • Display Name: Application Control macOS System Extensions
  • System Extension Types: Allowed System Extensions
  • Team Identifier: 7AGZNQ2S2T
  • Allowed System Extensions: com.vmware.carbonblack.appc-es-loader.appc-es-extension

Example:

check-circle-line exclamation-circle-line close-line
Scroll to top icon