VMware Carbon Black App Control 8.8.0 | 22 FEB 2023 | Build 8.8.0.227

Check for additions and updates to these release notes.

What's New

The 8.8.0 macOS Agent Release Notes provide information for users upgrading from previous versions as well as for users new to VMware Carbon Black App Control.

Product security is our top priority for Carbon Black App Control. In this release, we have included several new enhancements to ensure that our product is prepared to keep you and your endpoints secure.

Mac Trusted Publisher Support

Trusted Publisher is now supported with the 8.8.0 macOS Agent. The 8.8.0 macOS Agent can now detect Apple-based certificates and enforce publisher rules from the 8.9.4 App Control Server. This reduces the complexity involved with approving/banning new software and updates from Apple or other third-party vendors.

On Windows agents, many customers leverage Trusted Publishers to create high-enforcement policies, allowing all trusted Windows software vendors and blocking all else. With this feature on Mac, customers can now more easily lock down their endpoints, providing a high level of security that was previously challenging to obtain on Apple devices.

Please note there are some differences between the macOS and Windows Agent functionality:

  • Uploading Mac certificates to the App Control Server is not supported in this release.

  • Counter Signatures are not supported on the macOS Agent.

  • The following "Advanced Options" are not yet supported in this release:

    • Allowing expired certificates

    • Certificate Algorithm exclusions

    • Minimum Certificate Key Size For Approval limits

8.9.4 Server Required For Mac Trusted Publishers

Customers utilizing Mac Trusted Publishers for the first time must have the 8.9.4 Server to ensure existing publisher certificate information is sent to 8.8.0 Mac agents. The 8.9.4 Server allows you to request agents to send certificate information via a new option in the cache consistency check menu, Re-evaluate publishers.

Without the 8.9.4 Server and the administrator performing this action, the certificate information from 8.8.0 Mac agents would not be available to the server, and therefore publisher rules could not be created and delivered back to the agent.

For more information, see Performing a Cache Consistency Check in the 8.9.4 User Guide.

Note: Trusted Publisher will only work on 8.8.0 Agents running on system-extension based operating systems (macOS 11.x Big Sur and later) and not on KEXT based operating systems (macOS 10.15.x and older).

For more information, see Approving or Banning by Publisher in the 8.9.4 User Guide.

Additional changes include:

  • You can now copy file details from the notifier regarding a blocked execution. This includes the Target Process, Process, Path, and Machine Name. This makes it easier for users to share process information in organizations using external approval workflows for App Control.

  • Added a new agent config property "popup_notification_duration" that adjusts the time interval of the notification pop-up that appears when a Mac process is blocked. The default time interval is set to 5 seconds (5000ms). You can now adjust this time interval to a custom interval to ensure users do not miss block notifications.

    • Value: "popup_notification_duration_ms=<time in milliseconds>"

      • Ex. popup_notification_duration_ms=5000, sets the notification duration to 5 seconds.

Resolved Issues

  • EP-17195: Fixed an issue where the b9cli --capture command would time out randomly under certain circumstances

  • EP-16564: Fixed an issue where the b9daemon does not appear in the FDA list

Known Issues

  • EP-15756: Ban file rules are not applied to Mac agent after manually importing configlist.xml from the server

  • EP-15471: Device vendor name is not displayed on the server when a device is connected through a thunderbolt port

  • EP-15277: kernelFileOpExclusions configured on the server are not working as expected on Mac agents.

  • EP-13191: Policy name change on the server does not reflect on Mac agent

  • EP-15747: Manually importing 'configlist.xml' from the server results in a disconnected agent, even after machine reboot.

  • EP-15282: Mac agent prevents files from being modified in High Enforcement Policy

    Modifying a file when in high enforcement results in the notifier being displayed, and the agent blocking the change. File modification should be allowed, unless there is a rule preventing this action.

  • EP-5821: Software RAID 0/1 device control status is always “Unapproved” and cannot be manipulated through device control

  • EP-6055: The macOS agent does not capture extended file attributes

  • EP-13191: If you change the name of a policy after it is assigned to an agent, the updated policy name does not display on the details page of that agent

  • EP-14175: In the case of System Extensions, the first execution of a process is always denied unless it is approved by the user.

    In the case of a custom rule execution prompt, even if the user approves, App Control prompts the user with the termination of the process. This is expected behaviour.

  • EP-15300: In medium enforcement, notifier freezes when multiple, unapproved, interesting files are executed on macOS Big Sur and higher

    This issue is on macOS version 11.X and above. If the file must be approved, you can create a path exclusion rule for that interesting file.

  • EP-15323: KernelSupport and SystemProxy kexts are loaded after upgrading from Catalina to Monterey

    When agent version 8.7.2 is installed on an endpoint and the OS is upgraded from ‘Catalina or below’ to ‘Big Sur or above’, 2 kexts [com.bit9.KernelSupport, com.bit9.SystemProxy] out of 4 are found still loaded.

  • EP-15327: Delete action through Finder is not displaying a prompt

    A custom rule for 'file creation control' is created where the 'write action' is 'prompt' and a specific directory path is provided. When a delete action is performed using Finder on a file in the directory named in the rule's path parameter, a prompt does not display and the delete action is allowed.
