This topic describes how to create configuration profiles for Carbon Black App Control macOS agent version 8.7 or later on macOS Big Sur (macOS 11) or later. The method uses an MDM configuration with Jamf to deploy the agent on multiple endpoints.

Procedure

  1. In Jamf, create the Configuration Profile:
    • Name: We recommend that you include the Extension (Kernel or System) method that is being used.
    • Description: Optional.
    • Category: None
    • Level: Computer Level
    • Distribution Method: Install Automatically

    The Configuration Profile showing the General section

  2. In the Privacy Preferences Policy Control section, enter the following App Access sub-payloads:

    To ensure full functionality of the macOS agent, enter each App Access sub-payload from the following table. For all sub-payloads, the Identifier Type is Bundle ID, and the Application or Service is SystemPolicyAllFiles with Access set to Allow.

    | Identifier | Identifier Type | Code Requirement | App or Service |
    |---|---|---|---|
    | com.vmware.carbonblack.appc-es-loader.appc-es-extension | Bundle ID | identifier "com.vmware.carbonblack.appc-es-loader.appc-es-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T" | SystemPolicyAllFiles; Access: Allow |
    | com.bit9.b9notifier | Bundle ID | identifier "com.bit9.b9notifier" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T" | SystemPolicyAllFiles; Access: Allow |
    | /Applications/Bit9/Daemon/b9daemon | Path | identifier "com.bit9.b9daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T" | SystemPolicyAllFiles; Access: Allow |

    Ensure that every App Access sub-payload from the preceding table is entered. Without the specified access, various parts of the Carbon Black App Control agent will not function properly.

    The Privacy Preferences Policy Control sub-payloads should look like this:

    The Privacy Preferences Policy Control section with the first App Access sub-payload added from the details in the table above

    The Privacy Preferences Policy Control section with the second App Access sub-payload added from the details in the table above

    The Privacy Preferences Policy Control section with the last App Access sub-payload added from the details in the table above

    The Configuration Profile showing the System Extensions section
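To confirm that a profile carries all three App Access sub-payloads from step 2 before it is scoped to endpoints, the following added example (not part of the Carbon Black or Jamf documentation) audits an unsigned .mobileconfig export. It assumes Apple's PPPC payload keys (`Services`, `SystemPolicyAllFiles`, `IdentifierType`, `CodeRequirement`, `Authorization`); `audit_pppc`, `requirement` and `sample_profile` are hypothetical names, and the sample profile is constructed.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type

def requirement(signing_id):
    """Code Requirement string in the form shown in the table above."""
    return (f'identifier "{signing_id}" and anchor apple generic and '
            'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
            'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
            'certificate leaf[subject.OU] = "7AGZNQ2S2T"')

# Identifier -> (IdentifierType, signing identifier), taken from the table above
EXPECTED = {
    "com.vmware.carbonblack.appc-es-loader.appc-es-extension":
        ("bundleID", "com.vmware.carbonblack.appc-es-loader.appc-es-extension"),
    "com.bit9.b9notifier": ("bundleID", "com.bit9.b9notifier"),
    "/Applications/Bit9/Daemon/b9daemon": ("path", "com.bit9.b9daemon"),
}

def audit_pppc(profile_bytes):
    """Return a list of problems; an empty list means all three entries are correct."""
    profile = plistlib.loads(profile_bytes)
    entries = {e.get("Identifier"): e
               for payload in profile.get("PayloadContent", [])
               if payload.get("PayloadType") == TCC_TYPE
               for e in payload.get("Services", {}).get("SystemPolicyAllFiles", [])}
    problems = []
    for ident, (id_type, signing_id) in EXPECTED.items():
        entry = entries.get(ident)
        if entry is None:
            problems.append(f"{ident}: missing from SystemPolicyAllFiles")
            continue
        if entry.get("IdentifierType") != id_type:
            problems.append(f"{ident}: IdentifierType should be {id_type}")
        # Compare with whitespace normalized so line wrapping does not matter
        if " ".join(entry.get("CodeRequirement", "").split()) != requirement(signing_id):
            problems.append(f"{ident}: Code Requirement differs from the table")
        # macOS 11+ uses Authorization; the older boolean Allowed key is also accepted
        if entry.get("Authorization") != "Allow" and entry.get("Allowed") is not True:
            problems.append(f"{ident}: access is not set to Allow")
    return problems

def sample_profile(skip=None):
    """Constructed sample profile (not a Jamf export); skip omits one identifier."""
    items = [{"Identifier": i, "IdentifierType": t, "CodeRequirement": requirement(s),
              "Authorization": "Allow"} for i, (t, s) in EXPECTED.items() if i != skip]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": {"SystemPolicyAllFiles": items}}]})
```

A profile that Jamf has signed is CMS-wrapped and must be unwrapped to its plist before `audit_pppc` can parse it.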