Apple has announced a known issue with MacOS 13 that impacts third-party products in non-MDM deployments.

All non-MDM Carbon Black customers should refer to Apple’s 13.1 Beta Release Notes Known Issue 100857507 for details and a workaround that our team has independently verified.

macOS Ventura 13.1 Beta Release Notes | Apple Developer Documentation

Sensor version 3.7.2 is macOS Ventura-ready via System Extensions. Legacy Kernel Extension mode operation is not supported on macOS Ventura.

For customers who plan to upgrade macOS 11 Big Sur endpoints running the Kernel Extension to macOS Ventura, we recommend using a management tool such as Workspace ONE, Jamf, or similar MDM solution to deploy the 3.7.2 sensor. Carbon Black Cloud upgrade does not support Kernel Extension mode upgrades from macOS 11 to macOS 13.

To ensure full sensor enablement, we recommend that endpoints are preconfigured with System Extension pre-approval using MDM before deployment of the sensor.

macOS 13 Ventura added service management user interface, which allows admin users to disable essential background sensor services. Following MDM configuration is required to disable this user option.

MDM configuration payload type : com.apple.servicemanagement

RuleType : TeamIdentifier

RuleValue : 7AGZNQ2S2T

*Validated on macOS Ventura Beta

Note: MDM product support is required to use new configuration payload type. VMware Workspace ONE "Custom Settings" supports configuration of new payload types.

This release adds two enhancements around known malware prevention capabilities for the SysEXT sensor with Endpoint Standard enabled.

1. Script Engine improvements in classifying, blocking and alerting on execution of malicious scripts (by reputation) in additional execution contexts (on load, on access).

2. File In-Place Quarantine feature that prevents access to files identified as malware, preventing malware spread across networks and external storage devices.

These enhancements are automatically enabled by the presence of the base malware prevention rules on the Policy Page: (Known Malware | Suspect Malware | PUP) => Tries to Run => (Deny | Terminate).

This release completes the parity with the KEXT-based sensor around reporting modload (for dylds) and scriptload events for the Enterprise EDR product.

This release adds compatibility improvements that allow for a flexible handling of future macOS versions. The resulting approach reduces the number of sensor releases needed to maintain core sensor features across future major and minor macOS releases and reduces time to macOS major version support. This approach is also more aligned with the Apple SysEXT compatibility model.

macOS sensor 3.7.2 includes a change to improve proxy server information storage utilizing the latest macOS Keychain APIs.

In the event of sensor downgrade from 3.7.2 (or newer) to 3.7.1 (or older): 

As a result of the change, for sensors that require proxy credentials to connect to the CBC Cloud, proxy settings must be repopulated on downgrade. 

• If macOS System Preferences was used for the proxy configuration, the sensor attempts to repopulate the proxy information after the sensor downgrade. 

• If proxy configuration cannot be retrieved from the macOS System Preferences, the sensor unattended installer options -p PROXY_SERVER:PORT and -x PROXY_USER:PASSWORD must be used to repopulate the proxy settings during the sensor downgrade. 

A previous issue with network connectivity symptoms on macOS 11 - macOS 12 with SysEXT sensor has been addressed by Apple in the macOS 12.4 release. Endpoints running any macOS12.4 - compatible sensor (3.6.2 or newer) can now be upgraded to macOS 12.4 to resolve the issue where the network becomes unresponsive using multiple network extensions or a network extension with an Ethernet adapter. See Apple’s macOS Monterey 12.4 release update and our article link regarding this issue for more information:

• What's new for Enterprise in macOS Monterey 12.4

• Carbon Black Cloud: Network is Slow or Disconnects after Sensor Installed on MacOS

Due to a compatibility-related change Apple has made in version 12.3 with regards to their internal protocols, all sensor versions 3.6.1 or prior will not support macOS 12.3 or greater. 

Systems that upgrade to macOS 12.3 or greater before installing the 3.6.2 sensor or later will incorrectly display the sensor as active from the console; however, the sensor will be in a bypass state causing a lapse in endpoint protection.

To maintain endpoint protection, install sensor version 3.6.2 or later before upgrading to macOS 12.3 or greater.

Please see these KB articles for more information:

• Carbon Black Cloud: Significant decrease in alerts and events from Mac sensor after upgrade to MacOS 12.3

• Carbon Black Cloud: Is Mac OS 12.3 supported by sensor version 3.6.1.10?

If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved.

Running the command line uninstall utility from within a Carbon Black directory causes a crash (after successfully uninstalling the sensor).

If downgrading from 3.7.2 to 3.7.1 (or older) sensor and using proxy credentials to communicate with the Carbon Black Cloud backend, any existing proxy credentials will not persist to the downgraded sensor and must be resupplied

3.6.1.10 was the first GA version supporting the Apple Silicon chipset. Sensor downgrade to 3.5.x versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode. 

Note that downgrade behavior/expectations on Intel machines does not change.

Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow.