Granting the Sensor Full Disk Access

For the Carbon Black EDR macOS sensor to operate at full functionality on an endpoint running macOS 11 Big Sur, the system extension must have Full Disk Access on the endpoint.

Manually Grant the Sensor Full Disk Access

Follow this procedure to manually enable Full Disk Access on an endpoint that is running macOS 11 Big Sur.

Procedure

In the Security & Privacy System Preferences section, click the Privacy tab.
Authenticate as an administrator.
Scroll to Full Disk Access.
If it exists, approve the application es-extension.

Grant the Sensor Full Disk Access with MDM

Perform the following procedure to create and distribute the Privacy Preference payload in your MDM for Full Disk Access.

Granting an application full disk access is accomplished via a Privacy Preferences payload. This procedure adds two identifiers to the payload. Complete the fields exactly as documented here. Copy and paste for accuracy.

Prerequisites

Note: Field names, values, and functionality can vary depending on the MDM framework or sensor version used.

Procedure

Set the following values:

Identifier:

com.carbonblack.CbOsxSensorService

Identifier Type:

Bundle ID

Code Requirement:

identifier "com.carbonblack.CbOsxSensorService" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service:

SystemPolicyAllFiles

Access:

Allow

Press the plus (+) button to append an additional identifier.

Identifier:

com.carbonblack.es-loader.es-extension

Identifier Type:

Bundle ID

Code Requirement:

identifier "com.carbonblack.es-loader.es-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service:

SystemPolicyAllFiles

Access:

Allow