Cylance: Protect - Installing Agent: MacOS Big Sur

Description

  • With the macOS Big Sur release, the command line profiles tool is no longer supported. To install configuration profiles on remote macOS systems without user interaction (silent install), Apple Mobile Device Management (MDM) is required. This means that macOS devices should be enrolled with an MDM vendor before upgrading to macOS Big Sur. Devices not enrolled prior to the upgrade requires user interaction (with administrative privileges).
  • BlackBerry recommends using MDM to deploy a Configuration Profile that contains approval and full disk access for BlackBerry Cylance's system extension. However, macOS Big Sur does not support remote silent installations of an MDM profile onto a system with a new installation of the Big Sur operating system.

Table of Contents

Remote Silent Installation

Complete the following steps to support remote silent installations:

  1. Install macOS Catalina
  2. Apply the MDM profile
  3. Download the profiles onto the Catalina device
  4. Upgrade the device to macOS Big Sur

By first installing macOS Catalina, the BlackBerry Protect Desktop Agent version 1580 contains both the kernel driver and the new Endpoint Security System Extension. The kernel driver only functions on macOS Catalina or earlier. The Endpoint Security System Extension is required by macOS Big Sur and is only supported in BlackBerry Protect Desktop Agent version 1580 and later. This is why macOS Catalina is required to bridge the gap between the differences in the operating systems.

Product version and extension type:

  • BlackBerry Protect (CylancePROTECT) Agent version 1570 or earlier
    • Kernel extension, supports macOS Catalina or earlier
  • BlackBerry Protect (CylancePROTECT) Agent version 1580 and later
    • Kernel extension, supports macOS Catalina or earlier, System Extension supports macOS Big Sur and later

How to create a configuration profile that approves the BlackBerry Protect System Extension using Jamf Pro

The following example uses Jamf Pro for applying the MDM profile to a macOS Catalina system. These steps allow administrators to deploy the configuration profile that approves the BlackBerry Protect System Extension to a targeted scope of enrolled computers.

NOTE: This is the recommended method for preparing devices to upgrade to macOS Big Sur.

  1. Install macOS Catalina or upgrade the device to macOS Catalina.
  2. In Jamf Pro, create an MDM profile that automatically allows the Cylance system extension.
  3. In Jamf Pro, select Computers > Configuration Profiles
    Image
  4. Click New
  5. For Distribution Method, select Install Automatically
  6. For level, select Computer Level
  7. Under Options, select the System Extensions option.
    Image
  8. Click Configure
  9. In the Name field, enter CylanceSystemExtension
  10. In the Description Field, enter Allows CylancePROTECT System Extension
  11. Under System Extension Types, select Allow System Extensions
    Image
  12. For Team Identifier, enter 6ENJ69K633
  13. For Allowed Systems Extensions, click Add
  14. Under Allowed System Extensions, add com.cylance.CylanceEndpointSecurity.extension
  15. click Save
    Image
  16. Click the Scope tab and configure the scope to apply to any devices that will be running BlackBerry Protect on macOS Big Sur and later
  17. Install the BlackBerry Protect Desktop Agent version 1580 or update to the BlackBerry Protect Desktop Agent version 1580. This agent version has both the existing kernel driver (that runs in Catalina or earlier)
  18. Upgrade to macOS Big Sur
  •  Permissions granted via MDM do not display under System Preferences > Security & Privacy > Privacy tab.
  •  Although the Configuration Profile with FDA allowed for CylanceEsExtension is properly configured, Full Disk Access does not display as checked for CylanceEsExtension under System Preferences > Security & Privacy > Privacy tab > Full Disk Access.
    • To verify that CylanceEsExtension has been given Full Disk Access, open System Preferences > Profiles and verify it.

How to create a PPPC to provide Full Disk Access for the BlackBerry Protect system extension using Jamf Pro

Complete the following steps to create a PPPC configuration profile that provides Full Disk Access for the BlackBerry Protect system extension using Jamf Pro. These steps allow administrators to deploy the PPPC configuration profile that provides Full Disk Access for the BlackBerry Protect system extension to a targeted scope of enrolled computers.

  1. In Jamf Pro, select Computers > Configuration Profiles
    Image
  2. Click New
  3. In the name field, enter CylanceEndpointSecurity (PPPC)
  4. In the description field, enter Allow CylanceEndpointSecurity Full Disk Access
  5. For distribution method, select Install Automatically
  6. For level, select Computer Level
  7. Under options, select Privacy Preferences Policy Control
    Image
  8. Click Configure
  9. In the Identifier field, enter com.cylance.CylanceEndpointSecurity.extension
  10. For Identifier Type, select Bundle ID
  11. In the code requirement field, enter the following:
    identifier "com.cylance.CylanceEndpointSecurity.extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6ENJ69K633")
  12. Leave Validate the Static Code Requirement unchecked
  13. Click Add
    Image
  14. Under App or Service, select SystemPolicyAllFiles
    Image
  15. Under Access, select Allow
  16. Click Save
    Image
  17. Click the Scope tab at the top of the page
    Image
  18. Verify that the Configuration Profile is properly scoped and is applied to any macOS device running BlackBerry Protect
  19. Click Save
  20. Click Done

Manual Install - How to approve the Cylance System Extension and provide Full Disk Access

Complete the following steps to approve the Cylance System Extension and provide Full Disk Access.

  1. Install Cylance Protect for MacOS version 3.1.1000 or newer.
  2. During the install you should be prompted to approve the CylanceES Systems Extension.
       a) If you are not prompted you still need to take steps 3 through 4
    Image
  3. Click Open Security Preferences.
       b) This opens the System Preferences > Security & Privacy > General tab.
  4. Click the lock to authenticate if needed, then click Allow.
    Image
  5. Enable Full Disk Access:
        a) Select System Preferences > Security & Privacy > Privacy tab.
        b) Click the lock to authenticate if needed, then click Allow.
        c) Scroll down and click Full Disk Access.
        d) Check CylanceESExtension
        e) If showing, also check CylanceSvc.app
    Image
  6. CylanceUI requests permission to provide notifications.
    Image
  7. Click the notification to open the System Preferences > Notifications pane.
  8. Select Cylance UI, then toggle Allow Notifications.
    Image

Related Articles

  • MPSS Frequently Asked Questions (FAQs)
    Read More
  • Getting Started with MPSS
    Read More
  • MSS FMM: NSM - Frequently Asked Questions (FAQs)
    Read More

Categories

Managed Security Services
Endpoint Managed Detection and Response
MDR for Cylance
not finding your answers?
Ask the Community