Deploying VMware Carbon Black Cloud Sensor with Workspace ONE UEM

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial introduces you to the deployment of the Carbon Black Sensor manually and through Workspace ONE UEM on managed Windows 10 and macOS devices.

Carbon Black Cloud Sensor is a lightweight agent that protects the endpoint against threats and is part of the  VMware Carbon Black Cloud™, a cloud-native endpoint protection platform (EPP). Carbon Black Cloud Sensor combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.

There are several methods to install Carbon Black Sensor on Windows 10 and macOS, including:

  • Manual installation using an MSI file
  • Installation using the Workspace ONE Intelligent Hub Catalog
  • Over-the-air installation using the Workspace ONE UEM

Audience

This operational tutorial is intended for IT security professionals and Workspace ONE administrators of existing production environments. 

Both current and new administrators can benefit from using this tutorial. Familiarity with VMware Workspace ONE® UEM and VMware Carbon Black Cloud™, and knowledge of endpoint security and networking is assumed.

Prerequisites

Before you can perform the procedures in this exercise, verify that you have access to the following components:

  • Workspace ONE UEM with permissions to manage devices and applications
  • VMware Carbon Black Cloud management console access and admin account credentials
  • A Windows 10 or macOS device to test the integration

Obtaining installer and activation codes

Introduction

As the first step to deploying Carbon Black Sensor on an endpoint, you are required to obtain a code from the Carbon Black Cloud Console, and optionally a separate code to remove the software. The installation code represents the identifier used to connect the endpoint with the respective VMware Carbon Black Cloud environment tenant. 

There are three types of code:

  • Registration Code - A single code to install the sensor in multiple devices only via command line or distribution tools like Workspace ONE UEM
  • Activation Code - A unique code for a specific user to install the sensor via UI; the company code does not work when installing the sensor via UI
  • Deregistration Code - A unique code used to allow the Carbon Black sensor to be uninstalled

These codes are required later in this operational tutorial. Ensure that you have copied the codes or have them easily accessible.

Logging in to the VMware Carbon Black Cloud Console

To perform most of the steps in this exercise, you must first log in to the VMware Carbon Black Cloud Console.

1. Launch Chrome Browser

Launch Chrome Browser (confer app, security risk, suspicious activity, suspicious package

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the VMware Carbon Black Cloud Console

confer app, security risk, suspicious activity, suspicious package
  1. Enter your email address, for example, admin@company.com.
  2. Enter your password.
  3. Click Sign In.

Downloading Registration and Activation Codes

The following steps explain how to obtain the code required to install the Carbon Black Sensor.

1. Access Registration Codes

  1. Click Inventory.
  2. Click Endpoints.
  3. Click Sensor Options.
  4. Click Company Codes.

2. Copy Company Code

  1. (OPTIONAL) If the registration or deregistration code is missing, click the appropriate Generate New Code button.
  2. Copy the Registration Code, which is required for a later exercise to perform the installation via Workspace ONE.
  3. Copy the Deregistration Code, which is required for a later exercise to configure uninstallation via Workspace ONE.

3. (Optional) Request Activation Code for Sensor Deployment via UI Installer

This step is optional and is included to guide you through the required steps to install Carbon Black Cloud Sensor via UI Installer.

Configure Sensor options in VMware Carbon Black
  1. Click Inventory.
  2. Click Endpoints.
  3. Click Sensor Options.
  4. Click Send installation request.

3.1. Send Installation Request

Sensor Management in VMware Carbon Black
  1. Enter the First Name.
  2. Enter the Last Name.
  3. Enter an Email that will receive the activation code and link to download the installer.
  4. Click Send.
Sensor installation activation code in VMware Carbon Black

The user receives an email similar to the example shown, which includes the unique Activation Code to be used during the UI installation.

Downloading Sensor Kits

Download the Carbon Black Cloud Sensor installer for multiple platforms from the VMware Carbon Black Cloud Console, or email the sensor installer directly to the end user as part of the installation request process. 

The following steps illustrate how to download the Carbon Black sensors for macOS and Windows 10.

1. Access the Sensor Download

Download Sensor Kits on VMware Carbon Black Cloud console
  1. Expand Inventory and click Endpoints.
  2. Click Sensor Options.
  3. Click Download Sensor Kits.

2. Download the latest Carbon Black Sensor for macOS and Windows 10

Download Sensors for macOS and Windows 10 on VMware Carbon Black Cloud console.
  1. Click Download Kit for Windows 64-bit to obtain the installer for Windows 10.
  2. Click Download Kit for macOS 10.10-10.15, 11 to obtain the installer for macOS.
  3. Click Close.

Deploying Carbon Black Sensor for Windows 10

Introduction

To protect a Windows 10 endpoint, the Carbon Black Cloud Sensor for Windows 10 must be installed.

VMware Carbon Black Cloud Sensor (formerly CB Defense) acts as an agent on the endpoint. It communicates with the VMware Carbon Black Cloud to provide data to the analytics engine.

This section of the tutorial details how to deploy the Carbon Black sensor for Windows 10 through Workspace ONE UEM and manually.

Carbon Black Documentation

This section is specific to the scenario covered by the tutorial. As such, you may need to refer to Carbon Black documentation for scenarios outside the scope of this tutorial. You can find more information about the Windows 10 sensor at Carbon Black Cloud Sensor Installation Guide.

Deploying Carbon Black Cloud Sensor Manually on Windows 10

Launch the Carbon Black Cloud Sensor MSI to initiate the installation process and click Next until you receive a request to enter the activation code (Company Code). Although a unique code can be sent directly to the end user via email, this activity uses the global company code.

Install Carbon Black Cloud Sensor

Deploying Carbon black sensor on Windows 10
  1. Enter the Activation Code as obtained in Send Installation Request.
  2. Click Install.

After the installation is complete, the Carbon Black Cloud sensor runs as a service. Open Windows Services to confirm.

Note: The Registration Code cannot be used with this type of installation. You must use the Activation code sent via email.

Deploying Carbon Black Cloud Sensor as a Managed Application with Workspace ONE UEM

The Carbon Black Cloud sensor can be deployed as a managed application with Workspace ONE UEM, allowing the administrator to silently deploy the sensor across all managed devices.

From the Workspace ONE UEM Console, upload the Carbon Black Cloud Sensor MSI as an internal application.

Configure Sensor Deployment Options

Configure carbon black Sensor deployment options in Workspace ONE UEM console

Add the Carbon Black Cloud sensor as an internal application and configure the deployment options as follows:

  1. Set the Install Command as msiexec /i "installer_vista_win7_win8-64-3.5.0.1523.msi" /qn COMPANY_CODE=<REPLACE WITH YOUR REGISTRATION CODE> 
    Note
    : You can add /L*vx <file name> after /qn to the Install Command to obtain the installation log file to help with troubleshooting.
  2. Ensure Admin Privileges is set to YES. The Carbon Black Cloud sensor requires admin privileges for installation.
  3. Update the MSI file name as needed and replace the <REPLACE WITH YOUR CODE> tag with the previously obtained Company Code.
    All the other parameters related to the How to Install section are automatically set by Workspace ONE UEM.
  4. Click Save & Assign and assign the Carbon Black Cloud sensor application to the Assignment Groups that represent the devices that should have the sensor installed.

Note: The Company Code refers to the registration code as obtained in Access Registration Codes.

Deploying Carbon Black Sensor for macOS

Introduction

To protect a macOS endpoint, the Carbon Black Cloud Sensor for macOS must be installed. VMware Carbon Black Cloud Sensor (formerly CB Defense) acts as an agent on the endpoint. It communicates with the VMware Carbon Black Cloud to provide data to the analytics engine.

This section of the tutorial details how to deploy the Carbon Black sensor for macOS through Workspace ONE UEM and manually.

Note: The content in this portion of the Operational Tutorial might vary based on the specific version of macOS, Carbon Black Cloud, and Workspace ONE UEM. The content in this guide was created using macOS Big Sur 11.1, Workspace ONE UEM 2101, and the Carbon Black sensor version 3.5.1.19.

Notes on Extension Types

Starting with macOS 11, the Carbon Black Cloud macOS Sensor (v3.5.1) will operate by default in user-space via System Extensions (user-space) instead of Kernel Extensions (KEXTs) used in prior versions of the agent. As a result of this change, some functionality will be temporarily unavailable when using the sensor in System Extension mode on macOS 11 and later. Using the sensor in KEXT mode achieves the same functionality on macOS 11 as seen in older operating systems. A list of the differences in functionality can be found at macOS Big Sur Functionality Overview [Carbon Black].

Carbon Black Documentation

This section is specific to the scenario covered by the tutorial. As such, you may need to refer to Carbon Black documentation for any scenarios outside the scope of this guide. You can find more information about the macOS sensor at macOS Big Sur Documentation [Carbon Black]. Additionally, you can find more information in the Carbon Black Cloud Sensor Release Notes for version 3.5.1.19.

macOS Prerequisites for Deploying Carbon Black Cloud Sensor

By default, the Carbon Black sensor for macOS version 3.5.1.19 and later installs System Extensions on macOS Big Sur 11.0 and later. Prior to deploying the Carbon Black sensor for macOS, Workspace ONE administrators must configure a few prerequisites within macOS. These prerequisites ensure that the Carbon Black sensor has appropriate permissions granted prior to installation.

1. Add Profile

Add Profile for Carbon Black sensor in Workspace ONE UEM admin console.
  1. Click Add.
  2. Click Profile.

2. Select macOS Profile

Select macOS profile in Workspace ONE UEM admin console

Select macOS.

3. Select Device Profile

Select device profile in Workspace ONE UEM admin console.

Select Device Profile.

4. Configure General Tab

Configure Carbon black sensor profile in Workspace ONE UEM admin console.

Configure the General profile settings as necessary, but include the following:

  1. Enter a Name for the profile (such as Carbon Black Settings).
  2. Select Auto as the Assignment Type.
  3. Select an appropriate Smart Group.

Note: The smart groups that you select here should match the smart groups used for deploying the Carbon Black sensor installer to macOS Big Sur 11.0 (and later).

5. (If Required) Configure Kernel Extension Policy Payload

Configure Kernel Extension Policy in Workspace ONE UEM admin console

If you are deploying the Carbon Black cloud sensor in KEXT mode, Carbon Black recommends submitting the applicable Carbon Black Defense KEXT IDs for approval by Workspace ONE UEM before installing or upgrading macOS sensor version 3.5 and later.

  1. Enter kernel in the search box.
  2. Click Kernel Extension Policy.
  3. Click Configure.

6. (If Required) Enter Kernel Extension Policy Settings

Configure Kernel extensions in Workspace ONE UEM Admin console

If you are deploying the Carbon Black Cloud sensor in KEXT mode, complete the Kernel Extension Policy payload as follows:

  1. Enter the Carbon Black team identifier: 7AGZNQ2S2T
  2. Enter the Carbon Black Kernel Extension Bundle ID:  com.carbonblack.defense.kext

7. Configure System Extension Policy Payload

Configure Kernel Extension Policy in Workspace ONE UEM admin console

Carbon Black recommends submitting the applicable Carbon Black Defense System Extension IDs for approval by Workspace ONE UEM before installing or upgrading macOS sensor version 3.5 and later.  

  1. Enter system in the search box.
  2. Click System Extensions.
  3. Click Configure.

Note: If you are deploying the Sensor in KEXT mode, pre-staging the System Extension settings will prepare you for a later migration from KEXT to System Extensions.

8. Enter System Extension Policy Settings

Configure Kernel extensions in Workspace ONE UEM Admin console
  1. Enter the Carbon Black team identifier: 7AGZNQ2S2T
  2. Enter the Carbon Black System Extension Bundle ID:  com.vmware.carbonblack.cloud.se-agent.extension

9. Configure Privacy Preferences Payload

  1. Enter Privacy in the search box.
  2. Click Privacy Preferences.
  3. Click Configure.

10. Add App Privacy Preferences

Click Add App.

11. Configure Privacy Preferences

Configure privacy preferences for macOS profile in Workspace ONE UEM admin console

For the macOS sensor to operate at full functionality on an endpoint, the sensor must have full disk access on the endpoint. This payload grants the macOS sensor full disk access.

  1. Enter one Bundle Identifier from the following table.
  2. Select Bundle ID.
  3. Copy and paste the corresponding Code Identifier from the following table.
  4. Scroll down to the list of Services.
  5. Select Allow for System Policy All Files.
  6. Click Save.
  7. Repeat the process starting at Add App Privacy Preferences and define each additional Bundle Identifier and Code Requirement in the following table.
Bundle Identifier Code Requirement
com.vmware.carbonblack.cloud.daemon identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T" 
com.vmware.carbonblack.cloud.se-agent.extension identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T" 
com.vmware.carbonblack.cloud.osqueryi identifier "com.vmware.carbonblack.osqueryi" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
com.vmware.carbonblack.cloud.uninstall identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
com.vmware.carbonblack.cloud.uninstallerui identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

12. Review the Privacy Preferences

Getting Started > Getting Started

Ensure that all five Privacy Preferences have been added.

13. Configure Custom Settings Payload

Getting Started > Getting Started
  1. Enter Custom in the search box.
  2. Click Custom Settings.
  3. Click Configure.

14. Paste Custom Settings for Network Extension

Getting Started > Getting Started
  1. Copy and paste the following Custom Settings XML for the sensor's network extension.
  2. Click Save and Publish.
<dict>
    <key>FilterDataProviderBundleIdentifier</key>
    <string>com.vmware.carbonblack.cloud.se-agent.extension</string>
    <key>FilterDataProviderDesignatedRequirement</key>
    <string>identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"</string>
    <key>FilterPacketProviderBundleIdentifier</key>
    <string>com.vmware.carbonblack.cloud.se-agent.extension</string>
    <key>FilterPacketProviderDesignatedRequirement</key>
    <string>identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"</string>
    <key>FilterPackets</key>
    <true/>
    <key>FilterSockets</key>
    <true/>
    <key>FilterType</key>
    <string>Plugin</string>
    <key>PayloadDisplayName</key>
    <string>Web Content Filter</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.webcontent-filter.71C289AC-7ACF-44BC-AB5E-580736C634DF</string>
    <key>PayloadType</key>
    <string>com.apple.webcontent-filter</string>
    <key>PayloadUUID</key>
    <string>71C289AC-7ACF-44BC-AB5E-580736C634DF</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PluginBundleID</key>
    <string>com.vmware.carbonblack.cloud.se-agent</string>
    <key>UserDefinedName</key>
    <string>Carbon Black Network Extension Filter</string>
</dict>

15. Publish the Profile

Publish the macOS profile in Workspace ONE UEM admin console

Click Publish.

Deploying Carbon Black Cloud Sensor Manually on macOS with System Extensions

Launch the Carbon Black Cloud Sensor installation package to initiate the installation process. Click Next until you receive a request to enter the activation code (from the activation email, as shown in Request Activation Code for Sensor deployment via UI Installer). Although a unique code can be sent directly to the end user via email, this activity uses the global company code.

1. Launch Installer

Run VMware Carbon Black Cloud sensor installer on macOS
  1. Double-click the downloaded dmg, and then launch CbCloud Install.
  2. Click Allow in the run a program prompt.
  3. Click OK at the Privacy Preferences Prompt and grant the installer access to the necessary folder.
  4. Click Continue twice.

2. Accept Terms of Use

Agree to terms of use to install VMware Carbon Black Cloud sensor on macOS

Click Agree.

3. Enter Activation Code

  1. Enter the Activation Code from Send Installation Request.
  2. Click Continue then click Install.

Note: If prompted, enter the password for an administrative user.

4. Allow System Extensions (if not MDM Managed)

Robert’s Mac mini

Important: Steps 1-4 are required only if the device does not have the prerequisite MDM profile applied as specified in macOS Prerequisites for Deploying Carbon Black Cloud Sensor.

  1. Click Open Security Preferences on the System Extension Blocked message.
  2. Click the lock and enter administrative credentials to unlock the Security & Privacy screen.
  3. Click Allow to enable system extensions required by the sensor.
  4. Click Allow to enable network extensions required by the sensor.

5. Close the Installer

Close VMware Carbon Black cloud sensor installer on macOS

Click Close.

macOS Prerequisites for Deploying Carbon Black Cloud Sensor as a Managed Application

When creating a non-store, managed application for macOS in Workspace ONE, admins must supply the icon file, installer (dmg or pkg), and metadata file. The metadata file contains details allowing the Workspace ONE Intelligent Hub for macOS to determine if the managed application is installed and if the installed application is the correct version.  

Before configuring the Sensor kit deployment, you must generate the required icon and metadata file with the Workspace ONE Admin Assistant application. Additionally, the sensor kit deployment package structure requires some additional modification to the metadata (PLIST) file before deployment. 

This section demonstrates how to parse the sensor kit and modify the PLIST file to correctly distribute the Carbon Black Cloud sensor as a managed application.

1. Drag and Drop Sensor Kit to Workspace ONE Admin Assistant

Place Sensor Kit onto Workspace ONE Administrative Assistant in macOS

Open the Workspace ONE Administrative Assistant, and drag the Sensor Kit (confer_installer_mac-<version>.dmg) downloaded from the Carbon Black cloud onto the Workspace ONE Admin Assistant.

2. Reveal Output in Finder

Click Reveal in Finder when complete.

3. Open the PLIST for Modifications

  1. Expand the CBCloud Install-<version> folder and right-click CBCloud Install-<version>.plist.
  2. Click Open With.
  3. Select the editor of your choice, such as BBEdit, Visual Studio Code, Xcode, or TextEdit.

Note: For the remainder of this tutorial, text editing and manipulation examples are shown in BBEdit.

4. Make Modifications to the PLIST

Add the following XML snippets to the file between the outer <dict></dict> tags as shown in the previous screenshot.

Installs Array:

  • Modify the values for CFBundleShortVersionString and CFBundleVersion to match the version you are deploying.
	
<key>installs</key>
	<array>
		<dict>
			<key>CFBundleIdentifier</key>
			<string>com.vmware.carbonblack.cloud.se-agent</string>
			<key>CFBundleName</key>
			<string>VMware CBCloud</string>
			<key>CFBundleShortVersionString</key>
			<string>3.5.1fc19</string>
			<key>CFBundleVersion</key>
			<string>3.5.1fc19</string>
			<key>minosversion</key>
			<string>10.15</string>
			<key>path</key>
			<string>/Applications/VMware Carbon Black Cloud/VMware CBCloud.app</string>
			<key>type</key>
			<string>application</string>
			<key>version_comparison_key</key>
			<string>CFBundleShortVersionString</string>
		</dict>
	</array>

Note
You must replace the
CFBundleShortVersionString and CFBundleVersion values in the installs array if those are different for the particular version of the sensor you are deploying. 

Alternatively, you can generate the installs array in one of the following ways:

  1. Export VMware CBCloud.app from the installer package (using an app such as Suspicious Package) and run VMware CBCloud.app through the Workspace ONE Admin Assistant app. The PLIST generated in this instance contains the appropriate installs array information.
  2. If the Carbon Black sensor kit is installed on the machine with Workspace ONE Admin Assistant, copy VMware CBCloud.app to your ~/Downloads directory (cp -R /Applications/VMware\ Carbon\ Black\ Cloud\VMware CBCloud.app ~/Downloads) and then parse ~/Downloads/VMware CBCloud.app through the Workspace ONE Admin Assistant app. The PLIST generated in this instance contains the appropriate installs array information.

If you use VMware CBCloud.app to generate an installs array, ensure you only copy the installs array (and no other key-value pairs) into the CBCloud Install-<version>.plist file.

5. Save and Close

Save and Close the modified PLIST in your editor of choice.

Deploying Carbon Black Cloud Sensor as a Managed Application with Workspace ONE UEM

With the PLIST file modified and the prerequisites deployed, a Workspace ONE administrator is ready to deploy the Carbon Black cloud sensor to an enrolled macOS device.

1. Add Application

Add application for Carbon Black cloud sensor in Workspace ONE UEM admin console

In the Workspace ONE UEM admin console, perform the following steps:

  1. Click Resources.
  2. Expand Apps and click Native.
  3. Click Internal.
  4. Click Add.
  5. Click Application File.

2. Upload App

Click Upload.

3. Choose and Save File

Select Carbon Black cloud sensor for macOS in the Workspace ONE UEM admin console
  1. Click Choose File. Browse to the confer_installer_mac-<version>.dmg  file generated by the Workspace ONE Admin Assistant and click Choose.
  2. Click Save.
  3. Click Continue.

4. Upload Metadata File

Select the PLIST file for Carbon black cloud sensor for macOS in the Workspace ONE UEM admin console
  1. Click Upload.
  2. Click Choose File. Browse to the CbDefense Install-<version>.plist  file generated by the Workspace ONE Admin Assistant and click Choose.
  3. Click Save.
  4. Click Continue.

5. Add Image for App Install

Drag the CBCloud Install.png graphic to the Workspace ONE UEM console.

6. Add Preinstall Script

Edit script to install Carbon black cloud sensor for macOS
  1. Select the Scripts tab.
  2. Paste the following Script into the Pre-Install Script making sure to replace the Code value with your Registration Code as obtained in Access Registration Codes.

Note: The pre-install script is used to populate a configuration file that is read/consumed by the Carbon Black sensor kit installation.  

Option 1:  Basic Pre-Install Script For System Extension Install

This option includes the bare minimum required information (the Registration Code) to install the Carbon Black Cloud Sensor for macOS.  

#!/bin/bash
PATH="/var/cbcloud-install"
/bin/mkdir -p "$PATH"
/usr/bin/touch "$PATH/cfg.ini"
/bin/cat > "$PATH/cfg.ini" <<- EOM
[customer]
Code=12345
DisableSysextNetworkExtension=false
KernelType=2
EOM

Option 2:  Basic Pre-Install Script For Kernel Extension Install

This option includes the bare minimum required information (the Registration Code) to install the Carbon Black Cloud Sensor for macOS.  

#!/bin/bash
PATH="/var/cbcloud-install"
/bin/mkdir -p "$PATH"
/usr/bin/touch "$PATH/cfg.ini"
/bin/cat > "$PATH/cfg.ini" <<- EOM
[customer]
Code=12345
KernelType=1
EOM

Option 3: Advanced Pre-Install Script 

The following contains a pre-install script with additional values that can be used to customize the Sensor installation. Use these at your discretion and refer to the Carbon Black documentation for the proper usage and parameter values.

#!/bin/bash
PATH="/var/cbcloud-install"
/bin/mkdir -p "$PATH"
/usr/bin/touch "$PATH/cfg.ini"
/bin/cat > "$PATH/cfg.ini" <<- EOM
[customer]
Code={COMPANY_CODE}
ProxyServer={PROXY_SERVER}
ProxyServerCredentials={PROXY_CREDS}
LastAttemptProxyServer={LAST_ATTEMPT_PROXY_SERVER}
PemFile={customer.pem}
AutoUpdate={true|false}
AutoUpdateJitter={true|false}
InstallBypass={true|false}
FileUploadLimit={FILE_UPLOAD_LIMIT}
GroupName={GROUP_NAME}
EmailAddress={USER_NAME}
BackgroundScan={true|false}
RateLimit={RATE_LIMIT}
ConnectionLimit={CONNECTION_LIMIT}
QueueSize={QUEUE_SIZE}
LearningMode={LEARNING_MODE}
{POC=1}
CbLRKill={true|false}
HideCommandLines={true|false}
DisableSysextNetworkExtension={true|false}
KernelType={1|2} #1=KEXT,2=SysExt
EOM

7. Add Uninstall Script

Define uninstall script for carbon black cloud sensor for macOS in Workspace ONE UEM admin console
  1. Scroll to the Uninstall Scripts section.
  2. Choose Uninstall Script as the uninstall method.
  3. Ensure your script is ready, then paste the uninstall script (including the Deregistration Code found in Access Registration Codes) in the Uninstall Script section.

Uninstall Script:

#!/bin/sh
/Applications/VMware\ Carbon\ Black\ Cloud/uninstall.bundle/Contents/MacOS/uninstall -y -y -c {Deregistration_Code}

8. Set Deployment Options

  1. Select No for Blocking Applications.
  2. If deploying the sensor with System Extensions, select None for the Restart Action. If deploying the sensor using KEXTs, choose the appropriate restart action.
  3. Click Save and Assign.

Note: Blocking Apps should be set to NO as the end user does not need to be prompted to close any Carbon Black applications. This is all handled by the Workspace ONE Intelligent Hub and the Carbon Black sensor installer.

9. Configure Distribution

Distribution settings for Carbon Black cloud sensor for macOS
  1. Enter a name for the Distribution, such as All Macs.
  2. Select Assignment Groups containing the devices that should receive the Carbon Black cloud sensor.
  3. Select Auto.
  4. Determine if you want the user to see the Carbon Black install in their App Catalog. In most cases, this can be Disabled.

10. Configure Restrictions and Create

Configure Restrictions for carbon black cloud sensor for macOS
  1. Click Restrictions.
  2. Enable Remove on Unenroll.
  3. Enable Desired State Management.
  4. Click Create.

11. Save Assignment

Configure exclusions and assignments for Carbon Black cloud sensor for macOS
  1. If required, click Exclusions to add exclusions to the assignments.
  2. If required, click Add Assignment and repeat the steps starting at Configure Distribution.
  3. If required, adjust the priority for the assignments.
  4. Click Save.

12. Publish Assignment

Publish assignments for Carbon Black Cloud sensor for macOS

Review the assignment Preview and click Publish.

Confirming Carbon Black Sensor Installation

Introduction

In this section, confirm that the Carbon Black Cloud Sensor has deployed successfully to chosen devices.

Using Carbon Black Console to confirm installation

In this activity, use the VMware Carbon Black Cloud Console to confirm that the Carbon Black Cloud sensor was deployed to the endpoints.

1. Confirm Sensor Deployment in VMware Carbon Black Cloud Console

Confirm deployment of Carbon Black cloud sensor

To confirm the installation of Carbon Black Cloud sensor on the endpoints, log in to the VMware Carbon Black Cloud Console and under Inventory/EndPoints, review the list of the endpoints that checked-in with Carbon Black.

You can identify the endpoint status for each. Green means the device is in communication with VMware Carbon Black Cloud.

Using Workspace ONE UEM to confirm installation

In this activity, you use the Workspace ONE UEM Admin Console to confirm that the sensor was installed as a managed application on assigned devices.

1. Confirm Sensor Installed as a Managed Application

Confirm carbon black cloud sensor installed as a managed application in Workspace ONE UEM admin console
Confirm carbon black cloud sensor installed as a managed application in Workspace ONE UEM admin console
  1. In the Workspace ONE UEM Console, navigate to Devices > List View.
  2. Select a device and click Apps to confirm that the Carbon Black Cloud Sensor is installed as a managed application on the devices you assigned.

Confirming Sensor Install on Windows 10

In this activity, validate that the Carbon Black Cloud Sensor for Windows has installed successfully.

1. Validate UI for Sensor Install

Locate carbon black cloud sensor on Windows task bar

Locate the Carbon Black Cloud Sensor on the Windows Task Bar.

2. Review Logging

The installation log is available under the temp folder defined for the endpoint. You can access this folder using the %TEMP% variable through Windows Explorer or command line. The default name for the log file is log.txt or the named defined when using the /L parameter during installation.

Review the log for a note about the Install of CbDefense was successful.

A confer-temp.log file is also generated under the temp folder, which shows the sensor registration attempts to the cloud. These two log files are required for troubleshooting installation and upgrade issues.

Confirming VMware Carbon Black Sensor Install on macOS

In this activity, validate that the Carbon Black Cloud Sensor for macOS has installed successfully.

1. Validate UI for Sensor Install

Open Confer app in macOS to confirm installation of Carbon Black Cloud sensor for macOS
  1. Open Finder and click Applications.
  2. Ensure that the VMware Carbon Black Cloud folder is present and contains the Sensor app and bundles.
  3. You might also see the Confer menulet in the menu bar.

2. Review Logging

Review log to confirm if the Carbon Black Cloud sensor for macOS was installed
  1. Open Terminal.App and enter the following command:   tail -50 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log
  2. Review the log for a note stating that the Install of CbDefense was successful.

If the sensor appears to not be installing, or is installing repeatedly, you may need to adjust the metadata PLIST to include an installs array (as covered in Make Modifications to the PLIST).

3. Review RepCLI Output

  1. Open Terminal.app and enter the following command:   cd /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS
  2. Enter the following command (and the administrative password if prompted):  sudo ./repcli status
  3. Observe the values for System Extension Status, Sensor State, and Cloud Registration Status.

If the System Extensions are not loading, ensure that you have staged the correct profile payloads as covered in macOS Prerequisites for Deploying Carbon Black Cloud Sensor.

If the Kernel Extensions are not loading in macOS Big Sur, you might need to rebuild the kernel cache as shown in the next step.

4. Rebuild Kernel Cache (If Necessary)

If you have installed the Carbon Black Cloud Sensor for macOS in KEXT mode and the KEXTs are not loading, you can try to load them by Rebuilding the Kernel Extension Cache.  

  1. Click Devices.
  2. Click List View.
  3. Select the device that needs the kernel cache rebuilt.
  4. Click More Actions.
  5. Click Custom Command.
  6. Paste the command XML from the following example, making sure to add the full list of KextPaths into the array, or remove the key and the array of values.
  7. Click Send.

Note: If you send the KextPaths key, you must include the Carbon Black KEXT path, as well as any other paths you want to include in the Kernel Cache Rebuild. If you do not specify the KextPaths key, macOS attempts to rebuild the cache with any known kernel extensions (for example, from Apps that have been launched and attempted to load a KEXT).

CUSTOM COMMAND TO REBUILD THE KERNEL CACHE WITH A SPECIFIC LIST OF KEXTS:


<dict>
	<key>RebuildKernelCache</key>
	<true/>
	<key>KextPaths</key>
	<array>
		<string>/Library/Extensions/CbDefenseSensor.kext</string>
		<string>/Library/Extensions/SomeOtherExtension.kext</string>
	</array>
	<key>RequestType</key>
	<string>RestartDevice</string>
</dict>
CUSTOM COMMAND TO REBUILD THE KERNEL CACHE WITH CURRENTLY KNOWN KEXTS:


<dict>
	<key>RebuildKernelCache</key>
	<true/>
	<key>RequestType</key>
	<string>RestartDevice</string>
</dict>

Summary and Additional Resources

Conclusion

This operational tutorial provided steps on how to protect Windows 10 and macOS devices by deploying Carbon Black Sensor manually, and as a managed application with Workspace ONE UEM.

Procedures included:

  • Configuring prerequisites
  • Deploying the Carbon Black Cloud Sensor on Windows 10 and macOS
  • Validating the installation

For more information about Workspace ONE, see Workspace ONE Documentation.

Additional Resources

As a next step, check out the Integrating Workspace ONE Intelligence and VMware Carbon Black Cloud: Workspace ONE Operational Tutorial and learn how to integrate Carbon Black Cloud and Workspace ONE Intelligence to obtain threat insights and extend threat remediation with the Workspace ONE Intelligence Automation engine. 

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management activity path. The content in this path helps you establish a basic understanding of Windows 10 management in the following categories:

For more information on Managing macOS Devices with Workspace ONE, see the Understanding macOS Management activity path. The content in this path helps you establish a basic understanding of macOS management in the following categories:

Change Log

The following updates were made to this guide:

Date Change
2021/04/29
  • First release

About the Authors and Contributors

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware

Contributors to this tutorial:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User Computing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

Workspace ONE Carbon Black Cloud Workspace ONE Intelligence Workspace ONE UEM Document Operational Tutorial Intermediate macOS Windows 10 Deploy Windows Delivery