Integrating Workspace ONE Intelligence and VMware Carbon Black: Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. VMware Workspace ONE® Intelligence™ is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give you complete visibility into the entire environment, including an automated workflow process that leverages the Automation engine to take actions against the devices managed by Workspace ONE UEM, and integrated actions with third-party tools.

The VMware Carbon Black Cloud™ is a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.

In today’s environment, merely blocking known malware is obsolete. Cybercriminals continually learn how to obscure their actions amid the ever-growing activity within your organization. Polymorphic ransomware and file-less attacks are growing in prevalence, so legacy approaches to prevention leave you vulnerable.

In this tutorial, learn how to configure the integration between Workspace ONE Intelligence and VMware Carbon Black to obtain threat insights and extend threat remediation with the Workspace ONE Intelligence Automation engine.

Watch the Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine - Technical Overview video, which discusses all the steps you will go through in this tutorial.

Audience

This operational tutorial is intended for IT security professionals and Workspace ONE administrators of existing production environments. Familiarity with Workspace ONE Intelligence, Workspace ONE UEM, VMware Carbon Black Cloud, and knowledge of endpoint security and networking is assumed. Knowledge of additional tools and technologies such as Postman and REST API is also helpful.

Prerequisites

Before you can perform the procedures in this exercise, verify that you have access to the following components:

  • Workspace ONE UEM with permissions to manage devices and applications, and Workspace ONE Intelligence enabled.
  • Workspace ONE Intelligence with admin account credentials and the Administrator role assigned.
  • VMware Carbon Black Cloud management console and admin account credentials with permissions to configure API Keys and Notifications.
  • A Windows 10 device to test the integration.

Configuring VMware Carbon Black Cloud Prerequisites

Introduction

The integration between VMware Carbon Black Endpoint Standard and Workspace ONE Intelligence is based on REST API, which requires the creation of two sets of API Keys in VMware Carbon Black Cloud Console to allow Workspace ONE Intelligence to extract the list of reported alerts (threats).

The types of alerts to be reported are configured in VMware Carbon Black as notifications, allowing the administrator to specify the types of alerts to be reported to Workspace ONE Intelligence.

In this activity, you validate and configure the prerequisites on VMware Carbon Black Cloud Console that will be used to integrate with Workspace ONE Intelligence in a later exercise.

Logging In to the VMware Carbon Black Cloud Console

To perform most of the steps in this exercise, you must first log in to the VMware Carbon Black Cloud Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the VMware Carbon Black Cloud Console

  1. Enter your email address, for example, admin@company.com.
  2. Enter your password.
  3. Click Sign In.

Creating API Keys

The VMware Carbon Black Open API platform enables you to integrate with a variety of security products including SIEMs (security information and event management), ticket tracking systems, and your own custom scripts.

When creating your API keys, you should understand the following limitations and implications:

  • SIEM API keys can receive notifications only through the notifications API. Use a SIEM API key to configure the Intelligence integration.
  • API keys can call any API except for the notifications and Live Response API. Live Response API keys can call any API except for the notifications API.
  • API keys inherit the permissions that are available to the user. Treat the API ID and API secret keys on the API keys page the same as your VMware Carbon Black Cloud console login password.

To integrate with Workspace ONE Intelligence, two sets of API Keys are required: one with API Access Level and another with SIEM Access Level.

Workspace ONE Intelligence uses only the SIEM API Key to connect with VMware Carbon Black and obtain the threat information; the second key (API Key) is not used during that communication. However, the second key is still required by Workspace ONE Intelligence when you configure the integration with VMware Carbon Black.

1. Add API Key with SIEM Access Level

  1. Click Settings.
  2. Click API Keys.
  3. Click + Add API Key.

2. Configure SIEM API Key

  1. Enter SIEM Key for Workspace ONE Intelligence integration for API Key Name.
  2. Select SIEM for Access Level.
  3. Click Save.

3. Save SIEM API Key information

A dialog box appears with the API ID and API Secret Key generated. Save both in a file and name it SIEM API Key; the keys will be used later in Workspace ONE Intelligence.

Click X to close the dialog box.

The SIEM API Key is listed as part of the API KEYS List.

4. Add API Key with API Access Level

Click + Add API Key.

5. Configure API Key

  1. Enter API-WS1 for API Key Name.
  2. Ensure API is set for Access Level.
  3. Click Save.

6. Save API Key information

A dialog box appears with the API ID and API Secret Key generated. Save both in a file and name it API Key; the keys will be used later in Workspace ONE Intelligence.

Click X to close the dialog box.

7. Confirm API and SIEM Key Creation

Confirm that both API Keys are listed under the API Keys page.

Configuring Notifications

Workspace ONE Intelligence obtains the threats generated in VMware Carbon Black Cloud through notifications, which can be configured to send emails to individuals or to deliver alerts to connected systems, such as Workspace ONE Intelligence, via API keys.

Notifications are generated based on the detection of an alert or policy action. Workspace ONE Intelligence obtains the alerts based on the notification that your SIEM API Key is subscribed to.

In this activity, you learn how to subscribe the API Keys to notifications for Alerts and Policy Actions.

1. Add Notification

  1. Click Settings.
  2. Click Notifications.
  3. Click + Add Notification.

In the following steps, you create three different types of notifications. For each one, you must use the + Add Notification button.

2. Add Notifications for Policy Actions Terminated

  1. Enter Global Policy Action Terminate Notification for Notification Name.
  2. Select Policy Action is enforced for When do you want to be notified?
  3. Select Terminate.
  4. Select All policies for Policy.
  5. Add your SIEM API Key previously created for How do you want to be notified?
  6. Click Add.

3. Add Notifications for Policy Actions Denied

  1. Enter Global Policy Action Denied Notification for Notification Name.
  2. Select Policy Action is enforced for When do you want to be notified?
  3. Select Deny.
  4. Select All policies for Policy.
  5. Add your SIEM API Key previously created for How do you want to be notified?
  6. Click Add.

4. Add Notifications for Alert Crosses a Threshold

  1. Enter Global Alert Notification for Notification Name.
  2. Select Alert crosses a threshold for When do you want to be notified?
  3. Select Threat, Observed, and set Alert Severity to 1.
  4. Select All policies for Policy.
  5. Add your SIEM API Key previously created for How do you want to be notified?
  6. Click Add.

5. Confirm Notifications are Created

Confirm that you have the three notifications created as part of the Notifications List. They will be used by Workspace ONE Intelligence to query the respective notifications and report the generated alerts to Workspace ONE Intelligence.

Troubleshooting Tips

You can access the notification history for each notification policy and identify the events generated. Workspace ONE Intelligence queries each notification only once to obtain the threat details and stores the data.

Consider the following steps if you do not see threat events in Workspace ONE Intelligence after the integration is complete and threat events have been generated on the endpoint.

1. Access the Notification History

Click the Notification History icon to identify the respective notification for events generated.

2. Filter the Notification Status

A filter can be used to display the notifications and respective status based on the time frame.

  • SCHEDULED status - notification was created but not yet queried by Workspace ONE Intelligence.
  • SENT status - notification was queried by Workspace ONE Intelligence.
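As an added example (not part of this tutorial or of any VMware product), the following Python script pulls the notifications pending for a SIEM key the way Workspace ONE Intelligence does and sorts them into the three notification rules created above; it assumes the v3 endpoint path, the X-Auth-Token header format (API Secret Key/API ID) and the JSON field names shown in the constructed sample, so check them against the Carbon Black Cloud API documentation. Because each notification is delivered only once (SCHEDULED becomes SENT), run it only with a separate SIEM key created for troubleshooting, never with the key subscribed for Intelligence.

```python
import json
import urllib.request
from dataclasses import dataclass

# Assumed endpoint path of the Carbon Black Cloud notifications API (v3).
NOTIFICATIONS_PATH = "/integrationServices/v3/notification"


@dataclass
class Finding:
    event_id: str
    kind: str        # "ALERT", "POLICY_TERMINATE", "POLICY_DENY" or "OTHER"
    device: str
    severity: int    # threat score for alerts, 0 for policy actions
    summary: str


def fetch_notifications(base_url: str, api_id: str, api_secret: str, timeout: int = 30) -> list:
    """Pull the notifications pending for this SIEM key. Each one is handed out once,
    so use a key created for troubleshooting, not the key subscribed for Intelligence."""
    req = urllib.request.Request(
        base_url.rstrip("/") + NOTIFICATIONS_PATH,
        headers={"X-Auth-Token": f"{api_secret}/{api_id}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.load(resp)
    if not body.get("success", False):
        raise RuntimeError(f"notifications API error: {body.get('message', 'unknown')}")
    return body.get("notifications", [])


def classify(note: dict) -> Finding:
    """Map one notification onto the three notification rules created in the tutorial."""
    event_id = note.get("eventId") or json.dumps(note, sort_keys=True)
    device = note.get("deviceInfo", {}).get("deviceName", "unknown-device")
    kind, severity, summary = "OTHER", 0, note.get("ruleName", "")
    if note.get("type") == "THREAT":                       # Global Alert Notification
        info = note.get("threatInfo", {})
        kind, severity = "ALERT", int(info.get("score", 0))
        summary = info.get("summary", summary)
    elif note.get("type") == "POLICY_ACTION":              # Terminate / Deny notifications
        action = note.get("policyAction", {})
        verb = str(action.get("action", "")).upper()
        if verb in ("TERMINATE", "DENY"):
            kind = "POLICY_" + verb
        summary = f"{verb or 'policy action'} {action.get('applicationName', '?')}"
    return Finding(event_id, kind, device, severity, summary)


def triage(notifications: list, min_severity: int = 1) -> list:
    """Drop repeated deliveries and alerts below the severity threshold configured on
    the Global Alert Notification (1 in the tutorial, so every alert passes)."""
    seen, findings = set(), []
    for note in notifications:
        finding = classify(note)
        if finding.event_id in seen:
            continue
        seen.add(finding.event_id)
        if finding.kind == "ALERT" and finding.severity < min_severity:
            continue
        findings.append(finding)
    return findings


def findings_per_device(findings: list) -> dict:
    """Count findings per device name, the grouping an Intelligence automation acts on."""
    counts = {}
    for finding in findings:
        counts[finding.device] = counts.get(finding.device, 0) + 1
    return counts


# Constructed sample response (not captured from a tenant) in the field layout assumed above.
SAMPLE_RESPONSE = {
    "success": True,
    "message": "Success",
    "notifications": [
        {"eventId": "evt-0001", "type": "THREAT", "ruleName": "Global Alert Notification",
         "eventTime": 1612345678000,
         "deviceInfo": {"deviceId": 101, "deviceName": "WIN10-LAB-01"},
         "threatInfo": {"incidentId": "inc-0001", "score": 7,
                        "summary": "Unknown application launched a script interpreter"}},
        {"eventId": "evt-0002", "type": "POLICY_ACTION",
         "ruleName": "Global Policy Action Terminate Notification", "eventTime": 1612345700000,
         "deviceInfo": {"deviceId": 101, "deviceName": "WIN10-LAB-01"},
         "policyAction": {"action": "TERMINATE", "applicationName": "sample.exe"}},
        {"eventId": "evt-0003", "type": "POLICY_ACTION",
         "ruleName": "Global Policy Action Denied Notification", "eventTime": 1612345710000,
         "deviceInfo": {"deviceId": 102, "deviceName": "WIN10-LAB-02"},
         "policyAction": {"action": "DENY", "applicationName": "sample.exe"}},
    ],
}
# A repeated delivery of evt-0001, which triage() must not count twice.
SAMPLE_RESPONSE["notifications"].append(dict(SAMPLE_RESPONSE["notifications"][0]))

if __name__ == "__main__":
    # Live use: fetch_notifications("https://<your API URL>", "<API ID>", "<API Secret Key>")
    for finding in triage(SAMPLE_RESPONSE["notifications"]):
        print(finding)
    print(findings_per_device(triage(SAMPLE_RESPONSE["notifications"])))
```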

Integrating Workspace ONE Intelligence and VMware Carbon Black

Introduction

Workspace ONE Intelligence extracts the events from VMware Carbon Black based on the alerts subscribed to by the previously configured SIEM API key. This allows the administrator to get insights through dashboards on the threats reported, and also to leverage Intelligence automation to take action against the device and extend the threat remediation.

In this activity, you configure the VMware Carbon Black integration with Workspace ONE Intelligence.

Configuring VMware Carbon Black Integration in Workspace ONE Intelligence

Before you can integrate VMware Carbon Black with Workspace ONE Intelligence, you must launch the Workspace ONE Intelligence console. The VMware Carbon Black integration is available as part of the Trust Network integration in Workspace ONE Intelligence.

1. Launch Workspace ONE Intelligence Console

From the Workspace ONE UEM Console:

  1. Click the Square menu icon.
  2. Select Workspace ONE Intelligence.

2. Set Up VMware Carbon Black Integration

  1. Click Integrations under Settings.
  2. Click Trust Network.
  3. Click Set Up on the Carbon Black card.

3. Configure the Carbon Black Integration

  1. Enter the Base URL, which is the API URL for your respective VMware Carbon Black environment. To obtain the correct API URL, see PSC: What URLs are used to access the APIs? in the VMware Carbon Black Community.

Next, add the API Key information related to the previously created SIEM API Key:

  1. For the SIEM Connector ID, add the SIEM API Key – this is the key that has SIEM API Access Level.
  2. For the SIEM Key, add the SIEM API Secret Key related to the SIEM API Key.

Finally, add the API Key information related to the API Key previously created with API Access Level:

  1. For the API Connector ID, add the API ID of the key created with API Access Level.
  2. For the API Key, add the API Secret Key related to the API Key with API Access Level.
  3. Click Authorize.

Note: Workspace ONE Intelligence uses only the SIEM Keys; the API Keys requested today are reserved for future use.

4. Confirm that the Integration is Successful

An Authorized Status displays on the Carbon Black card – this confirms that Workspace ONE Intelligence can communicate with the respective VMware Carbon Black Cloud environment.

From this point Workspace ONE Intelligence will query Carbon Black Notifications using REST API to obtain threat alerts generated on the devices.

Note: If multiple communication attempts from Workspace ONE Intelligence to Carbon Black fail, the connection is automatically deauthorized by Workspace ONE Intelligence and the administrator must access the console to reauthorize.

Downloading Codes and Sensor Kits

Introduction

The sensor install and removal processes require a code. This code represents the identifier used to connect the endpoint with the respective VMware Carbon Black Cloud environment tenant.

There are three types of code:

  • Registration Code - a single code to install the sensor on multiple devices; it works only via command line or distribution tools such as Workspace ONE UEM.
  • Activation Code - a unique code for a specific user to install the sensor via UI; the company code does not work when installing the sensor via UI.
  • Deregistration Code - a unique code used to allow the uninstall of the Carbon Black sensor.

These codes are required later in this operational tutorial. Ensure that you have copied the codes or have them easily accessible.

Downloading Registration and Activation Codes

The following steps explain how to obtain the code required to install the Carbon Black Sensor.

1. Access Registration Codes

  1. Click Inventory.
  2. Click Endpoints.
  3. Click Sensor Options.
  4. Click Company Codes.

2. Copy Company Code

  1. OPTIONAL: If the registration or deregistration code is missing, click the appropriate Generate New Code button.
  2. Copy the Registration Code which is required for a later exercise to perform the installation via Workspace ONE.
  3. Copy the Deregistration Code which is required for a later exercise to configure uninstallation via Workspace ONE.

3. (Optional) Request Activation Code for Sensor deployment via UI Installer

This step is optional and is included to guide you through the required steps to install Carbon Black Cloud Sensor via UI Installer.

Configure Sensor options in VMware Carbon Black
  1. Click Inventory.
  2. Click Endpoints.
  3. Click Sensor Options.
  4. Click Send installation request.

3.1. Send Installation Request

Sensor Management in VMware Carbon Black
  1. Enter the First Name.
  2. Enter the Last Name.
  3. Enter an Email that will receive the activation code and link to download the installer.
  4. Click Send.

Sensor installation activation code in VMware Carbon Black

The user receives an email similar to the example shown, which includes the unique Activation Code to be used during the UI installation.

Downloading Sensor Kits

Download the Carbon Black Cloud Sensor installer for multiple platforms from the VMware Carbon Black Cloud Console or email the sensor installer directly to the end user as part of the installation request process.

The following steps illustrate how to download the Carbon Black sensors for macOS and Windows 10.

1. Access the Sensor Download

Download Sensor Kits on VMware Carbon Black Cloud console
  1. Expand Inventory and click Endpoints.
  2. Click Sensor Options.
  3. Click Download Sensor Kits.

2. Download the latest Carbon Black Sensor for macOS and Windows 10

Download Sensors for macOS and Windows 10 on VMware Carbon Black Cloud console.
  1. Click Download Kit for Windows 64-bit to obtain the installer for Windows 10.
  2. Click Download Kit for macOS 10.10-10.15, 11 to obtain the installer for macOS.
  3. Click Close.

Deploying Carbon Black Sensor for Windows 10

Introduction

To protect the endpoint, the Carbon Black Cloud sensor must be installed.

VMware Carbon Black Cloud sensor (formerly CB Defense) acts as an agent on the endpoint; it communicates with the VMware Carbon Black Cloud to provide data to the analytics engine.

Deploying Carbon Black Cloud Sensor Manually on Windows 10

Launch the Carbon Black Cloud Sensor MSI to initiate the installation process and click Next until you receive a request to enter the activation code (Company Code). Although a unique code can be sent directly to the end user via email, this activity uses the global company code.

Install Carbon Black Cloud Sensor

Deploying Carbon black sensor on Windows 10
  1. Enter the Activation Code as obtained in Send Installation Request.
  2. Click Install.

After the installation is complete, the Carbon Black Cloud sensor runs as a service. Open Windows Services to confirm.

Note: The Registration Code cannot be used with this type of installation. You must use the Activation code sent via email.

Deploying Carbon Black Cloud Sensor as a Managed Application with Workspace ONE UEM

The Carbon Black Cloud sensor can be deployed as a managed application with Workspace ONE UEM allowing the administrator to silently deploy the sensor across all managed devices.

From the Workspace ONE UEM Console, upload the Carbon Black Cloud Sensor MSI as an internal application.

Configure Sensor Deployment Options

Configure carbon black Sensor deployment options in Workspace ONE UEM console

Add the Carbon Black Cloud sensor as an internal application and configure the deployment options as follows:

  1. Set the Install Command as msiexec /i "installer_vista_win7_win8-64-3.5.0.1523.msi" /qn COMPANY_CODE=<REPLACE WITH YOUR REGISTRATION CODE>
     Note: You can add /log <file name> to the Install Command to obtain the installation log file to help with troubleshooting.
  2. Ensure Admin Privileges is set to YES - Carbon Black Cloud sensor requires admin privileges for installation.
  3. Update the MSI file name as needed and replace the <REPLACE WITH YOUR REGISTRATION CODE> tag with the previously obtained Company Code.
     All the other parameters related to the How to Install section are automatically set by Workspace ONE UEM.
  4. Click Save & Assign and assign the Carbon Black Cloud sensor application to the Assignment Groups that represent the devices that should have the sensor installed.

Note: The Company Code refers to the registration code as obtained in Access Registration Codes.

Deploying Carbon Black Sensor for macOS

Introduction

To protect the endpoint, the Carbon Black Cloud sensor must be installed. VMware Carbon Black Cloud sensor (formerly CB Defense) acts as an agent on the endpoint; it communicates with the VMware Carbon Black Cloud to provide data to the analytics engine.

This section of the tutorial details how to deploy the Carbon Black sensor for macOS through Workspace ONE UEM and manually.

Note: The content in this portion of the Operational Tutorial might vary based on the specific version of macOS, Carbon Black cloud, and Workspace ONE UEM. The content in this guide was created using macOS Big Sur 11.1, Workspace ONE UEM 2101, and the Carbon Black sensor version 3.5.1.19.

Notes on Extension Types

Starting with macOS 11, the Carbon Black Cloud macOS sensor (v3.5.1) operates by default in user space via System Extensions instead of the Kernel Extensions (KEXTs) used in prior versions of the agent. As a result of this change, some functionality is temporarily unavailable when using the sensor in System Extension mode on macOS 11 and later. Using the sensor in KEXT mode achieves the same functionality on macOS 11 as on older operating systems. A list of the differences in functionality can be found at macOS Big Sur Functionality Overview [Carbon Black].

Carbon Black Documentation

This section of the tutorial is meant as a guide for installation specific to the scenario covered by the tutorial. As such, you may need to refer to Carbon Black's official documentation for any installation scenarios outside the design of this guide. You can find more information about the macOS sensor at macOS Big Sur Documentation [Carbon Black]. Additionally, you can find more information in the Carbon Black Cloud Sensor Release Notes for version 3.5.1.19.

macOS Prerequisites for Deploying Carbon Black Cloud Sensor

By default, the Carbon Black sensor for macOS version 3.5.1.19 and later installs System Extensions on macOS Big Sur 11.0 and later. Prior to deploying the Carbon Black sensor for macOS, Workspace ONE administrators must configure a few prerequisites within macOS. These prerequisites ensure that the Carbon Black sensor has appropriate permissions granted prior to installation.

1. Add Profile

Add Profile for Carbon Black sensor in Workspace ONE UEM admin console.
  1. Click Add.
  2. Click Profile.

2. Select macOS Profile

Select macOS profile in Workspace ONE UEM admin console

Select macOS.

3. Select Device Profile

Select device profile in Workspace ONE UEM admin console.

Select Device Profile.

4. Configure General Tab

Configure Carbon black sensor profile in Workspace ONE UEM admin console.

Configure the General profile settings as necessary, but include the following:

  1. Enter a Name for the profile (such as Carbon Black Settings).
  2. Select Auto as the Assignment Type.
  3. Select an appropriate Smart Group.

Note: The smart groups that you select here should match the smart groups used for deploying the Carbon Black sensor installer to macOS Big Sur 11.0 (and later).

5. (If Required) Configure Kernel Extension Policy Payload

Configure Kernel Extension Policy in Workspace ONE UEM admin console

If you are deploying the Carbon Black cloud sensor in KEXT mode, Carbon Black recommends submitting the applicable Carbon Black Defense KEXT IDs for approval by Workspace ONE UEM before installing or upgrading macOS sensor version 3.5 and later.

  1. Enter kernel in the search box.
  2. Click Kernel Extension Policy.
  3. Click Configure.

6. (If Required) Enter Kernel Extension Policy Settings

Configure Kernel extensions in Workspace ONE UEM Admin console

If you are deploying the Carbon Black cloud sensor in KEXT mode, complete the Kernel Extension Policy payload as follows:

  1. Enter the Carbon Black team identifier: 7AGZNQ2S2T
  2. Enter the Carbon Black Kernel Extension Bundle ID:  com.carbonblack.defense.kext

7. Configure System Extension Policy Payload

Configure System Extension Policy in Workspace ONE UEM admin console

Carbon Black recommends submitting the applicable Carbon Black Defense System Extension IDs for approval by Workspace ONE UEM before installing or upgrading macOS sensor version 3.5 and later.

  1. Enter system in the search box.
  2. Click System Extensions.
  3. Click Configure.

Note: If you are deploying the Sensor in KEXT mode, pre-staging the System Extension settings will prepare you for a later migration from KEXT to System Extensions.

8. Enter System Extension Policy Settings

Configure System extensions in Workspace ONE UEM Admin console
  1. Enter the Carbon Black team identifier: 7AGZNQ2S2T
  2. Enter the Carbon Black System Extension Bundle ID:  com.vmware.carbonblack.cloud.se-agent.extension

9. Configure Privacy Preferences Payload

  1. Enter Privacy in the search box.
  2. Click Privacy Preferences.
  3. Click Configure.

10. Add App Privacy Preferences

Click Add App.

11. Configure Privacy Preferences

Configure privacy preferences for macOS profile in Workspace ONE UEM admin console

For the macOS sensor to operate at full functionality on an endpoint, the sensor must have full disk access on the endpoint. This payload grants the macOS sensor full disk access.

  1. Enter one Bundle Identifier from the following table.
  2. Select Bundle ID.
  3. Copy and paste the corresponding Code Requirement from the following table.
  4. Scroll down to the list of Services.
  5. Select Allow for System Policy All Files.
  6. Click Save.
  7. Repeat the process starting at Add App Privacy Preferences and define each additional Bundle Identifier and Code Requirement in the following table.

Bundle Identifier: com.vmware.carbonblack.cloud.daemon
Code Requirement: identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

Bundle Identifier: com.vmware.carbonblack.cloud.se-agent.extension
Code Requirement: identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

Bundle Identifier: com.vmware.carbonblack.cloud.osqueryi
Code Requirement: identifier "com.vmware.carbonblack.osqueryi" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

Bundle Identifier: com.vmware.carbonblack.cloud.uninstall
Code Requirement: identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

Bundle Identifier: com.vmware.carbonblack.cloud.uninstallerui
Code Requirement: identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

12. Review the Privacy Preferences

Ensure that all five Privacy Preferences have been added.

13. Configure Custom Settings Payload

  1. Enter Custom in the search box.
  2. Click Custom Settings.
  3. Click Configure.

14. Paste Custom Settings for Network Extension

  1. Copy and paste the following Custom Settings XML for the sensor's network extension.
  2. Click Save and Publish.

<dict>
    <key>FilterDataProviderBundleIdentifier</key>
    <string>com.vmware.carbonblack.cloud.se-agent.extension</string>
    <key>FilterDataProviderDesignatedRequirement</key>
    <string>identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"</string>
    <key>FilterPacketProviderBundleIdentifier</key>
    <string>com.vmware.carbonblack.cloud.se-agent.extension</string>
    <key>FilterPacketProviderDesignatedRequirement</key>
    <string>identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"</string>
    <key>FilterPackets</key>
    <true/>
    <key>FilterSockets</key>
    <true/>
    <key>FilterType</key>
    <string>Plugin</string>
    <key>PayloadDisplayName</key>
    <string>Web Content Filter</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.webcontent-filter.71C289AC-7ACF-44BC-AB5E-580736C634DF</string>
    <key>PayloadType</key>
    <string>com.apple.webcontent-filter</string>
    <key>PayloadUUID</key>
    <string>71C289AC-7ACF-44BC-AB5E-580736C634DF</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PluginBundleID</key>
    <string>com.vmware.carbonblack.cloud.se-agent</string>
    <key>UserDefinedName</key>
    <string>Carbon Black Network Extension Filter</string>
</dict>
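Added example, not part of the tutorial or of Workspace ONE UEM: a Python check that the Privacy Preferences rows above and the Web Content Filter custom settings bind each bundle identifier to a matching Developer ID code requirement carrying the Carbon Black team identifier, since a requirement that does not match the bundle leaves the sensor without the access the profile was meant to grant. The team identifier and Carbon Black bundle identifiers are those in the tutorial; the com.example entries, the sample payload and the requirement grammar are assumptions of this example.

```python
import plistlib
import re

CARBON_BLACK_TEAM_ID = "7AGZNQ2S2T"

# Designated-requirement form used throughout the tutorial: bundle identifier,
# Apple root anchor, Developer ID intermediate (1.2.840.113635.100.6.2.6),
# Developer ID Application leaf (1.2.840.113635.100.6.1.13) and the team OU.
REQUIREMENT_RE = re.compile(
    r'^identifier "(?P<identifier>[^"]+)" and anchor apple generic'
    r" and certificate 1\[field\.1\.2\.840\.113635\.100\.6\.2\.6\] /\* exists \*/"
    r" and certificate leaf\[field\.1\.2\.840\.113635\.100\.6\.1\.13\] /\* exists \*/"
    r' and certificate leaf\[subject\.OU\] = "(?P<team>[^"]+)"$'
)


def developer_id_requirement(bundle_id: str, team_id: str = CARBON_BLACK_TEAM_ID) -> str:
    """Build a requirement string in the exact form the tutorial's table uses."""
    return (f'identifier "{bundle_id}" and anchor apple generic'
            " and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */"
            " and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */"
            f' and certificate leaf[subject.OU] = "{team_id}"')


def check_requirement(bundle_id: str, requirement: str, team_id: str = CARBON_BLACK_TEAM_ID) -> list:
    """Return problems with one grant; an empty list means it is bound to the intended code."""
    match = REQUIREMENT_RE.match(requirement.strip())
    if not match:
        return [f"{bundle_id}: requirement is not in Developer ID form (missing clause or stray quotes)"]
    problems = []
    if match["identifier"] != bundle_id:
        problems.append(f"{bundle_id}: requirement identifier {match['identifier']!r} "
                        "does not match the bundle identifier")
    if match["team"] != team_id:
        problems.append(f"{bundle_id}: requirement team {match['team']!r} is not {team_id}")
    return problems


def check_pppc_table(rows: list, team_id: str = CARBON_BLACK_TEAM_ID) -> list:
    """Check every (Bundle Identifier, Code Requirement) pair of a Privacy Preferences payload."""
    problems = []
    for bundle_id, requirement in rows:
        problems.extend(check_requirement(bundle_id, requirement, team_id))
    return problems


def check_web_content_filter(plist_bytes: bytes, team_id: str = CARBON_BLACK_TEAM_ID) -> list:
    """Check the custom-settings dict: each filter provider's designated requirement matches
    its bundle identifier, the payload type is right and PayloadIdentifier ends in PayloadUUID."""
    payload = plistlib.loads(plist_bytes)
    problems = []
    for provider in ("FilterDataProvider", "FilterPacketProvider"):
        bundle_id = payload.get(f"{provider}BundleIdentifier", "")
        requirement = payload.get(f"{provider}DesignatedRequirement", "")
        problems.extend(check_requirement(bundle_id, requirement, team_id))
    if payload.get("PayloadType") != "com.apple.webcontent-filter":
        problems.append("PayloadType must be com.apple.webcontent-filter")
    if not payload.get("PayloadIdentifier", "").endswith(payload.get("PayloadUUID", "?")):
        problems.append("PayloadIdentifier does not end with PayloadUUID")
    return problems


# Constructed sample rows: the tutorial's daemon entry plus a deliberately mismatched one
# (requirement copied from a different row), which the check must report.
SAMPLE_PPPC_ROWS = [
    ("com.vmware.carbonblack.cloud.daemon",
     developer_id_requirement("com.vmware.carbonblack.cloud.daemon")),
    ("com.example.constructed.helper",
     developer_id_requirement("com.example.constructed.other")),
]

# Constructed subset of the tutorial's Web Content Filter custom settings.
SE_AGENT_EXTENSION = "com.vmware.carbonblack.cloud.se-agent.extension"
SAMPLE_FILTER_PLIST = plistlib.dumps({
    "FilterDataProviderBundleIdentifier": SE_AGENT_EXTENSION,
    "FilterDataProviderDesignatedRequirement": developer_id_requirement(SE_AGENT_EXTENSION),
    "FilterPacketProviderBundleIdentifier": SE_AGENT_EXTENSION,
    "FilterPacketProviderDesignatedRequirement": developer_id_requirement(SE_AGENT_EXTENSION),
    "FilterPackets": True, "FilterSockets": True, "FilterType": "Plugin",
    "PayloadType": "com.apple.webcontent-filter",
    "PayloadIdentifier": "com.apple.webcontent-filter.71C289AC-7ACF-44BC-AB5E-580736C634DF",
    "PayloadUUID": "71C289AC-7ACF-44BC-AB5E-580736C634DF",
    "PluginBundleID": "com.vmware.carbonblack.cloud.se-agent",
})

if __name__ == "__main__":
    print(check_pppc_table(SAMPLE_PPPC_ROWS))
    print(check_web_content_filter(SAMPLE_FILTER_PLIST))
```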

15. Publish the Profile

Publish the macOS profile in Workspace ONE UEM admin console

Click Publish.

Deploying Carbon Black Cloud Sensor Manually on macOS with System Extensions

Launch the Carbon Black Cloud Sensor installation package to initiate the installation process. Click Next until you receive a request to enter the activation code (from the activation email, as shown in Request Activation Code for Sensor deployment via UI Installer). Although a unique code can be sent directly to the end user via email, this activity uses the global company code.

1. Launch Installer

Run VMware Carbon Black Cloud sensor installer on macOS
  1. Double-click the downloaded dmg, and then launch CbCloud Install.
  2. Click Allow in the run a program prompt.
  3. Click OK at the Privacy Preferences Prompt and grant the installer access to the necessary folder.
  4. Click Continue twice.

2. Accept Terms of Use

Agree to terms of use to install VMware Carbon Black Cloud sensor on macOS

Click Agree.

3. Enter Activation Code

  1. Enter the Activation Code from Send Installation Request.
  2. Click Continue then click Install.

Note: If prompted, enter the password for an administrative user.

4. Allow System Extensions (if not MDM Managed)

Important: Steps 1-4 are only required if the device does not have the prerequisite MDM profile applied as specified in macOS Prerequisites for Deploying Carbon Black Cloud Sensor.

  1. Click Open Security Preferences on the System Extension Blocked message.
  2. Click the lock and enter administrative credentials to unlock the Security & Privacy screen.
  3. Click Allow to enable system extensions required by the sensor.
  4. Click Allow to enable network extensions required by the sensor.

5. Close the Installer

Close VMware Carbon Black cloud sensor installer on macOS

Click Close.

macOS Prerequisites for Deploying Carbon Black Cloud Sensor as a Managed Application

When creating a non-store, managed application for macOS in Workspace ONE, admins must supply the icon file, installer (dmg or pkg), and metadata file. The metadata file contains details allowing the Workspace ONE Intelligent Hub for macOS to determine if the managed application is installed and if the installed application is the correct version.

Before configuring the Sensor kit deployment, you must generate the required icon and metadata file with the Workspace ONE Admin Assistant application. Additionally, the sensor kit deployment package structure requires some additional modification to the metadata (PLIST) file before deployment.

This section demonstrates how to parse the sensor kit and modify the PLIST file to correctly distribute the Carbon Black Cloud sensor as a managed application.

1. Drag and Drop Sensor Kit to Workspace ONE Admin Assistant

Place Sensor Kit onto Workspace ONE Administrative Assistant in macOS

Open the Workspace ONE Administrative Assistant, then drag the Sensor Kit (confer_installer_mac-<version>.dmg) downloaded from the Carbon Black cloud onto the Workspace ONE Admin Assistant.

2. Reveal Output in Finder

Click Reveal in Finder when complete.

3. Open Plist for Modifications

  1. Expand the CBCloud Install-<version> folder and right-click CBCloud Install-<version>.plist.
  2. Click Open With.
  3. Select the editor of your choice, such as BBEdit, Visual Studio Code, Xcode, or TextEdit.

Note: For the remainder of this tutorial, text editing and manipulation examples are shown in BBEdit.

4. Make Modifications to the Plist

Add the following XML snippets to the file between the outer <dict></dict> tags as shown in the previous screenshot.

Installs Array:

  • Modify the values for CFBundleShortVersionString and CFBundleVersion to match the version you are deploying.

<key>installs</key>
<array>
    <dict>
        <key>CFBundleIdentifier</key>
        <string>com.vmware.carbonblack.cloud.se-agent</string>
        <key>CFBundleName</key>
        <string>VMware CBCloud</string>
        <key>CFBundleShortVersionString</key>
        <string>3.5.1fc19</string>
        <key>CFBundleVersion</key>
        <string>3.5.1fc19</string>
        <key>minosversion</key>
        <string>10.15</string>
        <key>path</key>
        <string>/Applications/VMware Carbon Black Cloud/VMware CBCloud.app</string>
        <key>type</key>
        <string>application</string>
        <key>version_comparison_key</key>
        <string>CFBundleShortVersionString</string>
    </dict>
</array>

Note: You must replace the CFBundleShortVersionString and CFBundleVersion values in the installs array if they differ for the particular version of the Sensor you are deploying.

Alternatively, you can generate the installs array in one of the following ways:

  1. Export VMware CBCloud.app from the installer package (using an app such as Suspicious Package) and run VMware CBCloud.app through the Workspace ONE Admin Assistant app. The PLIST generated in this instance contains the appropriate installs array information.
  2. If the Carbon Black sensor kit is installed on the machine with Workspace ONE Admin Assistant, copy VMware CBCloud.app to your ~/Downloads directory (cp -R /Applications/VMware\ Carbon\ Black\ Cloud/VMware\ CBCloud.app ~/Downloads) and then parse ~/Downloads/VMware CBCloud.app through the Workspace ONE Admin Assistant app. The PLIST generated in this instance contains the appropriate installs array information.

If you use VMware CBCloud.app to generate an installs array, ensure you only copy the installs array (and no other key-value pairs) into the CBCloud Install-<version>.plist file.

5. Save and Close

Save and Close the modified PLIST in your editor of choice.
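Steps 3 to 5 can also be scripted. The following Python script is an added example written for this tutorial (it is not a VMware or Carbon Black tool): it reads the PLIST produced by Workspace ONE Admin Assistant, derives the version from the sensor kit file name confer_installer_mac-<version>.dmg, and inserts the installs array from step 4 with matching CFBundleShortVersionString and CFBundleVersion values, refusing to proceed if the PLIST's own version key (assumed to be present) disagrees with the kit. The sample PLIST embedded in the script is constructed; the kit name pattern and the version key are assumptions.

```python
"""Merge the Carbon Black Cloud 'installs' array into the metadata PLIST that
Workspace ONE Admin Assistant generated, instead of pasting it by hand.

Added example for this tutorial; not a VMware or Carbon Black tool.
Assumed: the sensor kit is named confer_installer_mac-<version>.dmg, the
generated PLIST carries a "version" key, and the bundle identifier, app path
and minimum OS are the values shown in the tutorial's installs array snippet.
"""
import plistlib
import re

# Values taken from the tutorial's installs array snippet.
CB_BUNDLE_ID = "com.vmware.carbonblack.cloud.se-agent"
CB_APP_PATH = "/Applications/VMware Carbon Black Cloud/VMware CBCloud.app"
CB_MIN_OS = "10.15"

# Constructed stand-in for "CBCloud Install-<version>.plist" as Admin Assistant
# writes it; only the "version" key is relied on, every other key passes through.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>name</key>
    <string>CBCloud Install</string>
    <key>version</key>
    <string>3.5.1fc19</string>
    <key>installer_item_location</key>
    <string>confer_installer_mac-3.5.1fc19.dmg</string>
</dict>
</plist>
"""

# Assumed naming pattern of the sensor kit downloaded from Carbon Black Cloud.
KIT_RE = re.compile(r"confer_installer_mac-(?P<version>.+)\.dmg$")


def version_from_kit_name(filename: str) -> str:
    """Return <version> from confer_installer_mac-<version>.dmg."""
    m = KIT_RE.fullmatch(filename)
    if not m:
        raise ValueError(f"not a Carbon Black sensor kit name: {filename}")
    return m.group("version")


def installs_array(version: str) -> list:
    """Build the installs array the Intelligent Hub uses to detect the installed app.

    version_comparison_key names the key the Hub compares, so
    CFBundleShortVersionString must be the version actually being deployed.
    """
    return [{
        "CFBundleIdentifier": CB_BUNDLE_ID,
        "CFBundleName": "VMware CBCloud",
        "CFBundleShortVersionString": version,
        "CFBundleVersion": version,
        "minosversion": CB_MIN_OS,
        "path": CB_APP_PATH,
        "type": "application",
        "version_comparison_key": "CFBundleShortVersionString",
    }]


def add_installs_array(plist_bytes: bytes, kit_filename: str) -> bytes:
    """Return the PLIST with an installs array for the version named in the kit file.

    Raises ValueError when the kit version and the PLIST's declared version
    disagree, so the installs array can never carry a stale version.
    """
    data = plistlib.loads(plist_bytes)
    version = version_from_kit_name(kit_filename)
    declared = data.get("version")  # assumed key written by Admin Assistant
    if declared is not None and declared != version:
        raise ValueError(f"PLIST version {declared!r} differs from kit version {version!r}")
    data["installs"] = installs_array(version)  # the only key added
    return plistlib.dumps(data)


def installs_version(plist_bytes: bytes) -> str:
    """Read back CFBundleShortVersionString from the first installs entry."""
    return plistlib.loads(plist_bytes)["installs"][0]["CFBundleShortVersionString"]


if __name__ == "__main__":
    # With a real file: replace SAMPLE_PLIST with the bytes of
    # "CBCloud Install-<version>.plist" and write the result back over it.
    updated = add_installs_array(SAMPLE_PLIST, "confer_installer_mac-3.5.1fc19.dmg")
    print(updated.decode())
```

Because the script adds only the installs key, the other key-value pairs Admin Assistant generated stay untouched, which is the same constraint the alternative methods above place on copying from a VMware CBCloud.app-derived PLIST.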

Deploying Carbon Black Cloud Sensor as a Managed Application with Workspace ONE UEM

With the PLIST file modified and the prerequisites deployed, a Workspace ONE administrator is ready to deploy the Carbon Black cloud sensor to an enrolled macOS device.

1. Add Application

Add application for Carbon Black cloud sensor in Workspace ONE UEM admin console

In the Workspace ONE UEM admin console, perform the following steps:

  1. Click Resources.
  2. Expand Apps and click Native.
  3. Click Internal.
  4. Click Add.
  5. Click Application File.

2. Upload App

Click Upload.

3. Choose and Save File

Select the Carbon Black Cloud sensor for macOS in the Workspace ONE UEM admin console

  1. Click Choose File. Browse to the confer_installer_mac-<version>.dmg file generated by the Workspace ONE Admin Assistant and click Choose.
  2. Click Save.
  3. Click Continue.

4. Upload Metadata File

Select the PLIST file for the Carbon Black Cloud sensor for macOS in the Workspace ONE UEM admin console

  1. Click Upload.
  2. Click Choose File. Browse to the CbDefense Install-<version>.plist file generated by the Workspace ONE Admin Assistant and click Choose.
  3. Click Save.
  4. Click Continue.

5. Add Image for App Install

Drag the CBCloud Install.png graphic to the Workspace ONE UEM console.

6. Add Preinstall Script

Edit the script to install the Carbon Black Cloud sensor for macOS

  1. Select the Scripts tab.
  2. Paste one of the following scripts into the Pre-Install Script field, replacing the Code value with the Registration Code you obtained in Access Registration Codes.

Note: The pre-install script populates a configuration file that the Carbon Black sensor kit installer reads.

Option 1:  Basic Pre-Install Script For System Extension Install

This option includes the bare minimum required information (the Registration Code) to install the Carbon Black Cloud Sensor for macOS.  

#!/bin/bash
# Directory the Carbon Black Cloud installer reads its settings from.
# Named CFG_DIR (not PATH) so the shell's command search path is left intact;
# absolute command paths are kept regardless.
CFG_DIR="/var/cbcloud-install"
/bin/mkdir -p "$CFG_DIR"
/usr/bin/touch "$CFG_DIR/cfg.ini"
# Replace 12345 with your Registration Code. KernelType=2 selects the System Extension.
/bin/cat > "$CFG_DIR/cfg.ini" <<- EOM
[customer]
Code=12345
DisableSysextNetworkExtension=false
KernelType=2
EOM

Option 2:  Basic Pre-Install Script For Kernel Extension Install

This option includes the bare minimum required information (the Registration Code) to install the Carbon Black Cloud Sensor for macOS.  

#!/bin/bash
# Directory the Carbon Black Cloud installer reads its settings from.
# Named CFG_DIR (not PATH) so the shell's command search path is left intact;
# absolute command paths are kept regardless.
CFG_DIR="/var/cbcloud-install"
/bin/mkdir -p "$CFG_DIR"
/usr/bin/touch "$CFG_DIR/cfg.ini"
# Replace 12345 with your Registration Code. KernelType=1 selects the kernel extension (KEXT).
/bin/cat > "$CFG_DIR/cfg.ini" <<- EOM
[customer]
Code=12345
KernelType=1
EOM

Option 3: Advanced Pre-Install Script 

The following contains a pre-install script with additional values that can be used to customize the Sensor installation. Use these at your discretion and refer to the Carbon Black documentation for the proper usage and parameter values.

#!/bin/bash
# Directory the Carbon Black Cloud installer reads its settings from.
# Named CFG_DIR (not PATH) so the shell's command search path is left intact;
# absolute command paths are kept regardless.
CFG_DIR="/var/cbcloud-install"
/bin/mkdir -p "$CFG_DIR"
/usr/bin/touch "$CFG_DIR/cfg.ini"
# Every {...} value is a placeholder: replace it, or remove the line if you do not
# need that setting. See the Carbon Black documentation for valid values.
# Code and ProxyServerCredentials are written to disk in clear text; review the
# resulting file's permissions against your policy.
# KernelType: 1 = KEXT, 2 = System Extension.
/bin/cat > "$CFG_DIR/cfg.ini" <<- EOM
[customer]
Code={COMPANY_CODE}
ProxyServer={PROXY_SERVER}
ProxyServerCredentials={PROXY_CREDS}
LastAttemptProxyServer={LAST_ATTEMPT_PROXY_SERVER}
PemFile={customer.pem}
AutoUpdate={true|false}
AutoUpdateJitter={true|false}
InstallBypass={true|false}
FileUploadLimit={FILE_UPLOAD_LIMIT}
GroupName={GROUP_NAME}
EmailAddress={USER_NAME}
BackgroundScan={true|false}
RateLimit={RATE_LIMIT}
ConnectionLimit={CONNECTION_LIMIT}
QueueSize={QUEUE_SIZE}
LearningMode={LEARNING_MODE}
{POC=1}
CbLRKill={true|false}
HideCommandLines={true|false}
DisableSysextNetworkExtension={true|false}
KernelType={1|2}
EOM

7. Add Uninstall Script

Define uninstall script for carbon black cloud sensor for macOS in Workspace ONE UEM admin console
  1. Scroll to the Uninstall Scripts section.
  2. Choose Uninstall Script as the uninstall method.
  3. Ensure your script is ready, then paste the uninstall script (including the Deregistration Code found in Access Registration Codes) in the Uninstall Script section.

Uninstall Script:

#!/bin/sh
# Replace {Deregistration_Code} with the Deregistration Code from Access Registration Codes.
/Applications/VMware\ Carbon\ Black\ Cloud/uninstall.bundle/Contents/MacOS/uninstall -y -y -c {Deregistration_Code}

8. Set Deployment Options

  1. Select No for Blocking Applications.
  2. If deploying the sensor with System Extensions, select None for the Restart Action. If deploying the sensor using KEXTs, choose the appropriate restart action.
  3. Click Save and Assign.

Note: Blocking Apps should be set to NO as the end-user does not need to be prompted to close any Carbon Black applications. This is all handled by the Workspace ONE Intelligent Hub and the Carbon Black sensor installer.

9. Configure Distribution

Distribution settings for Carbon Black cloud sensor for macOS
  1. Enter a name for the Distribution. For example, All Macs.
  2. Select Assignment Groups containing the devices which should receive the Carbon Black cloud sensor.
  3. Select Auto.
  4. Determine if you want the user to see the Carbon Black install in their App Catalog. In most cases, this can be Disabled.

10. Configure Restrictions and Create

Configure Restrictions for carbon black cloud sensor for macOS
  1. Click Restrictions.
  2. Enable Remove on Unenroll.
  3. Enable Desired State Management.
  4. Click Create.

11. Save Assignment

Configure exclusions and assignments for Carbon Black cloud sensor for macOS
  1. If required, click Exclusions to add exclusions to the assignments.
  2. If required, click Add Assignment and repeat the steps starting at Configure Distribution.
  3. If required, adjust the priority for the assignments.
  4. Click Save.

12. Publish Assignment

Publish assignments for Carbon Black Cloud sensor for macOS

Review the assignment Preview and click Publish.

Confirming Carbon Black Sensor Installation

Introduction

In this section, confirm that the Carbon Black Cloud Sensor has deployed successfully to chosen devices.

Confirming Carbon Black Sensor Deployment in Carbon Black Console

In this activity, use the VMware Carbon Black Cloud Console to confirm that the Carbon Black Cloud sensor was deployed to endpoints.

1. Confirm Sensor Deployment in VMware Carbon Black Cloud Console

Confirm deployment of Carbon Black cloud sensor

To confirm the installation of the Carbon Black Cloud sensor on the endpoints, log in to the VMware Carbon Black Cloud Console and, under Inventory/EndPoints, review the list of endpoints that have checked in with Carbon Black.

You can identify the endpoint status for each; green means the device is in communication with VMware Carbon Black Cloud.

Confirming Carbon Black Sensor Deployment in Workspace ONE UEM

In this activity, use the Workspace ONE UEM Admin Console to confirm that the sensor was installed as a managed application on assigned devices.

1. Confirm Sensor Installed as a Managed Application

Confirm carbon black cloud sensor installed as a managed application in Workspace ONE UEM admin console

In the Workspace ONE UEM Console, navigate to Devices > List View. Select a device and click Apps to confirm that the Carbon Black Cloud Sensor is installed as a managed application on the devices you assigned.

Confirming Sensor Install on Windows 10

In this activity, validate that the Carbon Black Cloud sensor for Windows has installed successfully.

1. Validate UI for Sensor Install

Locate carbon black cloud sensor on Windows task bar

Locate the Carbon Black Cloud Sensor on the Windows Task Bar.

2. Review Logging

The installation log is available under the temp folder defined for the endpoint; you can open this folder by entering the %TEMP% variable in Windows Explorer or at the command line. The default log file name is log.txt, or the name defined with the /L parameter during installation.

Review the log for a line stating that the install of CbDefense was successful.

A confer-temp.log file is also generated under the temp folder, which shows the sensor registration attempts to the cloud. These two log files are required for troubleshooting installation and upgrade issues.

Confirming Carbon Black Sensor Install on macOS

In this activity, validate that the Carbon Black Cloud sensor for macOS has installed successfully.

1. Validate UI for Sensor Install

Open Confer app in macOS to confirm installation of Carbon Black Cloud sensor for macOS
  1. Open Finder and click Applications.
  2. Ensure that the VMware Carbon Black Cloud folder is present and contains the Sensor app and bundles.
  3. You might also see the Confer menulet in the menu bar.

2. Review Logging

Review the log to confirm that the Carbon Black Cloud sensor for macOS was installed

  1. Open Terminal.app and enter the following command: tail -50 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log
  2. Review the log for a line stating that the install of CbDefense was successful.

If the sensor appears to not be installing, or is installing repeatedly, you may need to adjust the metadata plist to include an installs array (as covered in Make Modifications to the Plist).
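To check either log without reading it by hand, here is an added Python example written for this tutorial (not a VMware or Carbon Black tool). It counts successful CbDefense install entries and flags the repeated-install symptom described above, which points at a missing or mismatched installs array. The log lines embedded in it are constructed to resemble the macOS ManagedSoftwareUpdate.log; the exact wording of the success and attempt entries (SUCCESS_RE and ATTEMPT_RE) is an assumption, so adjust those patterns to what your log shows. The same check applies to the Windows installation log mentioned in Confirming Sensor Install on Windows 10, which is searched for the same phrase.

```python
"""Scan sensor installation logs for the success entry and for install loops.

Added example for this tutorial; not a VMware or Carbon Black tool. The sample
log lines are constructed, and the wording matched by SUCCESS_RE and ATTEMPT_RE
is an assumption to adjust to your own log.
"""
import sys
import re
from collections import Counter

# Assumed wording of the entry the tutorial tells you to look for.
SUCCESS_RE = re.compile(r"Install of (?P<item>CbDefense[^:]*):\s*SUCCESSFUL", re.IGNORECASE)
# Assumed wording of the entry written when an install starts.
ATTEMPT_RE = re.compile(r"Installing CbDefense", re.IGNORECASE)

# Constructed: a healthy device, installed once.
HEALTHY_LOG = """\
Jan 28 2021 09:00:01 -0500 Installing CbDefense Install-3.5.1fc19...
Jan 28 2021 09:00:40 -0500 Install of CbDefense Install-3.5.1fc19: SUCCESSFUL
"""

# Constructed: a device that reinstalls the sensor on every Hub check-in, the
# symptom of a missing or mismatched installs array in the metadata PLIST.
LOOPING_LOG = """\
Jan 28 2021 09:00:01 -0500 Installing CbDefense Install-3.5.1fc19...
Jan 28 2021 09:00:40 -0500 Install of CbDefense Install-3.5.1fc19: SUCCESSFUL
Jan 28 2021 10:00:02 -0500 Installing CbDefense Install-3.5.1fc19...
Jan 28 2021 10:00:38 -0500 Install of CbDefense Install-3.5.1fc19: SUCCESSFUL
Jan 28 2021 11:00:01 -0500 Installing CbDefense Install-3.5.1fc19...
Jan 28 2021 11:00:41 -0500 Install of CbDefense Install-3.5.1fc19: SUCCESSFUL
"""


def successful_installs(text: str) -> Counter:
    """Count successful install entries per item name (e.g. per sensor version)."""
    counts = Counter()
    for line in text.splitlines():
        m = SUCCESS_RE.search(line)
        if m:
            counts[m.group("item")] += 1
    return counts


def analyze_log(text: str, loop_threshold: int = 2) -> dict:
    """Summarise a log: was the sensor installed, and is it being reinstalled?"""
    successes = successful_installs(text)
    attempts = sum(1 for line in text.splitlines() if ATTEMPT_RE.search(line))
    total = sum(successes.values())
    return {
        "installed": total > 0,
        "attempts": attempts,
        "successes": total,
        "items": dict(successes),
        # The same item installed successfully loop_threshold or more times means
        # the Hub never sees it as installed: fix the installs array in the PLIST.
        "reinstall_loop": any(n >= loop_threshold for n in successes.values()),
    }


if __name__ == "__main__":
    # Usage: python3 check_install_log.py <path to ManagedSoftwareUpdate.log or log.txt>
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else LOOPING_LOG
    print(analyze_log(text))
```

A healthy device shows exactly one success per deployed version; a count that grows on every check-in is the repeated-install case and is the cue to revisit Make Modifications to the Plist.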

3. Review RepCLI Output

  1. Open Terminal.app and enter the following command: cd /Applications/VMware\ Carbon\ Black\ Cloud/repcli.bundle/Contents/MacOS
  2. Enter the following command (and enter the administrative password if prompted): sudo ./repcli status
  3. Observe the values for System Extension Status, Sensor State, and Cloud Registration Status.

If the System Extensions are not loading, ensure that you have staged the correct profile payloads as covered in macOS Prerequisites for Deploying Carbon Black Cloud Sensor.

If the Kernel Extensions are not loading in macOS Big Sur, you might need to rebuild the kernel cache as shown in the next step.

4. Rebuild Kernel Cache (If Necessary)

If you have installed the Carbon Black Cloud sensor for macOS in KEXT mode and the KEXTs are not loading, you can attempt to load them by Rebuilding the Kernel Extension Cache.  

  1. Click Devices.
  2. Click List View.
  3. Select the device which needs the kernel cache rebuilt.
  4. Click More Actions.
  5. Click Custom Command.
  6. Paste the command XML from the following example, making sure to add the full list of KextPaths into the array, or remove the key and the array of values.
  7. Click Send.

Note: If you send the KextPaths key, you must include the Carbon Black KEXT path, as well as any other paths you want to include in the Kernel Cache Rebuild. If you do not specify the KextPaths key, macOS attempts to rebuild the cache with any known kernel extensions (for example, from Apps that have been launched and attempted to load a KEXT).

CUSTOM COMMAND TO REBUILD THE KERNEL CACHE WITH A SPECIFIC LIST OF KEXTS:

<dict>
	<key>RebuildKernelCache</key>
	<true/>
	<key>KextPaths</key>
	<array>
		<string>/Library/Extensions/CbDefenseSensor.kext</string>
		<string>/Library/Extensions/SomeOtherExtension.kext</string>
	</array>
	<key>RequestType</key>
	<string>RestartDevice</string>
</dict>

CUSTOM COMMAND TO REBUILD THE KERNEL CACHE WITH CURRENTLY KNOWN KEXTS:

<dict>
	<key>RebuildKernelCache</key>
	<true/>
	<key>RequestType</key>
	<string>RestartDevice</string>
</dict>
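The two custom commands above differ only in whether KextPaths is sent. The following Python example, added for this tutorial and not part of Workspace ONE UEM, builds the command XML from a list of KEXT paths and enforces the rule in the note above: when KextPaths is included it must list the Carbon Black KEXT. The key names and paths come from the commands above; parse_command is a helper written here only to round-trip the output.

```python
"""Build the Workspace ONE UEM Custom Command that rebuilds the macOS kernel cache.

Added example for this tutorial; not part of Workspace ONE UEM. The keys
(RebuildKernelCache, KextPaths, RequestType = RestartDevice) and the Carbon
Black KEXT path are the ones the tutorial shows.
"""
import plistlib

# Carbon Black KEXT path from the tutorial's command.
CB_KEXT = "/Library/Extensions/CbDefenseSensor.kext"


def rebuild_kernel_cache_command(kext_paths=None) -> str:
    """Return the <dict>...</dict> block to paste into the Custom Command field.

    kext_paths=None omits KextPaths, so macOS rebuilds the cache from the KEXTs
    it already knows about; otherwise the list is sent (de-duplicated, order
    kept) and must contain CB_KEXT, as the tutorial's note requires.
    """
    command = {"RebuildKernelCache": True}
    if kext_paths is not None:
        paths = list(dict.fromkeys(kext_paths))  # drop duplicates, keep order
        if CB_KEXT not in paths:
            raise ValueError(f"KextPaths must include the Carbon Black KEXT {CB_KEXT}")
        command["KextPaths"] = paths
    command["RequestType"] = "RestartDevice"
    xml = plistlib.dumps(command, sort_keys=False).decode()
    # plistlib wraps the dict in a full plist document; UEM takes only the inner <dict>.
    start = xml.index("<dict>")
    end = xml.rindex("</dict>") + len("</dict>")
    return xml[start:end]


def parse_command(dict_xml: str) -> dict:
    """Round-trip helper: parse a <dict> block back into a Python dict."""
    wrapped = f'<plist version="1.0">{dict_xml}</plist>'
    return plistlib.loads(wrapped.encode())


if __name__ == "__main__":
    # Specific list: Carbon Black plus any other KEXTs that must stay in the cache.
    print(rebuild_kernel_cache_command([CB_KEXT, "/Library/Extensions/SomeOtherExtension.kext"]))
    # Currently known KEXTs only.
    print(rebuild_kernel_cache_command())
```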

Simulating Threat Events and Validating the Integration

Introduction

You can easily validate the integration between VMware Carbon Black and Workspace ONE Intelligence by simulating suspicious activities on the endpoint. The activities are identified and remediated by the Carbon Black Cloud sensor, which reports them to VMware Carbon Black Cloud, where they are available as alerts. Based on the notification settings previously configured, the alerts are extracted by Workspace ONE Intelligence every 30 seconds.

In this activity, you learn how to generate suspicious activities on the endpoint to generate alerts in VMware Carbon Black Cloud, and get those as insights into Workspace ONE Intelligence.

Simulating Suspicious Activities on the Endpoint

In this activity, learn how to generate suspicious activity on the endpoint to create alerts, and identify corresponding alerts in VMware Carbon Black and Workspace ONE Intelligence.

Open an Internet Browser on Windows 10 Device


On the Windows 10 device where the Carbon Black Cloud Sensor is installed, open an Internet browser, go to https://www.eicar.org/?page_id=3950, and download the anti-malware test file eicar.com from that page.

The Carbon Black Sensor blocks the download and generates an alert in VMware Carbon Black Cloud, which is later synchronized to Workspace ONE Intelligence.

Identifying Alerts in the VMware Carbon Black Cloud Console

The generated threats are first available in Carbon Black Cloud and can be viewed in the Carbon Black Console.

Alerts indicate known threats and suspicious behavior across endpoints.

Alerts

In the VMware Carbon Black Cloud Console, click Alerts. You should see multiple Alerts generated by the activity on the endpoint classified as Severity 6, the first and last seen time for each of the events, and so on.

Identifying Alerts in the Workspace ONE Intelligence Console

As a result of the Workspace ONE Intelligence integration with Carbon Black, the threat data is synchronized and available as insights using the dashboard on Workspace ONE Intelligence.

Identify alerts from Carbon Black in Workspace ONE Intelligence

For a list of all available alerts in the Workspace ONE Intelligence Console, go to the Threat Summary dashboard under Dashboards / Security Risk and click View.

You can order the result by clicking the Event Time column. 

You should see at least two events. Compare the Event Time occurrence for both alerts – in Workspace ONE Intelligence, check the Event Time column, and in the VMware Carbon Black Console, check the First Seen column.

 

Carbon Black Dashboards and Automation in Workspace ONE Intelligence

Introduction

In this activity, you review the custom dashboards available for threats and learn how to extend threat remediation with automation.

Reviewing Custom Dashboards for Threats

In addition to the out-of-the-box dashboard, administrators can take advantage of the custom dashboard and create customized visualizations and personalized widgets.

Workspace ONE Intelligence includes a set of template widgets for VMware Carbon Black threats to help you to easily create a dashboard.

Create Custom Dashboards for Threats


Extending Threat Remediation and Device Quarantine with Automation

The integration of VMware Carbon Black and Workspace ONE Intelligence enables automation based on threats, where the administrator can take actions against the device or third-party tools based on the incoming threats reported by VMware Carbon Black.


As an example, you can quarantine devices in VMware Carbon Black when high threats are detected on Windows devices. In addition, you can take the following actions:

  • Tag the device as At Risk in Workspace ONE UEM, making the UEM administrator aware of vulnerable devices.
  • Notify the end-user via e-mail.
  • Notify the security team via Slack about the attack and share all the relevant information.
  • Create an incident ticket in ServiceNow for tracking and audit purposes.

To quarantine a device in VMware Carbon Black, leverage the Automation Custom Connector that allows you to extend the automation capabilities against other systems and tools through REST API.

Steps to Set Up the VMware Carbon Black Custom Connector

To set up the VMware Carbon Black Custom Connector in Workspace ONE Intelligence to enable quarantine device action, download the VMware Carbon Black Cloud Sample Collection from GitHub and follow the instructions.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps on how to configure the integration between Workspace ONE Intelligence and VMware Carbon Black to obtain threat insights and extend threat remediation with the Workspace ONE Intelligence Automation engine.

Procedures included:

  • Configuring prerequisites
  • Integrating Workspace ONE Intelligence and VMware Carbon Black
  • Deploying the Carbon Black Cloud Sensor on Windows 10 and macOS
  • Validating the integration

For more information about Workspace ONE Intelligence, see the following resources:

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management Activity Path


 

Change Log

The following updates were made to this guide:

Date Change
2020/03/02
  • First release
2020/07/01
  • Added steps to deploy Carbon Black Sensor on macOS
2021/01/28
  • Added steps to deploy Carbon Black Sensor on macOS Big Sur
  • Updated Carbon Black Cloud Console and Workspace ONE Intelligence screenshots

About the Authors and Contributors

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Contributors to this tutorial:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User Computing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
