Install the Cortex XDR Agent Using JAMF (Cortex XDR Agent 7.7)

Cortex XDR Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 7.7
Creation date: 2022-08-31
Last date published: 2023-01-04
End of Life: EoL
Category: Administrator Guide

To deploy the Cortex XDR agent to multiple endpoints, you can set up a JAMF profile. As part of your JAMF deployment you must grant full disk access and approve system extensions and notifications. Depending on your macOS version:

  • macOS 10.15.3 and earlier versions—You must enable the Cortex XDR agent Kernel Extension in your JAMF profile.

  • macOS 10.15.4 and later versions—You must enable Cortex XDR agent System Extensions (Endpoint Security and Network) in your JAMF profile.

For a seamless configuration using JAMF that does not require creating the configuration profile manually, refer to Install with a Unified Configuration Profile for MDMs.

Caution

  • Following the changes Apple introduced in macOS 11.3 for MDMs, when you remove an MDM configuration profile that includes permissions for system extensions (for Cortex XDR agents or GlobalProtect), the system extensions are unloaded from all endpoints immediately. As a result, the Cortex XDR protection status is disabled. For the suggested workaround, refer to the Cortex XDR 7.6 agent list of Known Issues.

To set up a JAMF profile step-by-step, use the following workflow. Perform the steps consecutively, in the order described below. If you change the order, the required configuration profiles might not be in place when the agent needs them, which can cause the agent to behave unexpectedly.

Note

Because of certificate changes, signed profiles must be renewed every year. The existing signed Configuration Profiles have expired, and we recommend that you replace them with the updated profiles attached here. Using an expired profile is not recommended, but no functional impact is expected at this point.

It is very important that you upload the new profiles before you replace the expired ones. To ensure there are no disruptions to your endpoint profiles:

  1. Upload the profiles following the steps described below, ensuring you add them to the same scope as the expired profiles (for example, the same groups and dynamic groups).

  2. Ensure all endpoints have both the expired profiles and new profiles.

  3. Delete the expired profiles only after all endpoints in your environment have the new profiles.

  1. Create a new Computer Configuration Profile in JAMF.

    Under General Options, assign the following:

    • Name—Cortex XDR Agent Unified Configuration Profile

    • Level—Select Computer level.

    Screenshot: jamf-general.png

    For additional information, refer to the JAMF documentation on configuring configuration profiles.

  2. (macOS 10.15.3 and earlier) Configure Approved Kernel Extensions.

    Screenshot: jamf-profile-kext.png

    1. Allow users to approve kernel extensions.

    2. Add an approved Team ID for Palo Alto Networks:

      • Display Name—Palo Alto Networks

      • Team ID—PXPZ95SK77

    Alternatively, Palo Alto Networks provides a signed configuration profile for the Approved Kernel Extensions. To use it, download the signed configuration file CortexXDR_KernelExtensions_Profile_V3_SignedPANW, confirm that its MD5 checksum is 32de99bd1eb565ff9a0940a70b5823c0, and refer to the JAMF documentation on uploading a computer configuration profile.

  3. (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure System Extensions.

    Screenshot: jamf-profile-system-extensions.png

    1. Allow users to approve system extensions.

    2. Add an approved Team ID for Palo Alto Networks:

      • Display Name—Palo Alto Networks

      • System Extension Types—Allowed System Extensions

      • Team Identifier—PXPZ95SK77

    3. Add the following allowed system extension bundles and save each item:

      • com.paloaltonetworks.traps.securityextension

      • com.paloaltonetworks.traps.networkextension

    Alternatively, Palo Alto Networks provides a signed configuration profile for the Approved System Extensions. To use it, download the signed configuration file CortexXDR_SystemExtensions_Profile_V3_SignedPANW, confirm that its MD5 checksum is 53687a6aed90ba6ef26d4656424c0987, and refer to the JAMF documentation on uploading a computer configuration profile.

  4. (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure Content Filter.

    Configure the following Content Filter in your JAMF profile:

    • Filter name—Cortex XDR Network Filter

    • Identifier—com.paloaltonetworks.cortex.app

    • Filter Order—Firewall

    • Socket Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension

    • Socket Filter Designated Requirement—anchor apple generic and identifier "com.paloaltonetworks.traps.networkextension"

    • Network Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension

    • Network Filter Designated Requirement—anchor apple generic and identifier "com.paloaltonetworks.traps.networkextension"

    Screenshot: JamfContentFilter_FinalConfig.png

    Alternatively, Palo Alto Networks provides a signed configuration profile for the web content filter. To use it, download the signed configuration file CortexXDR_ContentFilter_Profile_V4_SignedPANW, confirm that its MD5 checksum is 0b7952f79598e789d8402095037b2f46, and refer to the JAMF documentation on uploading a computer configuration profile.

  5. (macOS 10.15.0 and later) Next, configure Privacy Preferences Policy Control as described in Steps 5, 6, and 7:

    Screenshot: jamf-profile-privacy-policy-control.png

    1. Use the following settings to define the entity:

      • Identifier—com.paloaltonetworks.traps-agent

      • Identifier Type—Bundle ID

      • Code Requirement—identifier "com.paloaltonetworks.traps-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77

    2. Add and Allow the following AppleEvents configuration for the Finder using the following definitions:

      • Receiver Identifier—com.apple.finder

      • Receiver Identifier Type—Bundle ID

      • Receiver Code Requirement—identifier "com.apple.finder" and anchor apple

      • Save the app or service item.

    3. Add and Allow the following AppleEvents configuration for SystemUIServer using the following definitions:

      • Receiver Identifier—com.apple.systemuiserver

      • Receiver Identifier Type—Bundle ID

      • Receiver Code Requirement—identifier "com.apple.systemuiserver" and anchor apple

      • Save the app or service item.

    4. Add and Allow the following AppleEvents configuration for System Events using the following definitions:

      • Receiver Identifier—com.apple.systemevents

      • Receiver Identifier Type—Bundle ID

      • Receiver Code Requirement—identifier "com.apple.systemevents" and anchor apple

      • Save the app or service item.

  6. (macOS 10.15.0 and later) Add a new App Access configuration for Cortex XDR security extensions.

    This configuration is required to enable the security extension to communicate with the OS.

    Screenshot: jamf-profile-system-extensions-app-access.png

    1. Use the following settings to define the entity:

      • Identifier—com.paloaltonetworks.traps.securityextension

      • Identifier Type—Bundle ID

      • Code Requirement—identifier "com.paloaltonetworks.traps.securityextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77

    2. In App or Service, set SystemPolicyAllFiles to Allow.

    3. Save the app or service item.

  7. (macOS 10.15.0 and later) Add a new App Access entity for the Cortex XDR Process Monitor Daemon (pmd).

    This configuration gives the daemon the file and disk access it needs to analyze processes, files, utilities, and more.

    Screenshot: jamf-profile-process-monitor-daemon.png

    1. Use the following settings to define the entity:

      • Identifier—/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd

      • Identifier Type—Path

      • Code Requirement—identifier pmd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77

    2. In App or Service, set SystemPolicyAllFiles to Allow.

    3. Save the app or service item.

    Alternatively, Palo Alto Networks provides a signed configuration profile for the Privacy Preferences Policy Control. To use it, download the signed configuration file CortexXDR_PPPC_Profile_V3_SignedPANW, confirm that its MD5 checksum is d0e181ebc8d5c5a0dbce2178fbcf8b21, and refer to the JAMF documentation on uploading a computer configuration profile.

  8. (macOS 10.15.0 and later) Configure Notifications.

    Configure the following Notifications payload in your JAMF profile:

    • Bundle ID—com.paloaltonetworks.traps-agent

    • Critical alerts—Enable and include.

    • Notifications—Enable and include.

    • Banner alert type—Temporary and include.

    • Notifications on Lock Screen—Display and include.

    • Notifications on Notification Center—Display and include.

    • Badge app icon—Display and include.

    • Play sound for notifications—Enable.

    Screenshot: jamf-configure-notifications-profile.png

    Alternatively, Palo Alto Networks provides a signed configuration profile for the notifications payload. To use it, download the signed configuration file CortexXDR_Notifications_Profile_V3_SignedPANW, confirm that its MD5 checksum is 9fb268c244dac035f0cea7b26ac79b1, and refer to the JAMF documentation on uploading a computer configuration profile.

  9. Save the configuration profile.

  10. After you set up your computer configuration profiles, create a new agent installation package in the Cortex XDR management console, upload the ZIP package you downloaded from Cortex XDR to your MDM without extracting it, and then add it to a distribution point.

    For instructions, see the following documentation resource from JAMF: Manually Adding a Package to a Distribution Point and Jamf Pro.

  11. Create a new policy and install the package.
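The profile that Steps 1 through 9 build by hand in the JAMF UI is, on the endpoint, one signed .mobileconfig plist with one payload per step. The following is an added example, not Palo Alto Networks' or Jamf's own code: it assembles that plist from the page's values (Team ID, bundle identifiers, pmd path, code requirements, content filter and notification settings) and runs a consistency check that a practitioner would want before uploading: every traps.* extension that the content filter or PPPC payload names must also be in the system-extension allow list, and every PANW code requirement must pin the Team ID, because a requirement on bundle ID alone would let any Developer ID binary that reuses the bundle ID inherit the grant. The payload types and key names (com.apple.system-extension-policy, com.apple.webcontent-filter, com.apple.TCC.configuration-profile-policy, com.apple.notificationsettings and their keys) are assumed to be the standard Apple MDM payload keys that Jamf writes for these settings; PROFILE_ID is a hypothetical identifier, and the functions panw_requirement, build_profile, check_profile and to_mobileconfig are this example's own.

```python
"""Assemble the profile of Steps 1-9 as one .mobileconfig and cross-check it before upload.
Added example, not Palo Alto Networks' or Jamf's code. Payload types and key names are
assumed to be the standard Apple MDM payload keys Jamf writes for these settings; the
Team ID, bundle IDs, path, code requirements and filter settings come from the page."""
import plistlib
import uuid
TEAM_ID = "PXPZ95SK77"
AGENT_BUNDLE = "com.paloaltonetworks.traps-agent"
SEC_EXT = "com.paloaltonetworks.traps.securityextension"
NET_EXT = "com.paloaltonetworks.traps.networkextension"
PMD_PATH = "/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd"
PROFILE_ID = "com.example.cortexxdr.unified"  # hypothetical profile identifier

def panw_requirement(identifier: str, quoted: bool = True) -> str:
    """Code requirement used on the page: Developer ID chain plus PANW Team ID in the leaf OU."""
    ident = f'"{identifier}"' if quoted else identifier
    return (f"identifier {ident} and anchor apple generic and "
            "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            f"certificate leaf[subject.OU] = {TEAM_ID}")

def payload(ptype: str, name: str, **content) -> dict:
    """Add the common Payload* keys that every MDM payload dictionary needs."""
    return {"PayloadType": ptype, "PayloadDisplayName": name, "PayloadVersion": 1,
            "PayloadIdentifier": f"{PROFILE_ID}.{ptype}", "PayloadUUID": str(uuid.uuid4()).upper(),
            **content}

def tcc_entry(identifier: str, id_type: str, requirement: str, **extra) -> dict:
    """One PPPC (TCC) grant; 'Allowed' is the classic key, macOS 11+ also accepts 'Authorization'."""
    return {"Identifier": identifier, "IdentifierType": id_type,
            "CodeRequirement": requirement, "Allowed": True, **extra}

def build_profile() -> dict:
    net_req = f'anchor apple generic and identifier "{NET_EXT}"'
    payloads = [
        # Step 2 (macOS 10.15.3 and earlier): approve kernel extensions by Team ID
        payload("com.apple.syspolicy.kernel-extension-policy", "Approved Kernel Extensions",
                AllowUserOverrides=True, AllowedTeamIdentifiers=[TEAM_ID]),
        # Step 3 (macOS 10.15.4 and later): the two allowed system extension bundles
        payload("com.apple.system-extension-policy", "System Extensions",
                AllowUserOverrides=True, AllowedTeamIdentifiers=[TEAM_ID],
                AllowedSystemExtensions={TEAM_ID: [SEC_EXT, NET_EXT]}),
        # Step 4: content filter; "Filter Order: Firewall" is FilterGrade "firewall"
        payload("com.apple.webcontent-filter", "Cortex XDR Network Filter",
                FilterType="Plugin", UserDefinedName="Cortex XDR Network Filter",
                PluginBundleID="com.paloaltonetworks.cortex.app", FilterGrade="firewall",
                FilterSockets=True, FilterDataProviderBundleIdentifier=NET_EXT,
                FilterDataProviderDesignatedRequirement=net_req,
                FilterPackets=True, FilterPacketProviderBundleIdentifier=NET_EXT,
                FilterPacketProviderDesignatedRequirement=net_req),
        # Steps 5-7: AppleEvents for the agent; Full Disk Access for the extension and pmd
        payload("com.apple.TCC.configuration-profile-policy", "Privacy Preferences Policy Control",
                Services={
                    "AppleEvents": [
                        tcc_entry(AGENT_BUNDLE, "bundleID", panw_requirement(AGENT_BUNDLE),
                                  AEReceiverIdentifier=r, AEReceiverIdentifierType="bundleID",
                                  AEReceiverCodeRequirement=f'identifier "{r}" and anchor apple')
                        for r in ("com.apple.finder", "com.apple.systemuiserver", "com.apple.systemevents")],
                    "SystemPolicyAllFiles": [
                        tcc_entry(SEC_EXT, "bundleID", panw_requirement(SEC_EXT)),
                        tcc_entry(PMD_PATH, "path", panw_requirement("pmd", quoted=False))]}),
        # Step 8: notifications; AlertType 1 is the temporary banner
        payload("com.apple.notificationsettings", "Notifications",
                NotificationSettings=[dict(BundleIdentifier=AGENT_BUNDLE, NotificationsEnabled=True,
                                           CriticalAlertEnabled=True, AlertType=1, ShowInLockScreen=True,
                                           ShowInNotificationCenter=True, BadgesEnabled=True,
                                           SoundsEnabled=True)]),
    ]
    return {"PayloadType": "Configuration", "PayloadScope": "System", "PayloadVersion": 1,
            "PayloadDisplayName": "Cortex XDR Agent Unified Configuration Profile",
            "PayloadIdentifier": PROFILE_ID, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadContent": payloads}

def check_profile(profile: dict) -> list:
    """Return a list of inconsistencies between the payloads (empty list means consistent)."""
    by_type = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    allowed = set(by_type["com.apple.system-extension-policy"]["AllowedSystemExtensions"].get(TEAM_ID, []))
    problems = []
    cf = by_type["com.apple.webcontent-filter"]
    for key in ("FilterDataProviderBundleIdentifier", "FilterPacketProviderBundleIdentifier"):
        if cf[key] not in allowed:
            problems.append(f"content filter: {cf[key]} is not an allowed system extension")
    for svc, entries in by_type["com.apple.TCC.configuration-profile-policy"]["Services"].items():
        for e in entries:
            ident = e["Identifier"]
            if ident.startswith("com.paloaltonetworks.traps.") and ident not in allowed:
                problems.append(f"{svc}: {ident} is not an allowed system extension")
            if f"leaf[subject.OU] = {TEAM_ID}" not in e["CodeRequirement"]:
                problems.append(f"{svc}: {ident} requirement does not pin Team ID {TEAM_ID}")
    return problems

def to_mobileconfig(profile: dict) -> bytes:
    """XML plist, ready for Jamf to sign and deploy."""
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(to_mobileconfig(build_profile()).decode())
```

Running the script prints the unsigned plist; uploading it to Jamf as a computer configuration profile is equivalent to clicking through Steps 1 through 9, and Jamf signs it on delivery. The same check_profile logic can be pointed at a profile exported from Jamf to confirm that an edited profile still allows both extension bundles before it is scoped to production endpoints.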