Install the Cortex XDR Agent for Mac

Download the installation package you want to install from Cortex XDR.
Copy the installation package to the endpoint on which you want to install the Cortex XDR agent software.
Unzip the installation package.
(
Optional
) Configure a Cortex XDR agent specific proxy on the endpoint.
If you are deploying Cortex XDR in an environment where the agents communicate with Cortex XDR through a proxy, you must assign the proxy IP address and port number during the agent installation on the endpoint.
Locate the
Config.xml
file in the unzipped installation folder.
Edit the
<proxy_list>
<proxyserver>:<port>
</proxy_list>
tag.
To install an agent with a Cortex XDR specific proxy, enter your proxy IP address and port number. You can assign up to five different IP addresses per agent, and the proxy for communication is selected randomly with equal probability.
<proxy_list>10.196.20.244:8080,10.196.20.245:8080</proxy_list>
To install an agent communicating through the Palo Alto Networks Broker Service, you must enter the Broker VM IP address and port number 8888 only.
After the initial installation, you can change the proxy settings in Cortex XDR.
Install the Cortex XDR agent software.
Run the

Cortex xdr.pkg

installation file.



Click

Continue

to proceed with the installation.

If prompted to confirm the destination, click

Continue

.

Click

Install

to begin the installation.

Enter the

User Name

and

Password

of the administrator with access to install software on the endpoint, and then click

Install Software

.

(

macOS 10.13 and later versions

) Allow Cortex XDR to install system extensions:

Dismiss the

System Extension Blocked

warning.

Go to

System Preferences

Security & Privacy

General

and select

Allow

.


The Cortex XDR agent logs any installation errors to
/var/logs/installation.log
. If installation fails for any reason, you can view this log to better understand the cause of the installation failure.
After the installation completes, verify your connection.
To open the Cortex XDR agent console, click the agent icon in the menu bar, and select
Open Console
.
Click
Check In Now
to initiate a connection with your tenant of Cortex XDR. If successful, the
Last Check-In
field updates to display the recent check-in date and time.

If the Cortex XDR agent does not connect to Cortex XDR, verify your internet connection and perform a check-in on the endpoint. If the agent still does not connect, verify the installation package has not been removed from the Cortex XDR management console.
(
macOS 10.15 and later versions
) Grant full disk access.
Due to changes in the security settings of macOS 10.15, you must allow the Cortex XDR agent full disk access on your endpoint to enable full protection. If you do not authorize the agent full disk access on your endpoint, the agent provides only partial protection of files in the
/Applications
directory. The first time the agent detects an attempt to run an executable file located in another protected location on the endpoint as part of the anti-malware flow, macOS will deny the Cortex XDR agent access and prompts the user to grant full disk access.
You can grant the Cortex XDR agent full disk access manually or using a third-party tool such as JAMF.
To grant the Cortex XDR agent full disk access locally on the endpoint:
Go to
System Preferences
Security & Privacy
tab, and select
Full Disk Access
.
To make changes, click lock icon ( ) on the bottom left, enter your credentials, and
Unlock
.
Navigate to
Macintosh HD
Library
Application Support
PaloAltoNetworks
Traps
bin
.
Select
trapsd
,
authorized
, and
pmd
.

When you’re done, click to save your changes and stop editing.