Install the Cortex XDR Agent for Mac Using JAMF
You can Install the Cortex XDR Agent for Mac manually on
the endpoint or deploy the agent to multiple endpoints using a third-party
software deployment tool such as JAMF. Use the following steps to
set up a JAMF profile.
- Create a new JAMF configuration profile for your computers.
- ConfigureApproved Kernel Extensions.
- Allow users to approve kernel extensions.
- Add an approved Team ID for Palo Alto Networks:
- Display Name—Palo Alto Networks
- Team ID—PXPZ95SK77
- Savethe configuration.
- ConfigureSystem Extensions.
- Allow users to approve system extensions.
- Define the entity as follows:
- Display Name—Palo Alto Networks
- System Extension Types—Allowed System Extensions
- Team Identifier—PXPZ95SK77
- Allowed system extension bundles—com.paloaltonetworks.traps.securityextensionandcom.paloaltonetworks.traps.networkextension
- Savethe configuration.
- Next, configurePrivacy Preferences Policy Control.
- Use the following settings to define the entity:
- Receiver Identifier—com.paloaltonetworks.traps-agent
- Receiver Identifier Type—Bundle ID
- Code Requirement—identifier "com.paloaltonetworks.traps-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
- InApp or Service, setSystemPolicyAllFilestoAllow.
- Add andAllowthe followingAppleEventsconfiguration for finder using the following definitions:
- Receiver Identifier—com.apple.finder
- Receiver Identifier Type—Bundle ID
- Receiver Code Requirement—identifier "com.apple.finder" and anchor apple
- Add andAllowthe followingAppleEventsconfiguration for system UI server using the following definitions:
- Receiver Identifier—com.apple.systemuiserver
- Receiver Identifier Type—Bundle ID
- Receiver Code Requirement—identifier "com.apple.systemuiserver" and anchor apple
- Add andAllowthe followingAppleEventsconfiguration for system events using the following definitions:
- Receiver Identifier—com.apple.systemevents
- Receiver Identifier Type—Bundle ID
- Receiver Code Requirement—identifier "com.apple.systemevents" and anchor apple
- Savethe configuration.
- Add a newApp Accessconfiguration for Cortex XDR security extensions.This configuration is required to enable the security extension to communicate with the OS.
- Define the following entity:
- Identifier—com.paloaltonetworks.traps.securityextension
- Identifier Type—Bundle ID
- Code Requirement—identifier "com.paloaltonetworks.traps.securityextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
- InApp or Service, setSystemPolicyAllFilestoAllow.
- Savethe configuration.
- Add a newApp Accessentity for the Cortex XDR Process Monitor Daemon (pmd).This configuration allows the daemon access to analyze processes, files, disk access, utilities and more.
- Use the following settings to define the entity:
- Identifier—/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
- Identifier Type—Path
- Code Requirement—identifier pmd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
- InApp or Service, setSystemPolicyAllFilestoAllow.
- Savethe configuration.
