Approve Cortex XDR Agent Extensions Using JAMF

To install the Cortex XDR agent on macOS endpoints, you must approve extensions when you set up a JAMF profile.
You can install the Cortex XDR agent for Mac manually on the endpoint or deploy the agent to multiple endpoints using a third-party software deployment tool such as JAMF.
As part of your JAMF deployment you must approve extensions depending on your macOS version:
  • macOS 10.15.3 and earlier versions—You must enable kernel extensions in your JAMF profile.
  • macOS 10.15.4 and later versions—You must enable Cortex XDR agent system (security and network) extensions in your JAMF profile.
To set up a JAMF profile, use the following workflow:
  1. Create a new computer configuration profile for the extensions in JAMF.
    For additional information, refer to the JAMF documentation on configuring configuration profiles.
  2. (macOS 10.15.3 and earlier) Configure Approved Kernel Extensions.
    1. Allow users to approve kernel extensions.
    2. Add an approved Team ID for Palo Alto Networks:
      • Display Name—Palo Alto Networks
      • Team ID—PXPZ95SK77
    3. Save the configuration.
  3. (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure System Extensions.
    1. Allow users to approve system extensions.
    2. Add an approved Team ID for Palo Alto Networks:
      • Display Name—Palo Alto Networks
      • System Extension Types—Allowed System Extensions
      • Team Identifier—PXPZ95SK77
      • Allowed system extension bundles—com.paloaltonetworks.traps.securityextension and com.paloaltonetworks.traps.networkextension
    3. Save the configuration.
  4. (Cortex XDR agents 7.2.1 and later on macOS 10.15.4 and later) Configure Network Extensions.
    After you successfully install a Cortex XDR agent, the operating system prompts the end user to allow Cortex XDR to filter network content on the endpoint. To provide full protection on the endpoint, the end user must Allow the network extension manually.
    If the user does not allow the Cortex XDR network extension on the endpoint, the Cortex XDR agent does not monitor network traffic on the endpoint and cannot report network events back to Cortex XDR. Consequently, BIOC rules and BIOC-to-Behavioral Threat Protection (BTP) rules you have for network events will not work, and you will not be able to query network events in the Query Builder. The agent fully supports all other data collection and security capabilities on the endpoint.
    To allow the network extension during the Cortex XDR agent installation and suppress the pop-up on the endpoint, upload the network extension configuration profile file provided by Palo Alto Networks to your JAMF profile, using the following workflow:
    1. Download the signed configuration file CortexNetworkExtensionProfilePF_V2_SignedPANW.mobileconfig (MD5=d65d2aee7f8fed38e6d4246fe04c097d).
    2. In JAMF, navigate to Computers > Configuration Profiles.
    3. Upload the configuration file to JAMF. Click Upload, select the configuration file, and click Upload again.
    4. Save the uploaded file.
    5. Review and verify that the configuration profile file was uploaded successfully.
    6. After you install the agent on the endpoint, it is highly recommended to verify that the Cortex XDR Network Extension is listed.
      Successfully deployed Cortex XDR agent configuration profiles create a new network interface on the endpoint under System Preferences > Network. After the agent connects to Cortex XDR, check that the network interface appears in either Running or Not Running status, according to the agent installation profile in effect.
      Additionally, you can view the network extension profile under System Preferences > Profiles.
  5. (macOS 10.15.0 and later) Create a new computer configuration profile for Full Disk Access.
    For additional information, refer to the JAMF documentation on configuring configuration profiles.
  6. (macOS 10.15.0 and later) Next, configure Privacy Preferences Policy Control.
    1. Use the following settings to define the entity:
      • Identifier—com.paloaltonetworks.traps-agent
      • Identifier Type—Bundle ID
      • Code Requirement—identifier "com.paloaltonetworks.traps-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
    2. In App or Service, set SystemPolicyAllFiles to Allow.
    3. Add and Allow the following AppleEvents configuration for Finder using the following definitions:
      • Receiver Identifier—com.apple.finder
      • Receiver Identifier Type—Bundle ID
      • Receiver Code Requirement—identifier "com.apple.finder" and anchor apple
    4. Add and Allow the following AppleEvents configuration for System UI Server using the following definitions:
      • Receiver Identifier—com.apple.systemuiserver
      • Receiver Identifier Type—Bundle ID
      • Receiver Code Requirement—identifier "com.apple.systemuiserver" and anchor apple
    5. Add and Allow the following AppleEvents configuration for System Events using the following definitions:
      • Receiver Identifier—com.apple.systemevents
      • Receiver Identifier Type—Bundle ID
      • Receiver Code Requirement—identifier "com.apple.systemevents" and anchor apple
    6. Save the configuration.
  7. (macOS 10.15.0 and later) Add a new App Access configuration for Cortex XDR security extensions.
    This configuration is required to enable the security extension to communicate with the OS.
    1. Use the following settings to define the entity:
      • Identifier—com.paloaltonetworks.traps.securityextension
      • Identifier Type—Bundle ID
      • Code Requirement—identifier "com.paloaltonetworks.traps.securityextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
    2. In App or Service, set SystemPolicyAllFiles to Allow.
    3. Save the configuration.
  8. (macOS 10.15.0 and later) Add a new App Access entity for the Cortex XDR Process Monitor Daemon (pmd).
    This configuration allows the daemon access to analyze processes, files, disk access, utilities and more.
    1. Use the following settings to define the entity:
      • Identifier—/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
      • Identifier Type—Path
      • Code Requirement—identifier pmd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
    2. In App or Service, set SystemPolicyAllFiles to Allow.
    3. Save the configuration.
  9. After you set up your computer configuration profiles, you must create a new agent installation package in the Cortex XDR management console, upload the ZIP package in JAMF, and then add it to a distribution point.
    For instructions, see the following documentation resource from JAMF: Manually Adding a Package to a Distribution Point and Jamf Pro.
  10. Create a new policy and install the package.
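As an added example (not Palo Alto Networks' or JAMF's own code), the following Python script checks an exported, unsigned .mobileconfig for the settings configured in the steps above: the system-extension policy must allow team PXPZ95SK77 and both extension bundles, and the PPPC payload must grant Full Disk Access to the agent, the security extension and pmd with a code requirement pinned to that team. The payload keys are Apple's standard system-extension-policy and TCC profile keys; sample_profile() builds a constructed sample for the check, not a file shipped by the vendor.

```python
import plistlib
TEAM_ID = "PXPZ95SK77"
SYSEXT_BUNDLES = {"com.paloaltonetworks.traps.securityextension",
                  "com.paloaltonetworks.traps.networkextension"}
# Identifiers the profile steps grant Full Disk Access (SystemPolicyAllFiles).
FDA_IDENTIFIERS = {"com.paloaltonetworks.traps-agent",
                   "com.paloaltonetworks.traps.securityextension",
                   "/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd"}

def check_profile(mobileconfig: bytes) -> list:
    """Return findings for an unsigned .mobileconfig; an empty list means every required setting is present."""
    findings = []
    by_type = {p.get("PayloadType"): p for p in plistlib.loads(mobileconfig).get("PayloadContent", [])}
    sysext = by_type.get("com.apple.system-extension-policy")
    if sysext is None:
        findings.append("no system-extension policy payload")
    else:
        if TEAM_ID not in sysext.get("AllowedTeamIdentifiers", []):
            findings.append(f"team {TEAM_ID} not in AllowedTeamIdentifiers")
        allowed = set(sysext.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
        for bundle in sorted(SYSEXT_BUNDLES - allowed):
            findings.append(f"system extension {bundle} not allowed for {TEAM_ID}")
    pppc = by_type.get("com.apple.TCC.configuration-profile-policy")
    if pppc is None:
        findings.append("no PPPC payload")
    else:
        granted = set()
        for entry in pppc.get("Services", {}).get("SystemPolicyAllFiles", []):
            # Only count grants whose code requirement pins the Palo Alto Networks team ID.
            if entry.get("Allowed") and f"subject.OU] = {TEAM_ID}" in entry.get("CodeRequirement", ""):
                granted.add(entry["Identifier"])
        for ident in sorted(FDA_IDENTIFIERS - granted):
            findings.append(f"Full Disk Access not granted to {ident} with team {TEAM_ID} pinned")
    return findings

def sample_profile(drop_network_ext: bool = False) -> bytes:
    """Constructed sample mirroring the JAMF settings above; not a file shipped by Palo Alto Networks."""
    skip = {"com.paloaltonetworks.traps.networkextension"} if drop_network_ext else set()
    req = ("anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
           "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
           f"certificate leaf[subject.OU] = {TEAM_ID}")
    fda = [{"Identifier": i, "IdentifierType": "path" if i.startswith("/") else "bundleID",
            "CodeRequirement": req, "Allowed": True} for i in sorted(FDA_IDENTIFIERS)]
    profile = {"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy", "AllowUserOverrides": True,
         "AllowedTeamIdentifiers": [TEAM_ID], "AllowedSystemExtensions": {TEAM_ID: sorted(SYSEXT_BUNDLES - skip)},
         "AllowedSystemExtensionTypes": {TEAM_ID: ["EndpointSecurityExtension", "NetworkExtension"]}},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy", "Services": {"SystemPolicyAllFiles": fda}}]}
    return plistlib.dumps(profile)
```

Run check_profile() on the plist bytes of a JAMF-exported profile before scoping it to endpoints; a signed profile must be unwrapped from its CMS envelope first, which this check does not do.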