Manage the Cortex XDR Agent Deployment Notifications for Mac

An overview of user notifications for the Cortex XDR agent during installation, upgrade, and removal.
When you install, upgrade, or remove the Cortex XDR agent on your Mac endpoint, both the operating system and the Cortex XDR agent display notifications that the end user has to approve. The operating system notifications follow Apple's security changes starting with macOS 10.15.4, which include the deprecation of kernel extensions from third-party providers. As a result, Cortex XDR agent 7.1 and later releases no longer use the kernel extension. Instead, the agent deploys two System Extensions. In the 7.1 release, the Cortex XDR agent deploys the Endpoint Security extension to monitor system events, and starting with the 7.2.1 agent release, a new Network extension monitors network events. Together, these two System Extensions provide full coverage of the endpoint traffic and replace the deprecated kernel extension. To suppress the extension notifications during the Cortex XDR agent installation process, refer to Install the Cortex XDR Agent Using JAMF.
The following tables describe the extension and notification approval workflow the end user is required to perform on a Mac endpoint during agent installation, upgrade, and removal processes.

Installing a Cortex XDR Agent 7.2

The following table describes the extension approval workflow the end user is required to perform on the endpoint during agent installation, when performed manually or using an MDM.
Cortex XDR agent 7.2.0

  macOS 10.15.3 and earlier
  • Kernel extension: Requires user approval. Can be suppressed in your MDM profile.

  macOS 10.15.4 and later
  • Endpoint Security extension: Requires user approval. Can be suppressed in your MDM profile.
  • Network extension: Not supported for this release. The Cortex XDR agent does not monitor the network traffic on the endpoint and cannot report network events back to Cortex XDR. Consequently, the BIOC rules you have for network events will not work, and you will not be able to find network events in the Query Builder. The agent fully supports all other data collection and security capabilities on the endpoint.

Cortex XDR agent 7.2.1 and later

  macOS 10.15.3 and earlier
  • The same as installing a 7.2.0 agent.

  macOS 10.15.4 and later
  • Endpoint Security extension: Requires user approval. Can be suppressed in your MDM profile.
  • Network extension: Requires user approval. Can be suppressed in your MDM profile.
  • Network content filter: Requires user approval. Can be suppressed in your MDM profile. You can also suppress this operating system prompt by uploading a configuration file provided by Palo Alto Networks.

Upgrading to a Cortex XDR Agent 7.2

The following table describes the extension approval workflow the end user is required to perform on the endpoint during agent upgrade, when performed manually or using an MDM.
Cortex XDR agent 7.2.0

  macOS 10.15.3 and earlier
  • Kernel extension: If already allowed during the initial agent installation, there is nothing to allow during upgrade. Otherwise, allow once. Can be suppressed in your MDM profile.

  macOS 10.15.4 and later
  • Endpoint Security extension: If already allowed during the initial agent installation, there is nothing to allow during upgrade. Otherwise, allow once. Can be suppressed in your MDM profile.
  • Network extension: Not supported for this release. The Cortex XDR agent does not monitor the network traffic on the endpoint and cannot report network events back to Cortex XDR. Consequently, the BIOC rules you have for network events will not work, and you will not be able to find network events in the Query Builder. The agent fully supports all other data collection and security capabilities on the endpoint.

Cortex XDR agent 7.2.1

  macOS 10.15.3 and earlier
  • The same as upgrading a 7.2.0 agent.

  macOS 10.15.4 and later
  • Endpoint Security extension: If already allowed during the initial agent installation, there is nothing to allow during upgrade. Otherwise, allow once. Can be suppressed in your MDM profile.
  • Network extension: New extension in this release; requires user approval. Can be suppressed in your MDM profile.
  • Network content filter: New addition in this release; requires user approval. Can be suppressed in your MDM profile. You can also suppress this operating system prompt by uploading a configuration file provided by Palo Alto Networks.

Cortex XDR agent 7.2.2 and later

  macOS 10.15.3 and earlier
  • The same as upgrading a 7.2.0 agent.

  macOS 10.15.4 and later
  • Endpoint Security extension: If already allowed during the initial agent installation, there is nothing to allow during upgrade. Otherwise, allow once. Can be suppressed in your MDM profile.
  • Network extension: Requires user approval if you are upgrading from a Cortex XDR agent release prior to 7.2.1, where this extension did not exist. Can be suppressed in your MDM profile. Otherwise, if you are upgrading a 7.2.1 agent to 7.2.2 and approval was already provided for 7.2.1, there is nothing to allow during upgrade.
  • Network content filter: Requires user approval if you are upgrading from a Cortex XDR agent release prior to 7.2.1, where this addition did not exist. If you use an MDM to deploy the agents in your networks, you can suppress this operating system prompt by uploading a configuration file provided by Palo Alto Networks. Otherwise, if you are upgrading a 7.2.1 agent to 7.2.2 and approval was already provided for 7.2.1, there is nothing to allow during upgrade.
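After an installation or upgrade on macOS 10.15.4 and later, the useful check is whether each System Extension actually reached the approved state rather than sitting in a pending prompt. The following POSIX shell script is an added example, not part of the Cortex XDR documentation or Palo Alto Networks tooling: it parses the output of Apple's `systemextensionsctl list` and reports any extension that is missing or still waiting for user approval. It runs here against a constructed sample listing; the team ID and the bundle IDs in `XDR_EXTENSIONS` are placeholders, not the real Cortex XDR identifiers, so substitute the agent's actual extension bundle IDs. On a real endpoint, pass `"$(systemextensionsctl list)"` in place of the sample.

```shell
#!/bin/sh
# Added example: verify that the Cortex XDR System Extensions reached the
# "activated enabled" state after install/upgrade, by parsing the output of
# Apple's `systemextensionsctl list`. Not Palo Alto Networks code.

# PLACEHOLDER bundle IDs (hypothetical): replace with the agent's real
# Endpoint Security and Network extension bundle identifiers.
XDR_EXTENSIONS="com.example.xdr.endpointsecurity com.example.xdr.network"

# Constructed sample listing (team ID and bundle IDs are placeholders). The
# Endpoint Security extension was approved; the Network extension still waits
# for the user to click Allow in System Preferences.
SAMPLE_OUTPUT='2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * TEAMID0000 com.example.xdr.endpointsecurity (7.2.1/7.2.1.100) XDR Endpoint Security [activated enabled]
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
    TEAMID0000 com.example.xdr.network (7.2.1/7.2.1.100) XDR Network [activated waiting for user]'

# The same listing after the user approved the Network extension as well.
SAMPLE_APPROVED=$(printf '%s\n' "$SAMPLE_OUTPUT" \
    | sed 's/\[activated waiting for user\]/[activated enabled]/')

# ext_state LISTING BUNDLE_ID
# Prints the bracketed state of the extension (e.g. "activated enabled"),
# or "missing" when the extension does not appear in the listing at all.
ext_state() {
    state=$(printf '%s\n' "$1" | grep -F -- "$2" \
        | sed -n 's/.*\[\([^]]*\)\].*/\1/p' | head -n 1)
    if [ -z "$state" ]; then
        echo missing
    else
        echo "$state"
    fi
}

# ext_approved LISTING BUNDLE_ID
# Returns 0 only when the extension is fully activated and enabled.
ext_approved() {
    [ "$(ext_state "$1" "$2")" = "activated enabled" ]
}

# report_extensions LISTING
# Prints one line per expected extension and returns 1 if any is absent or
# still needs user approval, which is the condition to alert on after rollout.
report_extensions() {
    failed=0
    for ext in $XDR_EXTENSIONS; do
        st=$(ext_state "$1" "$ext")
        printf '%-40s %s\n' "$ext" "$st"
        ext_approved "$1" "$ext" || failed=1
    done
    return $failed
}

# Offline demo on the constructed sample. On a real endpoint use:
#   report_extensions "$(systemextensionsctl list)"
report_extensions "$SAMPLE_OUTPUT" || echo "One or more extensions still need user approval."
```

Run from an MDM post-install script or a scheduled check, a non-zero exit from `report_extensions` tells you which endpoints are still waiting on the user before the agent has full event coverage; on those machines, nothing is being monitored by the pending extension even though the agent itself is installed.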

Removing a Cortex XDR Agent 7.2

The following table describes the approval workflow the end user is required to perform on the endpoint during agent removal, when performed manually or using an MDM.
Cortex XDR agent 7.2.0 and later

  macOS 10.15.3 and earlier
  • User approval and password are required. Can be suppressed in your MDM profile.

  macOS 10.15.4 and later
  • User approval and password are required by Apple for each System Extension. In the current operating system release, you cannot suppress this prompt in your MDM profile, and the user has to approve twice.
