Install the Cortex® XDR™ Agent Using JAMF
Step-by-step instructions to configure a JAMF installation profile for the Cortex® XDR™ agent on macOS endpoints.
To deploy the Cortex XDR agent to multiple endpoints, you can set up a JAMF profile. As part of your JAMF deployment, you must grant full disk access and approve system extensions and notifications. Depending on your macOS version:
- macOS 10.15.3 and earlier versions—You must enable the Cortex XDR agent Kernel Extension in your JAMF profile.
- macOS 10.15.4 and later versions—You must enable Cortex XDR agent System Extensions (Endpoint Security and Network) in your JAMF profile.
For a seamless configuration using JAMF that does not require creating the configuration profile manually, refer to Install with a Unified Configuration Profile for MDMs.
- Following the changes Apple introduced in macOS 11.3 for MDMs, when you remove an MDM configuration profile that includes permissions for system extensions (for Cortex XDR agents or Global Protect), the system extensions will be instantly unloaded from all endpoints. As a result, the Cortex XDR protection status will be disabled. For the suggested workaround, refer to the Cortex XDR 7.4 agent list of known issues.
To set up a JAMF profile step-by-step, use the following workflow. You must perform the steps consecutively, in the order described below. If you change the order, the required configuration profiles might not be available at the time the agent requires them, which could cause the agent to display unexpected behavior.
Due to certification changes, signed profiles need to be renewed every year. The existing signed Configuration Profiles have expired and we recommend you replace them with the updated profiles attached here. While using an expired profile is not recommended, no functional impact is expected at this point.
It is very important that you first upload the new profiles before replacing the expired profiles. To ensure there are no disruptions to your endpoint profiles, make sure to:
- Upload the profiles following the steps described below, ensuring you add the profiles to the same scope as the expired profiles (for example, the same groups and dynamic groups).
- Ensure all endpoints have both the expired profiles and new profiles.
- Only after all endpoints in your environment have the new profiles can you delete the expired profiles.
- Create a new Computer Configuration Profile in JAMF. Under General Options, assign the following:
- Name—Cortex XDR Agent Unified Configuration Profile
- Level—Select Computer level.
For additional information, refer to the JAMF documentation on configuring configuration profiles.
- (macOS 10.15.3 and earlier) Configure Approved Kernel Extensions.
- Allow users to approve kernel extensions.
- Add an approved Team ID for Palo Alto Networks:
- Display Name—Palo Alto Networks
- Team ID—PXPZ95SK77
Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the Approved Kernel Extensions. To use it, download the signed configuration file CortexXDR_KernelExtensions_Profile_V2_SignedPANW (MD5=64646d86c13757e13526ecefb9510ea9) and refer to the JAMF documentation on uploading a computer configuration profile.
- (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure System Extensions.
- Allow users to approve system extensions.
- Add an approved Team ID for Palo Alto Networks:
- Display Name—Palo Alto Networks
- System Extension Types—Allowed System Extensions
- Team Identifier—PXPZ95SK77
- Allowed system extension bundles—com.paloaltonetworks.traps.securityextension and com.paloaltonetworks.traps.networkextension
- Add the following allowed system extensions and save each item.
Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the Approved System Extensions. To use it, download the signed configuration file CortexXDR_SystemExtensions_Profile_V2_SignedPANW (MD5=67ca2e824893d9d956f404777ca8bfa7) and refer to the JAMF documentation on uploading a computer configuration profile.
- (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure Content Filter. Configure the following Content Filter in your JAMF profile:
- Filter name—Cortex XDR Network Filter
- Identifier—com.paloaltonetworks.cortex.app
- Filter Order—Firewall
- Socket Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension
- Socket Filter Designated Requirement—anchor apple generic and identifier "com.paloaltonetworks.traps.networkextension"
- Network Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension
- Network Filter Designated Requirement—anchor apple generic and identifier "com.paloaltonetworks.traps.networkextension"
Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the web content filter. To use it, download the signed configuration file CortexXDR_ContentFilter_Profile_V3_SignedPANW (MD5=26de09d533be942da59eacc12cde168b) and refer to the JAMF documentation on uploading a computer configuration profile.
- (macOS 10.15.0 and later) Next, configure Privacy Preferences Policy Control as described in Steps 5, 6, and 7:
- Use the following settings to define the entity:
- Identifier—com.paloaltonetworks.traps-agent
- Identifier Type—Bundle ID
- Code Requirement—identifier "com.paloaltonetworks.traps-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
- Add and Allow the following AppleEvents configuration for Finder using the following definitions:
- Receiver Identifier—com.apple.finder
- Receiver Identifier Type—Bundle ID
- Receiver Code Requirement—identifier "com.apple.finder" and anchor apple
- Save the app or service item.
- Add and Allow the following AppleEvents configuration for system UI server using the following definitions:
- Receiver Identifier—com.apple.systemuiserver
- Receiver Identifier Type—Bundle ID
- Receiver Code Requirement—identifier "com.apple.systemuiserver" and anchor apple
- Save the app or service item.
- Add and Allow the following AppleEvents configuration for system events using the following definitions:
- Receiver Identifier—com.apple.systemevents
- Receiver Identifier Type—Bundle ID
- Receiver Code Requirement—identifier "com.apple.systemevents" and anchor apple
- Save the app or service item.
- (macOS 10.15.0 and later) Add a new App Access configuration for Cortex XDR security extensions. This configuration is required to enable the security extension to communicate with the OS.
- Use the following settings to define the following entity:
- Identifier—com.paloaltonetworks.traps.securityextension
- Identifier Type—Bundle ID
- Code Requirement—identifier "com.paloaltonetworks.traps.securityextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
- In App or Service, set SystemPolicyAllFiles to Allow.
- Save the app or service item.
- (macOS 10.15.0 and later) Add a new App Access entity for the Cortex XDR Process Monitor Daemon (pmd). This configuration allows the daemon access to analyze processes, files, disk access, utilities and more.
- Use the following settings to define the entity:
- Identifier—/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
- Identifier Type—Path
- Code Requirement—identifier pmd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
- In App or Service, set SystemPolicyAllFiles to Allow.
- Save the app or service item.
Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the Privacy Preferences Policy Control. To use it, download the signed configuration file CortexXDR_PPPC_Profile_V2_SignedPANW (MD5=373de6a86490509734ac36412629804f) and refer to the JAMF documentation on uploading a computer configuration profile.
- (macOS 10.15.0 and later) Configure Notifications. Configure the following Notifications payload in your JAMF profile:
- Bundle ID—com.paloaltonetworks.traps-agent
- Critical alerts—Enable and include.
- Notifications—Enable and include.
- Banner alert type—Temporary and include.
- Notifications on Lock Screen—Display and include.
- Notifications on Notification Center—Display and include.
- Badge app icon—Display and include.
- Play sound for notifications—Enable.
Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the notifications payload. To use it, download the signed configuration file CortexXDR_Notifications_Profile_V2_SignedPANW (MD5=ee326573f70c3728a25931b95a3f3074) and refer to the JAMF documentation on uploading a computer configuration profile.
- Save the configuration profile.
- After you set up your computer configuration profiles, you must create a new agent installation package in the Cortex XDR management console, upload the ZIP package you downloaded from Cortex XDR to your MDM (do not extract it), and then add it to a distribution point. For instructions, see the following documentation resource from JAMF: Manually Adding a Package to a Distribution Point and Jamf Pro.
- Create a new policy and install the package.
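The full disk access grants from the Privacy Preferences Policy Control steps above can be checked before a manually built profile is scoped to endpoints. The following Python is an added example, not Palo Alto Networks or JAMF code: it audits the SystemPolicyAllFiles entries of an unsigned (plain plist) profile against the identifiers and Team ID given on this page. The payload keys follow Apple's PPPC payload format; the function names are hypothetical and sample_profile() builds a constructed input.

```python
import plistlib

TEAM_ID = "PXPZ95SK77"  # Palo Alto Networks Team ID, from the page
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple PPPC payload type
EXT = "com.paloaltonetworks.traps.securityextension"
PMD = "/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd"
# The two entities the page grants SystemPolicyAllFiles (full disk access) to
EXPECTED_FDA = {EXT: "bundleID", PMD: "path"}
# Clause that ties a code requirement to the vendor's signing identity
PIN = f"certificate leaf[subject.OU] = {TEAM_ID}"


def audit_pppc(profile_bytes):
    """Return findings for the full disk access grants in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    findings, seen = [], set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            ident = entry.get("Identifier", "")
            seen.add(ident)
            if EXPECTED_FDA.get(ident) != entry.get("IdentifierType"):
                findings.append(f"unexpected full disk access grant: {ident!r}")
            # Simple substring check: without this clause the grant is not
            # tied to code signed under the Palo Alto Networks Team ID.
            if PIN not in entry.get("CodeRequirement", ""):
                findings.append(f"code requirement not pinned to {TEAM_ID}: {ident!r}")
    findings += [f"missing grant: {i!r}" for i in EXPECTED_FDA if i not in seen]
    return findings


def sample_profile(pin_pmd=True):
    """Constructed sample input: a profile holding the two grants from the page."""
    suffix = (" and anchor apple generic"
              " and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */"
              " and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */"
              " and " + PIN)
    weak = " and anchor apple generic"  # deliberately missing the Team ID clause
    grants = [
        {"Identifier": EXT, "IdentifierType": "bundleID", "Allowed": True,
         "CodeRequirement": f'identifier "{EXT}"' + suffix},
        {"Identifier": PMD, "IdentifierType": "path", "Allowed": True,
         "CodeRequirement": "identifier pmd" + (suffix if pin_pmd else weak)},
    ]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": {"SystemPolicyAllFiles": grants}}]})


if __name__ == "__main__":
    print(audit_pppc(sample_profile()))
    print(audit_pppc(sample_profile(pin_pmd=False)))
```

The signed profiles that Palo Alto Networks provides are wrapped in a signature envelope, so they must be unwrapped to the inner plist before plistlib can read them.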