Install the Cortex® XDR™ Agent Using JAMF

Step-by-step instructions to configure a JAMF installation profile for the Cortex® XDR™ agent on macOS endpoints.
To deploy the Cortex XDR agent to multiple endpoints, you can set up a JAMF profile. As part of your JAMF deployment you must grant full disk access and approve system extensions and notifications. Depending on your macOS version:
  • macOS 10.15.3 and earlier versions—You must enable the Cortex XDR agent Kernel Extension in your JAMF profile.
  • macOS 10.15.4 and later versions—You must enable Cortex XDR agent System Extensions (Endpoint Security and Network) in your JAMF profile.
For a seamless configuration using JAMF that does not require creating the configuration profile manually, refer to Install with a Unified Configuration Profile for MDMs.
  • Following the changes Apple introduced in macOS 11.3 for MDMs, when you remove an MDM configuration profile that includes permissions for system extensions (for Cortex XDR agents or Global Protect), the system extensions will be instantly unloaded from all endpoints. As a result, the Cortex XDR protection status will be disabled. For the suggested workaround, refer to the Cortex XDR 7.4 agent list of known issues.
To set up a JAMF profile step-by-step, use the following workflow. You must perform the steps consecutively as described below and you must not change the order. If you change the order, you risk that the required configuration profiles will not be available at the time the agent requires them, which could cause the agent to display unexpected behavior.
Due to changes of certification, signed profiles need to be renewed every year. The existing signed Configuration Profiles have expired and we recommend you replace them with the updated profiles attached here. While using an expired profile is not recommended, no functional impact is expected at this point.
It is very important that you first upload the new profiles before replacing the expired profiles. To ensure there are no disruptions to your endpoint profiles, make sure to:
  1. Upload the profiles following the steps described below ensuring you add the profiles to the same scope as the expired profiles. For example, same groups and dynamic groups.
  2. Ensure all endpoints have both the expired profiles and new profiles.
  3. Only after all endpoints in your environment have the new profiles can you delete the expired profiles.
  1. Create a new Computer Configuration Profile in JAMF.
    Under General Options, assign the following:
    • Name—Cortex XDR Agent Unified Configuration Profile
    • Level—Select Computer level.
    For additional information, refer to the JAMF documentation on configuring configuration profiles.
  2. (macOS 10.15.3 and earlier) Configure Approved Kernel Extensions.
    1. Allow users to approve kernel extensions.
    2. Add an approved Team ID for Palo Alto Networks:
      • Display Name—Palo Alto Networks
      • Team ID—PXPZ95SK77
    Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the Approved Kernel Extensions. To use it, download the signed configuration file CortexXDR_KernelExtensions_Profile_V2_SignedPANW (MD5=64646d86c13757e13526ecefb9510ea9) and refer to the JAMF documentation on uploading a computer configuration profile.
  3. (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure System Extensions.
    1. Allow users to approve system extensions.
    2. Add an approved Team ID for Palo Alto Networks:
      • Display Name—Palo Alto Networks
      • System Extension Types—Allowed System Extensions
      • Team Identifier—PXPZ95SK77
      • Allowed system extension bundles—com.paloaltonetworks.traps.securityextension and com.paloaltonetworks.traps.networkextension
    3. Add the following allowed system extensions and save each item.
    Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the Approved System Extensions. To use it, download the signed configuration file CortexXDR_SystemExtensions_Profile_V2_SignedPANW (MD5=67ca2e824893d9d956f404777ca8bfa7) and refer to the JAMF documentation on uploading a computer configuration profile.
  4. (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure Content Filter.
    Configure the following Content Filter in your JAMF profile:
    • Filter name—Cortex XDR Network Filter
    • Identifier—com.paloaltonetworks.cortex.app
    • Filter Order—Firewall
    • Socket Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension
    • Socket Filter Designated Requirement—anchor apple generic and identifier "com.paloaltonetworks.traps.networkextension"
    • Network Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension
    • Network Filter Designated Requirement—anchor apple generic and identifier "com.paloaltonetworks.traps.networkextension"
    Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the web content filter. To use it, download the signed configuration file CortexXDR_ContentFilter_Profile_V3_SignedPANW (MD5=26de09d533be942da59eacc12cde168b) and refer to the JAMF documentation on uploading a computer configuration profile.
  5. (macOS 10.15.0 and later) Next, configure Privacy Preferences Policy Control as described in Steps 5, 6, and 7:
    1. Use the following settings to define the entity:
      • Identifier—com.paloaltonetworks.traps-agent
      • Identifier Type—Bundle ID
      • Code Requirement—identifier "com.paloaltonetworks.traps-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
    2. Add and Allow the following AppleEvents configuration for finder using the following definitions:
      • Receiver Identifier—com.apple.finder
      • Receiver Identifier Type—Bundle ID
      • Receiver Code Requirement—identifier "com.apple.finder" and anchor apple
      • Save the app or service item.
    3. Add and Allow the following AppleEvents configuration for system UI server using the following definitions:
      • Receiver Identifier—com.apple.systemuiserver
      • Receiver Identifier Type—Bundle ID
      • Receiver Code Requirement—identifier "com.apple.systemuiserver" and anchor apple
      • Save the app or service item.
    4. Add and Allow the following AppleEvents configuration for system events using the following definitions:
      • Receiver Identifier—com.apple.systemevents
      • Receiver Identifier Type—Bundle ID
      • Receiver Code Requirement—identifier "com.apple.systemevents" and anchor apple
      • Save the app or service item.
  6. (macOS 10.15.0 and later) Add a new App Access configuration for Cortex XDR security extensions.
    This configuration is required to enable the security extension to communicate with the OS.
    1. Use the following settings to define the following entity:
      • Identifier—com.paloaltonetworks.traps.securityextension
      • Identifier Type—Bundle ID
      • Code Requirement—identifier "com.paloaltonetworks.traps.securityextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
    2. In App or Service, set SystemPolicyAllFiles to Allow.
    3. Save the app or service item.
  7. (macOS 10.15.0 and later) Add a new App Access entity for the Cortex XDR Process Monitor Daemon (pmd).
    This configuration allows the daemon access to analyze processes, files, disk access, utilities and more.
    1. Use the following settings to define the entity:
      • Identifier—/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
      • Identifier Type—Path
      • Code Requirement—identifier pmd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
    2. In App or Service, set SystemPolicyAllFiles to Allow.
    3. Save the app or service item.
    Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the Privacy Preferences Policy Control. To use it, download the signed configuration file CortexXDR_PPPC_Profile_V2_SignedPANW (MD5=373de6a86490509734ac36412629804f) and refer to the JAMF documentation on uploading a computer configuration profile.
  8. (macOS 10.15.0 and later) Configure Notifications.
    Configure the following Notifications payload in your JAMF profile:
    • Bundle ID—com.paloaltonetworks.traps-agent
    • Critical alerts—Enable and include.
    • Notifications—Enable and include.
    • Banner alert type—Temporary and include.
    • Notifications on Lock Screen—Display and include.
    • Notifications on Notification Center—Display and include.
    • Badge app icon—Display and include.
    • Play sound for notifications—Enable.
    Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the notifications payload. To use it, download the signed configuration file CortexXDR_Notifications_Profile_V2_SignedPANW (MD5=ee326573f70c3728a25931b95a3f3074) and refer to the JAMF documentation on uploading a computer configuration profile.
  9. Save the configuration profile.
  10. After you set up your computer configuration profiles, you must create a new agent installation package in the Cortex XDR management console, upload the ZIP package you downloaded from Cortex XDR to your MDM (do not extract it), and then add it to a distribution point.
    For instructions, see the following documentation resource from JAMF: Manually Adding a Package to a Distribution Point and Jamf Pro.
  11. Create a new policy and install the package.
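
Before scoping a manually built profile to endpoints, it helps to confirm that it actually carries the Team ID, extension bundles, content filter binding and full disk access grants from Steps 3, 4, 6 and 7. The following is an added example, not code from Palo Alto Networks or JAMF. It assumes the profile is available as an unsigned plist export and that JAMF writes these settings to Apple's standard payload keys; the function names and the sample profile are constructed for illustration.

```python
import plistlib

# Values below are the ones this page lists for the JAMF payloads.
TEAM_ID = "PXPZ95SK77"
SECEXT = "com.paloaltonetworks.traps.securityextension"
NETEXT = "com.paloaltonetworks.traps.networkextension"
PMD = "/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd"

def audit_profile(data: bytes) -> list:
    """Return findings for an unsigned profile; an empty list means it matches."""
    by_type = {}
    for p in plistlib.loads(data).get("PayloadContent", []):
        by_type.setdefault(p.get("PayloadType"), []).append(p)
    findings = []
    # Step 3: both extension bundles allowed under the vendor Team ID.
    allowed = set()
    for p in by_type.get("com.apple.system-extension-policy", []):
        allowed |= set(p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
    for ext in sorted({SECEXT, NETEXT} - allowed):
        findings.append(f"system extension not allowed: {ext}")
    # Step 4: socket and network filter providers bound to the network extension.
    keys = ("FilterDataProviderBundleIdentifier", "FilterPacketProviderBundleIdentifier")
    filters = by_type.get("com.apple.webcontent-filter", [])
    if not any(all(f.get(k) == NETEXT for k in keys) for f in filters):
        findings.append("content filter not bound to the network extension")
    # Steps 6-7: SystemPolicyAllFiles allowed, with a requirement pinning the Team ID.
    granted = set()
    for p in by_type.get("com.apple.TCC.configuration-profile-policy", []):
        for e in p.get("Services", {}).get("SystemPolicyAllFiles", []):
            ok = e.get("Allowed") is True or e.get("Authorization") == "Allow"
            if ok and TEAM_ID in e.get("CodeRequirement", ""):
                granted.add(e.get("Identifier"))
    for ident in sorted({SECEXT, PMD} - granted):
        findings.append(f"no full disk access grant: {ident}")
    return findings

def sample_profile(with_pmd: bool = True) -> bytes:
    """Constructed test profile, not one of the vendor's signed files."""
    req = f"anchor apple generic and certificate leaf[subject.OU] = {TEAM_ID}"
    ids = [SECEXT, PMD] if with_pmd else [SECEXT]
    tcc = [{"Identifier": i, "CodeRequirement": req, "Allowed": True} for i in ids]
    return plistlib.dumps({"PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {TEAM_ID: [SECEXT, NETEXT]}},
        {"PayloadType": "com.apple.webcontent-filter",
         "FilterDataProviderBundleIdentifier": NETEXT,
         "FilterPacketProviderBundleIdentifier": NETEXT},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {"SystemPolicyAllFiles": tcc}}]})

if __name__ == "__main__":
    print(audit_profile(sample_profile(with_pmd=False)))
```

The audit reads unsigned plists only; a signed profile has to be decoded to its plist content before it can be checked this way.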
