Install the Cortex® XDR™ Agent Manually

Learn how to install the Cortex® XDR™ agent manually on macOS endpoints.
To install the Cortex XDR agent manually on a macOS endpoint:
  1. Download the installation package you want to install from Cortex XDR.
  2. Copy the installation package to the endpoint on which you want to install the Cortex XDR agent software.
  3. Unzip the installation package.
  4. (Optional) Configure a Cortex XDR agent-specific proxy on the endpoint.
    If you are deploying Cortex XDR in an environment where the agents communicate with Cortex XDR through a proxy, you must assign the proxy IP address and port number during the agent installation on the endpoint.
    The Cortex XDR agent does not support proxy communication in environments where proxy authentication is required.
    1. Locate the Config.xml file in the unzipped installation folder.
    2. Edit the <proxy_list><proxyserver>:<port></proxy_list> tag.
      • To enforce a proxy specific to the Cortex XDR agent, enter your proxy IP address and port number. You can also configure the proxy by entering the FQDN and port number. When you enter the FQDN, you can use both lowercase and uppercase letters. Avoid using special characters or spaces. You can assign up to five different IP addresses per agent, and the proxy used for communication is selected randomly with equal probability. For example:
        <proxy_list>My.Network.Name:808,10.196.20.244:8080</proxy_list>
      • To install an agent that communicates through the Palo Alto Networks Broker Service, enter only the broker VM IP address and port number 8888.
    3. If needed, you can later change the proxy settings from the Cortex XDR management console.
  5. (Optional) Disable Live Terminal, script execution, and file retrieval on the endpoint.
    You can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. Disabling any of these payloads in the Config.xml file is an irreversible action, so if you later want to enable the action on the endpoint, you must uninstall your Cortex XDR agent and install a new agent with the corresponding values in the Config.xml file.
    1. Locate the Config.xml file in the unzipped installation folder.
    2. Enter the value 1 for this tag, as follows: <restrict_invasive_response_actions>1</restrict_invasive_response_actions>
      • To disable a specific action, update only the value of the relevant tag:
        <restrict_live_terminal>1</restrict_live_terminal>
        <restrict_script_execution>1</restrict_script_execution>
        <restrict_file_retrieval>1</restrict_file_retrieval>
  6. Install the Cortex XDR agent software.
    1. Run the Cortex xdr.pkg installation file.
    2. Click Continue to proceed with the installation.
    3. If prompted to confirm the destination, click Continue.
    4. Click Install to begin the installation.
    5. Enter the User Name and Password of the administrator with access to install software on the endpoint, and then click Install Software.
    6. Wait for the Cortex XDR agent installation to complete.
      The Cortex XDR agent logs any installation errors to /var/log/install.log. If installation fails for any reason, you can view this log to better understand the cause of the failure.
  7. (macOS 10.15 and later versions) Approve Cortex XDR System Extensions.
    1. When you are installing the Cortex XDR agent 7.2.1 or a later release on an endpoint running macOS 10.15.4 or later, a System Extension Blocked warning displays twice: first for the Security Extension and then for the Network Extension. Both warnings show the same System Extension Blocked text. Select Open Security Preferences.
    2. Go to System Preferences > Security & Privacy > General, and click Details.
    3. Select both Cortex XDR System Extensions and click OK to allow them. Ignore the message stating that The system needs to be restarted before it can be used, since a restart is not required.
      (macOS 10.15 only) In this macOS release, instead of the actual application name Cortex XDR, you will see Placeholder Developer.
    4. (macOS 10.15.4 and later and Cortex XDR agent 7.2.1 and later) Approve the Cortex XDR Web Content Filter. Click Allow to enable the Cortex XDR agent to monitor network events.
      If you dismiss this notification, the Cortex XDR agent does not monitor network traffic on the endpoint and cannot report network events back to Cortex XDR. Consequently, BIOC and BIOC to Behavioral Threat Protection (BTP) rules you have for network events will not work, and you will not be able to query network events in the Query Builder. For Cortex XDR agent 7.3 and later, network isolation will also not work.
  8. (macOS 10.15 and later versions) Grant full disk access.
    Due to changes in the security settings of macOS 10.15, you must allow the Cortex XDR agent full disk access on your endpoint to enable full protection. If you do not authorize full disk access for the agent, it provides only partial protection of files in the /Applications directory. The first time the agent detects an attempt to run an executable file located in another protected location on the endpoint as part of the anti-malware flow, macOS denies the Cortex XDR agent access and prompts the user to grant full disk access.
    To grant the Cortex XDR agent full disk access locally on the endpoint:
    1. Go to System Preferences > Security & Privacy, and select Full Disk Access.
    2. To make changes, click the lock icon at the bottom left, enter your credentials, and click Unlock.
    3. Navigate to Macintosh HD > Library > Application Support > PaloAltoNetworks > Traps > bin.
    4. Select pmd and drag it to the list.
    5. Navigate to Macintosh HD > Applications > Cortex XDR.app (Show Package Contents) > Contents > Library > SystemExtensions.
    6. Select com.paloaltonetworks.traps.securityextension.systemextension and drag it to the list.
    7. When you’re done, click the lock icon again to save your changes and stop editing.
  9. (macOS 10.15 and later versions) Approve Cortex XDR agent notifications.
    1. After you install the Cortex XDR agent on the endpoint, the operating system displays a system notification requesting permission to show Cortex XDR agent notifications.
    2. Click Options, and then click Allow.
    3. If the system notification is no longer visible, you can approve permissions in System Preferences > Notifications. Select Cortex XDR agent and click Allow Notifications.
  10. Verify the Cortex XDR agent connection and protection status.
    1. To open the Cortex XDR agent console, click the agent icon in the menu bar, and select Open Console.
    2. Click Check In Now to initiate a connection with your Cortex XDR tenant. If successful, the Protection Status field updates to display Enabled, the Connection field updates to display your Cortex XDR tenant, and the Last Check In field updates to display the last check-in date and time.
      If the Cortex XDR agent does not connect to Cortex XDR, verify your internet connection and check the Cortex® XDR™ Agent for Mac Requirements. If the agent still does not connect, contact Palo Alto Networks support.
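Steps 4 and 5 of the procedure edit Config.xml by hand before the package is run. The Python script below is an added example, not part of the Palo Alto Networks documentation or the Cortex XDR product, that applies the same edits programmatically and checks each proxy entry against the rules stated in step 4 (host:port, an IP address or an FQDN without special characters or spaces, at most five entries, port 8888 for a Broker Service VM). The only names taken from the page are the element names proxy_list, restrict_invasive_response_actions, restrict_live_terminal, restrict_script_execution and restrict_file_retrieval; the <config> root, the sample file contents and all helper names are constructed for this example because the page does not show the surrounding structure of the real Config.xml, so the script looks the tags up by name anywhere in the document. Because step 5 says that disabling an action is irreversible after installation, the script only ever writes the value 1 to the restrict tags and never flips one back to 0.

```python
"""Apply the Config.xml edits from steps 4 and 5 programmatically (added example).

The element names proxy_list, restrict_invasive_response_actions,
restrict_live_terminal, restrict_script_execution and restrict_file_retrieval
come from the procedure above. Everything else (the <config> root, the sample
file and the helper names) is constructed for this example.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAX_PROXIES = 5      # "up to five different IP addresses per agent"
BROKER_PORT = 8888   # port the procedure requires for a Broker Service VM
RESTRICT_TAGS = (
    "restrict_live_terminal",
    "restrict_script_execution",
    "restrict_file_retrieval",
)
# DNS labels of letters, digits and inner hyphens only: no spaces or special characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed sample standing in for the unzipped package's Config.xml.
SAMPLE_CONFIG = """<config>
  <proxy_list></proxy_list>
  <restrict_invasive_response_actions>0</restrict_invasive_response_actions>
  <restrict_live_terminal>0</restrict_live_terminal>
  <restrict_script_execution>0</restrict_script_execution>
  <restrict_file_retrieval>0</restrict_file_retrieval>
</config>
"""


def validate_proxy_entry(entry):
    """Return (host, port) for a 'host:port' string, rejecting what the procedure disallows."""
    if entry != entry.strip() or " " in entry:
        raise ValueError(f"spaces are not allowed in a proxy entry: {entry!r}")
    host, sep, port_text = entry.rpartition(":")
    if not sep or not host:
        raise ValueError(f"expected host:port, got {entry!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port in {entry!r}")
    if re.fullmatch(r"[0-9.]+", host):
        # Looks like a dotted quad, so it has to be a real IPv4 address.
        try:
            ipaddress.IPv4Address(host)
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"invalid IPv4 address in {entry!r}") from exc
    elif not FQDN_RE.match(host):
        raise ValueError(f"FQDN contains special characters: {host!r}")
    return host, int(port_text)


def build_proxy_list(entries):
    """Validate 1..5 entries and join them in the comma-separated form <proxy_list> uses."""
    if not 1 <= len(entries) <= MAX_PROXIES:
        raise ValueError(f"between 1 and {MAX_PROXIES} proxies allowed, got {len(entries)}")
    return ",".join(f"{h}:{p}" for h, p in map(validate_proxy_entry, entries))


def broker_proxy_list(broker_ip):
    """Proxy list for an agent that reaches Cortex XDR through a Broker Service VM."""
    ipaddress.IPv4Address(broker_ip)  # raises ValueError if it is not a plain IPv4 address
    return f"{broker_ip}:{BROKER_PORT}"


def _set_text(root, tag, value):
    # Assumption: the tag may sit anywhere in the file; if absent it is created under the root.
    node = root.find(f".//{tag}")
    if node is None:
        node = ET.SubElement(root, tag)
    node.text = value


def configure(xml_text, proxies=None, restrict_all=False, restrict=()):
    """Return new Config.xml text with the proxy list and/or restrict tags applied."""
    root = ET.fromstring(xml_text)
    if proxies:
        _set_text(root, "proxy_list", build_proxy_list(proxies))
    # Restrictions only ever go to 1: the procedure says disabling is irreversible
    # once installed, so the script never silently flips a value back to 0.
    if restrict_all:
        _set_text(root, "restrict_invasive_response_actions", "1")
    for tag in restrict:
        if tag not in RESTRICT_TAGS:
            raise ValueError(f"unknown restriction tag {tag!r}")
        _set_text(root, tag, "1")
    return ET.tostring(root, encoding="unicode")


def read_setting(xml_text, tag):
    """Text of the first element named `tag`, or None if it is not present."""
    node = ET.fromstring(xml_text).find(f".//{tag}")
    return None if node is None else (node.text or "")


if __name__ == "__main__":
    # Proxy entries taken from the example in step 4, plus Live Terminal disabled.
    updated = configure(SAMPLE_CONFIG,
                        proxies=["My.Network.Name:808", "10.196.20.244:8080"],
                        restrict=["restrict_live_terminal"])
    print(updated)
```

To use it against a real package, read the unzipped Config.xml into `xml_text`, call `configure` with the values for your environment, and write the result back before running the .pkg; if the real file nests these tags inside other elements, the `.//tag` lookup still finds them, but check the rewritten file by eye once before rolling it out.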
