Install with a Unified Configuration Profile for MDMs

Cortex XDR Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 7.7
Creation date: 2022-08-31
Last date published: 2023-01-04
End_of_Life: EoL
Category: Administrator Guide

You install the Cortex XDR agent by deploying an installation package on the endpoint. When you install the Cortex XDR agent for macOS, the operating system requires the user to approve extensions and notifications and to grant full disk access permissions. For a seamless installation that does not require end user interaction, Palo Alto Networks provides a unified configuration profile that you can upload to any third-party deployment software of your choice. This unified configuration profile is compatible with all supported macOS versions and all supported Cortex XDR agent versions. If you prefer to use individual configuration profiles, refer to Install the Cortex XDR Agent Using JAMF.

Caution

  • This unified configuration profile is not supported on JAMF Pro 10.27 - 10.29. JAMF Pro introduced native support for the notifications payload in its UI in version 10.27; however, an issue in the Jamf parser prevents configuration profiles that include the notifications payload from importing successfully into JAMF. On these versions, you must create the configuration for the notifications payload manually in the JAMF UI. You can still use the Palo Alto Networks signed individual configuration profiles to import the other configurations.

  • Following the changes Apple introduced in macOS 11.3 for MDMs, when you remove an MDM configuration profile that includes permissions for system extensions (for Cortex XDR agents or GlobalProtect), the system extensions are instantly unloaded from all endpoints. As a result, the Cortex XDR protection status is disabled. For the suggested workaround, refer to the Cortex XDR 7.6 agent list of Known Issues.

The following payloads are included in the unified configuration profile:

  • Kernel Extensions

    Payload type: com.apple.syspolicy.kernel-extension-policy

    Required for: macOS 10.15.3 and earlier

  • System Extensions

    Payload type: com.apple.system-extension-policy

    Required for: macOS 10.15.4 and later for Cortex XDR agent 7.0 or later

  • Content Filter

    Payload type: com.apple.webcontent-filter

    Required for: macOS 10.15.4 and later for Cortex XDR agent 7.0 or later

  • Privacy Preferences Policy Control

    Payload type: com.apple.TCC.configuration-profile-policy

    Required for: macOS 10.15.0 and later

  • Notifications

    Payload type: com.apple.notificationsettings

    Required for: macOS 10.15.0 and later

Note

Due to certification changes, signed profiles must be renewed every year. The existing signed configuration profiles have expired, and we recommend that you replace them with the updated profiles attached here. While using an expired profile is not recommended, no functional impact is expected at this point.

It is very important that you first upload the new profiles before replacing the expired profiles. To ensure there are no disruptions to your endpoint profiles, make sure to:

  1. Upload the profiles by following the steps described below, and make sure you add the profiles to the same scope as the expired profiles (for example, the same groups and dynamic groups).

  2. Ensure all endpoints have both the expired profiles and new profiles.

  3. Only after all endpoints in your environment have the new profiles can you delete the expired profiles.

This flow details how to deploy the Cortex XDR agent on Mac endpoints using the Palo Alto Networks unified configuration profile file. You must perform the steps consecutively as described below and you must not change the order. If you change the order, you risk that the required configuration profiles will not be available at the time the agent requires them, which could cause the agent to display unexpected behavior.

  1. Create a new smart group in Jamf.

    In your Jamf smart group, set Display Name—Apple M1, and add two criteria with the following values:

    • First criterion: Criteria—Processor Type, Operator—is, Value—Apple M1

    • Second criterion: AND/OR—or, Criteria—Architecture Type, Operator—is, Value—arm64

    Note

    In other MDM solutions, smart groups might be called dynamic groups or a similar name. If the processor type criterion is not available in your MDM solution, use only the architecture type. This covers the M1 chip and future chips that use the arm64 architecture.

  2. Upload the signed unified configuration profile to your MDM tool.

    • For Apple Silicon (M1) endpoints—

      1. Download the signed configuration file CortexXDR_UnifiedConfigProfile_ARM64_V4_SignedPANW.mobileconfig (MD5=d6a4f5b8671c434c520399e437e28222). If you prefer or are required to sign the configuration file using your own signing certificate, download the unsigned configuration file CortexXDR_UnifiedConfigProfile_ARM64_V4_Unsigned (MD5=d4f09f21d5b8fc893f77934fbcaa301c) and sign it.

      2. Upload the file to your MDM.

      3. In the Scope tab, add to the targets list the Apple M1 smart group you created in the previous step.

      4. Save the configuration profile.

    • For all other non-M1 endpoints—

      1. Download the signed configuration file CortexXDR_UnifiedConfigProfile_Intel_V4_SignedPANW (MD5=c84cb1ccaee14c108231395a2bda3e25). If you prefer or are required to sign the configuration file using your own signing certificate, download the unsigned configuration file CortexXDR_UnifiedConfigProfile_Intel_V4_Unsigned (MD5=1fb2f9c580f15456eb58b13d1965aef2) and sign it.

      2. Upload the file to your MDM.

      3. In the Scope tab, add to the exclusions list the Apple M1 smart group you created in the previous step. Then, proceed to specify your target group - either all computers or a smart group you have predefined.

      4. Then, still under the Scope tab, proceed to add your Target group - either all computers or a smart group you have predefined.

      5. Save the configuration profile.

    Note

    Palo Alto Networks recommends you upload only a signed configuration profile file to your MDM, and avoid uploading the unsigned file directly to your MDM.

  3. Upload the Cortex XDR agent installation package to your MDM tool.

    1. Create a new agent installation package in the Cortex XDR management console.

    2. Upload the ZIP package you downloaded from Cortex XDR to your MDM. Do not extract it.

    3. Proceed to distribute the Cortex XDR agent package across your endpoints.
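A pre-upload check for the profile download step and the payload list above, as an added example that is not part of the Palo Alto Networks guide: it compares a downloaded profile's MD5 with the value published next to the download and reports which of the five listed payload types are missing. The function names and the sample profile are constructed for illustration, and the check assumes the XML plist sits contiguously inside a signed file; it does not validate the signature.

```python
import hashlib
import plistlib

# Payload types the guide lists for the unified configuration profile.
EXPECTED_PAYLOADS = {
    "com.apple.syspolicy.kernel-extension-policy",
    "com.apple.system-extension-policy",
    "com.apple.webcontent-filter",
    "com.apple.TCC.configuration-profile-policy",
    "com.apple.notificationsettings",
}

def md5_matches(data: bytes, published_md5: str) -> bool:
    """Compare the file's MD5 with the value published beside the download."""
    return hashlib.md5(data).hexdigest() == published_md5.strip().lower()

def extract_plist(data: bytes) -> dict:
    """Parse the profile plist. A signed profile wraps the XML in a CMS
    envelope, so locate the XML span first (assumes it is contiguous;
    on macOS, `security cms -D -i <file>` decodes the envelope itself)."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(data[start:end + len(b"</plist>")])

def missing_payloads(data: bytes) -> set:
    """Return the expected payload types that the profile does not carry."""
    content = extract_plist(data).get("PayloadContent", [])
    return EXPECTED_PAYLOADS - {p.get("PayloadType") for p in content}

def build_sample(payload_types, wrapper: bytes = b"") -> bytes:
    """Constructed stand-in for a profile, not a real vendor file.
    `wrapper` imitates the binary envelope around a signed profile."""
    body = plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{"PayloadType": t} for t in payload_types],
    })
    return wrapper + body + wrapper

if __name__ == "__main__":
    sample = build_sample(sorted(EXPECTED_PAYLOADS), wrapper=b"\x30\x82\x00\x00")
    # The constructed sample is not the published file, so the hash check fails.
    print("MD5 matches published value:",
          md5_matches(sample, "d6a4f5b8671c434c520399e437e28222"))
    print("Missing payload types:", missing_payloads(sample) or "none")
```

For a real download, read the file with `open(path, "rb").read()` and pass the bytes to both checks before uploading it to the MDM.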