Manage the Agent Deployment Notifications for Mac

Cortex XDR Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 7.7
Creation date: 2022-08-31
Last date published: 2023-01-04
End of Life: EoL
Category: Administrator Guide

When you install, upgrade, or remove the Cortex XDR agent on your Mac endpoint, both the operating system and the Cortex XDR agent display specific notifications that the end user has to approve. The operating system notifications are in line with Apple’s security improvements starting with macOS 10.15.4, which include the deprecation of kernel extensions by third-party providers. As a result, the Cortex XDR agent 7.1 and later releases no longer use the kernel extension. Instead, the agent is designed to deploy two System Extensions.

In the 7.1 release, the Cortex XDR agent deploys the Endpoint Security extension to monitor system events, and starting in the 7.2.1 agent release, a new Network extension was added to monitor network events. Together, these two System Extensions provide full coverage of the endpoint traffic and replace the deprecated kernel extension. To suppress the extension notifications during the Cortex XDR agent installation process, refer to Install the Cortex XDR Agent Using JAMF. For a one-click installation using an MDM of your choice, refer to Install with a Unified Configuration Profile for MDMs.

The following tables describe the extension and notification approval workflow the end user is required to perform on a Mac endpoint during agent installation, upgrade, and removal processes.

Installing a Cortex XDR Agent 7.7

The following table describes the extension approval workflow the end user is required to perform on the endpoint during agent installation, when performed manually or using an MDM.

Install a Cortex XDR agent 7.6

macOS 10.15.3 and earlier

  • Kernel extension—Requires user approval. Can be suppressed in your MDM profile.

macOS 10.15.4 and later

  • Endpoint Security extension—Requires user approval. Can be suppressed in your MDM profile.

  • Network extension—Requires user approval. Can be suppressed in your MDM profile.

  • Network content filter—Requires user approval. Can be suppressed in your MDM profile. You can also suppress this operating system prompt by uploading a configuration file provided by Palo Alto Networks.

Upgrading to a Cortex XDR Agent 7.7

The following table describes the extension approval workflow the end user is required to perform on the endpoint during agent upgrade, when performed manually or using an MDM.

Upgrade to a Cortex XDR agent 7.6

macOS 10.15.3 and earlier

  • Kernel extension—If already allowed during initial agent installation, nothing to allow during upgrade. Otherwise, allow once. Can be suppressed in your MDM profile.

macOS 10.15.4 and later

  • Endpoint Security extension—If already allowed during initial agent installation, nothing to allow during upgrade. Otherwise, allow once. Can be suppressed in your MDM profile.

  • Network extension—If you are upgrading from a Cortex XDR agent release prior to 7.2.1, where this extension did not exist, requires user approval. Can be suppressed in your MDM profile. Otherwise, if you are upgrading from a 7.2.1 agent or later and approval was already provided, nothing to allow during upgrade.

  • Network content filter—If you are upgrading from a Cortex XDR agent release prior to 7.2.1, where this addition did not exist, requires user approval. If you are using an MDM to deploy the agents in your networks, you can suppress this operating system prompt by uploading a configuration file provided by Palo Alto Networks. Otherwise, if you are upgrading from a 7.2.1 agent or later and approval was already provided, nothing to allow during upgrade.
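The following configuration profile shows how an MDM pre-approves the prompts listed in the macOS 10.15.4 and later column of the install and upgrade tables above. It is added here as an illustration built from Apple's generic system-extension-policy and webcontent-filter payload keys; it is not the Palo Alto Networks-provided file this page refers to, and the team ID, bundle IDs, designated requirement and UUIDs are placeholders that must be replaced with the values taken from the signed agent.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>com.example.cortex-agent-approvals</string>
  <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Cortex XDR agent: pre-approve System Extensions and content filter</string>
  <key>PayloadContent</key>
  <array>
    <!-- Payload 1: Endpoint Security and Network extension approval (macOS 10.15.4 and later).
         The team identifier key is a PLACEHOLDER; take the real value from the agent's code signature. -->
    <dict>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>PayloadIdentifier</key><string>com.example.cortex-agent-approvals.sysext</string>
      <key>PayloadUUID</key><string>22222222-2222-4222-8222-222222222222</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>AllowUserOverrides</key><true/>
      <key>AllowedSystemExtensionTypes</key>
      <dict>
        <key>VENDOR_TEAM_ID_PLACEHOLDER</key>
        <array>
          <string>EndpointSecurityExtension</string>
          <string>NetworkExtension</string>
        </array>
      </dict>
    </dict>
    <!-- Payload 2: network content filter approval, the fourth prompt in the tables above.
         Bundle IDs and the designated requirement are PLACEHOLDERS for the vendor's real values. -->
    <dict>
      <key>PayloadType</key><string>com.apple.webcontent-filter</string>
      <key>PayloadIdentifier</key><string>com.example.cortex-agent-approvals.filter</string>
      <key>PayloadUUID</key><string>33333333-3333-4333-8333-333333333333</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>FilterType</key><string>Plugin</string>
      <key>FilterGrade</key><string>firewall</string>
      <key>FilterSockets</key><true/>
      <key>FilterPackets</key><false/>
      <key>PluginBundleID</key><string>VENDOR_APP_BUNDLE_ID_PLACEHOLDER</string>
      <key>FilterDataProviderBundleIdentifier</key><string>VENDOR_FILTER_EXTENSION_BUNDLE_ID_PLACEHOLDER</string>
      <key>FilterDataProviderDesignatedRequirement</key><string>VENDOR_DESIGNATED_REQUIREMENT_PLACEHOLDER</string>
      <key>UserDefinedName</key><string>Cortex XDR agent content filter</string>
    </dict>
  </array>
</dict>
</plist>
```

The profile only covers the System Extension and content filter prompts; the kernel extension prompt on macOS 10.15.3 and earlier uses a separate kernel-extension-policy payload, and the removal prompts described below cannot be suppressed by any profile.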

Removing a Cortex XDR Agent 7.7

The following table describes the approval workflow the end user is required to perform on the endpoint during agent removal, when performed manually or using an MDM.

Remove a Cortex XDR agent 7.6 and later

macOS 10.15.3 and earlier

  • User approval and password are required. Can be suppressed in your MDM profile.

macOS 10.15.4 and later

  • User approval and password are required by Apple for each System Extension. In the current operating system release, you cannot suppress this prompt in your MDM profile, and the end user will be required to approve twice.