
How do I deploy Carbon Black Cloud with Jamf School?

Updated over 3 weeks ago

Description

Deploying Carbon Black Cloud with Jamf School involves:

  • Creating a Carbon Black Cloud package and uploading it to Jamf School as an in-house application

  • Creating a device profile with System Extensions, PPPC and Content Filters

  • Creating a smart group for the in-house application deployment targeting computers with the profile installed

Note - this workflow is subject to change depending on new versions/changes to Carbon Black Cloud. Always test on a small group of computers first.



Preparing the Carbon Black Cloud Package

  1. Obtain the macOS Installer DMG from the Carbon Black console.

  2. Obtain a Registration Code from Carbon Black.

  3. Open Finder and navigate to the /private/tmp/ folder.

    This photo shows where you can find private > tmp > cmp in Finder.

  4. Create a new folder named cbc.

  5. Mount the DMG downloaded in step 1.

  6. Locate the CBCloud Install.pkg and move/copy this to the /private/tmp/cbc/ folder.

    This photo shows where to move/copy your Carbon Black Cloud Installer.
  7. Locate the cbcloud_install_unattended.sh file in the docs folder in the dmg and move/copy this to the /private/tmp/cbc/ folder.

    This photo shows where to locate your cbcloud_install_unattended.sh file and where to move it to in Finder.
  8. Open the cbcloud_install_unattended.sh file in TextEdit or other plain text editor.

  9. Locate the Variable Declarations.
    #options
    CBC_INSTALLER=""
    COMPANY_OR_USER_CODE=""

  10. Enter the install package path into the CBC_INSTALLER variable. (example: CBC_INSTALLER="CBCloud Install.pkg")

    This photo shows where to enter your install package path into the CBC Installer.
  11. Enter the Registration Code from step 2 into the COMPANY_OR_USER_CODE variable. (Example: COMPANY_OR_USER_CODE="3TABC99SW2021")

    This photo shows where to enter your registration code.
  12. Save the changes.
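A pre-flight check for the staged folder, run before it goes into Composer (added example, not part of the vendor's or Jamf's tooling). It assumes the variables keep the NAME="value" form shown in step 9 and that the installer sits beside the script as in step 6; `read_var`, `preflight` and `make_sample` are names chosen here.

```bash
#!/bin/bash
# Pre-flight check for the staging folder (the page uses /private/tmp/cbc).
# Added example: catches an empty variable or a missing installer before packaging.

# Print the value assigned on a NAME="value" line of the script.
read_var() {  # usage: read_var NAME FILE
    sed -n "s/^[[:space:]]*$1=\"\(.*\)\"[[:space:]]*\$/\1/p" "$2" | head -n 1
}

# Return 0 when the folder is ready to package, 1 otherwise; one line per problem.
# The registration code itself is never printed.
preflight() {  # usage: preflight STAGING_DIR
    dir=$1
    script="$dir/cbcloud_install_unattended.sh"
    problems=0
    if [ ! -f "$script" ]; then
        echo "missing: $script"
        return 1
    fi
    installer=$(read_var CBC_INSTALLER "$script")
    code=$(read_var COMPANY_OR_USER_CODE "$script")
    if [ -z "$installer" ]; then
        echo "CBC_INSTALLER is empty"; problems=1
    elif [ ! -f "$dir/$(basename "$installer")" ]; then
        echo "installer not staged: $installer"; problems=1
    fi
    if [ -z "$code" ]; then
        echo "COMPANY_OR_USER_CODE is empty"; problems=1
    fi
    return "$problems"
}

# Constructed sample: a throwaway folder mirroring steps 4 to 11.
make_sample() {  # usage: make_sample DIR INSTALLER_VALUE CODE_VALUE
    mkdir -p "$1"
    : > "$1/CBCloud Install.pkg"
    printf '#options\nCBC_INSTALLER="%s"\nCOMPANY_OR_USER_CODE="%s"\n' "$2" "$3" \
        > "$1/cbcloud_install_unattended.sh"
}

sample=$(mktemp -d)
make_sample "$sample" "CBCloud Install.pkg" "CONSTRUCTED-CODE"
preflight "$sample" && echo "ready to package"
rm -rf "$sample"
```

On a real build machine, call `preflight /private/tmp/cbc` after step 12.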


Packaging Carbon Black Cloud in Composer

  1. Open Composer and authenticate with the Local Administrator account.

  2. Click Cancel if prompted to create a new Snapshot.

  3. Drag the /private/tmp/cbc/ folder to the left side bar of Composer.

    This photo shows where to drag the /private/tmp/cbc/ folder in Composer.
  4. Select the /cbc/ folder in the main Composer window.

  5. Adjust the permissions in the lower right of Composer: Owner - root, Group - wheel, Mode - 755
    This photo shows where to adjust permissions in Composer.

  6. Select the more (...) option to the right of these permissions and select apply these permissions to cbc and all enclosed items.

  7. In the left side bar of Composer, expand the cbc source and right click on scripts.

  8. Select Add Shell Script > postinstall.

    This photo shows where to Select Add Shell Script > postinstall.

  9. Replace the prefilled text with the following code:

    #!/bin/bash
    ## postinstall

    pathToScript=$0
    pathToPackage=$1
    targetLocation=$2
    targetVolume=$3

    # Run the unattended installer and report its result to the Installer
    if sh /private/tmp/cbc/cbcloud_install_unattended.sh; then
        exit 0 ## Success
    fi

    exit 1 ## Failure

    This photo shows the prefilled text replaced with the above code.

  10. Save (command + s or file > save).

    This photo shows where to Save the file.

  11. Select the cbc source in the left sidebar of Composer and select Build as PKG at the top of the window.

    This photo shows where to select Build as PKG in Composer.

The package can now be uploaded to Jamf School as a new in-house macOS package for deployment to devices. Do not scope to any devices yet.



Creating a device Profile with System Extensions, Privacy Preference Policy Control, and Content Filter

  1. In Jamf School go to Profiles > Overview and select + Create Profile.

    This photo shows where to create a profile in Jamf School.

  2. Select macOS > Device Enrollment and click Next.

  3. Name the Profile (Carbon Black Cloud Settings), select Next and click Finish.

  4. Select the Security and Privacy payload on the left and select Configure.

  5. Select the Privacy tab at the top of the window.

    This photo shows where to find the Privacy tab.

  6. Scroll down to "System Policy All Files" and select + add new (below the listing).

    This photo shows where to find the Add new button to System Policy All Files.

  7. Select Select Application.

    This photo shows you where to Select application.

  8. In the text box enter the following information and then click Add.

    • Name: Carbon Black Daemon

    • Identifier: com.vmware.carbonblack.cloud.daemon

    • Type: Bundle ID

    • Code Requirement: identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

  9. Click Add new.

    This photo shows where to find the Add button.

  10. Add another app with the information below and click Add.

    • Name: Carbon Black OSQueryi

    • Identifier: com.vmware.carbonblack.cloud.osqueryi

    • Type: Bundle ID

    • Code Requirement: identifier "com.vmware.carbonblack.cloud.osqueryi" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

      This photo shows the above code requirement entered correctly.

  11. Click Add new again, add another app with the information below, and click Add.

    • Name: Carbon Black SE-agent

    • Identifier: com.vmware.carbonblack.cloud.se-agent.extension

    • Type: Bundle ID

    • Code Requirement: identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

      This photo shows the above code requirement entered correctly.

  12. Click Add new again, add another app with the information below, and click Add.

    • Name: Carbon Black Uninstall

    • Identifier: com.vmware.carbonblack.cloud.uninstall

    • Type: Bundle ID

    • Code Requirement: identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

      This photo shows the above code requirement entered correctly.

  13. Click Add new again, add another app with the information below, and click Add.

    • Name: Carbon Black UninstallerUI

    • Identifier: com.vmware.carbonblack.cloud.uninstallerui

    • Type: Bundle ID

    • Code Requirement: identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

      This photo shows the above code requirement entered correctly.

  14. Click Save at the bottom of the page to save the profile.

    This photo shows where to save your System Policy All Files.

  15. Select the System Extensions Payload and click Configure.

  16. Enter the following information:

    • Team Identifier: 7AGZNQ2S2T

    • Allowed System Extensions: com.vmware.carbonblack.cloud.se-agent.extension

      This photo shows where to enter the above information.

  17. Click Save at the bottom of the page.

  18. Select the Web Content Filter payload and click Configure.

  19. Configure the following Settings:

    • Enable Web Content Filter: selected

    • Traffic: Filter Socket Traffic, Filter Packets

    • Filter Name: VMware Carbon Black Cloud Network Extension Filter

    • Identifier: com.vmware.carbonblack.cloud.se-agent

    • Data provider bundle identifier: com.vmware.carbonblack.cloud.se-agent.extension

    • Data provider designated requirement: identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

    • Packet provider bundle identifier: com.vmware.carbonblack.cloud.se-agent.extension

    • Packet provider designated requirement: identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

  20. Click Save at the bottom of the profile.
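A consistency check for the code requirements entered in steps 8 to 13 and 19 (added example, not Jamf or Carbon Black tooling): each requirement should name the same bundle ID as its Identifier field and pin the Team Identifier from step 16. The `identifier|requirement` input format and the function names are assumptions of this example.

```bash
#!/bin/bash
TEAM_ID="7AGZNQ2S2T"   # Team Identifier from step 16

# Pull the quoted value that follows KEY in a code requirement string.
req_field() {  # usage: req_field KEY_REGEX REQUIREMENT
    printf '%s\n' "$2" | sed -n "s/.*$1\"\([^\"]*\)\".*/\1/p"
}

# Check one entry: the requirement must name the same bundle ID as the
# Identifier field, keep the Apple anchor, and pin the leaf certificate to TEAM_ID.
check_entry() {  # usage: check_entry IDENTIFIER REQUIREMENT
    rid=$(req_field 'identifier ' "$2")
    rou=$(req_field 'subject\.OU] = ' "$2")
    [ "$rid" = "$1" ] || { echo "$1: requirement names '$rid'"; return 1; }
    [ "$rou" = "$TEAM_ID" ] || { echo "$1: requirement pins team '$rou'"; return 1; }
    case $2 in
        *"anchor apple generic"*) return 0 ;;
        *) echo "$1: missing 'anchor apple generic'"; return 1 ;;
    esac
}

# Requirement text as given on the page for a bundle ID (builds the sample input).
page_requirement() {  # usage: page_requirement BUNDLE_ID
    printf 'identifier "%s" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "%s"' "$1" "$TEAM_ID"
}

# Read "identifier|requirement" lines on stdin; return the number of bad entries.
check_profile() {
    bad=0
    while IFS='|' read -r id req; do
        check_entry "$id" "$req" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed input: the five bundle IDs from the Privacy steps above.
prefix=com.vmware.carbonblack.cloud
for b in daemon osqueryi se-agent.extension uninstall uninstallerui; do
    printf '%s|%s\n' "$prefix.$b" "$(page_requirement "$prefix.$b")"
done | check_profile && echo "all entries consistent"
```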



Create a Smart Group to Ensure the Profile Installs Prior to the Application

  1. In Jamf School navigate to Devices > Device Groups.

  2. Select + Add Group.

    This photo shows where to select Add Group.
  3. Name the Group (Carbon Black).

  4. Select Smart Group.

    This photo shows where to select Smart Group.

  5. Select Apps at the top of the text box.

  6. Select Automatic for the Carbon Black Package.

  7. Select Members at the top of the text box.

  8. Select + Add Filter and configure as follows: Managed Profile (installed) equals Carbon Black Cloud Settings.

    This photo shows the correct configuring.
  9. Click Finish.

  10. Navigate to the Members window and Save Scope.

    This photo shows where to select the Save Scope button.



Test the Deployment

After the sections above are complete we can test the deployment on a device or small group of test devices following the steps below.

  1. Navigate to Devices > Inventory and select a test device.

  2. Select the Managed Profiles tab.

  3. Select + Add profiles in the top right corner.

    This photo shows where you can find the Managed Profiles tab to select Add profiles.

  4. Search and select Add for the Carbon Black Cloud Settings profile.

    This photo shows where to select Add.

This installs the profile on the device, which places the device in the Carbon Black device group and triggers installation of the application. If the deployment succeeds, add additional device groups to the scope of the Carbon Black Cloud Settings profile.

