Description
Deploying Carbon Black Cloud with Jamf School involves:
Creating a Carbon Black Cloud package and uploading it to Jamf School as an in-house application
Creating a device profile with System Extensions, PPPC and Content Filters
Creating a smart group for the in-house application deployment targeting computers with the profile installed
Note - this workflow is subject to change depending on new versions/changes to Carbon Black Cloud. Always test on a small group of computers first.
Preparing the Carbon Black Cloud Package
Obtain the macOS Installer DMG from the Carbon Black console.
Obtain a Registration Code from Carbon Black.
Open Finder and navigate to the /private/tmp/ folder.
Create a new folder named cbc.
Mount the DMG downloaded in step 1.
Locate the CBCloud Install.pkg and move/copy this to the /private/tmp/cbc/ folder.
Locate the cbcloud_install_unattended.sh file in the docs folder in the DMG and move/copy this to the /private/tmp/cbc/ folder.
Open the cbcloud_install_unattended.sh file in TextEdit or other plain text editor.
Locate the Variable Declarations.
#options
CBC_INSTALLER=""
COMPANY_OR_USER_CODE=""
Enter the install package path into the CBC_INSTALLER variable. (Example: CBC_INSTALLER="CBCloud Install.pkg")
Enter the Registration Code from step 2 into the COMPANY_OR_USER_CODE variable. (Example: COMPANY_OR_USER_CODE="3TABC99SW2021")
Save the changes.
Packaging Carbon Black Cloud in Composer
Open Composer and authenticate with the Local Administrator account.
Click Cancel if prompted to create a new Snapshot.
Drag the /private/tmp/cbc/ folder to the left side bar of Composer.
Select the /cbc/ folder in the main Composer window.
Adjust the permissions in the lower right of Composer: Owner - root, Group - wheel, Mode - 755
Select the more (...) option to the right of these permissions and select apply these permissions to cbc and all enclosed items.
In the left side bar of Composer, expand the cbc source and right click on scripts.
Select Add Shell Script > postinstall.
Replace the prefilled text with the following code:
#!/bin/bash
## postinstall
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
# Run the unattended installer and pass its result back to the package installer
if sh /private/tmp/cbc/cbcloud_install_unattended.sh; then
    exit 0 ## Success
fi
exit 1 ## Failure
Save (command + s or file > save).
Select the cbc source in the left sidebar of Composer and select Build as PKG at the top of the window.
The package can now be uploaded to Jamf School as a new in-house macOS package for deployment to devices. Do not scope to any devices yet.
Creating a device Profile with System Extensions, Privacy Preference Policy Control, and Content Filter
In Jamf School go to Profiles > Overview and select + Create Profile.
Select macOS > Device Enrollment and click Next.
Name the Profile (Carbon Black Cloud Settings), select Next and click Finish.
Select the Security and Privacy payload on the left and select Configure.
Select the Privacy tab at the top of the window.
Scroll down to "System Policy All Files" and select + add new (below the listing).
Select Select Application.
In the text box enter the following information and then click Add.
Name: Carbon Black Daemon
Identifier: com.vmware.carbonblack.cloud.daemon
Type: Bundle ID
Code Requirement:
identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Click Add new.
Add another app with the information below and click Add.
Name: Carbon Black OSQueryi
Identifier: com.vmware.carbonblack.cloud.osqueryi
Type: Bundle ID
Code Requirement:
identifier "com.vmware.carbonblack.cloud.osqueryi" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Click Add new again, add another app with the information below, and click Add.
Name: Carbon Black SE-agent
Identifier: com.vmware.carbonblack.cloud.se-agent.extension
Type: Bundle ID
Code Requirement:
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Click Add new again, add another app with the information below, and click Add.
Name: Carbon Black Uninstall
Identifier: com.vmware.carbonblack.cloud.uninstall
Type: Bundle ID
Code Requirement:
identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Click Add new again, add another app with the information below, and click Add.
Name: Carbon Black UninstallerUI
Identifier: com.vmware.carbonblack.cloud.uninstallerui
Type: Bundle ID
Code Requirement:
identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Click Save at the bottom of the page to save the profile.
Select the System Extensions Payload and click Configure.
Enter the following information:
Team Identifier: 7AGZNQ2S2T
Allowed System Extensions: com.vmware.carbonblack.cloud.se-agent.extension
Click Save at the bottom of the page.
Select the Web Content Filter payload and click Configure.
Configure the following Settings:
Enable Web Content Filter: selected
Traffic: Filter Socket Traffic, Filter Packets
Filter Name: VMware Carbon Black Cloud Network Extension Filter
Identifier:
com.vmware.carbonblack.cloud.se-agent
Data provider bundle identifier:
com.vmware.carbonblack.cloud.se-agent.extension
Data provider designated requirement:
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Packet provider bundle identifier:
com.vmware.carbonblack.cloud.se-agent.extension
Packet provider designated requirement:
identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"
Click Save at the bottom of the profile.
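The Code Requirement entries, the System Extensions Team Identifier and the two content filter requirements above are entered by hand and have to agree with each other: each requirement must name the same bundle ID as its entry and pin the signer to team 7AGZNQ2S2T. The Python check below is an added example, not part of the original article or of Jamf or Carbon Black tooling. It assumes the profile is available as an unsigned .mobileconfig property list using Apple's standard payload keys; the sample profile and the make_req helper are constructed for illustration.

```python
import plistlib
import re
TEAM_ID = "7AGZNQ2S2T"  # Team Identifier given on this page
_IDENT = re.compile(r'^\s*identifier\s+"([^"]+)"')
_OU = re.compile(r'certificate\s+leaf\[subject\.OU\]\s*=\s*"([^"]+)"')

def check_requirement(bundle_id, requirement, team_id=TEAM_ID):
    """Return the problems found in one (bundle ID, code requirement) pair."""
    problems = []
    ident, ou = _IDENT.search(requirement), _OU.search(requirement)
    if not ident or ident.group(1) != bundle_id:
        problems.append(f"{bundle_id}: requirement identifier does not match")
    if not ou or ou.group(1) != team_id:
        problems.append(f"{bundle_id}: requirement not pinned to team {team_id}")
    return problems

def lint_profile(data, team_id=TEAM_ID):
    """Cross-check the PPPC, content filter and System Extensions payloads."""
    problems, pairs = [], []
    for p in plistlib.loads(data).get("PayloadContent", []):
        kind = p.get("PayloadType")
        if kind == "com.apple.TCC.configuration-profile-policy":
            for e in p.get("Services", {}).get("SystemPolicyAllFiles", []):
                pairs.append((e.get("Identifier", ""), e.get("CodeRequirement", "")))
        elif kind == "com.apple.webcontent-filter":
            for prov in ("Data", "Packet"):
                pairs.append((p.get(f"Filter{prov}ProviderBundleIdentifier", ""),
                              p.get(f"Filter{prov}ProviderDesignatedRequirement", "")))
        elif kind == "com.apple.system-extension-policy":
            problems += [f"system extensions allowed for team {t}"
                         for t in p.get("AllowedSystemExtensions", {}) if t != team_id]
    for bundle_id, req in pairs:
        problems += check_requirement(bundle_id, req, team_id)
    return problems

def make_req(bundle_id, ou=TEAM_ID):  # requirement in the form used on this page
    return (f'identifier "{bundle_id}" and anchor apple generic and certificate '
            '1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate '
            'leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate '
            f'leaf[subject.OU] = "{ou}"')

PFX = "com.vmware.carbonblack.cloud."
SAMPLE = plistlib.dumps({"PayloadContent": [  # constructed; uninstall entry is wrong
    {"PayloadType": "com.apple.TCC.configuration-profile-policy",
     "Services": {"SystemPolicyAllFiles": [
         {"Identifier": PFX + "daemon", "CodeRequirement": make_req(PFX + "daemon")},
         {"Identifier": PFX + "uninstall", "CodeRequirement": make_req(PFX + "daemon")}]}},
    {"PayloadType": "com.apple.system-extension-policy",
     "AllowedSystemExtensions": {TEAM_ID: [PFX + "se-agent.extension"]}}]})
```

Calling lint_profile(SAMPLE) reports the uninstall entry, whose requirement was pasted from the daemon entry; an empty list means the payloads agree.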
Create a Smart Group to Ensure the Profile Installs Prior to the Application
In Jamf School navigate to Devices > Device Groups.
Select + Add Group.
Name the Group (Carbon Black).
Select Smart Group.
Select Apps at the top of the text box.
Select Automatic for the Carbon Black Package.
Select Members at the top of the text box.
Select + Add Filter and configure as follows: Managed Profile (installed) equals Carbon Black Cloud Settings.
Click Finish.
Navigate to the Members window and Save Scope.
Test the Deployment
After the sections above are complete, test the deployment on a device or small group of test devices by following the steps below.
Navigate to Devices > Inventory and select a test device.
Select the Managed Profiles tab.
Select + Add profiles in the top right corner.
Search and select Add for the Carbon Black Cloud Settings profile.
This installs the profile on the device, which places the device in the Carbon Black device group and triggers installation of the application. If the deployment succeeds, add additional device groups to the scope of the Carbon Black Cloud Settings profile.