Use the Palo Alto Networks unified configuration profile for MDMs to seamlessly install the Cortex XDR agent on macOS endpoints.
You install the Cortex XDR agent by deploying an installation package on the endpoint. When you install the Cortex XDR agent for macOS, the operating system requires the user to approve system extensions, notifications, content filter configuration, login items, and to grant full disk access permissions.
For a seamless installation that does not require end user interaction, Palo Alto Networks provides a unified configuration profile that you can upload to any third-party deployment software of your choice. This unified configuration profile is compatible with all supported macOS versions and all supported Cortex XDR agent versions. If you prefer to manually create the configuration profile in JAMF, refer to Install the Cortex XDR Agent Using JAMF.
These instructions are supplied by Palo Alto Networks to assist our customers. Support for third-party vendor tools (with the exception of JAMF) is outside the scope of Palo Alto Networks support.
The following payloads are included in the unified configuration profile:
Managed Login Items (payload type com.apple.servicemanagement), required for macOS 13 and later
System Extensions (payload type com.apple.system-extension-policy), required for macOS 10.15.4 and later
Content Filter (payload type com.apple.webcontent-filter), required for macOS 10.15.4 and later
Privacy Preferences Policy Control (payload type com.apple.TCC.configuration-profile-policy), required for macOS 10.15.0 and later
Notifications (payload type com.apple.notificationsettings), required for macOS 10.15.0 and later
Note
The new signed profile is valid until June 2027. The existing signed configuration profiles have expired and must be replaced with the updated profiles attached here. Using an expired profile is not recommended; although no functional impact is expected at this point, there may be a functional impact in the future.
It is very important that you upload the new profiles before removing the expired profiles. To ensure there are no disruptions to your endpoint profiles, make sure to:
Upload the profiles following the steps described below.
Ensure all endpoints have both the expired profiles and the new profiles. It is recommended to keep the new and old profiles side by side for a month, which gives ample time for all deployed agents to connect and receive the new profile.
Only after all endpoints in your environment have the new profiles can you delete the expired profiles.
When all endpoints have the new profiles and the expired profiles are removed, there may be a short time (up to 15 minutes) during which an agent could appear as disabled. Any potentially affected functionality is network related (event collection, host firewall, isolation). This resolves automatically, and the agent remains functional during this period.
This flow details how to deploy the Cortex XDR agent on Mac endpoints using the Palo Alto Networks unified configuration profile file. You must perform the steps consecutively as described below and you must not change the order. If you change the order, you risk that the required configuration profiles will not be available at the time the agent requires them, which could cause the agent to display unexpected behavior.
Note
Palo Alto Networks recommends that you upload only a signed configuration profile file to your MDM; avoid uploading the unsigned file directly to your MDM.
If your MDM solution allows the upload of .zip files (like JAMF), continue with Step 2. If your MDM solution allows only a .pkg file, continue with Step 3.
Upload the unified configuration profile to your MDM tool. If you prefer, or are required, to sign the configuration file using your own signing certificate, use the unsigned configuration profile provided here.
Download the signed or unsigned configuration profile:
Signed configuration profile: CortexXDR_UnifiedConfigProfile_V5_SignedPANW.mobileconfig (SHA256: 61b41f7395fee559394648602341ab3b8e703940a251102c8d832870403bdbd6, MD5: ec8e1bd188aba606e843c146d1a51722)
Unsigned configuration profile, to be signed by you: CortexXDR_UnifiedConfigProfile_V5_Unsigned.mobileconfig (SHA256: 9dd42f3a50016b9f81b60934d756638c9f91d39a122e9924a37dc8e69adc20ee, MD5: 5ef440126d5489f316c708f7768f076c)
Upload the profile to your MDM.
In the Scope tab of the MDM, add the profile to the targets list with the scope set to All Computers.
Save the configuration profile.
Upload the Cortex XDR agent installation package (.zip) to your MDM tool.
Create a new agent installation package in the Cortex XDR management console.
Upload the ZIP package you downloaded from Cortex XDR to your MDM. Do not extract it.
Proceed to distribute the Cortex XDR agent package across your endpoints.
Follow this step if your MDM solution allows only a .pkg file.
Extract the ZIP package downloaded from Cortex XDR. When the standalone install package is used without its config.xml, the package does not set the distribution ID, so the included script sets it instead. This is a simple bash script that calls cytool after the installation and sets the distribution ID accordingly (a proxy can be configured the same way).
Upload only the .pkg file.
Run a script that sets the distribution ID and connects the agent to the given tenant:
echo Password1|/Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool reconnect force <packageDistributionID>; sleep 5; /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool checkin
There is no connection to any tenant at this point, so no policy has been applied and the initial password is always the default "Password1". After this, the Cortex XDR agent registers with the given tenant and receives its policy.
This is supported by all MDM solutions, either as a single action/policy, where you define a package to install and a script to run after the installation, or as separate actions.
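As an added example, not the script Palo Alto Networks ships, here is a hardened version of the Step 3 post-install routine in bash. It follows the page's cytool reconnect/checkin sequence and default password, but validates the distribution ID handed over by the MDM, waits for the agent binary to appear, checks exit codes and retries the checkin. CYTOOL, SETTLE_SECONDS and CYTOOL_WAIT are this example's own variables; the defaults are the values from the page.

```shell
#!/bin/bash
# Added example (not Palo Alto Networks' script): hardened post-install step for
# the .pkg-only MDM path. Same cytool sequence as the page, plus input checks,
# exit-code handling and a checkin retry. The variables below are this example's
# own knobs; override them only for testing against a stub.
CYTOOL=${CYTOOL:-"/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool"}
INITIAL_PASSWORD=${INITIAL_PASSWORD:-Password1}  # default until the agent receives a policy
SETTLE_SECONDS=${SETTLE_SECONDS:-5}               # pause between reconnect and first checkin
CYTOOL_WAIT=${CYTOOL_WAIT:-60}                    # seconds to wait for the .pkg install to finish

# A distribution ID is an opaque token; reject an empty value or any character
# outside a conservative set so a malformed MDM variable is not passed through.
valid_distribution_id() {
  case $1 in
    '') return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Wait up to $2 seconds for the cytool binary at $1 to become executable.
wait_for_cytool() {
  i=0
  while [ ! -x "$1" ]; do
    i=$((i + 1))
    [ "$i" -gt "$2" ] && return 1
    sleep 1
  done
}

# Point the agent at the tenant for <packageDistributionID>, then check in.
# Returns 0 on success; 2 bad ID, 3 cytool missing, 4 reconnect failed,
# 5 checkin still failing after all attempts.
# Usage: connect_agent <packageDistributionID> [checkin_attempts]
connect_agent() {
  dist_id=$1; attempts=${2:-3}
  valid_distribution_id "$dist_id" || { echo "invalid distribution ID" >&2; return 2; }
  wait_for_cytool "$CYTOOL" "$CYTOOL_WAIT" || { echo "cytool not found: $CYTOOL" >&2; return 3; }
  echo "$INITIAL_PASSWORD" | "$CYTOOL" reconnect force "$dist_id" || return 4
  sleep "$SETTLE_SECONDS"
  n=0
  until "$CYTOOL" checkin; do
    n=$((n + 1))
    [ "$n" -ge "$attempts" ] && return 5
    sleep "$SETTLE_SECONDS"   # let the reconnect settle before retrying
  done
}
```

Call it from the MDM's post-install action as `connect_agent <packageDistributionID>`; a non-zero exit surfaces in the MDM run log instead of leaving an agent silently unregistered.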