An overview of user notifications for the Cortex XDR agent during installation, upgrade, and removal on a Mac.
When you install, upgrade, or remove the Cortex XDR agent on your Mac endpoint, both the operating system and the Cortex XDR agent display notifications that the end user has to approve. The operating system notifications are in line with Apple's security improvements starting with macOS 10.15.4, which include the deprecation of kernel extensions by third-party providers. As a result, Cortex XDR agent 7.1 and later releases no longer use the kernel extension. Instead, the agent deploys two System Extensions.
Since the 7.1 release, the Cortex XDR agent deploys the Endpoint Security extension to monitor system events, and starting with the 7.2.1 agent release, it also deploys a Network extension to monitor network events. Together, these two System Extensions provide full coverage of the endpoint traffic and replace the deprecated kernel extension. To suppress the extension notifications during the Cortex XDR agent installation process, refer to Install the Cortex XDR Agent Using JAMF. For a one-click installation using an MDM of your choice, refer to Install with a Unified Configuration Profile for MDMs.
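Whether the end user has approved the two System Extensions can be read from the state column of `systemextensionsctl list`. The following is an added example, not part of the Cortex XDR documentation, that parses that output and reports each extension's state; the bundle identifiers, team ID and sample output are constructed placeholders.

```shell
#!/bin/sh
# Placeholder bundle identifiers (assumptions): substitute the real ones.
ES_ID="com.example.agent.securityextension"
NE_ID="com.example.agent.networkextension"

# Constructed sample of `systemextensionsctl list` output (real output is
# tab-separated); here the network extension still awaits user approval.
SAMPLE_OUTPUT='2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * TEAMID0000 com.example.agent.securityextension (1.0/1) securityextension [activated enabled]
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
    TEAMID0000 com.example.agent.networkextension (1.0/1) networkextension [activated waiting for user]'

# Read list output on stdin; print the bracketed state of bundle $2 within
# category $1 (endpoint_security | network_extension), or "missing".
extension_state() {
    awk -v want="com.apple.system_extension.$1" -v id="$2" '
        /^--- / { current = $2; next }
        current == want && index($0, id) {
            open = index($0, "["); shut = index($0, "]")
            if (open && shut > open) state = substr($0, open + 1, shut - open - 1)
        }
        END { if (state == "") state = "missing"; print state }
    '
}

# $1 = full list output. Returns 0 only if both extensions are approved.
check_extensions() {
    rc=0
    for pair in "endpoint_security:$ES_ID" "network_extension:$NE_ID"; do
        category=${pair%%:*}
        bundle=${pair#*:}
        state=$(printf '%s\n' "$1" | extension_state "$category" "$bundle")
        printf '%s (%s): %s\n' "$category" "$bundle" "$state"
        [ "$state" = "activated enabled" ] || rc=1
    done
    return $rc
}

# On a Mac endpoint: check_extensions "$(systemextensionsctl list)"
check_extensions "$SAMPLE_OUTPUT" || echo "approval pending: see states above"
```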
The following tables describe the extension and notification approval workflow the end user is required to perform on a Mac endpoint during agent installation, upgrade, and removal processes.
Installing a Cortex XDR Agent
The following table describes the extension approval workflow the end user is required to perform on the endpoint during agent installation, when performed manually or using an MDM.
| | macOS 10.15.3 and earlier | macOS 10.15.4 and later |
|---|---|---|
| Install a Cortex XDR agent | | |
Upgrading to a Cortex XDR Agent
The following table describes the extension approval workflow the end user is required to perform on the endpoint during agent upgrade, when performed manually or using an MDM.
| | macOS 10.15.3 and earlier | macOS 10.15.4 and later |
|---|---|---|
| Upgrade a Cortex XDR agent | | |
Removing a Cortex XDR Agent
The following table describes the approval workflow the end user is required to perform on the endpoint during agent removal, when performed manually or using an MDM.
| | macOS 10.15.3 and earlier | macOS 10.15.4 and later |
|---|---|---|
| Remove a Cortex XDR agent 7.6 and later | | |