Install the Cortex XDR Agent Using JAMF

Cortex XDR Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 8.0
Creation date: 2022-12-12
Last date published: 2023-11-29
Category: Administrator Guide

To deploy the Cortex XDR agent to multiple endpoints, you can set up a JAMF profile. As part of your JAMF deployment you must grant full disk access and approve system extensions and notifications. Depending on your macOS version:

  • macOS 10.15.3 and earlier versions—You must enable the Cortex XDR agent Kernel Extension in your JAMF profile.

  • macOS 10.15.4 and later versions—You must enable Cortex XDR agent System Extensions (Endpoint Security and Network) in your JAMF profile.

For a seamless configuration using JAMF that does not require creating the configuration profile manually, refer to Install with a Unified Configuration Profile for MDMs.

Caution

  • Following the changes Apple introduced in macOS 11.3 for MDMs, when you remove an MDM configuration profile that includes permissions for system extensions (for Cortex XDR agents or GlobalProtect), the system extensions are instantly unloaded from all endpoints. As a result, the Cortex XDR protection status is disabled. For the suggested workaround, refer to the Cortex XDR 7.6 agent list of Known Issues.

To set up a JAMF profile step by step, use the following workflow. You must perform the steps consecutively, in the order described below. If you change the order, the required configuration profiles might not be available when the agent requires them, which could cause the agent to display unexpected behavior.

Note

Because of certification changes, signed profiles need to be renewed every year. The existing signed Configuration Profiles have expired and we recommend you replace them with the updated profiles attached here. While using an expired profile is not recommended, no functional impact is expected at this point.

It is very important that you upload the new profiles before you replace the expired profiles. To ensure there are no disruptions to your endpoint profiles, make sure to:

  1. Upload the profiles following the steps described below, ensuring you add the profiles to the same scope as the expired profiles (for example, the same groups and dynamic groups).

  2. Ensure all endpoints have both the expired profiles and new profiles.

  3. Only after all endpoints in your environment have the new profiles can you delete the expired profiles.

  1. Create a new Computer Configuration Profile in JAMF.

    Under General Options, assign the following:

    • Name—Cortex XDR Agent Unified Configuration Profile

    • Level—Select Computer level.

    For additional information, refer to the JAMF documentation on configuring configuration profiles.

  2. (macOS 10.15.3 and earlier) Configure Approved Kernel Extensions.

    1. Allow users to approve kernel extensions.

    2. Add an approved Team ID for Palo Alto Networks:

      • Display Name—Palo Alto Networks

      • Team ID—PXPZ95SK77

    Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the Approved Kernel Extensions. To use it, download the signed configuration file CortexXDR_KernelExtensions_Profile_V3_SignedPANW.mobileconfig (MD5=32de99bd1eb565ff9a0940a70b5823c0) and refer to the JAMF documentation on uploading a computer configuration profile.

  3. (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure System Extensions.

    1. Allow users to approve system extensions.

    2. Add an approved Team ID for Palo Alto Networks:

      • Display Name—Palo Alto Networks

      • System Extension Types—Allowed System Extensions

      • Team Identifier—PXPZ95SK77

      • Allowed system extension bundles—com.paloaltonetworks.traps.securityextension and com.paloaltonetworks.traps.networkextension

    3. Add the following allowed system extensions and save each item.

    Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the Approved System Extensions. To use it, download the signed configuration file CortexXDR_SystemExtensions_Profile_V2_SignedPANW.mobileconfig (MD5=53687a6aed90ba6ef26d4656424c0987) and refer to the JAMF documentation on uploading a computer configuration profile.

  4. (macOS 10.15.4 and later for Cortex XDR agent 7.0 or later) Configure Content Filter.

    Configure the following Content Filter in your JAMF profile:

    • Filter name—Cortex XDR Network Filter

    • Identifier—com.paloaltonetworks.cortex.app

    • Filter Order—Firewall

    • Socket Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension

    • Socket Filter Designated Requirement—anchor apple generic and identifier "com.paloaltonetworks.traps.networkextension"

    • Network Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension

    • Network Filter Designated Requirement—anchor apple generic and identifier "com.paloaltonetworks.traps.networkextension"

    Alternatively, if you prefer, Palo Alto Networks provides a signed configuration profile for the web content filter. To use it, download the signed configuration file CortexXDR_ContentFilter_Profile_V4_SignedPANW.mobileconfig (MD5=0b7952f79598e789d8402095037b2f46) and refer to the JAMF documentation on uploading a computer configuration profile.
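
The settings from steps 3 and 4 can be checked in an exported profile before it is scoped to endpoints. The following is an added example, not Palo Alto Networks or JAMF code: it audits an unsigned XML profile against the Team ID, bundle identifiers and content filter values given above. The mapping of the JAMF field labels to Apple payload keys and the function names `audit_profile` and `sample_profile` are assumptions of this example, and the sample profile is constructed.

```python
import plistlib

# Values below are the ones this page gives in steps 3 and 4.
TEAM_ID = "PXPZ95SK77"
SEC_EXT = "com.paloaltonetworks.traps.securityextension"
NET_EXT = "com.paloaltonetworks.traps.networkextension"
NET_REQ = f'anchor apple generic and identifier "{NET_EXT}"'
SYSEXT_TYPE, FILTER_TYPE = "com.apple.system-extension-policy", "com.apple.webcontent-filter"
# Assumed mapping of the JAMF field labels to Apple content-filter payload keys.
FILTER_EXPECTED = {
    "UserDefinedName": "Cortex XDR Network Filter",        # Filter name
    "PluginBundleID": "com.paloaltonetworks.cortex.app",   # Identifier
    "FilterGrade": "firewall",                             # Filter Order
    "FilterDataProviderBundleIdentifier": NET_EXT,         # Socket filter
    "FilterDataProviderDesignatedRequirement": NET_REQ,
    "FilterPacketProviderBundleIdentifier": NET_EXT,       # Network filter
    "FilterPacketProviderDesignatedRequirement": NET_REQ,
}

def audit_profile(data):
    """Return findings for an unsigned profile; an empty list means it matches."""
    try:
        payloads = plistlib.loads(data).get("PayloadContent", [])
    except Exception:
        return ["not a plain plist"]  # e.g. a signed profile that was not unwrapped
    by_type = {p.get("PayloadType"): p for p in payloads}
    findings = []
    sysext = by_type.get(SYSEXT_TYPE)
    if sysext is None:
        findings.append("no system extension policy payload")
    else:
        allowed = sysext.get("AllowedSystemExtensions", {}).get(TEAM_ID, [])
        findings += [f"extension not allowed for {TEAM_ID}: {b}"
                     for b in (SEC_EXT, NET_EXT) if b not in allowed]
    flt = by_type.get(FILTER_TYPE)
    if flt is None:
        findings.append("no content filter payload")
    else:
        findings += [f"{k}: expected {v!r}, found {flt.get(k)!r}"
                     for k, v in FILTER_EXPECTED.items() if flt.get(k) != v]
    return findings

def sample_profile(bundles, **overrides):  # constructed sample, not a vendor profile
    sysext = {"PayloadType": SYSEXT_TYPE, "AllowedSystemExtensions": {TEAM_ID: list(bundles)}}
    flt = {"PayloadType": FILTER_TYPE, **FILTER_EXPECTED, **overrides}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [sysext, flt]})

if __name__ == "__main__":
    print(audit_profile(sample_profile([NET_EXT], FilterGrade="inspector")) or "profile matches")
```

A signed .mobileconfig is a CMS envelope rather than a plain plist, so unwrap it first (on macOS, `security cms -D -i <file>`) and pass the resulting bytes to `audit_profile`.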

  5. (macOS 10.15.0 and later) Next, configure Privacy Preferences Policy Control as described in Steps 5, 6, and 7: