Install the Cortex XDR Agent Manually - Administrator Guide - 8.2 - Cortex XDR - Cortex XDR Agent - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XDR Agent Administrator Guide

Product
Cortex XDR
Cortex XDR Agent
Version
8.2
Creation date
2023-06-29
Last date published
2024-07-16
Category
Administrator Guide
Abstract

Learn how to install the Cortex XDR agent manually on macOS endpoints.

To install the Cortex XDR agent manually on a macOS endpoint:

  1. Download the installation package you want to install from Cortex XDR.

  2. Copy the installation package to the endpoint on which you want to install the Cortex XDR agent software.

  3. Unzip the installation package.

  4. (Optional) Configure a Cortex XDR agent specific proxy on the endpoint.

    If you are deploying Cortex XDR in an environment where the agents communicate with Cortex XDR through a proxy, you must assign the proxy IP address and port number during the agent installation on the endpoint.

    Note

    The Cortex XDR agent does not support proxy communication in environments where proxy authentication is required.

    1. Locate the Config.xml file in the unzipped installation folder.

    2. Edit the <proxy_list><proxyserver>:<port></proxy_list> tag.

      • To enforce a proxy specific to the Cortex XDR agent, enter your proxy IP address and port number. You can also configure the proxy by entering the FQDN and port number. When you enter the FQDN, you can use both lowercase and uppercase letters. Avoid using special characters or spaces. You can assign up to five different IP addresses per agent, and the proxy for communication is selected randomly with equal probability.

        <proxy_list>My.Network.Name:808,10.196.20.244:8080</proxy_list>

      • To install an agent communicating through the Palo Alto Networks Broker Service, enter only the broker VM IP address and port number 8888.

    3. If needed, you can later change the proxy settings from the Cortex XDR management console.

  5. (Optional) Disable Live Terminal, script execution, and file retrieval on the endpoint

    You can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. Disabling any of these payloads in the Config.xml file is an irreversible action, so if you later want to enable the action on the endpoint, you must uninstall your Cortex XDR agent and install a new agent with the corresponding values in the Config.xml file.

    1. Locate the Config.xml file in the unzipped installation folder.

    2. Enter the value 1 for this tag, as follows: <restrict_invasive_response_actions>1</restrict_invasive_response_actions>.

      • To disable a specific action, update only the value of the relevant tag:

        <restrict_live_terminal>1</restrict_live_terminal> <restrict_script_execution>1</restrict_script_execution> <restrict_file_retrieval>1</restrict_file_retrieval>

  6. (Optional) Add tags to the endpoint tag list.

    1. Locate the Config.xml file in the unzipped installation folder.

    2. Add<endpoint_tags>tag1,tag2,tag3</endpoint_tags> to the file and save.

  7. Install the Cortex XDR agent software.

    1. Execute the CortexXDR.pkg file in the unzipped installation folder.

      CortexMacOs_Install01.png
    2. Click Continue to proceed with the installation.

    3. If prompted to confirm the destination, click Continue.

    4. Click Install to begin the installation.

      CortexMacOs_Install02.png
    5. Enter the User Name and Password of the administrator with access to install software on the endpoint, and then click Install Software.

    6. Wait for the Cortex XDR agent installation to complete.

      CortexMacOs_Install03.png

      Tip

      The Cortex XDR agent logs any installation errors to /var/log/install.log. If installation fails for any reason, you can view this log to better understand the cause of the installation failure.

  8. (macOS 10.15 and later versions) Approve Cortex XDR System Extensions.

    1. When you are installing the Cortex XDR agent 7.2.1 or a later release on an endpoint running macOS 10.15.4 or later, this warning displays twice: first for the Security Extension and then for the Network Extension. However, in both warnings, the operating system displays System Extension Blocked.

      CortexMacOs_Install04.png

      Select Open Security Preferences.

    2. Go to System Settings → Privacy & Security, and click Details.

      step-8-b.png
    3. Select both Cortex XDR System Extensions and click OK to allow them. Ignore the message informing that The system needs to be restarted before it can be used since this step is not required.