Install with a Unified Configuration Profile for MDMs

Cortex XDR Agent Administrator Guide

Product
Cortex XDR
Cortex XDR Agent
Version
8.2
Creation date
2023-06-29
Last date published
2024-07-16
Category
Administrator Guide
Abstract

Use the Palo Alto Networks unified configuration profile for MDMs to seamlessly install the Cortex XDR agent on macOS endpoints.

You install the Cortex XDR agent by deploying an installation package on the endpoint. When you install the Cortex XDR agent for macOS, the operating system requires the user to approve system extensions, notifications, content filter configuration, login items, and to grant full disk access permissions.

For a seamless installation that does not require end user interaction, Palo Alto Networks provides a unified configuration profile that you can upload to any third-party deployment software of your choice. This unified configuration profile is compatible with all supported macOS versions and all supported Cortex XDR agent versions. If you prefer to manually create the configuration profile in JAMF, refer to Install the Cortex XDR Agent Using JAMF.

These instructions are supplied by Palo Alto Networks to assist our customers. Support for third-party vendor tools (with the exception of JAMF) is outside the scope of Palo Alto Networks support.

The following payloads are included in the unified configuration profile:

  • Managed Login Items

    Payload type: com.apple.servicemanagement

    Required for: macOS 13 and later

  • System Extensions

    Payload type: com.apple.system-extension-policy

    Required for: macOS 10.15.4 and later

  • Content Filter

    Payload type: com.apple.webcontent-filter

    Required for: macOS 10.15.4 and later

  • Privacy Preferences Policy Control

    Payload type: com.apple.TCC.configuration-profile-policy

    Required for: macOS 10.15.0 and later

  • Notifications

    Payload type: com.apple.notificationsettings

    Required for: macOS 10.15.0 and later

Note

The new signed profile is valid until June 2027. The existing signed configuration profiles have expired and must be replaced with the updated profiles attached here. Using an expired profile is not recommended: although no functional impact is expected at this point, there may be functional impact in the future.

It is very important that you first upload the new profiles before replacing the expired profiles. To ensure there are no disruptions to your endpoint profiles, make sure to:

  1. Upload the profiles following the steps described below.

  2. Ensure all endpoints have both the expired profiles and the new profiles. It is recommended to keep the old and new profiles side by side for a month, which gives all deployed agents ample time to connect and receive the new profile.

  3. Only after all endpoints in your environment have the new profiles can you delete the expired profiles.

  4. When all endpoints have the new profiles and the expired profiles are removed, there may be a short period (up to 15 minutes) during which an agent could appear as disabled. Any potentially affected functionality is network related (event collection, host firewall, isolation). This is resolved automatically, and the agent remains functional during this period.

This flow details how to deploy the Cortex XDR agent on Mac endpoints using the Palo Alto Networks unified configuration profile file. You must perform the steps consecutively as described below and must not change their order. If you change the order, the required configuration profiles may not be available at the time the agent needs them, which could cause the agent to display unexpected behavior.

Note

Palo Alto Networks recommends that you upload only a signed configuration profile file to your MDM; avoid uploading the unsigned file directly to your MDM.

If your MDM solution allows upload of .zip files (like JAMF) continue with Step 2. If your MDM solution allows only a .pkg file continue with Step 3.

  1. Upload the unified configuration profile to your MDM tool. If you prefer, or are required, to sign the configuration profile with your own signing certificate, use the unsigned configuration profile provided here.

    1. Download the signed or unsigned configuration profile.

      • Download the signed configuration profile. (CortexXDR_UnifiedConfigProfile_V5_SignedPANW.mobileconfig)

        SHA256: 61b41f7395fee559394648602341ab3b8e703940a251102c8d832870403bdbd6

        MD5: ec8e1bd188aba606e843c146d1a51722

      • Download the unsigned configuration profile and sign it. (CortexXDR_UnifiedConfigProfile_V5_Unsigned.mobileconfig)

        SHA256: 9dd42f3a50016b9f81b60934d756638c9f91d39a122e9924a37dc8e69adc20ee

        MD5: 5ef440126d5489f316c708f7768f076c

    2. Upload the profile to your MDM.

    3. In the Scope tab of the MDM, add All Computers to the targets list.

    4. Save the configuration profile.

  2. Upload the Cortex XDR agent installation package (.zip) to your MDM tool.

    1. Create a new agent installation package in the Cortex XDR management console.

    2. Upload the ZIP package you downloaded from Cortex XDR to your MDM. Do not extract it.

    3. Proceed to distribute the Cortex XDR agent package across your endpoints.

  3. Follow this step if your MDM solution allows only the .pkg profile file.

    1. Extract the ZIP package downloaded from Cortex XDR. When you use the standalone install package without the config.xml, the included script sets the distribution ID. This is a simple bash script that calls cytool and sets the distribution ID after the installation (a proxy can be set the same way).

    2. Upload only the .pkg file.

    3. Run a script that will set the distribution ID and connect the agent to the given tenant.

      echo Password1 | /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool reconnect force <packageDistributionID>; sleep 5; /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool checkin

    4. There is no connection to any tenant at this point, and therefore no policy, so the initial password is always the default "Password1". After this step, the Cortex XDR agent registers with the given tenant and receives its policy.

      This is supported by all MDM solutions, either as a single action/policy, where you can define a package to install and a script to run after the install, or as a separate action.
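The one-liner from the previous step, reworked as an added post-install script for the .pkg flow (example code written here, not Palo Alto Networks' own script): it validates the distribution ID before it reaches cytool, checks that the agent is actually installed, and stops on the first failed cytool call instead of continuing to checkin. The cytool path and the default "Password1" come from the guide; the CYTOOL, AGENT_PASSWORD and SLEEP_SECONDS override variables are hypothetical additions.

```shell
#!/bin/sh
# Added example: post-install step for a standalone .pkg deployment.
# Sets the distribution ID with cytool, then forces a check-in so the
# agent registers with the tenant and pulls its policy.
# The three variables below are overrides added here (not part of the
# product); the defaults are the path and password given in the guide.
CYTOOL="${CYTOOL:-/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool}"
AGENT_PASSWORD="${AGENT_PASSWORD:-Password1}"   # default until a policy is received
SLEEP_SECONDS="${SLEEP_SECONDS:-5}"

# Reject an empty ID or one containing whitespace, so an unset or
# malformed MDM variable never reaches cytool. Returns 0 if acceptable.
valid_distribution_id() {
    case "$1" in
        "" | *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Reconnect the agent to the tenant identified by $1 and check in.
# Returns 0 on success; a distinct non-zero code for each failure mode.
set_distribution_id() {
    dist_id="$1"
    if ! valid_distribution_id "$dist_id"; then
        echo "refusing to run: invalid distribution ID '$dist_id'" >&2
        return 2
    fi
    if [ ! -x "$CYTOOL" ]; then
        echo "cytool not executable at $CYTOOL; was the .pkg installed first?" >&2
        return 3
    fi
    # cytool reads the supervisor password from stdin.
    if ! printf '%s\n' "$AGENT_PASSWORD" | "$CYTOOL" reconnect force "$dist_id"; then
        echo "cytool reconnect failed for distribution ID '$dist_id'" >&2
        return 4
    fi
    sleep "$SLEEP_SECONDS"
    "$CYTOOL" checkin
}

# Usage: ./postinstall.sh <packageDistributionID>
if [ -n "${1:-}" ]; then
    set_distribution_id "$1"
fi
```

In an MDM that runs a script after the package install, pass the distribution ID as the first argument; a non-zero exit surfaces the failed step in the MDM's script log rather than leaving the agent silently unregistered.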