Step-by-step instructions to configure a JAMF installation profile for the Cortex XDR agent on macOS endpoints.
To deploy the Cortex XDR agent to multiple endpoints, you can set up a JAMF profile. As part of your JAMF deployment, and depending on your macOS version, you must grant full disk access, approve system extensions, and configure the content filter, notifications, and managed login items.
For a seamless configuration using JAMF that does not require creating the configuration profile manually, refer to Install with a Unified Configuration Profile for MDMs.
Caution
Following the changes Apple introduced in macOS 11.3 for MDMs, when you remove an MDM configuration profile that includes permissions for system extensions (for Cortex XDR agents or Global Protect), the system extensions will be instantly unloaded from all endpoints. As a result, the Cortex XDR protection status will be disabled.
To set up a JAMF profile step-by-step, use the following workflow. For additional information, refer to the JAMF documentation on configuring configuration profiles.
Create a new Computer Configuration Profile in JAMF.
Under General Options, assign the following:
Name—Cortex XDR Agent Unified Configuration Profile
Level—Select Computer level.
Configure System Extensions.
Select Allow users to approve system extensions.
Add an approved Team ID for Palo Alto Networks:
System Extension Types—Allowed System Extensions
Team Identifier—PXPZ95SK77
Allowed system extension bundles—com.paloaltonetworks.traps.securityextension and com.paloaltonetworks.traps.networkextension
Add the allowed system extensions and save each item.
Configure Content Filter.
Configure the following Content Filter in your JAMF profile:
Filter name—Cortex XDR Network Filter
Identifier—com.paloaltonetworks.cortex.app
Filter Order—Firewall
Set the socket filter to enabled, and define the following:
Socket Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension
Socket Filter Designated Requirement—identifier "com.paloaltonetworks.traps.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
The network (packet) filter should be set to disabled/ignore by default. The packet filter provider is enabled on demand by the Cortex XDR agent when it is required.
Network Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension
Network Filter Designated Requirement—identifier "com.paloaltonetworks.traps.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
Configure Privacy Preferences Policy Control as described in Steps 4, 5, and 6:
Use the following settings to define the entity:
Identifier—com.paloaltonetworks.cortex.agent
Identifier Type—Bundle ID
Code Requirement—identifier "com.paloaltonetworks.cortex.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
Add and Allow Accessibility service.
Save the app or service item.
Add a new App Access configuration to grant Full Disk Access to the Cortex XDR security extension.
This configuration is required to enable the security extension to communicate with the OS.
Use the following settings to define the entity:
Identifier—com.paloaltonetworks.traps.securityextension
Identifier Type—Bundle ID
Code Requirement—identifier "com.paloaltonetworks.traps.securityextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
In App or Service, set SystemPolicyAllFiles to Allow.
Save the app or service item.
Add a new App Access configuration to grant Full Disk Access to Cortex XDR pmd.
This configuration allows the daemon access to analyze processes, files, disk access, utilities and more.
Use the following settings to define the entity:
Identifier—/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd
Identifier Type—Path
Code Requirement—identifier pmd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77
In App or Service, set SystemPolicyAllFiles to Allow.
Save the app or service item.
Configure Notifications.
Configure the following Notifications payload in your JAMF profile:
Bundle ID for agent 8.2 and earlier—com.paloaltonetworks.traps-agent
Bundle ID for agent 8.3 and later—com.paloaltonetworks.cortex.agent
Critical alerts—Enable and include.
Notifications—Enable and include.
Banner alert type—Temporary and include.
Notifications on Lock Screen—Display and include.
Notifications on Notification Center—Display and include.
Badge app icon—Display and include.
Play sound for notifications—Enable.
Configure Managed Login Items.
Rule type—Label prefix
Rule value—com.paloaltonetworks.cortex
Team identifier—PXPZ95SK77
Rule comment—Allows Cortex XDR launch daemons and launch agents.
Save the configuration profile.
After you set up your computer configuration profiles, create a new agent installation package in the Cortex XDR management console, upload the ZIP package you downloaded from Cortex XDR to your MDM (do not extract it), and then add it to a distribution point.
For instructions, see the following documentation resource from JAMF: Manually Adding a Package to a Distribution Point and Jamf Pro.
Create a new policy and install the package.
JAMF Package Deployment instructions.
JAMF Policy Management instructions.
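An audit of a saved profile against the values in the steps above, as an added example (not Palo Alto Networks or JAMF code): it parses an unsigned .mobileconfig export and checks that the system extension allow-list and every Privacy Preferences Policy Control code requirement still carry the Team ID and certificate clauses once comments are stripped. It assumes Apple's standard payload keys (AllowedSystemExtensions, Services, CodeRequirement); the function names and the sample profile are constructed for illustration.

```python
import plistlib, re
from pathlib import PurePosixPath

TEAM_ID = "PXPZ95SK77"
SYSEXT = {"com.paloaltonetworks.traps.securityextension",
          "com.paloaltonetworks.traps.networkextension"}
CLAUSES = ["anchor apple generic",
           "certificate 1[field.1.2.840.113635.100.6.2.6]",
           "certificate leaf[field.1.2.840.113635.100.6.1.13]",
           "certificate leaf[subject.OU] = " + TEAM_ID]

def check_requirement(req, expected_id):
    """Return the problems found in one code requirement string."""
    # Drop /* ... */ comments first: a damaged delimiter can turn a real
    # clause into comment text, which silently weakens the requirement.
    live = " ".join(re.sub(r"/\*.*?\*/", " ", req, flags=re.S).split())
    problems = [f"missing clause: {c}" for c in CLAUSES if c not in live]
    m = re.match(r'identifier "?([^"\s]+)"?', live)
    if not m or m.group(1) != expected_id:
        problems.append("identifier does not match entry")
    return problems

def audit_profile(data):
    """Audit the system extension and PPPC payloads of a .mobileconfig."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.system-extension-policy":
            allowed = set(p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
            findings += [f"extension not allowed: {b}" for b in sorted(SYSEXT - allowed)]
        elif p.get("PayloadType") == "com.apple.TCC.configuration-profile-policy":
            for service, entries in p.get("Services", {}).items():
                for e in entries:
                    ident = e.get("Identifier", "")
                    # Path entries (pmd) are named by the binary's file name.
                    name = PurePosixPath(ident).name if e.get("IdentifierType") == "path" else ident
                    findings += [f"{service} {name}: {x}"
                                 for x in check_requirement(e.get("CodeRequirement", ""), name)]
    return findings

def sample_profile(requirement):
    """Constructed one-entry profile, not an export from a real JAMF server."""
    return plistlib.dumps({"PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {TEAM_ID: sorted(SYSEXT)}},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {"SystemPolicyAllFiles": [
             {"Identifier": "/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd",
              "IdentifierType": "path", "CodeRequirement": requirement, "Allowed": True}]}}]})
```

An empty list from `audit_profile` means both payloads match; each finding names the service, the entry, and the clause that was lost.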