Install the Cortex XDR Agent Using JAMF - Administrator Guide - 8.3 - Cortex XDR Agent - Cortex XDR - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XDR Agent Administrator Guide

Product
Cortex XDR Agent
Cortex XDR
Version
8.3
Creation date
2024-01-02
Last date published
2024-07-04
Category
Administrator Guide
Abstract

Step-by-step instructions to configure a JAMF installation profile for the Cortex XDR agent on macOS endpoints.

To deploy the Cortex XDR agent to multiple endpoints, you can set up a JAMF profile. As part of your JAMF deployment you must grant full disk access, approve system extensions, content filter configuration, notifications and managed login items. Depending on your macOS version.

For a seamless configuration using JAMF that does not require creating the configuration profile manually, refer to Install with a Unified Configuration Profile for MDMs.

Caution

Following the changes Apple introduced in macOS 11.3 for MDMs, when you remove an MDM configuration profile that includes permissions for system extensions (for Cortex XDR agents or Global Protect), the system extensions will be instantly unloaded from all endpoints. As a result, the Cortex XDR protection status will be disabled.

    To set up a JAMF profile step-by-step, use the following workflow. For additional information, refer to the JAMF documentation on configuring configuration profiles.

    1. Create a new Computer Configuration Profile in JAMF.

      Under General Options, assign the following:

      • Name—Cortex XDR Agent Unified Configuration Profile

      • Level—Select Computer level.

      Unified_Config_Profile.png
    2. Configure System Extensions.

      JAMF_System_Extentions_2023.png
      1. SelectAllow users to approve system extensions.

      2. Add an approved Team ID for Palo Alto Networks:

        • System Extension Types—Allowed System Extensions

        • Team Identifier—PXPZ95SK77

        • Allowed system extension bundles—com.paloaltonetworks.traps.securityextension and com.paloaltonetworks.traps.networkextension

      3. Add the allowed system extensions and save each item.

    3. Configure Content Filter.

      1. Configure the following Content Filter in your JAMF profile:

        • Filter name—Cortex XDR Network Filter

        • Identifier—com.paloaltonetworks.cortex.app

        • Filter Order—Firewall

      2. Set the socket filter to enabled, and define the following:

        • Socket Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension

        • Socket Filter Designated Requirement—identifier "com.paloaltonetworks.traps.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = PXPZ95SK77

      3. The network (packet) filter should be set to disabled/ignore by default. The packet filter provider is enabled on demand by the Cortex XDR agent when it is required.

        • Network Filter Bundle Identifier—com.paloaltonetworks.traps.networkextension

        • Network Filter Designated Requirement—identifier "com.paloaltonetworks.traps.networkextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = PXPZ95SK77

      JAMF_Config_Settings-Content_Filter_2023.png
    4. Configure Privacy Preferences Policy Control as described in Steps 4, 5, and 6:

      JAMF_Privacy_Preferences_Policy_Control_2023.png
      1. Use the following settings to define the entity:

        • Identifier—com.paloaltonetworks.cortex.agent

        • Identifier Type—Bundle ID

        • Code Requirement—identifier "com.paloaltonetworks.cortex.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = PXPZ95SK77

      2. Add and Allow Accessibility service.

      3. Save the app or service item.

    5. Add a new App Access configuration to grant Full Disk Access to the Cortex XDR security extension.

      This configuration is required to enable the security extension to communicate with the OS.

      JAMF_Privacy_Preferences_Policy_Control_b_2023.png
      1. Use the following settings to define the following entity:

        • Identifier—com.paloaltonetworks.traps.securityextension

        • Identifier Type—Bundle ID

        • Code Requirement—identifier "com.paloaltonetworks.traps.securityextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77

      2. In App or Service, set SystemPolicyAllFiles to Allow.

      3. Save the app or service item.

    6. Add a new App Access configuration to grant Full Disk Access to Cortex XDR pmd.

      This configuration allows the daemon access to analyze processes, files, disk access, utilities and more.

      JAMF_Privacy_Preferences_Policy_Control_c_2023.png
      1. Use the following settings to define the entity:

        • Identifier—/Library/Application Support/PaloAltoNetworks/Traps/bin/pmd

        • Identifier Type—Path

        • Code Requirement—identifier pmd and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PXPZ95SK77

      2. In App or Service, set SystemPolicyAllFiles to Allow.

      3. Save the app or service item.

    7. Configure Notifications.

      Configure the following Notifications payload in your JAMF profile:

      • Bundle ID for agent 8.2 and earlier—com.paloaltonetworks.traps-agent

        Bundle ID for agent 8.3 and later—com.paloaltonetworks.cortex.agentr

      • Critical alerts—Enable and include.

      • Notifications—Enable and include.

      • Banner alert type—Temporary and include.

      • Notifications on Lock Screen—Display and include.

      • Notifications on Notification Center—Display and include.

      • Badge app icon—Display and include.

      • Play sound for notifications—Enable.

      JAMF_Notifications_2023.png
    8. Configure Managed Login Items.

      • Rule type—Label prefix

      • Rule value—com.paloaltonetworks.cortex

      • Team identifier—PXPZ95SK77

      • Rule comment—Allows Cortex XDR launch daemons and launch agents.

      Configuration_profile_Notifications_2.png
    9. Save the configuration profile.

    10. After you set up your computer configuration profiles, create a new agent installation package in the Cortex XDR management console, upload the ZIP package you downloaded from Cortex XDR to your MDM (do not extract it), and then add it to a distribution point.

      For instructions, see the following documentation resource from JAMF: Manually Adding a Package to a Distribution Point and Jamf Pro.

    11. Create a new policy and install the package.