As in, will one need to push an MDM profile to all...
# macosn
natewalck
09/15/2021, 6:35 PMAs in, will one need to push an MDM profile to allow said extension 🙂
s
sharvil
09/15/2021, 7:01 PMHey @natewalck, the EndpointSecurity features need certain macOS permissions, namely root and Full Disk Access (inside System Preferences --> Privacy --> Full Disk Access). If these permissions are granted manually, there is no need for MDM.
n
natewalck
09/15/2021, 7:01 PMYep, that all makes sense. So this is an Endpoint agent but not a System Extension ?
s
sharvil
09/15/2021, 7:01 PMMDM just makes it easy to automatically grant these permissions via a PPPC payload config profile
n
natewalck
09/15/2021, 7:01 PMgiven that it runs its own launchd
natewalck
09/15/2021, 7:01 PMYep, I'm familiar with all that
s
sharvil
09/15/2021, 7:02 PMYes, it's currently is just EndpointSecurity
sharvil
09/15/2021, 7:02 PMthere is no SystemExtension yet
n
natewalck
09/15/2021, 7:02 PMit was funky to see a .app and not have a system extension ala Crowdstrike, Santa, etc
natewalck
09/15/2021, 7:02 PMAre there plans for a system extension?
s
sharvil
09/15/2021, 7:03 PM.app is required so that osqueryd (which has es entitlements) can automatically pick up the corresponding provisioning profile
👍 1
sharvil
09/15/2021, 7:04 PMOtherwise, folks would have to install the profile manually (https://github.com/osquery/osquery/blob/master/tools/deployment/macos_packaging/embedded.provisionprofile)
sharvil
09/15/2021, 7:05 PMThere are a lot of folks who would like to see the SystemExtension functionality too, and I would like to support that too, but it's not in the immediate roadmap
👍 1
sharvil
09/15/2021, 7:17 PMWe have also tried to capture and document all that stuff here (https://osquery.readthedocs.io/en/latest/deployment/process-auditing/#auditing-processes-with-endpointsecurity), if there is anything there that you think needs improvement, please let me know!
7 Views