AMP FOR ENDPOINTS MAC CONNECTOR

Changes due to macOS 10.14 (Mojave)

Introduction

Apple has introduced two new security features in macOS 10.14 (Mojave) that affect the AMP for Endpoints Mac Connector. These changes are:

1. Improved User Data & Privacy Protections
2. Application Notarization

This advisory describes how the AMP Connector is affected and the steps users and system administrators can take to ensure that AMP operates correctly.

IMPORTANT! We encourage customers to delay upgrading to macOS 10.14 until AMP for Endpoints Mac Connector 1.9.0 becomes available. While it is possible to run the currently available AMP Connector (1.8.1) on macOS 10.14, the upcoming 1.9.0 release contains changes that improve compatibility. AMP for Endpoints Mac Connector 1.9.0 is expected to be available in October 2018.

1. Improved User Data & Privacy Protections

macOS 10.14 requires user approval before an application can access parts of the filesystem that contain personal user data (e.g. Contacts, Photos, Calendar). Without approval, applications attempting to access these files may trigger a prompt for approval. If approval is not granted, the application will be denied access.


Impact on the Mac Connector

Without approval, the AMP Connector will be unable to provide protection or visibility for the parts of the filesystem that macOS protects. Some Connector functions may also be suspended while the user is being prompted to grant approval.

Approving Full Disk Access at the Endpoint

Users can pre-approve the AMP Connector by updating Privacy Options in the Security & Privacy pane of System Preferences and granting Full Disk Access to the AMP service daemon /opt/cisco/amp/ampdaemon. The ampdaemon file in AMP Connector 1.8.1 has a special property that prevents it from being dragged and dropped into the Privacy Options application list. To add ampdaemon to the list:

1. Click [+] to add a new entry.
2. Press Command-Shift-G to bring up the "Go to the folder" prompt.
3. Type /opt/cisco/amp and click Go.
4. Choose ampdaemon and click Open.

For AMP Connector 1.8.1 and earlier: after Full Disk Access approval has been granted, the AMP service daemon will also need to be restarted:

sudo launchctl unload /Library/LaunchDaemons/com.cisco.amp.daemon.plist
sudo launchctl load /Library/LaunchDaemons/com.cisco.amp.daemon.plist

The drag-and-drop and service restart restrictions will be removed in AMP Connector 1.9.0.

Approving Full Disk Access using MDM

For customers using a Mobile Device Management (MDM) solution (e.g. Cisco Meraki) for deployment and management, Full Disk Access approval can be granted using the Privacy Preferences Policy Control Payload in an MDM profile. This removes the need for action by the end user.

IMPORTANT! For customers using MDM, consult the MDM documentation or speak to the MDM vendor to learn how to grant Full Disk Access approval for the AMP for Endpoints Mac Connector.

The Cisco AMP Team details are:

• Name: Cisco Systems, Inc. (TDNYQP7VRK)
• Team Identifier: TDNYQP7VRK

Beginning with AMP for Endpoints Mac Connector 1.9.0, endpoints that have not granted access to the protected paths will send an Event that is visible in the AMP Console. You can determine which Connectors may be operating in a degraded state by reviewing the devices generating this Event type.
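The following is an added example, not Cisco's or any MDM vendor's code, showing the shape of a Privacy Preferences Policy Control payload that grants Full Disk Access (the SystemPolicyAllFiles service) to /opt/cisco/amp/ampdaemon, using the team identifier above. The CODE_REQUIREMENT string is a placeholder assumption: the real designated requirement must be read from a host with the Connector installed, and the payload identifiers and organization name are invented for illustration.

```python
"""Build a PPPC profile granting Full Disk Access to ampdaemon. Added example, not Cisco's or an MDM vendor's code."""
import plistlib
import uuid

AMPDAEMON = "/opt/cisco/amp/ampdaemon"     # daemon path from the advisory
TEAM_ID = "TDNYQP7VRK"                     # Cisco team identifier from the advisory

# PLACEHOLDER (assumption): read the real designated requirement on a host that has the
# Connector installed with `codesign -d -r- /opt/cisco/amp/ampdaemon` and paste it here.
CODE_REQUIREMENT = ('identifier "ampdaemon" and anchor apple generic and '
                    f'certificate leaf[subject.OU] = "{TEAM_ID}"')

def pppc_profile(path: str, code_requirement: str) -> dict:
    """Profile dict using the keys from Apple's Configuration Profile Reference."""
    service = {
        "Identifier": path,
        "IdentifierType": "path",             # match the daemon by filesystem path
        "CodeRequirement": code_requirement,  # bind the grant to Cisco-signed code only
        "Allowed": True,
        "Comment": "Full Disk Access for the AMP for Endpoints Mac Connector daemon",
    }
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.pppc.ampdaemon.tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "AMP Connector Full Disk Access",
        "Services": {"SystemPolicyAllFiles": [service]},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",             # TCC payloads must be device (not user) scoped
        "PayloadIdentifier": "com.example.pppc.ampdaemon",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "AMP Connector PPPC",
        "PayloadOrganization": "Example Org",
        "PayloadContent": [tcc_payload],
    }

def profile_plist(path: str = AMPDAEMON, code_requirement: str = CODE_REQUIREMENT) -> bytes:
    """Serialize the profile as an XML plist (.mobileconfig) for upload to the MDM."""
    return plistlib.dumps(pppc_profile(path, code_requirement))

if __name__ == "__main__":
    with open("amp_fda.mobileconfig", "wb") as f:
        f.write(profile_plist())
```

The resulting .mobileconfig must be pushed by the MDM as a device profile; a profile installed manually by a user does not grant TCC permissions.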

2. Application Notarization

macOS 10.14 introduces a new security mechanism for software distributed outside the App Store called Application Notarization. Apple has created an automated service that executes security checks against applications submitted by developers. Once the checks are complete and the application passes, a notarization ticket can be “stapled” to the application to indicate to macOS that the software can be installed without prompting for user approval.

Impact on the Mac Connector

Starting with AMP for Endpoints Mac Connector 1.9.0, Cisco will make changes to how the Mac Connector is made available to end users. Instead of distributing the AMP Connector as an un-notarized Installer Package (.pkg) file, 1.9.0 and newer releases will be distributed as an Apple Disk Image (.dmg) embedding a notarized Installer Package (.pkg) file. While this difference may be minor when invoking the installer manually, any automated processes used to deploy the Mac Connector across your environment will need to be modified to handle the new installation format.

A sample workflow may be:

• Download amp_mac_connector.dmg from the AMP Console
• Push amp_mac_connector.dmg to your endpoints
• Mount the .dmg file:
  $ hdiutil attach ampmac_connector.dmg
• Execute the Apple notarized Mac Connector file:
  $ sudo installer -pkg /Volumes/ampmac_connector/ciscoampmac_connector.pkg -target /
• Un-mount the .dmg file:
  $ hdiutil detach /Volumes/ampmac_connector
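The workflow above as a deployment helper, added here as an example and not Cisco's code: it mounts the image, confirms that the embedded package is signed under the Cisco team identifier given earlier and accepted by Gatekeeper, installs it, and detaches the image even if a step fails. It assumes the package name from the workflow above; the SAMPLE_ constants are constructed stand-ins for hdiutil and pkgutil output so the parsing functions can be exercised without a Mac.

```python
"""Deploy the .dmg-packaged Mac Connector: mount, verify, install, detach. Added example, not Cisco's code."""
import plistlib
import subprocess
import sys

EXPECTED_TEAM_ID = "TDNYQP7VRK"            # Cisco team identifier from the advisory
PKG_NAME = "ciscoampmac_connector.pkg"     # package name from the advisory's workflow

# Constructed samples shaped like `hdiutil attach -plist` / `pkgutil --check-signature` output.
SAMPLE_HDIUTIL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>system-entities</key><array>
<dict><key>dev-entry</key><string>/dev/disk2</string></dict>
<dict><key>dev-entry</key><string>/dev/disk2s1</string>
<key>mount-point</key><string>/Volumes/ampmac_connector</string></dict>
</array></dict></plist>"""
SAMPLE_PKGUTIL = """Package "ciscoampmac_connector.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
    1. Developer ID Installer: Cisco Systems, Inc. (TDNYQP7VRK)
"""

def mount_points(hdiutil_plist: bytes) -> list:
    """Mount points reported by hdiutil (the whole-disk entry carries none)."""
    entities = plistlib.loads(hdiutil_plist).get("system-entities", [])
    return [e["mount-point"] for e in entities if "mount-point" in e]

def signature_ok(pkgutil_output: str, team_id: str = EXPECTED_TEAM_ID) -> bool:
    """Accept only a signed package whose certificate names the expected team."""
    status = [line for line in pkgutil_output.splitlines() if "Status:" in line]
    return bool(status) and "signed by" in status[0] and f"({team_id})" in pkgutil_output

def run(cmd: list) -> subprocess.CompletedProcess:
    return subprocess.run(cmd, check=True, capture_output=True, text=True)

def install_from_dmg(dmg_path: str) -> None:
    attach = subprocess.run(["hdiutil", "attach", "-plist", "-nobrowse", dmg_path],
                            check=True, capture_output=True)
    volumes = mount_points(attach.stdout)
    if not volumes:
        raise SystemExit(f"{dmg_path}: hdiutil reported no mounted volume")
    pkg = f"{volumes[0]}/{PKG_NAME}"
    try:
        if not signature_ok(run(["pkgutil", "--check-signature", pkg]).stdout):
            raise SystemExit(f"{pkg}: not signed by team {EXPECTED_TEAM_ID}; aborting")
        run(["spctl", "--assess", "--type", "install", "-v", pkg])  # non-zero exit: Gatekeeper rejects
        run(["sudo", "installer", "-pkg", pkg, "-target", "/"])
    finally:
        subprocess.run(["hdiutil", "detach", volumes[0]], check=False)

if __name__ == "__main__":
    install_from_dmg(sys.argv[1] if len(sys.argv) > 1 else "amp_mac_connector.dmg")
```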

Summary

macOS 10.14 (Mojave) introduces two new security features that affect the AMP for Endpoints Mac Connector. We encourage customers to delay upgrading to macOS 10.14 until AMP for Endpoints Mac Connector 1.9.0 becomes available in October 2018. While it is possible to run the currently available AMP Connector (1.8.1) on macOS 10.14, the upcoming 1.9.0 release contains changes that improve compatibility. In addition to upgrading to the 1.9.0 release when it becomes available, customers need to:

1. Ensure Full Disk Access is granted to the AMP service daemon: /opt/cisco/amp/ampdaemon
2. Re-evaluate the AMP install process to adjust for the installer file format change from a single Package Installer (.pkg) file to an Apple Disk Image (.dmg) containing a Package Installer (.pkg) inside the image.

The purpose of this advisory is to help AMP customers understand the impact of macOS 10.14. It is based on currently available information and may change without notice. Cisco continues to research, develop, and test to ensure that AMP runs seamlessly and effectively on macOS 10.14.

Technical Resources:

• Apple WWDC 2018 Talk regarding the new User Data & Privacy protections: https://developer.apple.com/videos/play/wwdc2018/702/?time=438
• Apple’s MDM Documentation regarding the “Privacy Preferences Policy Control Payload”: https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
• Apple WWDC 2018 Talk regarding the new notarization workflow: https://developer.apple.com/videos/play/wwdc2018/702/?time=1769
• Apple Notarization Overview: https://developer.apple.com/developer-id/
