Worklet: Installing Carbon Black on MacOS

Hey Y’all

As an IT administrator one of the first things you’ll find yourself doing is installing an endpoint security tool, which can be very difficult to automate across hundreds, if not thousands of devices.

Not with Automox. Automox Worklets give you the power to deploy endpoint security tools to newly added endpoints as well as enforce installation on existing devices, so you always know that your endpoints are running the security tools necessary to protect your IT environment.

The Worklet below is designed to deploy Carbon Black Defense to macOS endpoints. The instructions include creating and deploying a .zip file that contains the install .sh script as well as the .pkg required by the .sh to perform the install. If everything works as designed, you should be able to run the Worklet and see the endpoint(s) appear in the Cb console.

  • You need to make sure that the Carbon Black application is whitelisted for the devices so the KEXT does not prevent the installation. Otherwise, this script will not work.

  • This is for the newest version of Carbon Black only, v3.3.2.58. For any new release, you’ll need to recreate the .zip file and upload it to the Worklet.

  • The only unique value you’ll need to input in the Worklet is the install code. You can request a new one from the Cb dashboard and get it instantly if you don’t have it. (Replace “your_install_code” with your install code).

  • If you need to input any other options for the install, such as a proxy server, reference the Cb install guide and manually add them to the install command in the Remediation code. (/tmp/Cb/CbInstallFiles/cbdefense_install_unattended.sh -i /tmp/Cb/CbInstallFiles/CbDefense\ Install.pkg -c "$installcode")

  • If you run the script and the device does not report into the Cb dashboard, check the installation error log located at /tmp/cbaxinstall.log. This log will help you troubleshoot installation issues.

  • The Worklet does add files and create folders, but it will clean all of the files up post installation.

Follow the instructions below. Once you have the Worklet created you can use the same one for all your devices.

You’ll only need to do this one time for the Worklet creation. You’ll need to create a CbInstallFiles.zip file that will be uploaded to the Worklet inside of the Automox console. You will need to combine the cbdefense_install_unattended.sh and the CbDefense Install.pkg into a folder and then zip it up.

  • Log in to the macOS Terminal with sudo privileges.

  • Download and mount the .dmg file to the device. Perform this command from the directory the .dmg is located:
    hdiutil attach confer_installer_mac-3.3.2.58.dmg

  • Make a folder for the install files you’ll extract from the .dmg. Run this exact command:
    mkdir /tmp/CbInstallFiles

  • Once you have the folder, you can copy the install files from the .dmg into it:
    cd /Volumes/CbDefense-3.3.2.58
    scp CbDefense\ Install.pkg /tmp/CbInstallFiles
    cd /Volumes/CbDefense-3.3.2.58/docs
    scp cbdefense_install_unattended.sh /tmp/CbInstallFiles

  • All of the files are now in the folder that we will zip up and use for the Worklet. Go ahead and zip up the CbInstallFiles folder located in /tmp, and it will be ready for the Worklet.

Once you have the CbInstallFiles.zip you can create the Worklet.

  • Log in to the Automox console and create a new policy from the System Mgmt page
  • From there select a “Worklet” policy for MacOS
  • Name the policy (required)
  • Copy the syntax below to each of the code blocks (evaluation, remediation)

Evaluation Code:

#!/bin/bash

#evaluate the device to see if the Carbon Black sensor kernel extension is present
#exit with 0 if the kext directory exists
#exit with 1 if it does not.  Remediation will run on exit code 1
[[ -d "/System/Library/Extensions/CbDefenseSensor.kext" ]]

if [[ $? -eq 0 ]]; then 
   exit 0
else
   exit 1
fi

Remediation Code:

#!/bin/bash

#Input your unique Cb install code below.  Replace your_install_code with your install code.
##########################################
installcode=your_install_code
##########################################

#make a directory that files will be extracted to
mkdir /tmp/Cb

#copy the .zip file to the device to prepare for installation 
scp CbInstallFiles.zip /tmp

sleep 3

#unzip the file and make the install .sh executable
unzip /tmp/CbInstallFiles.zip -d /tmp/Cb

chmod +x /tmp/Cb/CbInstallFiles/cbdefense_install_unattended.sh

#install carbon black to the device using the install script in conjunction with the install .pkg.  Output install errors to /tmp/cbaxinstall.log
/tmp/Cb/CbInstallFiles/cbdefense_install_unattended.sh -i /tmp/Cb/CbInstallFiles/CbDefense\ Install.pkg -c "$installcode" 2> /tmp/cbaxinstall.log &
process_id=$!

wait $process_id

#cleanup install files from the device post installation
rm -fdr /tmp/Cb
rm -fdr /tmp/CbInstallFiles.zip

#return 0 if install is successful  
#Return 1 if install is unsuccessful
[[ -d "/System/Library/Extensions/CbDefenseSensor.kext" ]]

if [[ $? -eq 0 ]]; then 
   exit 0
else
   exit 1
fi

  • Be sure to input your unique Carbon Black install code under the Remediation code block. Do this by replacing the “your_install_code” in the installcode=your_install_code. (ex: installcode=H2263xxx)

  • The Evaluation code checks whether Carbon Black is installed by testing for the sensor's kernel extension directory. If it is missing, the Cb Sensors are not installed and the script exits with a 1, forcing the Remediation code to run.

  • The Remediation code will perform the install of CbDefense to the device.

  • Load the CbInstallFiles.zip file we created earlier to the Worklet. The script will reference this during the install.

  • Save the Worklet.

  • Now you can set the Worklet to run on a schedule, or you can run the policy manually at any point on the devices.

You should be all set! Every time this policy runs, it will check to see if a device has Carbon Black installed. If not, it will install it.

If you have any questions feel free to reach out!
