JAMF Pro and Trend Worry Free

Are you an IT Pro scratching your head over this?



Disclaimer: In a break from our usual topics on device repairs, I have published this blog in the hope that a fellow IT Pro will read it and find it helpful. I am not recommending that anyone do anything without testing it first. If you are ever unsure, then don't do it.


Scope wisely. Test. Do not trust. The Internet wants to destroy you. It is the devil's highway.


I am not accountable for anyone breaking Macs or introducing any level of security risk. The results can be catastrophic in the wrong hands.


JAMF Pro and Trend Micro Worry Free Business Security.


I was recently deploying JAMF Pro for an organisation. The point of JAMF Pro is to achieve something centrally, without the user or an administrator having to get hands-on access to the Mac, iOS, iPadOS or even tvOS device. A network of 20, 50 or even 100 Macs is manageable without this, but what happens when you support numbers running into the thousands? You need an MDM solution and, let's face it, JAMF is the gold standard. Having a central management platform from which you can deploy apps and policies is priceless.


From macOS 10.13 (High Sierra) onward, third-party kernel extensions have to be explicitly approved before they will load (Apple calls this User-Approved Kernel Extension Loading). These extensions are low-level drivers that run inside the kernel, which is exactly why macOS no longer lets an installer load them silently. In the case of Trend Micro Worry Free Business Security I was able to get the following article from Trend Micro. I take no credit for it. It was produced by a guy called Tommy Huang and I found it very helpful, especially in that it reveals the Trend Team ID. JAMF and Mac admins will know what this is: it is the Apple Developer Team ID that a Kernel Extension Policy (Approved Kernel Extensions) payload in a configuration profile uses to pre-approve a vendor's kexts, so the user never has to find the Allow button. That payload only takes effect on Macs whose MDM enrollment is user-approved (or done through automated device enrollment).


Take your time to read and understand it. Get a test system, not production, something you can easily wipe and reload with macOS. If you push this out through a JAMF policy for further testing, be sure to check your scope and ONLY scope to your test environment. Deploy in small test batches and observe. Note that the later steps in the article (adding the Team ID with spctl kext-consent, or disabling SIP) have to be typed in Recovery Mode on the individual Mac and cannot be pushed from JAMF; the fleet-wide fix is the configuration profile carrying the Team ID.
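As an added example (not part of the original post, and not Trend Micro's or JAMF's own tooling), here is a shell script that does the two things the rest of this page is about in a form you could run from a JAMF policy or use as an Extension Attribute: it reads the kext_policy table the same way the article below does and reports whether each Trend kext is approved and actually loaded, and it emits the Kernel Extension Policy payload that pre-approves the Trend Team ID so no user ever has to click Allow. The Team ID and the two bundle IDs are taken from the article; the sample rows, the com.example identifier and the placeholder UUID are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post or from Trend Micro / JAMF.
# Audits and pre-approves a third-party kext under macOS 10.13+ User-Approved
# Kernel Extension Loading. Team ID and bundle IDs are those shown in the
# quoted Trend Micro article; everything else here is an assumption.

TEAM_ID="E8P47U2H32"
KEXTS="com.trendmicro.kext.filehook com.trendmicro.kext.KERedirect"
KEXT_POLICY_DB="/var/db/SystemPolicyConfiguration/KextPolicy"

# Constructed sample in sqlite3's default pipe-separated output format,
# modelled on the two rows in the article. The 0 (not allowed) row is made
# up so the failure path can be exercised offline.
SAMPLE_ROWS='E8P47U2H32|com.trendmicro.kext.filehook|1|Trend Micro, Inc.|8
E8P47U2H32|com.trendmicro.kext.KERedirect|0|Trend Micro, Inc.|8'

# kext_policy_status TEAM BUNDLE  < rows "team_id|bundle_id|allowed|developer|flags"
# Prints ALLOWED (allowed = 1), NOT_ALLOWED (row exists, allowed != 1) or
# MISSING (no row for that Team ID / bundle ID pair, e.g. never prompted).
kext_policy_status() {
  local team="$1" bundle="$2" state="MISSING" t b allowed rest
  while IFS='|' read -r t b allowed rest || [ -n "$t" ]; do
    if [ "$t" = "$team" ] && [ "$b" = "$bundle" ]; then
      if [ "$allowed" = "1" ]; then state="ALLOWED"; else state="NOT_ALLOWED"; fi
    fi
  done
  printf '%s\n' "$state"
}

# Dump the live database as pipe-separated rows. It is readable by root only
# (the article's own session runs from a root shell). If the default file is
# absent, fall back to another KextPolicy* db in that directory, as the
# article's note suggests.
dump_kext_policy() {
  local db="$KEXT_POLICY_DB" alt
  if [ ! -r "$db" ]; then
    for alt in "${KEXT_POLICY_DB}"*; do [ -r "$alt" ] && db="$alt" && break; done
  fi
  [ -r "$db" ] || { echo "no readable KextPolicy database (run as root?)" >&2; return 1; }
  /usr/bin/sqlite3 "$db" 'SELECT * FROM kext_policy;'
}

# report < rows   Prints a JAMF Extension Attribute style result: one line
# per kext with its approval state and whether kextstat shows it loaded
# (kextstat is the 10.13-era tool; absent or empty output means not loaded).
report() {
  local rows b status loaded
  rows="$(cat)"
  printf '<result>\n'
  for b in $KEXTS; do
    status="$(printf '%s\n' "$rows" | kext_policy_status "$TEAM_ID" "$b")"
    loaded=no
    kextstat -l -b "$b" 2>/dev/null | grep -q "$b" && loaded=yes
    printf '%s policy=%s loaded=%s\n' "$b" "$status" "$loaded"
  done
  printf '</result>\n'
}

# kext_policy_payload TEAM BUNDLE...  Emits the Kernel Extension Policy
# payload (Apple's com.apple.syspolicy.kernel-extension-policy keys) that a
# configuration profile carries to pre-approve TEAM's kexts; JAMF's "Approved
# Kernel Extensions" payload builds the same thing from the Team ID. It only
# applies on Macs with user-approved (or automated) MDM enrollment.
# PayloadIdentifier and PayloadUUID below are placeholders.
kext_policy_payload() {
  local team="$1" b; shift
  cat <<EOF
<dict>
  <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.kext-policy.${team}</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000000</string>
  <key>AllowUserOverrides</key><true/>
  <key>AllowedTeamIdentifiers</key>
  <array><string>${team}</string></array>
  <key>AllowedKernelExtensions</key>
  <dict><key>${team}</key><array>
EOF
  for b in "$@"; do printf '    <string>%s</string>\n' "$b"; done
  printf '  </array></dict>\n</dict>\n'
}

# Usage: ./kextaudit.sh audit    (live KextPolicy db, run as root)
#        ./kextaudit.sh demo     (constructed sample rows, runs anywhere)
#        ./kextaudit.sh payload  (profile payload for the Trend Team ID)
case "${1:-}" in
  audit)   dump_kext_policy | report ;;
  demo)    printf '%s\n' "$SAMPLE_ROWS" | report ;;
  payload) kext_policy_payload "$TEAM_ID" $KEXTS ;;
esac
```

The MISSING state is the interesting one for a fleet: it means the Mac has never recorded a decision for that Team ID, which is what you see when the profile was never delivered or the enrollment was not user-approved, whereas NOT_ALLOWED means a user was prompted and did not click Allow.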

 

[Mac] KEXT problem

Created by Tommy Huang (RD-TW), last modified on Oct 28, 2020

[description]

Macs have checked KEXTs since 10.13: every kernel extension installed needs to be approved. Based on the KB from Mac (https://developer.apple.com/library/archive/technotes/tn2459/_index.html), this approval setting will only be shown for 30 minutes. Once we have an installation failure case, we can use the following steps to troubleshoot.

This approval UI is only present in the Security & Privacy preferences pane for 30 minutes after the alert. Until the user approves the KEXT, future load attempts will cause the approval UI to reappear but will not trigger another user alert.


[Resolve issue SOP] SEG-40802

1. Check if the customer approved the KEXT.

Open Terminal and type the command:

/usr/bin/sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

NOTE: if you cannot find /var/db/SystemPolicyConfiguration/KextPolicy, there might be some other KextPolicy database in the same directory, e.g. KextPolicyMDM. You can try to open another db for the query result.

---result--------------------------------

sh-3.2# /usr/bin/sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SQLite version 3.19.3 2017-06-27 16:48:08
Enter ".help" for usage hints.
sqlite>

2. Type the SQL command:

SELECT * FROM kext_policy;

---result--------------------------------

The following is a sample; 1 means allowed:

E8P47U2H32|com.trendmicro.kext.filehook|1|Trend Micro, Inc.|8
E8P47U2H32|com.trendmicro.kext.KERedirect|1|Trend Micro, Inc.|8

3. If step 1 shows NOT ALLOWED, please help the customer reboot the computer and help the customer approve it (Apple KB: https://developer.apple.com/library/archive/technotes/tn2459/_index.html).

4. If step 1 shows ALLOWED, please use the following steps:

1. Uninstall the Agent with the uninstall tool.

2. Restart the computer, holding Command + R to boot into the Recovery System.

3. Choose "Disk Utility" from the Recovery menu.

(Source: https://wiki.jarvis.trendmicro.com/display/WFBSSVC/%5BMac%5D+KEXT+problem, "[Mac] KEXT problem - WFBS-SVC - JARVIS Wiki", retrieved 3/11/22, 2:56 AM)

4. Within Disk Utility click on your main hard drive (e.g. Macintosh HD) and then click on "Mount".

5. Exit out of "Disk Utility".

6. Click "Utilities" in the menu bar and select "Terminal".

7. Use the following commands to back up the folder and then remove it:

cp -r /Volumes/Macintosh\ HD/Library/StagedExtensions/Library/Application\ Support/TrendMicro /Volumes/Macintosh\ HD/Library/StagedExtensions/Library/Application\ Support/TrendMicro_bak

cd /Volumes/Macintosh\ HD/Library/StagedExtensions/Library/Application\ Support

rm -rf /Volumes/Macintosh\ HD/Library/StagedExtensions/Library/Application\ Support/TrendMicro

8. Reboot the computer.

9. Install the Agent again.

10. Go to System Preferences -> Security & Privacy and allow Trend's KEXT.

If the button is not shown:

reboot the computer;

go to System Preferences -> Security & Privacy and allow Trend's KEXT again;

reboot the computer.

If the button is shown, click "Allow" and reboot the computer.

If the above steps cannot resolve the issue, it means that macOS does not allow any 3rd-party KEXT (check kextStat.txt; there is no other 3rd-party software's kext in the list). We need to add Trend's developer ID to the SIP white list or disable SIP.

Note: once support finds a log similar to the one below in kextStat.txt, please directly try adding Trend's developer ID to the SIP white list.

2018-11-20 13:16:30.878889-0800 0x9c4 Default 0x0 0 0 kernel: Kext com.trendmicro.kext.KERedirect not found for unload request.
2018-11-20 13:16:31.059318-0800 0x22d Default 0x0 45 0 kextd: Kext rejected due to system policy: <OSKext 0x7f875821cb50 [0x7fff8800eaf0]> { URL = "file:///Library/StagedExtensions/Library/Application%20Support/TrendMicro/kext/KERedirect/10.12/KERedirect.kext/", ID = "com.trendmicro.kext.KERedirect" }


[Steps to add the Trend Micro developer ID to the SIP white list]

1. Boot the Mac in recovery mode (boot while holding Command-Option-R).

2. Open a terminal.

3. Type the command to add Trend's ID to the SIP white list (where E8P47U2H32 is the Trend Micro developer ID):

spctl kext-consent add E8P47U2H32

4. Type the command to check whether the Trend Micro developer ID is in the white list (it lists the IDs, so you can verify whether "E8P47U2H32" was added):

spctl kext-consent list

5. Reboot the computer.

If adding to the white list can NOT resolve the issue, please help disable SIP (as in SEG-40407) and verify whether the issue can be resolved. *****NOTE: Disabling SIP has security concerns. Please remember to enable it again after verification.

[Steps to disable the SIP]


1. From the Apple menu select Restart.

2. As your Mac restarts, press and hold down the Command + R keys immediately upon hearing the startup chime. Hold the keys until the Apple logo appears to get the computer into Recovery mode.

3. The computer is now in Recovery mode. From the Apple menu select Utilities -> Terminal

4. Run the command to disable SIP:

csrutil disable

5. From the Apple menu, select Restart.

6. Check whether the Mac agent starts in "Protection" mode or not.

[Restore MacOS self-protection SIP]

1. Shutdown/Restart Your Computer.

2. Press Command + R during booting to enter Recovery Mode.

3. Click "Open Terminal" from the menu bar.

4. Type “csrutil enable” to enable SIP. <-- Important!!

5. Restart Computer

