elastic · natasha-moore-elastic · Sep 11, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024
@@ -0,0 +1,126 @@
+[[deploy-with-mdm]]
+= Deploy {elastic-defend} on macOS with mobile device management
+++++
+<titleabbrev>Deploy on macOS with MDM</titleabbrev>
+++++
+
+To silently install and deploy {elastic-defend}, you need to configure a mobile device management (MDM) profile for {elastic-endpoint}—the installed component that performs {elastic-defend}'s threat monitoring and prevention. This allows you to pre-approve the {elastic-endpoint} system extension and grant Full Disk Access to all the necessary components.
+
+This page explains how to deploy {elastic-defend} silently using Jamf.
+
+[discrete]
+[[configure-jamf-profile]]
+== Configure a Jamf MDM profile
+
+In Jamf, create a configuration profile for {elastic-endpoint}. Follow these steps to configure the profile:
+
+. <<system-extension-jamf, Approve the system extension.>>
+. <<content-filtering-jamf, Approve network content filtering.>>
+. <<notifications-jamf, Enable notifications.>>
+. <<fda-jamf, Enable Full Disk Access.>>
+
+[discrete]
+[[system-extension-jamf]]
+=== Approve the system extension
+
+. Select the **System Extensions** option to configure the system extension policy for the {elastic-endpoint} configuration profile. 
+. Make sure that **Allow users to approve system extensions** is selected. 
+. In the **Allowed Team IDs and System Extensions** section, add the {elastic-endpoint} system extension:
+.. (Optional) Enter a **Display Name** for the {elastic-endpoint} system extension.
+.. From the **System Extension Types** dropdown, select **Allowed System Extensions**.
+.. Under **Team Identifier**, enter `2BT3HPN62Z`.
+.. Under **Allowed System Extensions**, enter `co.elastic.systemextension`.
+. Save the configuration.
+
+[role="screenshot"]
+image::images/system-extension-jamf.png[]
+
+[discrete]
+[[content-filtering-jamf]]
+=== Approve network content filtering
+
+. Select the **Content Filter** option to configure the Network Extension policy for the {elastic-endpoint} configuration profile.
+. Under **Filter Name**, enter `ElasticEndpoint`.
+. Under **Identifier**, enter `co.elastic.endpoint`.
+. In the **Socket Filter** section, fill in these fields:
+.. **Socket Filter Bundle Identifier**: Enter `co.elastic.systemextension`
+.. **Socket Filter Designated Requirement**: Enter the following:
++
+[source,shell]
+----------------------------------
+identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+----------------------------------
+. In the **Network Filter** section, fill in these fields:
+.. **Network Filter Bundle Identifier**: Enter `co.elastic.systemextension`
+.. **Network Filter Designated Requirement**: Enter the following:
++
+[source,shell]
+----------------------------------
+identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+----------------------------------
+. Save the configuration.
+
+[role="screenshot"]
+image::images/content-filtering-jamf.png[]
+
+[discrete]
+[[notifications-jamf]]
+=== Enable notifications
+
+. Select the **Notifications** option to configure the Notification Center policy for the {elastic-endpoint} configuration profile. 
+. Under **App Name**, enter `Elastic Security.app`.
+. Under **Bundle ID**, enter `co.elastic.alert`.
+. In the **Settings** section, include these options with the following settings:
+.. **Critical Alerts**: **Enable**.
+.. **Notifications**: **Enable**.
+.. **Banner alert type**: **Persistent**.
+.. **Notifications on Lock Screen**: **Display**.
+.. **Notifications in Notification Center**: **Display**.
+.. **Badge app icon**: **Display**.
+.. **Play sound for notifications**: **Enable**.
+. Save the configuration.
+
+[role="screenshot"]
+image::images/notifications-jamf.png[]
+
+[discrete]
+[[fda-jamf]]
+=== Enable Full Disk Access
+
+. Select the **Privacy Preferences Policy Control** option to configure the Full Disk Access policy for the {elastic-endpoint} configuration profile.
+. Add a new entry with the following details:
+.. Under **Identifier**, enter `co.elastic.systemextension`.
+.. From the **Identifier Type** dropdown, select **Bundle ID**.
+.. Under **Code Requirement**, enter the following:
++
+[source,shell]
+----------------------------------
+identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+----------------------------------
+.. Make sure that **Validate the Static Code Requirement** is selected.
+. Add a second entry with the following details:
+.. Under **Identifier**, enter `co.elastic.endpoint`.
+.. From the **Identifier Type** dropdown, select **Bundle ID**.
+.. Under **Code Requirement**, enter the following:
++
+[source,shell]
+----------------------------------
+identifier "co.elastic.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+----------------------------------
+.. Make sure that **Validate the Static Code Requirement** is selected.
+. Add a third entry with the following details:
+.. Under **Identifier**,  enter `co.elastic.elastic-agent`.
+.. From the **Identifier Type** dropdown, select **Bundle ID**.
+.. Under **Code Requirement**, enter the following:
++
+[source,shell]
+----------------------------------
+identifier "co.elastic.elastic-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+----------------------------------
+.. Make sure that **Validate the Static Code Requirement** is selected.
+. Save the configuration.
+
+[role="screenshot"]
+image::images/fda-jamf.png[]
+
+After you complete these steps, generate the mobile configuration profile and install it onto the macOS machines. Once the profile is installed, {elastic-defend} can be deployed without the need for user interaction.
@@ -9,6 +9,7 @@ include::../getting-started/elastic-endpoint-reqs.asciidoc[leveloffset=+1]
 include::../getting-started/install-endpoint.asciidoc[leveloffset=+1]
 include::../getting-started/install-elastic-endpoint.asciidoc[leveloffset=+2]
 include::../getting-started/install-elastic-endpoint-ven.asciidoc[leveloffset=+2]
+include::./admin/deploy-with-mdm.asciidoc[leveloffset=+2]
 include::../getting-started/agent-tamper-protection.asciidoc[leveloffset=+2]
 
 include::../getting-started/defend-feature-privs.asciidoc[leveloffset=+1]

@@ -0,0 +1,107 @@
+---
+slug: /serverless/security/deploy-with-mdm
+title: Deploy ((elastic-defend)) on macOS with mobile device management
+description: Configure access for deploying ((elastic-defend)) on macOS with mobile device management.
+tags: ["security","how-to","secure"]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+<div id="deploy-elastic-endpoint-mdm"></div>
+
+To silently install and deploy ((elastic-defend)) without the need for user interaction, you need to configure a mobile device management (MDM) profile for ((elastic-endpoint))—the installed component that performs ((elastic-defend))'s threat monitoring and prevention. This allows you to pre-approve the ((elastic-endpoint)) system extension and grant Full Disk Access to all the necessary components.
+
+This page explains how to deploy ((elastic-defend)) silently using Jamf.
+
+## Configure a Jamf MDM profile
+
+In Jamf, create a configuration profile for ((elastic-endpoint)). Follow these steps to configure the profile:
+
+1. <DocLink slug="/serverless/security/deploy-with-mdm" section="approve-the-system-extension">Approve the system extension</DocLink>.
+1. <DocLink slug="/serverless/security/deploy-with-mdm" section="approve-network-content-filtering">Approve network content filtering</DocLink>.
+1. <DocLink slug="/serverless/security/deploy-with-mdm" section="enable-notifications">Enable notifications</DocLink>.
+1. <DocLink slug="/serverless/security/deploy-with-mdm" section="enable-full-disk-access">Enable Full Disk Access</DocLink>.
+
+### Approve the system extension
+
+1. Select the **System Extensions** option to configure the system extension policy for the ((elastic-endpoint)) configuration profile. 
+1. Make sure that **Allow users to approve system extensions** is selected. 
+1. In the **Allowed Team IDs and System Extensions** section, add the ((elastic-endpoint)) system extension:
+    1. (Optional) Enter a **Display Name** for the ((elastic-endpoint)) system extension.
+    1. From the **System Extension Types** dropdown, select **Allowed System Extensions**.
+    1. Under **Team Identifier**, enter `2BT3HPN62Z`.
+    1. Under **Allowed System Extensions**, enter `co.elastic.systemextension`.
+1. Save the configuration.
+
+![](../images/deploy-with-mdm/system-extension-jamf.png)
+
+### Approve network content filtering
+
+1. Select the **Content Filter** option to configure the Network Extension policy for the ((elastic-endpoint)) configuration profile.
+1. Under **Filter Name**, enter `ElasticEndpoint`.
+1. Under **Identifier**, enter `co.elastic.endpoint`.
+1. In the **Socket Filter** section, fill in these fields:
+    1. **Socket Filter Bundle Identifier**: Enter `co.elastic.systemextension`
+    1. **Socket Filter Designated Requirement**: Enter the following:
+    ```
+    identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+    ```
+1. In the **Network Filter** section, fill in these fields:
+    1. **Network Filter Bundle Identifier**: Enter `co.elastic.systemextension`
+    1. **Network Filter Designated Requirement**: Enter the following:
+    ```
+    identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+    ```
+1. Save the configuration.
+
+![](../images/deploy-with-mdm/content-filtering-jamf.png)
+
+### Enable notifications
+
+1. Select the **Notifications** option to configure the Notification Center policy for the ((elastic-endpoint)) configuration profile. 
+1. Under **App Name**, enter `Elastic Security.app`.
+1. Under **Bundle ID**, enter `co.elastic.alert`.
+1. In the **Settings** section, include these options with the following settings:
+    1. **Critical Alerts**: **Enable**.
+    1. **Notifications**: **Enable**.
+    1. **Banner alert type**: **Persistent**.
+    1. **Notifications on Lock Screen**: **Display**.
+    1. **Notifications in Notification Center**: **Display**.
+    1. **Badge app icon**: **Display**.
+    1. **Play sound for notifications**: **Enable**.
+1. Save the configuration.
+
+![](../images/deploy-with-mdm/notifications-jamf.png)
+
+### Enable Full Disk Access
+
+1. Select the **Privacy Preferences Policy Control** option to configure the Full Disk Access policy for the ((elastic-endpoint)) configuration profile.
+1. Add a new entry with the following details:
+    1. Under **Identifier**, enter `co.elastic.systemextension`.
+    1. From the **Identifier Type** dropdown, select **Bundle ID**.
+    1. Under **Code Requirement**, enter the following:
+    ```
+    identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+    ```
+    1. Make sure that **Validate the Static Code Requirement** is selected.
+1. Add a second entry with the following details:
+    1. Under **Identifier**, enter `co.elastic.endpoint`.
+    1. From the **Identifier Type** dropdown, select **Bundle ID**.
+    1. Under **Code Requirement**, enter the following:
+    ```
+    identifier "co.elastic.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+    ```
+    1. Make sure that **Validate the Static Code Requirement** is selected.
+1. Add a third entry with the following details:
+    1. Under **Identifier**,  enter `co.elastic.elastic-agent`.
+    1. From the **Identifier Type** dropdown, select **Bundle ID**.
+    1. Under **Code Requirement**, enter the following:
+    ```
+    identifier "co.elastic.elastic-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
+    ```
+    1. Make sure that **Validate the Static Code Requirement** is selected.
+1. Save the configuration.
+
+![](../images/deploy-with-mdm/fda-jamf.png)
+
+After you complete these steps, generate the mobile configuration profile and install it onto the macOS machines. Once the profile is installed, ((elastic-defend)) can be deployed without the need for user interaction.
@@ -102,6 +102,10 @@
               "slug": "/serverless/security/deploy-elastic-endpoint-ven",
               "classic-sources": [ "enSecurityDeployElasticEndpointVen" ]
             },
+            {
+              "label": "Deploy on macOS with MDM",
+              "slug": "/serverless/security/deploy-with-mdm"
+            }, 
             {
               "slug": "/serverless/security/agent-tamper-protection"
             }    

@@ -139,3 +139,69 @@ To debug and resolve the issue, follow these steps:
     * `ping -4 localhost` (Windows)
 
 </DocAccordion>
+
+<DocAccordion id="defend-deployment" buttonContent="((elastic-defend)) deployment issues">
+
+After deploying ((elastic-defend)), you might encounter warnings or errors in the endpoint's **Policy status** in ((fleet)) if your mobile device management (MDM) is misconfigured or certain permissions for ((elastic-endpoint)) aren't granted. The following sections explain issues that can cause warnings or failures in the endpoint's policy status.
+
+### Connect Kernel has failed
+
+This means that the system extension or kernel extension was not approved. Consult the following topics for approving the system extension, either with MDM or without MDM:
+
+* <DocLink slug="/serverless/security/deploy-with-mdm" section="approve-the-system-extension">Approve the system extension with MDM</DocLink>
+* <DocLink slug="/serverless/security/deploy-elastic-endpoint-ven" section="approve-the-system-extension-for-elastic-endpoint">Approve the system extension without MDM</DocLink>
+
+You can validate the system extension is loaded by running
+
+```
+sudo systemextensionsctl list | grep co.elastic.systemextension
+```
+
+In the command output, the system extension should be marked as "active enabled".
+
+### Connect Kernel has failed and the system extension is loaded
+
+If the system extension is loaded and kernel connection still fails, this means that Full Disk Access was not granted. ((elastic-endpoint)) requires Full Disk Access to subscribe to system events via the ((elastic-defend)) framework, which is one of the primary sources of eventing information used by ((elastic-endpoint)). Consult the following topics for granting Full Disk Access, either with MDM or without MDM:
+
+* <DocLink slug="/serverless/security/deploy-with-mdm" section="enable-full-disk-access">Enable Full Disk Access with MDM</DocLink>
+* <DocLink slug="/serverless/security/deploy-elastic-endpoint-ven" section="enable-full-disk-access-for-elastic-endpoint">Enable Full Disk Access without MDM</DocLink>
+
+You can validate that Full Disk Access is approved by running
+
+```
+sudo /Library/Elastic/Endpoint/elastic-endpoint test install
+```
+
+If the command output doesn't contain a message about enabling Full Disk Access, the approval was successful.
+
+### Detect Network Events has failed
+
+This means that the network extension content filtering was not approved. Consult the following topics for approving network content filtering, either with MDM or without MDM:
+
+* <DocLink slug="/serverless/security/deploy-with-mdm" section="approve-network-content-filtering">Approve network content filtering with MDM</DocLink>
+* <DocLink slug="/serverless/security/deploy-elastic-endpoint-ven" section="approve-network-content-filtering-for-elastic-endpoint">Approve network content filtering without MDM</DocLink>
+
+You can validate that network content filtering is approved by running
+
+```
+sudo /Library/Elastic/Endpoint/elastic-endpoint test install
+```
+
+If the command output doesn't contain a message about approving network content filtering, the approval was successful.
+
+### Full Disk Access has a warning
+
+This means that Full Disk Access was not granted for one or all ((elastic-endpoint)) components. Consult the following topics for granting Full Disk Access, either with MDM or without MDM:
+
+* <DocLink slug="/serverless/security/deploy-with-mdm" section="enable-full-disk-access">Enable Full Disk Access with MDM</DocLink>
+* <DocLink slug="/serverless/security/deploy-elastic-endpoint-ven" section="enable-full-disk-access-for-elastic-endpoint">Enable Full Disk Access without MDM</DocLink>
+
+You can validate that Full Disk Access is approved by running
+
+```
+sudo /Library/Elastic/Endpoint/elastic-endpoint test install
+```
+
+If the command output doesn't contain a message about enabling Full Disk Access, the approval was successful.
+
+</DocAccordion>