Summary: The Huntress Agent now includes a system extension that allows the agent to activate host isolation on macOS systems. Installing a system extension without using an MDM presents several prompts to the user that must be manually approved, and so must be planned to avoid surprising the user with dialogs asking for their permission.
This release of the agent retains the functionality of previous macOS releases, and upon first being installed, it should behave identically from the user’s point of view. The extension itself may be manually installed from the portal or the command line on the endpoint; these approaches are described in the sections below.
The screenshots shown in this document were all taken in a current version of macOS Ventura, and may look different in Monterey or Sonoma, although the steps themselves should not change. The aim of this article is to document how to install the extension and to show the prompts the user may encounter along the way.
During the extension’s installation process, the endpoint loses network connectivity for a split second. This shouldn’t be noticeable in most cases, but if any programs need an uninterrupted network connection, plan the installation for a time when a brief interruption is acceptable.
A Note on MDMs
Organizations with an appropriately-configured MDM policy can bypass these permissions prompts. For more information on setting up MDMs, see this article.
Install From the Huntress Portal
Prerequisites:
- an installed System Extension-capable agent
- a user with account administrator access in the Huntress portal
An account administrator in the Huntress portal can direct the agent to install the extension from the agent details page after an eligible agent has sent back at least one survey. It can take around 15 minutes for a new survey to process after the new agent has been installed. (The survey is necessary because the agent must inform the portal that it’s capable of installing the extension. By default, the portal assumes that the agent is an older version that is not extension-capable.)
Installing the extension
- Log into the portal and navigate to the agent details page for the relevant agent.
The path for this page will be of the form /org/11/agents/221. If the agent has received at least one survey, you will see the following panel below the agent details. If this panel does not appear, it is likely that the agent is still on an older version, or has upgraded to an eligible version but has not sent back a survey since the upgrade.
- Click the “Install System Extension” link to dispatch a task to the agent.
- On the endpoint, the following prompt should appear after a brief delay:
System Extension Blocked
The application "Huntress" tried to load new system extension(s). If you want to enable these extensions, open Privacy & Security in System Settings.
- Click the “Open System Settings” button to open the Security panel of System Settings. You should see the following:
Allow applications downloaded from
App Store
App Store and identified developers
System software from application "Huntress" was blocked from loading.
Allow
- Click the “Allow” button to approve the extension.
- After several seconds, the following prompt should appear:
"Huntress" would like to filter network content
All network activity on this Mac may be filtered or monitored.
- Click the “Allow” button to enable the extension’s network filter.
You have now completed host isolation setup on the endpoint. Upon receiving a survey from the endpoint (which could take 15 minutes), the agent details page should indicate that the requisite permissions have been granted, and that host isolation is now enabled:
Authorizing the network filter (not usually needed)
If you followed the steps above and allowed the system extension to filter network content, as shown above, then you have already granted authorization and can ignore this section.
If the system extension has been successfully installed, but the network filter has not been authorized (for instance, if you clicked the “Don’t Allow” button), the agent details page will show the following:
Click “Install Network Filter” to issue a task to the endpoint, and click “Allow” when the above prompt appears.
Users without admin access
Users without administrator access to the account who view the agent page will see a “read-only” display of the above panel that shows the current installation status, but does not allow the user to actually install the extension:
Install From the Command Line
Prerequisites:
- an installed System Extension-capable agent
- a user with an administrator account on the endpoint
Installing the extension
A user with an administrator account on the endpoint itself can install the extension via the command line. This will still require a user to approve two prompts, unless the endpoint is equipped with an MDM policy allowing the extension.
- To install the extension and authorize the network filter, open a terminal window and run:
sudo /Applications/Huntress.app/Contents/MacOS/Huntress extensionctl install --preauthorize
As in the case of installing from the portal, you should be presented with a dialog asking you to approve the extension.
- After approving the extension, you will receive the same prompt asking you to filter network traffic. Click “Allow”; you have now completed setup on the endpoint, and the updated status will be sent to the portal on the next survey.
Authorizing the network filter
If the extension has been installed but the network filter has not been authorized, you can run the following:
sudo /Applications/Huntress.app/Contents/MacOS/Huntress preauthorize-network-filter
Click “Allow” when the dialog appears.
Checking extension status
sudo /Applications/Huntress.app/Contents/MacOS/Huntress extensionctl status
This should produce output like the following:
Extension Status: installed
Preauthorization Status: granted
Host Isolation Status: notActivated
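The status output above can be parsed to decide which of the commands in this section still needs to be run on an endpoint. The following is an added example, not part of the original article or Huntress's own tooling. It assumes only the field names and the values "installed" and "granted" shown above; any other value (including the constructed placeholder "notGranted") is treated as not yet done.

```shell
#!/bin/sh
# Added example: map `extensionctl status` output to the next setup step.
HUNTRESS_BIN="/Applications/Huntress.app/Contents/MacOS/Huntress"

# status_field TEXT LABEL -> prints the value after "LABEL:" (empty if absent)
status_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# next_step TEXT -> prints one of: install | authorize | ready | unknown
next_step() {
    ext=$(status_field "$1" "Extension Status")
    pre=$(status_field "$1" "Preauthorization Status")
    if [ -z "$ext" ] || [ -z "$pre" ]; then
        echo unknown      # expected fields missing (old agent, error text, ...)
    elif [ "$ext" != "installed" ]; then
        echo install      # run: Huntress extensionctl install --preauthorize
    elif [ "$pre" != "granted" ]; then
        echo authorize    # run: Huntress preauthorize-network-filter
    else
        echo ready        # extension installed and network filter authorized
    fi
}

# Constructed sample: the example output shown in the article.
SAMPLE_READY='Extension Status: installed
Preauthorization Status: granted
Host Isolation Status: notActivated'

# Constructed sample: "notGranted" is a placeholder, not a value from the article.
SAMPLE_UNAUTHORIZED='Extension Status: installed
Preauthorization Status: notGranted
Host Isolation Status: notActivated'

# Demonstrate on the constructed samples.
next_step "$SAMPLE_READY"
next_step "$SAMPLE_UNAUTHORIZED"

# On an endpoint, pass the live output instead (requires sudo):
#   next_step "$(sudo "$HUNTRESS_BIN" extensionctl status)"
```

Either remediation command still triggers the approval prompts described earlier unless an MDM policy allows the extension.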