Mac - workflow configuration failure (driver missing)

Trying out the new 7.9 endpoint security agent...everything installed, enrolled, and runs fine. I am, however, seeing "failed" under each configuration response section (see screenshot). They all fail on Workflow. Digging into the logs, I find a missing driver error. Any idea what is missing?? This is a fresh elastic-agent install/run on a Macbook and managed by Elastic Cloud Fleet configs.

"message":"Response.cpp:267 Policy action workflow: failure - Failed to apply a portion of configuration (events)"

"Response.cpp:267 Policy action workflow: failure - Failed to execute all workflows: Required driver is not loaded"

"message":"Response.cpp:468 Setting malware to failure because of workflow status"
((This is repeated for several other components beyond malware))

Hi Chris.

It looks like you need to approve loading Elastic Endpoint's kernel extension. To do this go into Preferences -> Security and Privacy. You should see an option to allow loading kernel extensions from "Endgame, Inc". Click allow, then do something to cause the Elastic Endpoint to reapply its policy (the easiest way to do this is to reboot the host or to make a change to the policy in Kibana).

If you don't see an option to allow loading kernel extensions signed by "Endgame, Inc" run the command "sudo kextload /Library/Extensions/kendpoint.kext" then reopen the Preferences window.

After you approve loading the kernel extension, you'll also want to approve granting Elastic Endpoint Full Disk Access. Instructions on how to do that are available here (https://www.elastic.co/guide/en/endpoint/master/sensor-full-disk-access.html).

Details on approving kernel extensions are also available from Apple (https://developer.apple.com/library/archive/technotes/tn2459/_index.html). They also link to instructions describing how to approve loading a kernel extension via Team ID. Mobile Device Management tools like JAMF are able to preapprove loading the kernel extension using this method, if that would be useful in your environment.

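As an added example (not code from the thread, from Elastic, or from the poster), the following POSIX shell script triages endpoint log lines of the kind quoted in the question: it detects the "Required driver is not loaded" signature, lists the components that were set to failure because of the workflow status, and, when run on a Mac, checks with `kextstat` whether the endpoint kernel extension is loaded. The sample log lines are constructed to match the quoted messages, and matching the loaded kext by the name "kendpoint" (taken from the `/Library/Extensions/kendpoint.kext` path above) is an assumption.

```shell
#!/bin/sh
# Added example: triage Elastic Endpoint workflow failures caused by an
# unapproved kernel extension. Constructed sample log lines, modelled on the
# messages quoted in the question (not real captured output).
SAMPLE_LOG='{"message":"Response.cpp:267 Policy action workflow: failure - Failed to apply a portion of configuration (events)"}
{"message":"Response.cpp:267 Policy action workflow: failure - Failed to execute all workflows: Required driver is not loaded"}
{"message":"Response.cpp:468 Setting malware to failure because of workflow status"}
{"message":"Response.cpp:468 Setting process to failure because of workflow status"}'

# Returns 0 when the log text carries the missing-driver signature, 1 otherwise.
driver_missing() {
    printf '%s\n' "$1" | grep -q 'Required driver is not loaded'
}

# Prints, one per line, every component the agent set to failure because the
# workflow failed (malware, process, ... as they appear in the log).
failed_components() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Setting \([a-z_]*\) to failure because of workflow status.*/\1/p'
}

# macOS only: 0 if a loaded kext name contains "kendpoint" (assumed name),
# 1 if none does, 2 if kextstat is unavailable (not a Mac).
kext_loaded() {
    command -v kextstat >/dev/null 2>&1 || return 2
    kextstat 2>/dev/null | grep -qi 'kendpoint'
}

# Prints a short diagnosis and the remediation steps from the answer above.
triage() {
    log="$1"
    if driver_missing "$log"; then
        echo "Diagnosis: endpoint kernel extension is not loaded."
        echo "Components set to failure:"
        failed_components "$log" | sed 's/^/  - /'
        kext_loaded
        case $? in
            0) echo "kextstat: extension is loaded now; reboot or change the policy in Kibana so it is reapplied." ;;
            1) echo "kextstat: extension not loaded; approve it under Security & Privacy, or run: sudo kextload /Library/Extensions/kendpoint.kext" ;;
            2) echo "kextstat not available: not running on macOS, skipping the kext check." ;;
        esac
    else
        echo "No missing-driver signature in the supplied log."
    fi
    return 0
}

triage "$SAMPLE_LOG"
```

Run it with `sh triage.sh`; to triage a real log, replace `SAMPLE_LOG` with the file contents (for example `triage "$(cat /path/to/endpoint.log)"`). The `kextstat` check only reports the current state; after approving the extension the policy still has to be reapplied, as the answer says.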

Thanks, @ferullo! I should have figured that one out... :frowning: