Install Elastic Endpoint manually

To install and configure Elastic Endpoint manually, without a Mobile Device Management (MDM) profile, you must enable additional permissions on the endpoint before Elastic Endpoint is fully functional.

These permissions are granted after you configure and install the Endpoint Security integration, which includes enrolling the Elastic Agent.

Approve the system extension for Elastic Endpoint

For macOS Catalina (10.15) and later, Elastic Endpoint will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.

The following message appears during installation:

[Screenshot: system extension blocked]

  1. Click Open Security Preferences.
  2. In the lower-left corner of the Security & Privacy pane, click the Lock button, then enter your credentials to authenticate.

    [Screenshot: lock button]
  3. Click Allow to allow the Elastic Endpoint system extension to load.

    [Screenshot: allow system extension]

Approve network content filtering for Elastic Endpoint

After the Elastic Endpoint system extension loads successfully, an additional message appears, asking to allow Elastic Endpoint to filter network content.

[Screenshot: filter network content]

  • Click Allow to enable content filtering for the Elastic Endpoint system extension. Without this approval, Elastic Endpoint cannot receive network events and, therefore, cannot enable network-related features such as host isolation.

Enable Full Disk Access for Elastic Endpoint

Elastic Endpoint requires Full Disk Access to subscribe to system events via the Endpoint Security framework and to protect your network from malware and other cybersecurity threats. Full Disk Access is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. To enable Full Disk Access, you must manually approve Elastic Endpoint. For endpoints running macOS Mojave (10.14) and earlier, you must also approve the Elastic Endpoint kernel extension.

The following instructions apply only to Elastic Endpoint running Elastic Stack version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to Enable Full Disk Access for the Endgame sensor.

  1. Open the System Preferences application.
  2. Select Security and Privacy.

    [Screenshot: Security & Privacy pane]
  3. On the Security and Privacy pane, select the Privacy tab.
  4. From the left pane, select Full Disk Access.

    [Screenshot: select Full Disk Access]
  5. In the lower-left corner of the pane, click the Lock button, then enter your credentials to authenticate.
  6. In the Privacy tab, confirm that ElasticEndpoint AND co.elastic.systemextension are selected to properly enable Full Disk Access.

If the endpoint is running Elastic Stack version 7.17.0 or earlier:

  1. In the lower-left corner of the pane, click the Lock button, then enter your credentials to authenticate.
  2. Click the + button to view Finder.
  3. Navigate to /Library/Elastic/Endpoint, then select the elastic-endpoint file.
  4. Click Open.
  5. In the Privacy tab, confirm that elastic-endpoint AND co.elastic.systemextension are selected to properly enable Full Disk Access.
    [Screenshot: Full Disk Access pane]

Approve the kernel extension

For endpoints running macOS Mojave (10.14) and earlier, Elastic Endpoint will attempt to load a kernel extension (as opposed to a system extension) during installation. This kernel extension is required to provide insight into system events such as process events, file system events, and network events. The following message appears during installation:

[Screenshot: system extension blocked]

To approve the extension:

  1. Click Open Security Preferences.
  2. In the lower-left corner of the pane, click the Lock button, then enter your credentials to authenticate.
  3. Click Allow to load the kernel extension.

    Allow kernel extension

    If the prompt does not appear, enable the extension by doing the following:

  4. Open a Terminal application.
  5. Enter kextload /Library/Extension/kendpoint.kext. Prepend the command with sudo if necessary. You should receive an output similar to 149 0 0xffffff7f82e7b000 0x21000 0x21000 co.elastic.kendpoint (7.11.0) BD152A57-ABD3-370A-BBE8-D15A0FCBD19A <6 5 2 1>. If you receive this output, the kernel extension is enabled.