Bitdefender Jamf Push "Full Disk Access Required"

j_allenbrand
Contributor

Hi we are trying to get Bit Defender Endpoint Security to push from Jamf,

We've enabled the Kernal's for Bitdefender, but still once it is installed it advises "full disk access required"

Does anyone have any ideas?

19 REPLIES 19

j_allenbrand
Contributor

Thanks for this, my issue now is getting the bin location to show up,

/usr/bin/log show --predicate 'subsystem == "com.bitdefender.EndpointSecurityforMac"' | grep Prompting

I've tried to enable Kernal extensions for with automatic approval also and that did not work. 3916fd36ba694f739e93df0da87d6656

j_allenbrand
Contributor

Also tried using Privacy Preferences Policy Control,

I got the identifier but not sure what to put as code requirement 88fec32597f5477a931d803fd1a48769

martenblank
New Contributor III

I am too searching for the answer to this!
We have BitDefender antivirus for Mac and I don't get the "Full disk access" panel to be pre-populated with "BDLDaemon" and "Endpoint Security for Mac". Anyone have more input on this?

Eric84
New Contributor II

We had a piece of software that was also told to be given "Full disk access" but I found that enabling Accessibility and All Files also sufficed. Might be worth a shot with BitDefender. cdfe55cf16474bc58c38dcb871fc116a

scarmichael68
New Contributor

I just got this working fairly easily following these instructions: https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14

I used the Privacy Preferences Policy Control settings and have two App Access settings:

Identifier: com.bitdefender.EndpointSecurityforMac
Identifier type: Bundle ID
Code Requirement: identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = GUNFMW623Y
Validate the Statis Code Requirement: checked
App or Service: SystemPolicyAllFiles Allow

Identifier: /Library/Bitdefender/AVP/BDLDaemon
Identifier Type: Path
Code Requirement: identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = GUNFMW623Y
Validate the Static Code Requirement: checked
App or Service: SystemPolicyAllFiles Allow

c5e12c61892b48dd8845c5781e9da6b6

pmcavey
New Contributor II

scarmichael68
I used the settings you outlined, copied and pasted. But, I get an error when deploying the config through JSS (10.15.1) "In the payload (UUID: CA355A38-F029-4914-A398-00CE78B2D6D1), the key 'Code Requirement' has an invalid value."

Edno_Alivecor
New Contributor II

Having the same exact issue.

Edno_Alivecor
New Contributor II

Figured it out, if you copied and pasted, check for a trailing enter and delete it. the cursor should be at the end of the team identity code.

Pat34
New Contributor

scarmichael68's post is correct, but pay close attention because the post's markdown interpreter screwed up the contents: / exists / should be /* exists */. Compare the texts and the screenshots of the original post and you'll spot the differences.

For easy copy/pasting, here is the same content again, but now formatted properly:

Identifier: com.bitdefender.EndpointSecurityforMac
Identifier type: Bundle ID
Code Requirement: identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y
Validate the Static Code Requirement: checked
App or Service: SystemPolicyAllFiles Allow

Identifier: /Library/Bitdefender/AVP/BDLDaemon
Identifier Type: Path
Code Requirement: identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y
Validate the Static Code Requirement: checked
App or Service: SystemPolicyAllFiles Allow

Nfawad
New Contributor II

having the exact issue 4f95952e1f0e4e92a5b070f58a1e8aa5

whabib
New Contributor

This solution (esp the version correcting for encoding) worked great for me. However for test purposes, I've upgraded a machine to Big Sur, and now Bitdefender wants one more full disk access permission for BDLDaemon.app. I've tried creating a permission that looks like the BDLDaemon one but with ".app", however it doesn't seem to work. Has anyone else updated this solution for Big Sur?

remus
New Contributor III

@whabib This what I'm using. It seems to be doing the job in Catalina and Big Sur.
ac828326e6954b6ba501d2019c499e81

jwscarsdale
New Contributor III

https://www.bitdefender.com/support/bitdefender-support-for-macos-big-sur-2531.html

Bit Defender is working on a new version to enable Content Control which I believe is what's causing the full disk access error.

whabib
New Contributor

@remus Brilliant, thank you! That solved my problem exactly, after fixing my data error entries, of course. I wish I had some time to investigate and understand a little better how this syntax works.

@jwscarsdale It appears we can get around the full disk access issue, however I am discouraging people from upgrading to Big Sur until the BitDefender folks do release the version that fully supports it.

blairb
New Contributor III

Not sure what I'm doing wrong here. Using @remus payloads, I am at least able to get the BitDefender stuff to show in the Full Disk Access list, however, it isn't checked.

crs_cody
New Contributor

I'm currently having issues with Bitdefender installing on a BigSur instance. We're testing this right now but my question for you guys is with Bitdefender default download link being a .dmg how are you using JAMF to push the installer? I've tried multiple ways and have had no luck at all. Any help would be appreciated. 

Pat34
New Contributor

Hi @crs_cody ,

We're deploying Bitdefender to Big Sur machines with this installation script:

#!/bin/sh
#
# Display Name:
# Install Bitdefender
#
# Information:
# This script will download and install Bitdefender.
#
# Additional configuration profiles will need to be deployed to complete the
# configuration. See:
#  - https://www.bitdefender.com/support/how-to-install-bitdefender-endpoint-security-for-mac-through-jamf-pro-10-x-2243.html
#  - https://www.bitdefender.com/support/how-to-whitelist-bitdefender-endpoint-security-for-mac-kernel-extensions-using-jamf-pro-10-x-2242.html
#  - https://www.jamf.com/jamf-nation/discussions/31445/bitdefender-jamf-push-full-disk-access-required
#
dmgfile="Bitdefender_for_MAC.dmg"
pkgfile="antivirus_for_mac.pkg"
url="https://.../Bitdefender_for_MAC.dmg" # replace with real download URL

# Use parameter 4 to test for debugmode
debugmode=${4}

# Use the alphanumeric characters of the script name to form the log file name
scriptname=$(basename "${0}" | tr -Cd "[:alnum:].-")
logfile="/Library/Logs/${scriptname}-jamf.log"

printlog() {
    timestamp=$(date +%F\ %T)
        
    if [ "$(whoami)" = "root" ]; then
        /bin/echo "${timestamp}" "${1}" | tee -a "${logfile}"
    else 
        /bin/echo "${timestamp}" "${1}"
    fi
}

# Download package
printlog "Downloading latest version of Bitdefender."
/usr/bin/curl -s -o "/tmp/${dmgfile}" "${url}"

# Create temporary mount directory for dmg
printlog "Mounting ${dmgfile}"
mnt=`/usr/bin/mktemp -d 2> /dev/null`
[[ ! -d "${mnt}" ]] && printlog "Failed to verify temporary mount point for dmg exists." && exit 1

/bin/sleep 2

# Attach the dmg to the temporary mount directory
/usr/bin/hdiutil attach "/tmp/${dmgfile}" -quiet -nobrowse -mountpoint "${mnt}" &> /dev/null

# Install package
printlog "Installing..."
cd "${mnt}"
/usr/sbin/installer -pkg "${pkgfile}" -target /
/bin/sleep 5

# Unmount and remove the temporary directory
printlog "Removing mount directory"
/usr/bin/hdiutil detach -force -quiet "${mnt}"
/sbin/umount -f "${mnt}" &> /dev/null
/bin/rm -rf "${mnt}" &> /dev/null

# Clean up package
printlog "Deleting ${dmgfile}."
/bin/rm "/tmp/${dmgfile}"

exit 0

Hope this helps.

crs_cody
New Contributor

@Pat34 This would except I found out shortly after you sent me this that we use Endpoint from Bitdefender and we get that installer from Kaseya. This installer is packed similarly with one exception, there is no .pkg inside the .dmg file. Instead its a .app file and I'm still having issue with getting it to auto install.