Update macOS Endpoint install and deploy documentation for Ventura (#…

…3161)

Co-authored-by: Joe Peeples <[email protected]>
Co-authored-by: Yamin Tian <[email protected]>
(cherry picked from commit 0c82ecf)

docs/getting-started/elastic-endpoint-reqs.asciidoc

@@ -0,0 +1,12 @@
+[[elastic-endpoint-deploy-reqs]]
+= {elastic-endpoint} requirements
+
+:frontmatter-description: Manually install and deploy Elastic Endpoint.
+:frontmatter-tags-products: [security]
+:frontmatter-tags-content-type: [other]
+:frontmatter-tags-user-goals: [secure]
+
+To properly deploy {elastic-endpoint} without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the endpoint before {elastic-endpoint} can be fully functional. For more information, refer to the instructions for your macOS version:
+
+* <<deploy-elastic-endpoint>>
+* <<deploy-elastic-endpoint-ven>>

docs/getting-started/endgame-sensor-FDA.asciidoc

@@ -64,6 +64,7 @@ When you receive the prompt to approve loading the system extension:
 image::images/fda/sec-privacy-pane.png[]
 --
 . On the Security and Privacy pane, select the *Privacy* tab.
+
 +
 . From the left pane, select *Full Disk Access*.
 +

docs/getting-started/index.asciidoc

@@ -17,7 +17,9 @@ include::security-spaces.asciidoc[leveloffset=+1]
 include::data-views-in-sec.asciidoc[leveloffset=+1]
 include::ingest-data.asciidoc[leveloffset=+1]
 include::install-endpoint.asciidoc[leveloffset=+1]
-include::install-elastic-endpoint.asciidoc[leveloffset=+1]
+include::elastic-endpoint-reqs.asciidoc[leveloffset=+1]
+include::install-elastic-endpoint.asciidoc[leveloffset=+2]
+include::install-elastic-endpoint-ven.asciidoc[leveloffset=+2]
 include::offline-endpoint.asciidoc[leveloffset=+1]
 include::configure-integration-policy.asciidoc[leveloffset=+1]
 include::endpoint-diagnostic-data.asciidoc[leveloffset=+2]

docs/getting-started/install-elastic-endpoint-ven.asciidoc

@@ -0,0 +1,101 @@
+[[deploy-elastic-endpoint-ven]]
+= Install {elastic-endpoint} manually on macOS Ventura and higher
+
+:frontmatter-description: Manually install and deploy Elastic Endpoint on macOS Ventura and higher.
+:frontmatter-tags-products: [security]
+:frontmatter-tags-content-type: [how-to]
+:frontmatter-tags-user-goals: [secure]
+
+
+To properly install and configure {elastic-endpoint} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the endpoint before {elastic-endpoint} can be fully functional:
+
+* <<system-extension-endpoint-ven, Approve the system extension>>
+* <<allow-filter-content-ven, Approve network content filtering>>
+* <<enable-fda-endpoint-ven, Enable Full Disk Access>>
+
+NOTE: The following permissions that need to be enabled are required after you <<install-endpoint, configure and install the {elastic-defend} integration>>, which includes <<enroll-security-agent, enrolling the {agent}>>.
+
+[discrete]
+[[system-extension-endpoint-ven]]
+== Approve the system extension for {elastic-endpoint}
+
+For macOS Ventura (13.0) and later, {elastic-endpoint} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.
+
+The following message appears during installation:
+
+[role="screenshot"]
+image::install-endpoint-ven/system_extension_blocked_warning_ven.png[]
+
+. Click *Open System Settings*.
+. In the left pane, click *Privacy & Security*.
++
+[role="screenshot"]
+image::install-endpoint-ven/privacy_security_ven.png[]
++
+. On the right pane, scroll down to the Security section. Click *Allow* to allow the ElasticEndpoint system extension to load.
++
+[role="screenshot"]
+image::install-endpoint-ven/allow_system_extension_ven.png[]
+
+. Enter your username and password and click **Modify Settings** to save your changes.
+
++
+[role="screenshot"]
+image::install-endpoint-ven/enter_login_details_to_confirm_ven.png[]
+
+[discrete]
+[[allow-filter-content-ven]]
+== Approve network content filtering for {elastic-endpoint}
+
+After successfully loading the ElasticEndpoint system extension, an additional message appears, asking to allow {elastic-endpoint} to filter network content.
+
+[role="screenshot"]
+image::install-endpoint-ven/allow_network_filter_ven.png[]
+
+Click *Allow* to enable content filtering for the ElasticEndpoint system extension. Without this approval, {elastic-endpoint} cannot receive network events and, therefore, cannot enable network-related features such as <<host-isolation-ov, host isolation>>.
+
+[discrete]
+[[enable-fda-endpoint-ven]]
+== Enable Full Disk Access for {elastic-endpoint}
+
+{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. 
+
+If you have not granted Full Disk Access, the following notification prompt will appear. 
+
+[role="screenshot"]
+image::install-endpoint-ven/allow_full_disk_access_notification_ven.png[]
+
+To enable Full Disk Access, you must manually approve {elastic-endpoint}. 
+
+NOTE: The following instructions apply only to {elastic-endpoint} running {stack} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to <<endgame-sensor-full-disk-access>>.
+
+. Open the *System Settings* application.
+. In the left pane, select *Privacy & Security*.
++
+[role="screenshot"]
+image::install-endpoint-ven/privacy_security_ven.png[]
++
+. From the right pane, select *Full Disk Access*.
++
+[role="screenshot"]
+image::install-endpoint-ven/select_fda_ven.png[Select Full Disk Access]
++
+. Enable `ElasticEndpoint` and `co.elastic` to properly enable Full Disk Access.
++
+[role="screenshot"]
+image::install-endpoint-ven/allow_fda_ven.png[]
+
+If the endpoint is running {stack} version 7.17.0 or earlier:
+
+. Click the *+* button to view *Finder*.
+. The system may prompt you to enter your username and password if you haven't already.
++
+[role="screenshot"]
+image::install-endpoint-ven/enter_login_details_to_confirm_ven.png[]
++
+. Navigate to `/Library/Elastic/Endpoint`, then select the `elastic-endpoint` file.
+. Click *Open*.
+. In the *Privacy* tab, confirm that `ElasticEndpoint` and `co.elastic.systemextension` are selected to properly enable Full Disk Access.
++
+[role="screenshot"]
+image::install-endpoint-ven/verify_fed_granted_ven.png[Select Full Disk Access]

docs/getting-started/install-elastic-endpoint.asciidoc

@@ -1,5 +1,10 @@
 [[deploy-elastic-endpoint]]
-= Install {elastic-endpoint} manually
+= Install {elastic-endpoint} manually on macOS Catalina though Monterey
+
+:frontmatter-description: Manually install and deploy Elastic Endpoint on on macOS Catalina though Monterey.
+:frontmatter-tags-products: [security]
+:frontmatter-tags-content-type: [how-to]
+:frontmatter-tags-user-goals: [secure]
 
 To properly install and configure {elastic-endpoint} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the endpoint before {elastic-endpoint} can be fully functional:
 
@@ -13,7 +18,7 @@ NOTE: The following permissions that need to be enabled are required after you <
 [[system-extension-endpoint]]
 == Approve the system extension for {elastic-endpoint}
 
-For macOS Catalina (10.15) and later, {elastic-endpoint} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.
+For macOS Catalina (10.15) though macOS Monterey (12.6.6), {elastic-endpoint} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.
 
 The following message appears during installation:
 
@@ -49,7 +54,7 @@ image::images/install-endpoint/filter-network-content.png[]
 [[enable-fda-endpoint]]
 == Enable Full Disk Access for {elastic-endpoint}
 
-{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a new privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. To enable Full Disk Access, you must manually approve {elastic-endpoint}. For endpoints running macOS Mojave (10.14) and earlier, you must also approve the {elastic-endpoint} <<kernel-extension-approval, kernel system extension>>.
+{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. To enable Full Disk Access on endpoints running macOS Catalina (10.15) and later, you must manually approve {elastic-endpoint}. For endpoints running macOS Mojave (10.14) and earlier, you must also approve the {elastic-endpoint} <<kernel-extension-approval, kernel extension>>.
 
 NOTE: The following instructions apply only to {elastic-endpoint} running {stack} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to <<endgame-sensor-full-disk-access>>.
 

docs/getting-started/sec-app-requirements.asciidoc

@@ -45,7 +45,7 @@ There are some additional requirements for specific features:
 * <<detections-permissions-section>>
 * <<case-permissions>>
 * <<ml-requirements>>
-* <<deploy-elastic-endpoint, {elastic-endpoint} requirements>>
+* <<elastic-endpoint-deploy-reqs, {elastic-endpoint} requirements>>
 * <<conf-map-ui>>
 
 [discrete]