diff --git a/docs/getting-started/elastic-endpoint-reqs.asciidoc b/docs/getting-started/elastic-endpoint-reqs.asciidoc new file mode 100644 index 0000000000..3afa4e99dd --- /dev/null +++ b/docs/getting-started/elastic-endpoint-reqs.asciidoc @@ -0,0 +1,12 @@ +[[elastic-endpoint-deploy-reqs]] += {elastic-endpoint} requirements + +:frontmatter-description: Manually install and deploy Elastic Endpoint. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [other] +:frontmatter-tags-user-goals: [secure] + +To properly deploy {elastic-endpoint} without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the endpoint before {elastic-endpoint} can be fully functional. For more information, refer to the instructions for your macOS version: + +* <> +* <> \ No newline at end of file diff --git a/docs/getting-started/endgame-sensor-FDA.asciidoc b/docs/getting-started/endgame-sensor-FDA.asciidoc index 4d43b4bf3b..225b8377e6 100644 --- a/docs/getting-started/endgame-sensor-FDA.asciidoc +++ b/docs/getting-started/endgame-sensor-FDA.asciidoc @@ -64,6 +64,7 @@ When you receive the prompt to approve loading the system extension: image::images/fda/sec-privacy-pane.png[] -- . On the Security and Privacy pane, select the *Privacy* tab. + + . From the left pane, select *Full Disk Access*. + diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 072a3a1631..aea96737cf 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc 
@@ -17,7 +17,9 @@ include::security-spaces.asciidoc[leveloffset=+1]
 include::data-views-in-sec.asciidoc[leveloffset=+1]
 include::ingest-data.asciidoc[leveloffset=+1]
 include::install-endpoint.asciidoc[leveloffset=+1]
-include::install-elastic-endpoint.asciidoc[leveloffset=+1]
+include::elastic-endpoint-reqs.asciidoc[leveloffset=+1]
+include::install-elastic-endpoint.asciidoc[leveloffset=+2]
+include::install-elastic-endpoint-ven.asciidoc[leveloffset=+2]
 include::offline-endpoint.asciidoc[leveloffset=+1]
 include::configure-integration-policy.asciidoc[leveloffset=+1]
 include::endpoint-diagnostic-data.asciidoc[leveloffset=+2]
diff --git a/docs/getting-started/install-elastic-endpoint-ven.asciidoc b/docs/getting-started/install-elastic-endpoint-ven.asciidoc
new file mode 100644
index 0000000000..8f12cef223
--- /dev/null
+++ b/docs/getting-started/install-elastic-endpoint-ven.asciidoc
@@ -0,0 +1,101 @@
+[[deploy-elastic-endpoint-ven]]
+= Install {elastic-endpoint} manually on macOS Ventura and higher
+
+:frontmatter-description: Manually install and deploy Elastic Endpoint on macOS Ventura and higher.
+:frontmatter-tags-products: [security]
+:frontmatter-tags-content-type: [how-to]
+:frontmatter-tags-user-goals: [secure]
+
+
+To properly install and configure {elastic-endpoint} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the endpoint before {elastic-endpoint} can be fully functional:
+
+* <>
+* <>
+* <>
+
+NOTE: The following permissions that need to be enabled are required after you <>, which includes <>.
+
+[discrete]
+[[system-extension-endpoint-ven]]
+== Approve the system extension for {elastic-endpoint}
+
+For macOS Ventura (13.0) and later, {elastic-endpoint} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.
+
+The following message appears during installation:
+
+[role="screenshot"]
+image::install-endpoint-ven/system_extension_blocked_warning_ven.png[]
+
+. Click *Open System Settings*.
+. In the left pane, click *Privacy & Security*.
++
+[role="screenshot"]
+image::install-endpoint-ven/privacy_security_ven.png[]
++
+. On the right pane, scroll down to the Security section. Click *Allow* to allow the ElasticEndpoint system extension to load.
++
+[role="screenshot"]
+image::install-endpoint-ven/allow_system_extension_ven.png[]
+
+. Enter your username and password and click **Modify Settings** to save your changes.
+
++
+[role="screenshot"]
+image::install-endpoint-ven/enter_login_details_to_confirm_ven.png[]
+
+[discrete]
+[[allow-filter-content-ven]]
+== Approve network content filtering for {elastic-endpoint}
+
+After successfully loading the ElasticEndpoint system extension, an additional message appears, asking to allow {elastic-endpoint} to filter network content.
+
+[role="screenshot"]
+image::install-endpoint-ven/allow_network_filter_ven.png[]
+
+Click *Allow* to enable content filtering for the ElasticEndpoint system extension. Without this approval, {elastic-endpoint} cannot receive network events and, therefore, cannot enable network-related features such as <>.
+
+[discrete]
+[[enable-fda-endpoint-ven]]
+== Enable Full Disk Access for {elastic-endpoint}
+
+{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data.
+
+If you have not granted Full Disk Access, the following notification prompt will appear.
+
+[role="screenshot"]
+image::install-endpoint-ven/allow_full_disk_access_notification_ven.png[]
+
+To enable Full Disk Access, you must manually approve {elastic-endpoint}.
+
+NOTE: The following instructions apply only to {elastic-endpoint} running {stack} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to <>.
+
+. Open the *System Settings* application.
+. In the left pane, select *Privacy & Security*.
++
+[role="screenshot"]
+image::install-endpoint-ven/privacy_security_ven.png[]
++
+. From the right pane, select *Full Disk Access*.
++
+[role="screenshot"]
+image::install-endpoint-ven/select_fda_ven.png[Select Full Disk Access]
++
+. Enable `ElasticEndpoint` and `co.elastic` to properly enable Full Disk Access.
++ +[role="screenshot"] +image::install-endpoint-ven/allow_fda_ven.png[] + +If the endpoint is running {stack} version 7.17.0 or earlier: + +. Click the *+* button to view *Finder*. +. The system may prompt you to enter your username and password if you haven't already. ++ +[role="screenshot"] +image::install-endpoint-ven/enter_login_details_to_confirm_ven.png[] ++ +. Navigate to `/Library/Elastic/Endpoint`, then select the `elastic-endpoint` file. +. Click *Open*. +. In the *Privacy* tab, confirm that `ElasticEndpoint` and `co.elastic.systemextension` are selected to properly enable Full Disk Access. ++ +[role="screenshot"] +image::install-endpoint-ven/verify_fed_granted_ven.png[Select Full Disk Access] \ No newline at end of file diff --git a/docs/getting-started/install-elastic-endpoint.asciidoc b/docs/getting-started/install-elastic-endpoint.asciidoc index cca1b16c31..68aa3e1a7f 100644 --- a/docs/getting-started/install-elastic-endpoint.asciidoc +++ b/docs/getting-started/install-elastic-endpoint.asciidoc @@ -1,5 +1,10 @@ [[deploy-elastic-endpoint]] -= Install {elastic-endpoint} manually += Install {elastic-endpoint} manually on macOS Catalina though Monterey + +:frontmatter-description: Manually install and deploy Elastic Endpoint on on macOS Catalina though Monterey. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [secure] To properly install and configure {elastic-endpoint} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the endpoint before {elastic-endpoint} can be fully functional: 
@@ -13,7 +18,7 @@ NOTE: The following permissions that need to be enabled are required after you < [[system-extension-endpoint]] == Approve the system extension for {elastic-endpoint} -For macOS Catalina (10.15) and later, {elastic-endpoint} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events. +For macOS Catalina (10.15) though macOS Monterey (12.6.6), {elastic-endpoint} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events. The following message appears during installation: 
@@ -49,7 +54,7 @@ image::images/install-endpoint/filter-network-content.png[] [[enable-fda-endpoint]] == Enable Full Disk Access for {elastic-endpoint} -{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a new privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. To enable Full Disk Access, you must manually approve {elastic-endpoint}. For endpoints running macOS Mojave (10.14) and earlier, you must also approve the {elastic-endpoint} <>. +{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. To enable Full Disk Access on endpoints running macOS Catalina (10.15) and later, you must manually approve {elastic-endpoint}. For endpoints running macOS Mojave (10.14) and earlier, you must also approve the {elastic-endpoint} <>. NOTE: The following instructions apply only to {elastic-endpoint} running {stack} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to <>. diff --git a/docs/getting-started/install-endpoint-ven/allow_fda_ven.png b/docs/getting-started/install-endpoint-ven/allow_fda_ven.png new file mode 100644 index 0000000000..0ddc224224 Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/allow_fda_ven.png differ diff --git a/docs/getting-started/install-endpoint-ven/allow_full_disk_access_notification_ven.png b/docs/getting-started/install-endpoint-ven/allow_full_disk_access_notification_ven.png new file mode 100644 index 0000000000..8383df9f48 Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/allow_full_disk_access_notification_ven.png differ 
diff --git a/docs/getting-started/install-endpoint-ven/allow_network_filter_ven.png b/docs/getting-started/install-endpoint-ven/allow_network_filter_ven.png
new file mode 100644
index 0000000000..fc1fdd9721
Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/allow_network_filter_ven.png differ
diff --git a/docs/getting-started/install-endpoint-ven/allow_notifications_from_endpoint_ven.png b/docs/getting-started/install-endpoint-ven/allow_notifications_from_endpoint_ven.png
new file mode 100644
index 0000000000..ad8629e786
Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/allow_notifications_from_endpoint_ven.png differ
diff --git a/docs/getting-started/install-endpoint-ven/allow_system_extension_ven.png b/docs/getting-started/install-endpoint-ven/allow_system_extension_ven.png
new file mode 100644
index 0000000000..b1499d8872
Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/allow_system_extension_ven.png differ
diff --git a/docs/getting-started/install-endpoint-ven/enter_login_details_to_confirm_ven.png b/docs/getting-started/install-endpoint-ven/enter_login_details_to_confirm_ven.png
new file mode 100644
index 0000000000..ed25e4323c
Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/enter_login_details_to_confirm_ven.png differ
diff --git a/docs/getting-started/install-endpoint-ven/privacy_security_ven.png b/docs/getting-started/install-endpoint-ven/privacy_security_ven.png
new file mode 100644
index 0000000000..f73012cfa6
Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/privacy_security_ven.png differ
diff --git a/docs/getting-started/install-endpoint-ven/select_fda_ven.png b/docs/getting-started/install-endpoint-ven/select_fda_ven.png
new file mode 100644
index 0000000000..05057237c5
Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/select_fda_ven.png differ
diff --git a/docs/getting-started/install-endpoint-ven/system_extension_blocked_warning_ven.png b/docs/getting-started/install-endpoint-ven/system_extension_blocked_warning_ven.png new file mode 100644 index 0000000000..05c472aeb4 Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/system_extension_blocked_warning_ven.png differ diff --git a/docs/getting-started/install-endpoint-ven/verify_fed_granted_ven.png b/docs/getting-started/install-endpoint-ven/verify_fed_granted_ven.png new file mode 100644 index 0000000000..56abac61a2 Binary files /dev/null and b/docs/getting-started/install-endpoint-ven/verify_fed_granted_ven.png differ diff --git a/docs/getting-started/sec-app-requirements.asciidoc b/docs/getting-started/sec-app-requirements.asciidoc index e547f7cc58..44ad0300ea 100644 --- a/docs/getting-started/sec-app-requirements.asciidoc +++ b/docs/getting-started/sec-app-requirements.asciidoc @@ -45,7 +45,7 @@ There are some additional requirements for specific features: * <> * <> * <> -* <> +* <> * <> [discrete]