Security

Hello everyone,

We are currently using ClearPass OnGuard (version 6.11.12) in production, and the health check works properly for Windows endpoints. However, the customer would like to start testing macOS devices (MacBooks) on the corporate network.

We've noticed that when a MacBook with the OnGuard agent installed connects to the corporate SSID, it is placed into quarantine, even though the OnGuard client appears to be running normally.

The Access Tracker shows alerts such as:

Did not receive any health information from ClearPass health agent. Multiple Antivirus Products Detected: Client reported more than 2 AntiVirus products [CrowdStrike Falcon, Gatekeeper, XProtect]

My questions are:

1. Are there specific configuration differences in OnGuard posture policies for macOS compared to Windows?

2. Does macOS require any additional posture checks or custom health classes to properly report to the Policy Manager?

3. Could the presence of built-in macOS protections (e.g., Gatekeeper, XProtect, or third-party AV like CrowdStrike) trigger false positives or quarantine actions?

4. What is the recommended configuration or best practice to ensure MacBooks pass posture validation without being quarantined?

Thanks in advance for your help!

-------------------------------------------

So there are some slight differences in macOS vs Windows as for example:

Agent Types in Windows are persistent (OnGuard.exe) with full posture integration while the macOS has limited posture checks.
Also, Health classes varies, since macOS has fewer Health Classes compared to Windows.
AV Detection logic in windows can be used WMI and Registry keys and in macOS, it goes through system_profiler and security framework queries.

Communication is bidirectional Windows Agent -> Clearpass through HTTPs and COA, and on macOS it uses the same concept but you need to check privacy controls. 

This link could be of a help maybe, where you can find macOS Health Checks and then you can compare it with your Windows checks.
https://arubanetworking.hpe.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Posture/CPMACSystemHealthValidatorOG.htm?Highlight=onguard%20macos

Also, from the Policy Server Alerts tab, it states that you are using three Antiviruses on the device, and could be that you are having only Health Validator requesting 1. Can you share maybe the Health Validation rules for your macOS?
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.

Original Message:
Sent: Oct 23, 2025 02:28 PM
From: Cleiton da Silva dos Santos
Subject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

Hello everyone,

We are currently using ClearPass OnGuard (version 6.11.12) in production, and the health check works properly for Windows endpoints. However, the customer would like to start testing macOS devices (MacBooks) on the corporate network.

We've noticed that when a MacBook with the OnGuard agent installed connects to the corporate SSID, it is placed into quarantine, even though the OnGuard client appears to be running normally.

The Access Tracker shows alerts such as:

Did not receive any health information from ClearPass health agent. Multiple Antivirus Products Detected: Client reported more than 2 AntiVirus products [CrowdStrike Falcon, Gatekeeper, XProtect]

My questions are:

1. Are there specific configuration differences in OnGuard posture policies for macOS compared to Windows?

2. Does macOS require any additional posture checks or custom health classes to properly report to the Policy Manager?

3. Could the presence of built-in macOS protections (e.g., Gatekeeper, XProtect, or third-party AV like CrowdStrike) trigger false positives or quarantine actions?

4. What is the recommended configuration or best practice to ensure MacBooks pass posture validation without being quarantined?

Thanks in advance for your help!

-------------------------------------------

So there are some slight differences in macOS vs Windows as for example:

Agent Types in Windows are persistent (OnGuard.exe) with full posture integration while the macOS has limited posture checks.
Also, Health classes varies, since macOS has fewer Health Classes compared to Windows.
AV Detection logic in windows can be used WMI and Registry keys and in macOS, it goes through system_profiler and security framework queries.

Communication is bidirectional Windows Agent -> Clearpass through HTTPs and COA, and on macOS it uses the same concept but you need to check privacy controls. 

This link could be of a help maybe, where you can find macOS Health Checks and then you can compare it with your Windows checks.
https://arubanetworking.hpe.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Posture/CPMACSystemHealthValidatorOG.htm?Highlight=onguard%20macos

Also, from the Policy Server Alerts tab, it states that you are using three Antiviruses on the device, and could be that you are having only Health Validator requesting 1. Can you share maybe the Health Validation rules for your macOS?
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.

Original Message:
Sent: Oct 23, 2025 02:28 PM
From: Cleiton da Silva dos Santos
Subject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

Hello everyone,

We are currently using ClearPass OnGuard (version 6.11.12) in production, and the health check works properly for Windows endpoints. However, the customer would like to start testing macOS devices (MacBooks) on the corporate network.

We've noticed that when a MacBook with the OnGuard agent installed connects to the corporate SSID, it is placed into quarantine, even though the OnGuard client appears to be running normally.

The Access Tracker shows alerts such as:

Did not receive any health information from ClearPass health agent. Multiple Antivirus Products Detected: Client reported more than 2 AntiVirus products [CrowdStrike Falcon, Gatekeeper, XProtect]

My questions are:

1. Are there specific configuration differences in OnGuard posture policies for macOS compared to Windows?

2. Does macOS require any additional posture checks or custom health classes to properly report to the Policy Manager?

3. Could the presence of built-in macOS protections (e.g., Gatekeeper, XProtect, or third-party AV like CrowdStrike) trigger false positives or quarantine actions?

4. What is the recommended configuration or best practice to ensure MacBooks pass posture validation without being quarantined?

Thanks in advance for your help!

-------------------------------------------

Thanks again for your clarification!

As requested, please find below the screenshots of the macOS Health Validation rules currently configured in ClearPass (version 6.11.12).

We're using the ClearPass macOS Universal System Health Validator plugin with the following configuration:

• Antivirus: CrowdStrike Falcon (minimum version 7.13.183.308.0)

• Evaluation rule: PassAnyOne

• Auto Remediation: Enabled

• User Notification: Enabled

• No Data File / Last Scan / RTP check configured

(Attached screenshots below for reference)

However, I still have a question about the alert we see in the Access Tracker:

"Did not receive any health information from ClearPass health agent."

Does this specifically mean that the OnGuard agent failed to send any posture data to ClearPass, or can it also appear when the agent sends partial data that doesn't match any defined health class?

Since the agent is installed and communicating properly, I'm wondering whether this is related to a macOS privacy restriction or posture data not being recognized due to limited macOS health checks.

Original Message: Sent: Oct 23, 2025 02:37 PM From: shpat Subject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

So there are some slight differences in macOS vs Windows as for example:

Agent Types in Windows are persistent (OnGuard.exe) with full posture integration while the macOS has limited posture checks. Also, Health classes varies, since macOS has fewer Health Classes compared to Windows. AV Detection logic in windows can be used WMI and Registry keys and in macOS, it goes through system_profiler and security framework queries.

Communication is bidirectional Windows Agent -> Clearpass through HTTPs and COA, and on macOS it uses the same concept but you need to check privacy controls.  This link could be of a help maybe, where you can find macOS Health Checks and then you can compare it with your Windows checks. https://arubanetworking.hpe.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Posture/CPMACSystemHealthValidatorOG.htm?Highlight=onguard%20macos

Also, from the Policy Server Alerts tab, it states that you are using three Antiviruses on the device, and could be that you are having only Health Validator requesting 1. Can you share maybe the Health Validation rules for your macOS? ------------------------------ Shpat | ACEP | ACMP | ACCP | ACDP Just an Aruba enthusiast and contributor by cases If you find my comment helpful, KUDOS are appreciated. Original Message: Sent: Oct 23, 2025 02:28 PM From: Cleiton da Silva dos Santos Subject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

Hello everyone,

We are currently using ClearPass OnGuard (version 6.11.12) in production, and the health check works properly for Windows endpoints. However, the customer would like to start testing macOS devices (MacBooks) on the corporate network.

We've noticed that when a MacBook with the OnGuard agent installed connects to the corporate SSID, it is placed into quarantine, even though the OnGuard client appears to be running normally.

The Access Tracker shows alerts such as:

Did not receive any health information from ClearPass health agent. Multiple Antivirus Products Detected: Client reported more than 2 AntiVirus products [CrowdStrike Falcon, Gatekeeper, XProtect]

My questions are:

1. Are there specific configuration differences in OnGuard posture policies for macOS compared to Windows?

2. Does macOS require any additional posture checks or custom health classes to properly report to the Policy Manager?

3. Could the presence of built-in macOS protections (e.g., Gatekeeper, XProtect, or third-party AV like CrowdStrike) trigger false positives or quarantine actions?

4. What is the recommended configuration or best practice to ensure MacBooks pass posture validation without being quarantined?

Thanks in advance for your help!

-------------------------------------------

Regarding the message: ""Did not receive any health information from ClearPass health agent.""
Can you check if Agent from macOS -> can reach CPPM through TCP/UDP 443 ? 
In addition,  check the /Library/Application Support/ArubaNetworks/OnGuard/logs/OnGuardAgent.log if you see any log which can be useful (something like Received posture data: empty). 

Also, try on the ClearPass CPPM to configure Posture Health Validator for macOS (Antivirus) -> Any instead of just Crowdstrike.

Thanks again for your clarification!

As requested, please find below the screenshots of the macOS Health Validation rules currently configured in ClearPass (version 6.11.12).

We're using the ClearPass macOS Universal System Health Validator plugin with the following configuration:

• Antivirus: CrowdStrike Falcon (minimum version 7.13.183.308.0)

• Evaluation rule: PassAnyOne

• Auto Remediation: Enabled

• User Notification: Enabled

• No Data File / Last Scan / RTP check configured

(Attached screenshots below for reference)

However, I still have a question about the alert we see in the Access Tracker:

"Did not receive any health information from ClearPass health agent."

Does this specifically mean that the OnGuard agent failed to send any posture data to ClearPass, or can it also appear when the agent sends partial data that doesn't match any defined health class?

Since the agent is installed and communicating properly, I'm wondering whether this is related to a macOS privacy restriction or posture data not being recognized due to limited macOS health checks.

Original Message:Sent: Oct 23, 2025 02:37 PMFrom: shpatSubject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

So there are some slight differences in macOS vs Windows as for example:

Agent Types in Windows are persistent (OnGuard.exe) with full posture integration while the macOS has limited posture checks.Also, Health classes varies, since macOS has fewer Health Classes compared to Windows.AV Detection logic in windows can be used WMI and Registry keys and in macOS, it goes through system_profiler and security framework queries.

Communication is bidirectional Windows Agent -> Clearpass through HTTPs and COA, and on macOS it uses the same concept but you need to check privacy controls. This link could be of a help maybe, where you can find macOS Health Checks and then you can compare it with your Windows checks.https://arubanetworking.hpe.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Posture/CPMACSystemHealthValidatorOG.htm?Highlight=onguard%20macos

Also, from the Policy Server Alerts tab, it states that you are using three Antiviruses on the device, and could be that you are having only Health Validator requesting 1. Can you share maybe the Health Validation rules for your macOS?------------------------------Shpat | ACEP | ACMP | ACCP | ACDPJust an Aruba enthusiast and contributor by casesIf you find my comment helpful, KUDOS are appreciated.Original Message:Sent: Oct 23, 2025 02:28 PMFrom: Cleiton da Silva dos SantosSubject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

Hello everyone,

We are currently using ClearPass OnGuard (version 6.11.12) in production, and the health check works properly for Windows endpoints. However, the customer would like to start testing macOS devices (MacBooks) on the corporate network.

We've noticed that when a MacBook with the OnGuard agent installed connects to the corporate SSID, it is placed into quarantine, even though the OnGuard client appears to be running normally.

The Access Tracker shows alerts such as:

Did not receive any health information from ClearPass health agent. Multiple Antivirus Products Detected: Client reported more than 2 AntiVirus products [CrowdStrike Falcon, Gatekeeper, XProtect]

My questions are:

1. Are there specific configuration differences in OnGuard posture policies for macOS compared to Windows?

2. Does macOS require any additional posture checks or custom health classes to properly report to the Policy Manager?

3. Could the presence of built-in macOS protections (e.g., Gatekeeper, XProtect, or third-party AV like CrowdStrike) trigger false positives or quarantine actions?

4. What is the recommended configuration or best practice to ensure MacBooks pass posture validation without being quarantined?

Thanks in advance for your help!

-------------------------------------------

Regarding the message: ""Did not receive any health information from ClearPass health agent.""
Can you check if Agent from macOS -> can reach CPPM through TCP/UDP 443 ? 
In addition,  check the /Library/Application Support/ArubaNetworks/OnGuard/logs/OnGuardAgent.log if you see any log which can be useful (something like Received posture data: empty). 

Also, try on the ClearPass CPPM to configure Posture Health Validator for macOS (Antivirus) -> Any instead of just Crowdstrike.

Thanks again for your clarification!

As requested, please find below the screenshots of the macOS Health Validation rules currently configured in ClearPass (version 6.11.12).

We're using the ClearPass macOS Universal System Health Validator plugin with the following configuration:

• Antivirus: CrowdStrike Falcon (minimum version 7.13.183.308.0)

• Evaluation rule: PassAnyOne

• Auto Remediation: Enabled

• User Notification: Enabled

• No Data File / Last Scan / RTP check configured

(Attached screenshots below for reference)

However, I still have a question about the alert we see in the Access Tracker:

"Did not receive any health information from ClearPass health agent."

Does this specifically mean that the OnGuard agent failed to send any posture data to ClearPass, or can it also appear when the agent sends partial data that doesn't match any defined health class?

Since the agent is installed and communicating properly, I'm wondering whether this is related to a macOS privacy restriction or posture data not being recognized due to limited macOS health checks.

Original Message:Sent: Oct 23, 2025 02:37 PMFrom: shpatSubject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

So there are some slight differences in macOS vs Windows as for example:

Agent Types in Windows are persistent (OnGuard.exe) with full posture integration while the macOS has limited posture checks.Also, Health classes varies, since macOS has fewer Health Classes compared to Windows.AV Detection logic in windows can be used WMI and Registry keys and in macOS, it goes through system_profiler and security framework queries.

Communication is bidirectional Windows Agent -> Clearpass through HTTPs and COA, and on macOS it uses the same concept but you need to check privacy controls. This link could be of a help maybe, where you can find macOS Health Checks and then you can compare it with your Windows checks.https://arubanetworking.hpe.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Posture/CPMACSystemHealthValidatorOG.htm?Highlight=onguard%20macos

Also, from the Policy Server Alerts tab, it states that you are using three Antiviruses on the device, and could be that you are having only Health Validator requesting 1. Can you share maybe the Health Validation rules for your macOS?------------------------------Shpat | ACEP | ACMP | ACCP | ACDPJust an Aruba enthusiast and contributor by casesIf you find my comment helpful, KUDOS are appreciated.Original Message:Sent: Oct 23, 2025 02:28 PMFrom: Cleiton da Silva dos SantosSubject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

Hello everyone,

We are currently using ClearPass OnGuard (version 6.11.12) in production, and the health check works properly for Windows endpoints. However, the customer would like to start testing macOS devices (MacBooks) on the corporate network.

We've noticed that when a MacBook with the OnGuard agent installed connects to the corporate SSID, it is placed into quarantine, even though the OnGuard client appears to be running normally.

The Access Tracker shows alerts such as:

Did not receive any health information from ClearPass health agent. Multiple Antivirus Products Detected: Client reported more than 2 AntiVirus products [CrowdStrike Falcon, Gatekeeper, XProtect]

My questions are:

1. Are there specific configuration differences in OnGuard posture policies for macOS compared to Windows?

2. Does macOS require any additional posture checks or custom health classes to properly report to the Policy Manager?

3. Could the presence of built-in macOS protections (e.g., Gatekeeper, XProtect, or third-party AV like CrowdStrike) trigger false positives or quarantine actions?

4. What is the recommended configuration or best practice to ensure MacBooks pass posture validation without being quarantined?

Thanks in advance for your help!

-------------------------------------------

Hello,

We are running ClearPass 6.11.12 with OnGuard Agent for macOS (6.11.12.262976).
The Posture Policy follows the official documentation (macOS Universal System Health Validator) and currently validates only CrowdStrike Falcon.

However, macOS endpoints are still being quarantined with the following alerts:

Did not receive any health information from ClearPass health agent.
Multiple AntiVirus Products Detected: Client reported more than 2 AntiVirus products: [CrowdStrike Falcon, Gatekeeper, Xprotect]

Below are log snippets and context for reference:

1️⃣ Backend Log (macagent_backend_0.log)

Shows that the OnGuard agent successfully collects posture data and detects multiple antivirus engines.

2025-10-22 16:36:24,707 DEBUG MacSHA.AMOesisV4Impl - GetAntiVirusDefinitions: Definition updates for 'Xprotect': Signature=100428 IsRecent=true2025-10-22 16:36:24,721 INFO  MacSHA.AVV4HealthClassInfoFactory - GetDefintionVersions: AV DatFile Version - 53202025-10-22 16:36:24,721 INFO  MacSHA.AVV4HealthClassInfoFactory - GetRTPStatus: AV Real Time Protection Status - On2025-10-22 16:36:24,979 DEBUG MacSHA.PMV4HealthClassInfoFactory - GetHealth: Found Patch Agent Application using V4 - Software Update 3.0 (100192)2025-10-22 16:36:25,563 DEBUG MacSHA.PMV4HealthClassInfoFactory - GetHealth: Found Patch Agent Application using V4 - Microsoft AutoUpdate 4.81 (100516)2025-10-22 16:36:25,563 DEBUG MacSHA.PMV4HealthClassInfoFactory - GetHealth: Found Patch Agent Application using V4 - Trellix Agent for Mac 5.8.4.505 (100501)

➡️ This shows the agent correctly detects CrowdStrike, XProtect, and Gatekeeper, with real-time protection enabled and system updates active.
The problem is not local to the endpoint.

2️⃣ Frontend Log (ClearPassOnGuard_12.log)

Shows that the OnGuard agent attempts to reach the CPPM via HTTPS but times out.

2025-10-20 17:12:07,765 ERROR OnGuardPlugin.HttpClientWrapper - ExecuteMethod: Send Request failed from Local IP: x.x.x.x to Remote IP: 1x.x.x.x. Error - 28(Timeout was reached)2025-10-20 17:12:07,788 ERROR OnGuardPlugin.HttpClientWrapper - ExecuteMethod: Send Request failed from Local IP: x.x.x.x to Remote IP: x.x.x.x. Error - 28(Timeout was reached)2025-10-20 17:12:22,933 WARN  OnGuardPlugin.UIInterfaceStateListener - AuthServerAvailable: any Authentication server is not available interface en0

➡️ The agent cannot send posture data to the CPPM (TCP/UDP 443 timeout).
In ClearPass, the result is:

Posture Token: UnknownHealth Result: Did not receive any health information

This state triggers quarantine enforcement.

3️⃣ Policy Manager Alert Correlation

The Policy Server interprets partial posture data and detects multiple antivirus products.

Did not receive any health information from ClearPass health agent.Multiple AntiVirus Products Detected: Client reported more than 2 AntiVirus products: [CrowdStrike Falcon, Gatekeeper, Xprotect]

➡️ This suggests ClearPass did not receive the complete posture report, and the OESIS framework marked the device as Unhealthy due to multiple AV detections.

4️⃣ Agent Configuration (agent.conf)

Confirms the agent is set to IPv4-only mode and proper health mode.

IPVersionOnGuard=IPv4Onlymode=healthAuthServers=x.x.x.x,x.x.x.x,x.x.x.x,x.x.x.x,x.x.x.x,x.x.x.x,x.x.x.x

➡️ The configuration is correct - the issue appears related to communication or antivirus detection handling.

Lab Test

In a lab environment, I simulated a new Health Validator configuration to include all detected antivirus engines under PassAnyOne (CrowdStrike, Gatekeeper, XProtect).

Before moving this configuration into production, I'd like to confirm with the community:

1. Is it recommended to include all three AVs (CrowdStrike, Gatekeeper, XProtect) and use PassAnyOne for macOS posture validation?

2. Is the "Did not receive any health information" alert expected behavior when macOS blocks part of the posture report due to privacy/security controls?

3. Is there any official guidance on optimizing the OESIS Framework for macOS environments with EDR and native protections?

Thanks in advance for any insights or best practices!

Regarding the message: ""Did not receive any health information from ClearPass health agent."" Can you check if Agent from macOS -> can reach CPPM through TCP/UDP 443 ?  In addition,  check the /Library/Application Support/ArubaNetworks/OnGuard/logs/OnGuardAgent.log if you see any log which can be useful (something like Received posture data: empty).  Also, try on the ClearPass CPPM to configure Posture Health Validator for macOS (Antivirus) -> Any instead of just Crowdstrike.

Thanks again for your clarification!

As requested, please find below the screenshots of the macOS Health Validation rules currently configured in ClearPass (version 6.11.12).

We're using the ClearPass macOS Universal System Health Validator plugin with the following configuration:

• Antivirus: CrowdStrike Falcon (minimum version 7.13.183.308.0)

• Evaluation rule: PassAnyOne

• Auto Remediation: Enabled

• User Notification: Enabled

• No Data File / Last Scan / RTP check configured

(Attached screenshots below for reference)

However, I still have a question about the alert we see in the Access Tracker:

"Did not receive any health information from ClearPass health agent."

Does this specifically mean that the OnGuard agent failed to send any posture data to ClearPass, or can it also appear when the agent sends partial data that doesn't match any defined health class?

Since the agent is installed and communicating properly, I'm wondering whether this is related to a macOS privacy restriction or posture data not being recognized due to limited macOS health checks.

Original Message:Sent: Oct 23, 2025 02:37 PMFrom: shpatSubject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

So there are some slight differences in macOS vs Windows as for example:

Agent Types in Windows are persistent (OnGuard.exe) with full posture integration while the macOS has limited posture checks.Also, Health classes varies, since macOS has fewer Health Classes compared to Windows.AV Detection logic in windows can be used WMI and Registry keys and in macOS, it goes through system_profiler and security framework queries.

Communication is bidirectional Windows Agent -> Clearpass through HTTPs and COA, and on macOS it uses the same concept but you need to check privacy controls. This link could be of a help maybe, where you can find macOS Health Checks and then you can compare it with your Windows checks.https://arubanetworking.hpe.com/techdocs/ClearPass/6.11/PolicyManager/Content/CPPM_UserGuide/Posture/CPMACSystemHealthValidatorOG.htm?Highlight=onguard%20macos

Also, from the Policy Server Alerts tab, it states that you are using three Antiviruses on the device, and could be that you are having only Health Validator requesting 1. Can you share maybe the Health Validation rules for your macOS?------------------------------Shpat | ACEP | ACMP | ACCP | ACDPJust an Aruba enthusiast and contributor by casesIf you find my comment helpful, KUDOS are appreciated.Original Message:Sent: Oct 23, 2025 02:28 PMFrom: Cleiton da Silva dos SantosSubject: ClearPass OnGuard for macOS quarantining devices – configuration differences from Windows?

Hello everyone,

We are currently using ClearPass OnGuard (version 6.11.12) in production, and the health check works properly for Windows endpoints. However, the customer would like to start testing macOS devices (MacBooks) on the corporate network.

We've noticed that when a MacBook with the OnGuard agent installed connects to the corporate SSID, it is placed into quarantine, even though the OnGuard client appears to be running normally.

The Access Tracker shows alerts such as:

Did not receive any health information from ClearPass health agent. Multiple Antivirus Products Detected: Client reported more than 2 AntiVirus products [CrowdStrike Falcon, Gatekeeper, XProtect]

My questions are:

1. Are there specific configuration differences in OnGuard posture policies for macOS compared to Windows?

2. Does macOS require any additional posture checks or custom health classes to properly report to the Policy Manager?

3. Could the presence of built-in macOS protections (e.g., Gatekeeper, XProtect, or third-party AV like CrowdStrike) trigger false positives or quarantine actions?

4. What is the recommended configuration or best practice to ensure MacBooks pass posture validation without being quarantined?

Thanks in advance for your help!

-------------------------------------------