When you enable a DNS Filtering rule on a policy that includes a Mac device, the device tries to load a system extension and a Cloudflare certificate. These items must be permitted for DNS Filtering to operate on Mac devices. There are two methods to permit the system extension and certificate:
- An admin can use a .mobileconfig profile with a Mobile Deployment Management (MDM) tool to remotely allow the system extension and certificate.
- Individual users can manually allow the system extension in the macOS Security & Privacy settings and trust the certificate in Keychain Access.
Upload .mobileconfig profile to MDM
The Endpoint Agent requires several system permissions to scan and protect your Mac endpoints. You can use MDM to deploy configuration profiles that approve these permissions on behalf of your users. These profiles should be deployed to your Mac endpoints prior to installing the Endpoint Agent for the best experience:
- Download the mobileconfig files at the bottom of the article. Both are required:
- Malwarebytes_Protection_profile_general.mobileconfig
- Threatdown Protection - Malicious Web Access Control (MWAC).mobileconfig
- Upload the profiles to your MDM.
- Deploy the profiles to your Mac endpoints. Refer to your MDM provider’s user guide for instructions on deploying configuration profiles.
Manually allow system extension
- On the Mac device, click on the Apple icon > System Settings.
- Follow the steps to manually allow the system extension based on your operating system version:
- macOS 26 Tahoe
- Navigate to General > Login Items & Extensions.
- Click the information button next to DNSProxy.
- Toggle on Network extension.
- macOS Sequoia 15 and older
- Navigate to Privacy & Security.
- Under Security, click Allow to allow the DNSProxy system extension. A window to add DNS Proxy configurations displays.
- Note: If you have other system extensions awaiting approval, this section may appear different. To manage the list of pending extensions, click on Details and toggle on DNSProxy.
- macOS 26 Tahoe
- If prompted for the user's password, enter the password.
- Click Allow.
Manually trust Cloudflare certificate
- Open Keychain Access.
- Go to System > Certificates.
- Double-click the threatdown.com certificate.
- Expand Trust.
- Configure "When using this certificate to" Always Trust.
For more information, see Change the trust settings of a certificate in Keychain Access on Mac.