When you enable a DNS Filtering rule on a policy that includes a Mac device, the device tries to load a system extension and a Cloudflare certificate. These items must be permitted for DNS Filtering to operate on Mac devices. There are two methods to permit the system extension and certificate:
- An admin can use a .mobileconfig profile with a User Approved Mobile Deployment Management (UAMDM) tool to remotely allow the system extension and certificate.
- Individual users can manually allow the system extension in the macOS Security & Privacy settings and trust the certificate in Keychain Access.
Upload .mobileconfig profile to MDM
Create a Privacy Preferences Policy Control profile (PPPCP) to allow the system extension and deploy it via a UAMDM.
- Download the attached file called Malwarebytes_Protection_profile_general.mobileconfig.
- Upload the file to your UAMDM.
- Save and deploy your PPPCP by UAMDM as a device profile.
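Before uploading a vendor-supplied profile, it is worth confirming that it allows only the system extension and certificate you expect. The following is an added example, not part of the original article or the vendor's tooling: it lists what a profile would approve, using a constructed sample with placeholder team ID, bundle ID and certificate bytes. It assumes an unsigned profile; a signed one must first be decoded, for example with `security cms -D -i`.

```python
import plistlib

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}
SYSEXT_TYPE = "com.apple.system-extension-policy"

# Constructed sample profile (placeholder team ID, bundle ID and certificate bytes).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Constructed sample</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>AllowedSystemExtensions</key><dict>
        <key>TEAMID0000</key><array><string>com.example.dnsproxy</string></array>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadCertificateFileName</key><string>example-ca.cer</string>
      <key>PayloadContent</key><data>Q09OU1RSVUNURUQ=</data>
    </dict>
  </array>
</dict></plist>"""

def audit_profile(raw: bytes) -> dict:
    """Summarise what an unsigned .mobileconfig would allow or install."""
    profile = plistlib.loads(raw)
    report = {"extensions": [], "whole_teams": [], "certificates": [], "other": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == SYSEXT_TYPE:
            for team, bundles in payload.get("AllowedSystemExtensions", {}).items():
                report["extensions"] += [(team, b) for b in bundles]
            # AllowedTeamIdentifiers approves every extension signed by that team.
            report["whole_teams"] += payload.get("AllowedTeamIdentifiers", [])
        elif ptype in CERT_TYPES:
            report["certificates"].append(
                payload.get("PayloadCertificateFileName", "<unnamed>"))
        else:
            report["other"].append(ptype)  # payload types to review by hand
    return report

if __name__ == "__main__":
    for section, items in audit_profile(SAMPLE_PROFILE).items():
        print(f"{section}: {items}")
```

Entries under `whole_teams` or `other` deserve a closer look, since they grant more than a single named extension or certificate.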
Manually allow system extension
- On the Mac device, click on the Apple icon > System Preferences.
- Navigate to Privacy & Security.
- Under Security, click Allow to allow the DNSProxy system extension. A window to add DNS Proxy configurations displays.
Note: If you have other system extensions awaiting approval, this section may appear different. To manage the list of pending extensions, click on Details and toggle on DNSProxy.
- If prompted for the user's password, enter the password.
- Click Allow.
For more information, see Change Security & Privacy General Preferences on Mac.
Manually trust Cloudflare certificate
- Open Keychain Access.
- Go to System > Certificates.
- Double-click your certificate. The default Cloudflare certificate is named Cloudflare for Teams ECC Authority.
- Select Trust.
- Set When using this certificate to Always Trust.
For more information, see Change the trust settings of a certificate in Keychain Access on Mac.