Skip to main content

Allow DNS system extension and Cloudflare certificate on Mac devices - OneView

Updated: 

When you enable a DNS Filtering rule on a policy that includes a Mac device, the device tries to load a system extension and a Cloudflare certificate. These items must be permitted for DNS Filtering to operate on Mac devices. There are two methods to permit the system extension and certificate:

  • An admin can use a .mobileconfig profile with a User Approved Mobile Deployment Management (UAMDM) tool to remotely allow the system extension and certificate.
  • Individual users can manually allow the system extension in the macOS Security & Privacy settings and trust the certificate in Keychain Access. 

Upload .mobileconfig profile to MDM

Create a Privacy Preferences Policy Control profile (PPPCP) to allow the system extension and deploy it via a UAMDM.

  1. Download the file at the bottom oft he article called Malwarebytes_Protection_profile_general.mobileconfig
  2. Upload the file to your UAMDM.
  3. Save and deploy your PPPCP by UAMDM as a device profile.

Manually allow system extension

  1. On the Mac device, click on the Apple icon > System Preferences.
  2. Follow the steps to manually allow the system extension based on your operating system version:
    1. macOS 26 Tahoe
      1. Navigate to General > Login Items & Extensions.
      2. Click the information button next to DNSProxy.
      3. Toggle on Network extension.
    2. macOS Sequoia 15 and older
      1. Navigate to Privacy & Security.
      2. Under Security, click Allow to allow the DNSProxy system extension. A window to add DNS Proxy configurations displays. 
    3. Note: If you have other system extensions awaiting approval, this section may appear different. To manage the list of pending extensions, click on Details and toggle on DNSProxy.
  3. If prompted for the user's password, enter the password.
  4. Click Allow.

Manually trust Cloudflare certificate

  1. Open Keychain Access.
  2. Go to System > Certificates.
  3. Double-click the threatdown.com certificate. 
  4. Expand Trust.
  5. Configure "When using this certificate to" Always Trust.

For more information, see Change the trust settings of a certificate in Keychain Access on Mac.

Download mobileconfig

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more