To ensure seamless functionality between the Endpoint Agent and its plugins, specific System Security permissions must be granted on the following macOS versions:
- Sequoia 15
- Sonoma 14
- Ventura 13
- Monterey 12
- Big Sur 11
- Catalina 10.15
These permissions include Full Disk Access (FDA), System Extensions, Web Content Filtering, DNS Proxy Configuration, and Certificates. End users can grant these permissions manually in their Mac Settings. However, we recommend using Mobile Device Management (MDM) profiles to grant them automatically on Mac endpoints. This article describes how to remotely deploy the MDM profile, also known as a .mobileconfig file, to your Mac endpoints so that users are not prompted for these approvals.
Requirements
Your Mac endpoints must be enrolled in User Approved Mobile Device Management (UAMDM). You can enroll devices with Apple Business Manager to make use of the Apple Automated Device Enrollment feature.
Notes:
- An MDM profile loaded remotely via Secure Shell (SSH) or similar does not qualify as a UAMDM.
Profile Overview
We created a single .mobileconfig file containing configuration payloads for our products, which can be used regardless of which OneView policies you have configured for your Mac endpoints. Along with the payloads, the .mobileconfig file contains general information such as Identifier, Description, Type, and Scope.
Mobileconfig editing guidelines
The .mobileconfig profile can be edited to remove the payloads that are not required for your environment. However, keeping unnecessary settings does not affect the performance of either your Mac endpoints or our products. We recommend using the file as is, but if you need to edit it, consider the following:
- Reference the table below to determine which payloads are required for each product. Only remove payloads for products you are not subscribed to.
- Full Disk Access permission is required for all products.
| Payload | Description | Required for |
| --- | --- | --- |
| Transparency, Consent, and Control (TCC), also known as Full Disk Access (FDA) | Four separate approvals to access all files required by the Endpoint Agent Daemon and Real-Time Protection Daemon. | |
| Allowed System Extensions | Two approvals to install the system extensions required by the Endpoint Detection and Response system extension and the DNS Proxy system extension, and two permissions to silently uninstall those extensions (supported only on macOS 12 and above). | |
| Web Content Filtering | Approval for the web content filtering required by the Endpoint Detection and Response system extension. | |
| DNS Proxy Configuration | Approval for the configuration of a DNS proxy required by the DNS Proxy system extension. | |
| Certificates | A Cloudflare certificate required by the DNS Proxy system extension. | |
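If you do edit the profile, it is worth checking that no payload from the table above was dropped by mistake before deploying it. The following Python script is an added example (not part of this article or the vendor's own profile): it parses a .mobileconfig with the standard plistlib module and lists the permissions a profile would leave for end users to approve by hand. The Apple PayloadType strings are real; the bundle IDs, team ID and profile identifier in the sample are constructed placeholders.

```python
import plistlib

# Apple's PayloadType identifier for each permission in the table above.
# These PayloadType strings are real; every other identifier in this example
# is a constructed placeholder, not a vendor's actual bundle ID or team ID.
REQUIRED_PAYLOADS = {
    "Full Disk Access (TCC)": "com.apple.TCC.configuration-profile-policy",
    "Allowed System Extensions": "com.apple.system-extension-policy",
    "Web Content Filtering": "com.apple.webcontent-filter",
    "DNS Proxy Configuration": "com.apple.dnsProxy.managed",
    "Certificates": "com.apple.security.root",
}

def audit_profile(mobileconfig: bytes) -> dict:
    """Report which of the table's payloads the profile carries, and whether
    its TCC payload actually grants SystemPolicyAllFiles (i.e. real FDA)."""
    profile = plistlib.loads(mobileconfig)
    payloads = profile.get("PayloadContent", [])
    present = {p.get("PayloadType") for p in payloads}
    result = {name: ptype in present for name, ptype in REQUIRED_PAYLOADS.items()}
    result["TCC grants SystemPolicyAllFiles"] = any(
        entry.get("Allowed") is True
        for p in payloads
        if p.get("PayloadType") == REQUIRED_PAYLOADS["Full Disk Access (TCC)"]
        for entry in p.get("Services", {}).get("SystemPolicyAllFiles", [])
    )
    return result

def missing_payloads(mobileconfig: bytes) -> list:
    """Permissions the profile leaves for the end user to approve by hand."""
    return [name for name, ok in audit_profile(mobileconfig).items() if not ok]

# Constructed sample: an edited profile that kept the TCC, system-extension and
# web-filter payloads but dropped the DNS Proxy and Certificate payloads.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.placeholder.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {"SystemPolicyAllFiles": [
             {"Identifier": "com.example.placeholder.agent",
              "IdentifierType": "bundleID",
              "CodeRequirement": 'identifier "com.example.placeholder.agent"',
              "Allowed": True}]}},
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {"PLACEHOLDERTEAMID": ["com.example.placeholder.edr"]}},
        {"PayloadType": "com.apple.webcontent-filter",
         "FilterType": "Plugin", "PluginBundleID": "com.example.placeholder.agent"},
    ],
})
print("missing:", missing_payloads(SAMPLE_PROFILE))  # -> ['DNS Proxy Configuration', 'Certificates']
```

Point `audit_profile` at the bytes of your edited .mobileconfig; an empty list from `missing_payloads` means every payload from the table is still present.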