To ensure a seamless functionality between the Endpoint Agent and its plugins, specific System Security permissions must be provided for the following macOS versions:
- Tahoe 26
- Sequoia 15
- Sonoma 14
- Ventura 13
- Monterey 12
- Big Sur 11
These permissions include Full Disk Access (FDA), System Extensions, Web Content Filtering, DNS Proxy Configuration, and Certificates. End users can grant these manually in Mac Settings, but we recommend using Mobile Device Management (MDM) profiles to grant them automatically and avoid prompting each end user.
NOTICE - Some MDMs only support one web content filter per configuration profile, so two separate .mobileconfig files were created for remote deployment. Both are required, and are available to download at the bottom of this article.
Requirements
Your Mac endpoints must have a User Approved Mobile Device Management (UAMDM) configured. You can enroll devices with Apple Business Manager to make use of the Apple Automated Device Enrollment feature.
An MDM profile loaded remotely via Secure Shell (SSH) or similar does not qualify as a UAMDM.
Allow the extensions remotely with UAMDM
Deploy the mobileconfig files with a UAMDM so end users don't receive local prompts. Create a Privacy Preferences Policy Control profile (PPPCP) to allow the system extensions remotely, then deploy it using UAMDM:
- Download the mobileconfig files at the bottom of the article. Both are required:
- Malwarebytes_Protection_profile_general.mobileconfig
- Threatdown Protection - Malicious Web Access Control (MWAC).mobileconfig
- Upload the files to your MDM.
- Save and deploy your PPPCP by UAMDM as a device profile.
Mobileconfig configuration payloads
The two mobileconfig files contains configuration payloads for many of our products, which can be used regardless of which OneView policies you have configured for your Mac endpoints. Along with the payloads, the .mobileconfig file contains general information such as Identifier, Description, Type, and Scope.
Malwarebytes_Protection_profile_general
This profile can be edited to remove the payloads that aren't required for your environment. However, keeping unnecessary payloads does not affect the performance of either your Mac endpoints or our products, so we recommend using the file as is. If you need to edit it, consider the following:
- Reference the table below to determine which payloads are required for each product. Only remove payloads for products you are not subscribed to.
- Full Disk Access permission is required for all products.
| Payload | Description | Required for |
|---|---|---|
| Transparency, Consent, and Control (TCC). Also known as Full Disk Access (FDA) | Four separate approvals to access all files required by the Endpoint Agent Daemon and Real-Time Protection Daemon. |
|
| Allowed System Extensions | Two approvals to install system extensions required by the Endpoint Detection and Response system extension and DNS Proxy system extension, and two permissions to silently uninstall said extensions (supported only on macOS 12 and above) |
|
| Web Content Filtering | Approval for the web content filtering required by the Endpoint Detection and Response system extension. |
|
| DNS Proxy Configuration | Approval for the configuration of a DNS proxy required by the DNS Proxy System Extension. |
|
| Certificates | A Cloudflare certificate required by the DNS Proxy system extension. |
|
ThreatDown Protection - Malicious Web Access Control (MWAC)
This is the other file required for remote deployment. It allows OneView Web Protection to block inbound and outbound connections to known malicious IPs and domains on macOS devices. The file contains the following payload:
| Payload | Description | Required for |
|---|---|---|
| Web Content Filtering | Approval for the web content filtering required by the Web Protection system extension. |
|