Web Protection for macOS requires a system extension to be allowed in order to monitor the endpoint's network activity. The end user can allow this extension locally, or an administrator can do it remotely with a mobileconfig profile using a User Approved Mobile Device Management (UAMDM) tool.
Allow system extension locally on device
If you don't use a UAMDM, then a prompt appears on the end user's device when Web Protection is enabled on the endpoint's policy.
Have the user click Allow or Open System Settings and follow the prompts to allow the MB-EngineHostsApp-NCEP system extension to filter network content.
Remotely allow the system extension
Administrators can deploy the mobileconfig file with a UAMDM so that end users do not each need to allow the system extension manually. You can enroll devices with Apple Business Manager to use the Apple Automated Device Enrollment feature.
Note: An MDM profile loaded remotely via SSH or similar does not qualify as a UAMDM.
Upload and deploy PPPCP using UAMDM
Create a Privacy Preferences Policy Control profile (PPPCP) to allow the system extension remotely for your end users. Deploy the PPPCP using a UAMDM.
- Download the attached file for your macOS endpoints:
  - Threatdown Protection - Malicious Web Access Control (MWAC).mobileconfig
- Upload the file to your MDM.
- Save and deploy your PPPCP using a UAMDM as a device profile.
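To confirm on an endpoint that the extension was actually allowed, whether locally or by the deployed profile, the following added example (not part of the vendor's tooling) classifies the state macOS reports in `systemextensionsctl list`. It assumes the extension is listed under the name MB-EngineHostsApp-NCEP given above; the team ID and bundle ID in the sample row are constructed placeholders.

```shell
#!/bin/sh
# Added example: report whether the Web Protection system extension is approved.
EXT_NAME="MB-EngineHostsApp-NCEP"   # name as given on this page (assumed to match the list output)

# Reads `systemextensionsctl list` output on stdin and prints one of:
#   approved | pending-user-approval | not-installed | other:<state>
ext_state() {
    # Keep only rows for our extension, then pull the trailing [state] field.
    states=$(grep -F -- "$EXT_NAME" | sed -n 's/.*\[\([^]]*\)][[:space:]]*$/\1/p')
    if [ -z "$states" ]; then
        echo "not-installed"; return 1
    fi
    # An old copy awaiting removal can be listed next to the active one,
    # so look for an approved row before reporting anything else.
    if printf '%s\n' "$states" | grep -qx 'activated enabled'; then
        echo "approved"
    elif printf '%s\n' "$states" | grep -qx 'activated waiting for user'; then
        # Neither the user nor a UAMDM-delivered profile has allowed it yet.
        echo "pending-user-approval"; return 2
    else
        echo "other:$(printf '%s\n' "$states" | head -n 1)"; return 3
    fi
}

# Constructed sample output: an endpoint where the prompt was never answered.
sample_pending() {
    printf '%s\n' \
      '1 extension(s)' \
      '--- com.apple.system_extension.network_extension' \
      'enabled active teamID bundleID (version) name [state]' \
      "* * TEAMID0000 com.example.placeholder (1.0/1) $EXT_NAME [activated waiting for user]"
}

if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | ext_state || true      # real endpoint
else
    sample_pending | ext_state || true                # off-Mac: use the sample
fi
```

A result of `pending-user-approval` on a managed device suggests the profile did not reach the endpoint as a device profile from a UAMDM.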
For troubleshooting Web Protection on macOS, see Troubleshooting macOS Web Protection in Nebula.