Skip to main content

Allow system extension for Web Protection on macOS devices - OneView

Updated: 

Web Protection for macOS requires a system extension to be allowed in order to monitor the endpoint's network activity. The end user can allow this extension locally, or an administrator can do it remotely with a mobileconfig profile using a User Approved Mobile Device Management (UAMDM) tool. 

Allow system extension locally on device

If you don't use a UAMDM, then a prompt appears on the end user's device when Web Protection is enabled on the endpoint's policy.

Screenshot 2024-07-26 at 10.13.30 AM.png Screenshot 2024-07-26 at 10.12.36 AM.png

Have the user click Allow or Open System Settings and follow the prompts to allow the MB-EngineHostsApp-NCEP system extension to filter network content. 

If the pop-up was dismissed or ignored, follow these steps instead:

  1. On the affected Mac device, click on the Apple icon > System Settings.
  2. Go to General > Login Items & Extensions.
  3. Click the information button (i) next to Endpoint Security Extensions.
  4. Toggle on Malwarebytes Engine Host (NCEP)
  5. Enter your Mac password and click Ok.
  6. Click Done.
  7. Another prompt to allow the MB-EngineHostApp-NCEP displays, click Allow

For admins to easily identify which endpoints haven't allowed the system extension:

  1. In OneView, go to Manage > Endpoints.
  2. Filter the Protection Status column for the Unprotected status.
  3. Filter the OS Platform column for MacOS.

For more information, see Endpoint protection statuses in OneView.

Remotely allow the system extension

Administrators can deploy the mobileconfig file with a UAMDM to prevent each end user from needing to manually allow the system extension. You can enroll devices with Apple Business Manager to use the Apple Automated Device Enrollment feature.

Note: An MDM profile loaded remotely via SSH or similar does not qualify as a UAMDM.

Upload and deploy PPPCP using UAMDM

Create a Privacy Preferences Policy Control profile (PPPCP) to allow the system extension remotely for your end users. Deploy the PPPCP using a UAMDM.

  1. Download the attached file for your macOS endpoints:
    • Threatdown Protection - Malicious Web Access Control (MWAC).mobileconfig
  2. Upload the file to your MDM.
  3. Save and deploy your PPPCP by UAMDM as a device profile.

For troubleshooting Web Protection on macOS, see Troubleshooting macOS Web Protection in OneView.

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more