
Installing using MDM on Mac


Last updated 10 months ago

Without MDM, permissions have to be manually approved due to Apple requirements. It's a few button clicks to approve if you're just testing, but it doesn't scale for wider deployments, for which we highly recommend (require) MDM.

We've pre-created a custom profile to make MDM profile deployment easy. Our Mac MDM profile (.mobileconfig) consists of 4 configurations:

  1. Root Certificate - for trusting the on-device SSL inspection

  2. Network Extension Permission - for re-routing traffic to the on-device proxy

  3. VPN Permission - for re-routing traffic to the on-device proxy

  4. Privacy Preferences Permission - for anti-tampering

The easiest method to import these is to upload, or copy & paste the custom profile below into your MDM software. You can also manually create it.

Some MDM software will require you to save & upload this as a .mobileconfig file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>DopeSecurityApp</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.3FC862E3-0F98-45DA-9BA0-B00D74C6E82E</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>798346BB-9A01-40B3-8EA6-377B26B0018B</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>DopeSecurityApp</string>
			<key>VPN</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>ProviderBundleIdentifier</key>
				<string>security.dope.DopeSecurityApp.Redirector</string>
				<key>ProviderDesignatedRequirement</key>
				<string>anchor apple generic and identifier "security.dope.DopeSecurityApp.Redirector" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = 63JU25B8Q7)</string>
				<key>RemoteAddress</key>
				<string>localhost</string>
			</dict>
			<key>VPNSubType</key>
			<string>security.dope.DopeSecurityApp</string>
			<key>VPNType</key>
			<string>VPN</string>
			<key>VendorConfig</key>
			<dict>
				<key>Group</key>
				<string>63JU25B8Q7.security.dope.DopeSecurityApp</string>
			</dict>
		</dict>
		<dict>
			<key>AllowedTeamIdentifiers</key>
			<array>
				<string>63JU25B8Q7</string>
			</array>
			<key>PayloadDisplayName</key>
			<string>System Extension Policy</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.system-extension-policy.190E1DB5-015F-4CAF-8AD5-9F0C293663DE</string>
			<key>PayloadType</key>
			<string>com.apple.system-extension-policy</string>
			<key>PayloadUUID</key>
			<string>1CAA9256-333E-4F53-BF59-F54984275562</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>RemovableSystemExtensions</key>
			<dict>
				<key>63JU25B8Q7</key>
				<array>
					<string>security.dope.DopeSecurityApp.Redirector</string>
				</array>
			</dict>
		</dict>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>dope.security.root</string>
			<key>PayloadContent</key>
			<data>
			LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR1RENDQXFD
			Z0F3SUJBZ0lVZHlRUUc3eFoyUUFFVEZncVhQZHptbGVCUlNBd0RR
			WUpLb1pJaHZjTkFRRUwKQlFBd2RERUxNQWtHQTFVRUJoTUNWVk14
			RXpBUkJnTlZCQWdNQ2tOaGJHbG1iM0p1YVdFeEZqQVVCZ05WQkFj
			TQpEVTF2ZFc1MFlXbHVJRlpwWlhjeEZqQVVCZ05WQkFvTURXUnZj
			R1V1YzJWamRYSnBkSGt4SURBZUJnTlZCQU1NCkYyUnZjR1V1YzJW
			amRYSnBkSGxmY205dmRGOWpZU0F4TUI0WERURTVNRFV3TWpBd01E
			QXdNRm9YRFRNNU1EVXcKTVRBd01EQXdNRm93ZERFTE1Ba0dBMVVF
			QmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RmpB
			VQpCZ05WQkFjTURVMXZkVzUwWVdsdUlGWnBaWGN4RmpBVUJnTlZC
			QW9NRFdSdmNHVXVjMlZqZFhKcGRIa3hJREFlCkJnTlZCQU1NRjJS
			dmNHVXVjMlZqZFhKcGRIbGZjbTl2ZEY5allTQXhNSUlCSWpBTkJn
			a3Foa2lHOXcwQkFRRUYKQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2MC9D
			eEREUXZWaCttRzJ5aDNTOUZWdEp2RytDVzBPYjY4K2Jpck14Z2Vq
			NQpUNVhMV1ZxUldSYURoaUIrUGRKRXBab21JakUvNXI4UWRrWlB5
			cHNacVZOakJ6ejJNOGZsb1lJeHM1MW5VZ3U0ClkrUU1wOEFEamli
			NWN1a2p0N2hUSTdaUU5nZmRVaVk3MGloTzhGOUh4Q09kM0Mzd25J
			TVhGN0FyTXlCTDVIRisKbm1DT2psRzMxbE90Yjg3WUJsa3B0WmlY
			VzlOV3dmcWVCaHlhWlJRcmxURGQ5VDJkRWhLdzBsTjMrelprbU4v
			WQp0QkNkbSs0bWU4WHBVV05Bc0NCTVJYRStqajVjbXZ5SlJHNmxh
			UTZJVi92T08xNjNrSUF4UkhTYyt3M0NjY1lXCklua2pJdnJhcEoy
			UWNjWnJEcnEreEhISnFLZEJ1b2FwTTBpN0o4dExSUUlEQVFBQm8w
			SXdRREFkQmdOVkhRNEUKRmdRVXJBWGZFTnk4Nlh0TFZxRUF1REJh
			alNvL1J6d3dFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBakFMQmdO
			VgpIUThFQkFNQ0FRWXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJB
			RUFiRWRLeUFUdzB0KzB6QUJENlM3NzVoa2ozCmNMU2JwSXNjLzFt
			T0ZpdE1Jck4wTjFCSFFrZ0FlaHJsK2F0anVpM2dXQktGZCtJYWpO
			MWZqUTRRdG9BUVQyUWMKTVFzajVZWlNWeURlUjdQaTF3UHdtUG01
			YmlFaFFER0RVSG42RWd0RDF0MWNMWnlmNnRuUE9meFZ3VDlQZ0dP
			QQpGRWNVS3BNNjlMRzNJMWtFa0ljOTI5cTNUZXFXbGZGZi9kWnUy
			eWg4SDhBUUttcXh1dno1K3A0Q2ZHT0U0QzdjCmIzUEFZclJlQmY1
			aXptdlNxREFjSjNpRTdON0ZRaG5lR3ZNK1NNbWJnUy83ZndYaVpP
			clZvY2JvdCtSM2N1eXAKd2hIUmxaa2pXK1ZJQWsvNkJBeStZQ0x4
			MXZiVGZtd3J6M3Eva3p4cU5pMURydk5WWXByVU9KK2dZOU09Ci0t
			LS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
			</data>
			<key>PayloadDisplayName</key>
			<string>Certificate</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pem.16D10826-5C9D-4C3E-968C-BE5792B1AAF2</string>
			<key>PayloadType</key>
			<string>com.apple.security.pem</string>
			<key>PayloadUUID</key>
			<string>16D10826-5C9D-4C3E-968C-BE5792B1AAF2</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Privacy Preferences Policy Control #1</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.TCC.configuration-profile-policy.979E8021-9009-488A-9387-BFD0A394B1CC</string>
			<key>PayloadType</key>
			<string>com.apple.TCC.configuration-profile-policy</string>
			<key>PayloadUUID</key>
			<string>979E8021-9009-488A-9387-BFD0A394B1CC</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Services</key>
			<dict>
				<key>SystemPolicyAllFiles</key>
				<array>
					<dict>
						<key>Allowed</key>
						<true/>
						<key>CodeRequirement</key>
						<string>anchor apple generic and identifier "security.dope.DopeSecurityApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "63JU25B8Q7")</string>
						<key>Identifier</key>
						<string>security.dope.DopeSecurityApp</string>
						<key>IdentifierType</key>
						<string>bundleID</string>
						<key>StaticCode</key>
						<false/>
					</dict>
				</array>
			</dict>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>DopeSecurityApp</string>
	<key>PayloadIdentifier</key>
	<string>DOPE.D66FA254-FEC6-4BBD-80CC-7CFB4A93CF8E</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>FFC74072-37BC-46C4-B376-81547F290B9F</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

After deploying the MDM profile, you can now upload the .zip and have it deployed to your target systems.

It's unusual, but if you need a DMG for any reason, you can run this command:

hdiutil create -format UDZO -srcfolder dope_security_mac_1.0.9723 dope_1-0-9721.dmg

After deploying MDM & the installer to your target devices, users will no longer be required to enter their password or accept other permissions. That's it!
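
The profile above adds a trusted root certificate and grants Full Disk Access (SystemPolicyAllFiles), so it is worth summarising exactly what a .mobileconfig contains before importing it into MDM. The Python sketch below is an added example, not dope.security's code; it assumes an unsigned XML profile, and the sample profile, bundle identifiers, team ID and certificate bytes in it are constructed placeholders.

```python
import base64, hashlib, plistlib, re

# Constructed sample: the same four payload types as the profile above, with
# placeholder identifiers and dummy certificate bytes (not a real X.509 cert).
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER)
            + b"\n-----END CERTIFICATE-----\n")
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadScope": "System",
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed",
         "VPN": {"ProviderBundleIdentifier": "com.example.agent.Redirector"}},
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedTeamIdentifiers": ["EXAMPLETEAM"]},
        {"PayloadType": "com.apple.security.pem", "PayloadContent": FAKE_PEM},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {"SystemPolicyAllFiles": [
             {"Allowed": True, "Identifier": "com.example.agent",
              "CodeRequirement": 'identifier "com.example.agent"'}]}},
    ],
})

def cert_fingerprint(blob: bytes) -> str:
    """SHA-256 of the certificate's DER bytes; accepts a PEM or raw DER payload."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  blob, re.S)
    der = base64.b64decode(m.group(1)) if m else blob
    return hashlib.sha256(der).hexdigest()

def audit_profile(raw: bytes) -> dict:
    """Summarise the trust and privileges an unsigned .mobileconfig grants."""
    report = {"types": [], "root_ca_sha256": [], "team_ids": [],
              "vpn_providers": [], "tcc_grants": []}
    for p in plistlib.loads(raw).get("PayloadContent", []):
        ptype = p.get("PayloadType", "")
        report["types"].append(ptype)
        if ptype in ("com.apple.security.pem", "com.apple.security.root"):
            report["root_ca_sha256"].append(cert_fingerprint(p["PayloadContent"]))
        elif ptype == "com.apple.system-extension-policy":
            report["team_ids"] += p.get("AllowedTeamIdentifiers", [])
        elif ptype == "com.apple.vpn.managed":
            report["vpn_providers"].append(p.get("VPN", {}).get("ProviderBundleIdentifier"))
        elif ptype == "com.apple.TCC.configuration-profile-policy":
            for service, entries in p.get("Services", {}).items():
                report["tcc_grants"] += [(service, e.get("Identifier"))
                                         for e in entries if e.get("Allowed")]
    return report

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

Run against the saved profile with `audit_profile(open(path, "rb").read())` and compare the reported root CA fingerprint and team identifier with values obtained from the vendor out of band.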

Sample system extension policy from Simple MDM