Installing using MDM on Mac

Without MDM, permissions must be approved manually because of Apple requirements. That takes only a few button clicks if you're just testing, but it doesn't scale to wider deployments, for which we highly recommend (require) MDM.

We've pre-created a custom profile to make MDM profile deployment easy. Our Mac MDM profile (.mobileconfig) consists of 4 configurations:

  1. Root Certificate - for trusting the on-device SSL inspection

  2. Network Extension Permission - for re-routing traffic to the on-device proxy

  3. VPN Permission - for re-routing traffic to the on-device proxy

  4. Privacy Preferences Permission - for anti-tampering

The easiest method to import these is to upload, or copy & paste the custom profile below into your MDM software. You can also manually create it.

Some MDM software will require you to save & upload this as a .mobileconfig file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>DopeSecurityApp</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.3FC862E3-0F98-45DA-9BA0-B00D74C6E82E</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>798346BB-9A01-40B3-8EA6-377B26B0018B</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>DopeSecurityApp</string>
			<key>VPN</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>ProviderBundleIdentifier</key>
				<string>security.dope.DopeSecurityApp.Redirector</string>
				<key>ProviderDesignatedRequirement</key>
				<string>anchor apple generic and identifier "security.dope.DopeSecurityApp.Redirector" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "63JU25B8Q7")</string>
				<key>RemoteAddress</key>
				<string>localhost</string>
			</dict>
			<key>VPNSubType</key>
			<string>security.dope.DopeSecurityApp</string>
			<key>VPNType</key>
			<string>VPN</string>
			<key>VendorConfig</key>
			<dict>
				<key>Group</key>
				<string>63JU25B8Q7.security.dope.DopeSecurityApp</string>
			</dict>
		</dict>
		<dict>
			<key>AllowedTeamIdentifiers</key>
			<array>
				<string>63JU25B8Q7</string>
			</array>
			<key>PayloadDisplayName</key>
			<string>System Extension Policy</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.system-extension-policy.190E1DB5-015F-4CAF-8AD5-9F0C293663DE</string>
			<key>PayloadType</key>
			<string>com.apple.system-extension-policy</string>
			<key>PayloadUUID</key>
			<string>1CAA9256-333E-4F53-BF59-F54984275562</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>RemovableSystemExtensions</key>
			<dict>
				<key>63JU25B8Q7</key>
				<array>
					<string>security.dope.DopeSecurityApp.Redirector</string>
				</array>
			</dict>
		</dict>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>dope.security.root</string>
			<key>PayloadContent</key>
			<data>
			LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR1RENDQXFD
			Z0F3SUJBZ0lVZHlRUUc3eFoyUUFFVEZncVhQZHptbGVCUlNBd0RR
			WUpLb1pJaHZjTkFRRUwKQlFBd2RERUxNQWtHQTFVRUJoTUNWVk14
			RXpBUkJnTlZCQWdNQ2tOaGJHbG1iM0p1YVdFeEZqQVVCZ05WQkFj
			TQpEVTF2ZFc1MFlXbHVJRlpwWlhjeEZqQVVCZ05WQkFvTURXUnZj
			R1V1YzJWamRYSnBkSGt4SURBZUJnTlZCQU1NCkYyUnZjR1V1YzJW
			amRYSnBkSGxmY205dmRGOWpZU0F4TUI0WERURTVNRFV3TWpBd01E
			QXdNRm9YRFRNNU1EVXcKTVRBd01EQXdNRm93ZERFTE1Ba0dBMVVF
			QmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RmpB
			VQpCZ05WQkFjTURVMXZkVzUwWVdsdUlGWnBaWGN4RmpBVUJnTlZC
			QW9NRFdSdmNHVXVjMlZqZFhKcGRIa3hJREFlCkJnTlZCQU1NRjJS
			dmNHVXVjMlZqZFhKcGRIbGZjbTl2ZEY5allTQXhNSUlCSWpBTkJn
			a3Foa2lHOXcwQkFRRUYKQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2MC9D
			eEREUXZWaCttRzJ5aDNTOUZWdEp2RytDVzBPYjY4K2Jpck14Z2Vq
			NQpUNVhMV1ZxUldSYURoaUIrUGRKRXBab21JakUvNXI4UWRrWlB5
			cHNacVZOakJ6ejJNOGZsb1lJeHM1MW5VZ3U0ClkrUU1wOEFEamli
			NWN1a2p0N2hUSTdaUU5nZmRVaVk3MGloTzhGOUh4Q09kM0Mzd25J
			TVhGN0FyTXlCTDVIRisKbm1DT2psRzMxbE90Yjg3WUJsa3B0WmlY
			VzlOV3dmcWVCaHlhWlJRcmxURGQ5VDJkRWhLdzBsTjMrelprbU4v
			WQp0QkNkbSs0bWU4WHBVV05Bc0NCTVJYRStqajVjbXZ5SlJHNmxh
			UTZJVi92T08xNjNrSUF4UkhTYyt3M0NjY1lXCklua2pJdnJhcEoy
			UWNjWnJEcnEreEhISnFLZEJ1b2FwTTBpN0o4dExSUUlEQVFBQm8w
			SXdRREFkQmdOVkhRNEUKRmdRVXJBWGZFTnk4Nlh0TFZxRUF1REJh
			alNvL1J6d3dFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBakFMQmdO
			VgpIUThFQkFNQ0FRWXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJB
			RUFiRWRLeUFUdzB0KzB6QUJENlM3NzVoa2ozCmNMU2JwSXNjLzFt
			T0ZpdE1Jck4wTjFCSFFrZ0FlaHJsK2F0anVpM2dXQktGZCtJYWpO
			MWZqUTRRdG9BUVQyUWMKTVFzajVZWlNWeURlUjdQaTF3UHdtUG01
			YmlFaFFER0RVSG42RWd0RDF0MWNMWnlmNnRuUE9meFZ3VDlQZ0dP
			QQpGRWNVS3BNNjlMRzNJMWtFa0ljOTI5cTNUZXFXbGZGZi9kWnUy
			eWg4SDhBUUttcXh1dno1K3A0Q2ZHT0U0QzdjCmIzUEFZclJlQmY1
			aXptdlNxREFjSjNpRTdON0ZRaG5lR3ZNK1NNbWJnUy83ZndYaVpP
			clZvY2JvdCtSM2N1eXAKd2hIUmxaa2pXK1ZJQWsvNkJBeStZQ0x4
			MXZiVGZtd3J6M3Eva3p4cU5pMURydk5WWXByVU9KK2dZOU09Ci0t
			LS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
			</data>
			<key>PayloadDisplayName</key>
			<string>Certificate</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pem.16D10826-5C9D-4C3E-968C-BE5792B1AAF2</string>
			<key>PayloadType</key>
			<string>com.apple.security.pem</string>
			<key>PayloadUUID</key>
			<string>16D10826-5C9D-4C3E-968C-BE5792B1AAF2</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Privacy Preferences Policy Control #1</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.TCC.configuration-profile-policy.979E8021-9009-488A-9387-BFD0A394B1CC</string>
			<key>PayloadType</key>
			<string>com.apple.TCC.configuration-profile-policy</string>
			<key>PayloadUUID</key>
			<string>979E8021-9009-488A-9387-BFD0A394B1CC</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Services</key>
			<dict>
				<key>SystemPolicyAllFiles</key>
				<array>
					<dict>
						<key>Allowed</key>
						<true/>
						<key>CodeRequirement</key>
						<string>anchor apple generic and identifier "security.dope.DopeSecurityApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "63JU25B8Q7")</string>
						<key>Identifier</key>
						<string>security.dope.DopeSecurityApp</string>
						<key>IdentifierType</key>
						<string>bundleID</string>
						<key>StaticCode</key>
						<false/>
					</dict>
				</array>
			</dict>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>DopeSecurityApp</string>
	<key>PayloadIdentifier</key>
	<string>DOPE.D66FA254-FEC6-4BBD-80CC-7CFB4A93CF8E</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>FFC74072-37BC-46C4-B376-81547F290B9F</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
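
Before a profile like this goes into MDM, it helps to confirm which payloads it carries, which team ID its permissions are pinned to, and which root certificate it installs. The following is an added example, not dope.security's code: it parses a .mobileconfig with Python's plistlib and reports those points. The sample profile, the team ID ABCDE12345 and the identifier com.example.agent are constructed placeholders.

```python
import hashlib, plistlib, re, ssl

# The four payload types carried by the profile on this page.
EXPECTED = {"com.apple.vpn.managed", "com.apple.system-extension-policy",
            "com.apple.security.pem", "com.apple.TCC.configuration-profile-policy"}
# Team ID inside a code requirement string, quoted or not.
OU_RE = re.compile(r'subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?')

def audit_profile(raw: bytes) -> dict:
    """Summarise what a .mobileconfig trusts and grants before it goes into MDM."""
    report = {"types": set(), "team_ids": set(), "tcc": [], "cert_sha256": []}
    for p in plistlib.loads(raw).get("PayloadContent", []):
        ptype = p.get("PayloadType", "")
        report["types"].add(ptype)
        if ptype == "com.apple.security.pem":
            # <data> holds PEM text; hash the DER bytes to get the usual fingerprint.
            der = ssl.PEM_cert_to_DER_cert(p["PayloadContent"].decode("ascii").strip())
            report["cert_sha256"].append(hashlib.sha256(der).hexdigest())
        elif ptype == "com.apple.system-extension-policy":
            report["team_ids"].update(p.get("AllowedTeamIdentifiers", []))
        elif ptype == "com.apple.vpn.managed":
            req = p.get("VPN", {}).get("ProviderDesignatedRequirement", "")
            report["team_ids"].update(OU_RE.findall(req))
        elif ptype == "com.apple.TCC.configuration-profile-policy":
            for service, entries in p.get("Services", {}).items():
                for e in entries:
                    report["tcc"].append((service, e.get("Identifier"), e.get("Allowed")))
                    report["team_ids"].update(OU_RE.findall(e.get("CodeRequirement", "")))
    report["missing"] = EXPECTED - report["types"]
    report["unexpected"] = report["types"] - EXPECTED
    return report

def sample_profile(team: str = "ABCDE12345") -> bytes:
    """Constructed stand-in with the same payload types; not the vendor's profile."""
    req = f'anchor apple generic and certificate leaf[subject.OU] = "{team}"'
    pem = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real certificate")
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "VPN": {"ProviderDesignatedRequirement": req}},
        {"PayloadType": "com.apple.system-extension-policy", "AllowedTeamIdentifiers": [team]},
        {"PayloadType": "com.apple.security.pem", "PayloadContent": pem.encode()},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy", "Services": {
            "SystemPolicyAllFiles": [{"Identifier": "com.example.agent", "Allowed": True,
                                      "CodeRequirement": req}]}},
    ]})

if __name__ == "__main__":
    for key, value in audit_profile(sample_profile()).items():
        print(f"{key}: {value}")
```

To audit the profile above, save it as a .mobileconfig file and pass its bytes to `audit_profile`. More than one entry in `team_ids`, or anything in `unexpected`, is worth a closer look before deployment.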

After deploying the MDM profile, you can now upload the .zip and have it deployed to your target systems.

It's unusual, but if you need a DMG for any reason, you can run this command:

hdiutil create -format UDZO -srcfolder dope_security_mac_1.0.9723 dope_1-0-9721.dmg

After deploying MDM & the installer to your target devices, users will no longer be required to enter their password or accept other permissions. That's it!
