Installing using MDM on Mac

Without MDM, Apple requires each permission to be approved manually on the device. That is a few button clicks if you're just testing, but it doesn't scale for wider deployments, for which we highly recommend (and effectively require) MDM.

We've pre-created a custom profile to make MDM profile deployment easy. Our Mac MDM profile (.mobileconfig) consists of the following configurations:

  1. Root Certificate - for trusting the on-device SSL inspection

  2. Network Extension Permission - for re-routing traffic to the on-device proxy

  3. VPN Permission - for re-routing traffic to the on-device proxy

  4. Privacy Preferences Permission - for anti-tampering

  5. Service Management Permission - for anti-tampering to login & background items

Sample system extension policy from Simple MDM

The easiest way to import these is to upload, or copy and paste, the custom profile below into your MDM software. You can also create it manually.

Some MDM software requires you to save and upload this as a .mobileconfig file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>DopeSecurityApp</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.3FC862E3-0F98-45DA-9BA0-B00D74C6E82E</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>798346BB-9A01-40B3-8EA6-377B26B0018B</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>DopeSecurityApp</string>
			<key>VPN</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>ProviderBundleIdentifier</key>
				<string>security.dope.DopeSecurityApp.Redirector</string>
				<key>ProviderDesignatedRequirement</key>
				<string>anchor apple generic and identifier "security.dope.DopeSecurityApp.Redirector" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "63JU25B8Q7")</string>
				<key>RemoteAddress</key>
				<string>localhost</string>
			</dict>
			<key>VPNSubType</key>
			<string>security.dope.DopeSecurityApp</string>
			<key>VPNType</key>
			<string>VPN</string>
			<key>VendorConfig</key>
			<dict>
				<key>Group</key>
				<string>63JU25B8Q7.security.dope.DopeSecurityApp</string>
			</dict>
		</dict>
		<dict>
			<key>AllowedTeamIdentifiers</key>
			<array>
				<string>63JU25B8Q7</string>
			</array>
			<key>PayloadDisplayName</key>
			<string>System Extension Policy</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.system-extension-policy.190E1DB5-015F-4CAF-8AD5-9F0C293663DE</string>
			<key>PayloadType</key>
			<string>com.apple.system-extension-policy</string>
			<key>PayloadUUID</key>
			<string>1CAA9256-333E-4F53-BF59-F54984275562</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>NonRemovableFromUISystemExtensions</key>
			<dict>
				<key>63JU25B8Q7</key>
				<array>
					<string>security.dope.DopeSecurityApp.Redirector</string>
					<string>security.dope.DopeSecurityApp.PacketFilter</string>
				</array>
			</dict>
			<key>RemovableSystemExtensions</key>
			<dict>
				<key>63JU25B8Q7</key>
				<array>
					<string>security.dope.DopeSecurityApp.Redirector</string>
					<string>security.dope.DopeSecurityApp.PacketFilter</string>
				</array>
			</dict>
		</dict>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>dope.security.root</string>
			<key>PayloadContent</key>
			<data>
			LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR1RENDQXFD
			Z0F3SUJBZ0lVZHlRUUc3eFoyUUFFVEZncVhQZHptbGVCUlNBd0RR
			WUpLb1pJaHZjTkFRRUwKQlFBd2RERUxNQWtHQTFVRUJoTUNWVk14
			RXpBUkJnTlZCQWdNQ2tOaGJHbG1iM0p1YVdFeEZqQVVCZ05WQkFj
			TQpEVTF2ZFc1MFlXbHVJRlpwWlhjeEZqQVVCZ05WQkFvTURXUnZj
			R1V1YzJWamRYSnBkSGt4SURBZUJnTlZCQU1NCkYyUnZjR1V1YzJW
			amRYSnBkSGxmY205dmRGOWpZU0F4TUI0WERURTVNRFV3TWpBd01E
			QXdNRm9YRFRNNU1EVXcKTVRBd01EQXdNRm93ZERFTE1Ba0dBMVVF
			QmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RmpB
			VQpCZ05WQkFjTURVMXZkVzUwWVdsdUlGWnBaWGN4RmpBVUJnTlZC
			QW9NRFdSdmNHVXVjMlZqZFhKcGRIa3hJREFlCkJnTlZCQU1NRjJS
			dmNHVXVjMlZqZFhKcGRIbGZjbTl2ZEY5allTQXhNSUlCSWpBTkJn
			a3Foa2lHOXcwQkFRRUYKQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2MC9D
			eEREUXZWaCttRzJ5aDNTOUZWdEp2RytDVzBPYjY4K2Jpck14Z2Vq
			NQpUNVhMV1ZxUldSYURoaUIrUGRKRXBab21JakUvNXI4UWRrWlB5
			cHNacVZOakJ6ejJNOGZsb1lJeHM1MW5VZ3U0ClkrUU1wOEFEamli
			NWN1a2p0N2hUSTdaUU5nZmRVaVk3MGloTzhGOUh4Q09kM0Mzd25J
			TVhGN0FyTXlCTDVIRisKbm1DT2psRzMxbE90Yjg3WUJsa3B0WmlY
			VzlOV3dmcWVCaHlhWlJRcmxURGQ5VDJkRWhLdzBsTjMrelprbU4v
			WQp0QkNkbSs0bWU4WHBVV05Bc0NCTVJYRStqajVjbXZ5SlJHNmxh
			UTZJVi92T08xNjNrSUF4UkhTYyt3M0NjY1lXCklua2pJdnJhcEoy
			UWNjWnJEcnEreEhISnFLZEJ1b2FwTTBpN0o4dExSUUlEQVFBQm8w
			SXdRREFkQmdOVkhRNEUKRmdRVXJBWGZFTnk4Nlh0TFZxRUF1REJh
			alNvL1J6d3dFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBakFMQmdO
			VgpIUThFQkFNQ0FRWXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJB
			RUFiRWRLeUFUdzB0KzB6QUJENlM3NzVoa2ozCmNMU2JwSXNjLzFt
			T0ZpdE1Jck4wTjFCSFFrZ0FlaHJsK2F0anVpM2dXQktGZCtJYWpO
			MWZqUTRRdG9BUVQyUWMKTVFzajVZWlNWeURlUjdQaTF3UHdtUG01
			YmlFaFFER0RVSG42RWd0RDF0MWNMWnlmNnRuUE9meFZ3VDlQZ0dP
			QQpGRWNVS3BNNjlMRzNJMWtFa0ljOTI5cTNUZXFXbGZGZi9kWnUy
			eWg4SDhBUUttcXh1dno1K3A0Q2ZHT0U0QzdjCmIzUEFZclJlQmY1
			aXptdlNxREFjSjNpRTdON0ZRaG5lR3ZNK1NNbWJnUy83ZndYaVpP
			clZvY2JvdCtSM2N1eXAKd2hIUmxaa2pXK1ZJQWsvNkJBeStZQ0x4
			MXZiVGZtd3J6M3Eva3p4cU5pMURydk5WWXByVU9KK2dZOU09Ci0t
			LS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
			</data>
			<key>PayloadDisplayName</key>
			<string>Certificate</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pem.16D10826-5C9D-4C3E-968C-BE5792B1AAF2</string>
			<key>PayloadType</key>
			<string>com.apple.security.pem</string>
			<key>PayloadUUID</key>
			<string>16D10826-5C9D-4C3E-968C-BE5792B1AAF2</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Privacy Preferences Policy Control #1</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.TCC.configuration-profile-policy.979E8021-9009-488A-9387-BFD0A394B1CC</string>
			<key>PayloadType</key>
			<string>com.apple.TCC.configuration-profile-policy</string>
			<key>PayloadUUID</key>
			<string>979E8021-9009-488A-9387-BFD0A394B1CC</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Services</key>
			<dict>
				<key>SystemPolicyAllFiles</key>
				<array>
					<dict>
						<key>Allowed</key>
						<true/>
						<key>CodeRequirement</key>
						<string>anchor apple generic and identifier "security.dope.DopeSecurityApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "63JU25B8Q7")</string>
						<key>Identifier</key>
						<string>security.dope.DopeSecurityApp</string>
						<key>IdentifierType</key>
						<string>bundleID</string>
						<key>StaticCode</key>
						<false/>
					</dict>
				</array>
			</dict>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Dope - Login + Background Items</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.servicemanagement.979E8021-9009-488A-9387-BFD0A394B1CD</string>
			<key>PayloadType</key>
			<string>com.apple.servicemanagement</string>
			<key>PayloadUUID</key>
			<string>B8F2A3C1-4D5E-4F6A-8B9C-1D2E3F4A5B6C</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Rules</key>
			<array>
				<dict>
					<key>RuleType</key>
					<string>TeamIdentifier</string>
					<key>RuleValue</key>
					<string>63JU25B8Q7</string>
					<key>Comment</key>
					<string>dope.security - all login and background items</string>
				</dict>
			</array>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>DopeSecurityApp</string>
	<key>PayloadIdentifier</key>
	<string>DOPE.D66FA254-FEC6-4BBD-80CC-7CFB4A93CF8E</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>FFC74072-37BC-46C4-B376-81547F290B9F</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
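Before handing a profile like the one above to an MDM, it is worth checking it mechanically rather than by eye: a duplicated PayloadUUID, a payload installed at user scope, or a Team ID that differs between the system-extension policy and the code requirements will each produce a profile that installs but leaves one of the five permissions unapproved. The script below is an added example, not dope.security tooling. It uses only the Python standard library, takes the Team ID and bundle identifier from the profile on this page, and builds a constructed, minimal profile with the same five payload types to run against; the helper names (`validate_profile`, `sample_profile`) are this example's own.

```python
"""Structural checks for a macOS .mobileconfig before MDM deployment (added example)."""
import plistlib
import re
import uuid

# Values taken from the profile on this page.
TEAM_ID = "63JU25B8Q7"
BUNDLE_ID = "security.dope.DopeSecurityApp"
# The five payload types the profile relies on, one per permission it grants.
REQUIRED_PAYLOAD_TYPES = {
    "com.apple.security.pem",                      # root certificate
    "com.apple.system-extension-policy",           # network extension permission
    "com.apple.vpn.managed",                       # VPN permission
    "com.apple.TCC.configuration-profile-policy",  # privacy preferences
    "com.apple.servicemanagement",                 # login & background items
}


def _requirement_pins_team(req: str, team_id: str) -> bool:
    """True if a code-signing requirement string pins subject.OU to team_id (quoted or not)."""
    pattern = r'certificate leaf\[subject\.OU\]\s*=\s*"?' + re.escape(team_id) + r'"?'
    return re.search(pattern, req) is not None


def validate_profile(raw: bytes, team_id: str = TEAM_ID) -> list:
    """Return a list of problems found in the profile; an empty list means it passed."""
    problems = []
    try:
        top = plistlib.loads(raw)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    if top.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    if top.get("PayloadScope") != "System":
        problems.append("PayloadScope must be 'System'; user scope cannot approve system extensions")
    payloads = top.get("PayloadContent", [])
    present = {p.get("PayloadType") for p in payloads}
    for missing in sorted(REQUIRED_PAYLOAD_TYPES - present):
        problems.append(f"missing payload type {missing}")
    # UUIDs and identifiers must be unique across the profile, and UUIDs must parse.
    for key in ("PayloadUUID", "PayloadIdentifier"):
        values = [p.get(key) for p in payloads] + [top.get(key)]
        dupes = sorted({v for v in values if values.count(v) > 1})
        if dupes:
            problems.append(f"duplicate {key}: {dupes}")
    for p in payloads:
        try:
            uuid.UUID(str(p.get("PayloadUUID", "")))
        except ValueError:
            problems.append(f"{p.get('PayloadDisplayName')}: PayloadUUID is not a UUID")
    # Every place the profile names a Team ID must agree; a mismatch silently
    # leaves that permission unapproved on the endpoint.
    for p in payloads:
        ptype = p.get("PayloadType")
        if ptype == "com.apple.system-extension-policy":
            if p.get("AllowedTeamIdentifiers") != [team_id]:
                problems.append("system-extension-policy does not allow exactly the expected team id")
        elif ptype == "com.apple.servicemanagement":
            for rule in p.get("Rules", []):
                if rule.get("RuleType") == "TeamIdentifier" and rule.get("RuleValue") != team_id:
                    problems.append("servicemanagement rule names a different team id")
        elif ptype == "com.apple.vpn.managed":
            req = p.get("VPN", {}).get("ProviderDesignatedRequirement", "")
            if not _requirement_pins_team(req, team_id):
                problems.append("VPN ProviderDesignatedRequirement does not pin the team id")
        elif ptype == "com.apple.TCC.configuration-profile-policy":
            for service, entries in p.get("Services", {}).items():
                for entry in entries:
                    if not _requirement_pins_team(entry.get("CodeRequirement", ""), team_id):
                        problems.append(f"TCC {service} CodeRequirement does not pin the team id")
        elif ptype == "com.apple.security.pem":
            data = p.get("PayloadContent", b"")  # <data> decodes to bytes
            if not isinstance(data, bytes) or not data.startswith(b"-----BEGIN CERTIFICATE-----"):
                problems.append("certificate payload does not decode to a PEM certificate")
    return problems


def sample_profile(scope: str = "System", team_id: str = TEAM_ID) -> bytes:
    """Constructed minimal profile with the same five payload types as the page's (not real keys)."""
    req = f'anchor apple generic and identifier "{BUNDLE_ID}" and certificate leaf[subject.OU] = "{team_id}"'
    pem = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n"

    def payload(ptype, **extra):
        u = str(uuid.uuid4()).upper()
        return {"PayloadType": ptype, "PayloadUUID": u, "PayloadVersion": 1,
                "PayloadIdentifier": f"{ptype}.{u}", "PayloadDisplayName": ptype, **extra}

    top = {
        "PayloadType": "Configuration", "PayloadScope": scope, "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadIdentifier": "EXAMPLE.sample-profile",
        "PayloadContent": [
            payload("com.apple.vpn.managed", VPN={"ProviderDesignatedRequirement": req}),
            payload("com.apple.system-extension-policy", AllowedTeamIdentifiers=[team_id]),
            payload("com.apple.security.pem", PayloadContent=pem),
            payload("com.apple.TCC.configuration-profile-policy",
                    Services={"SystemPolicyAllFiles": [{"Allowed": True, "CodeRequirement": req}]}),
            payload("com.apple.servicemanagement",
                    Rules=[{"RuleType": "TeamIdentifier", "RuleValue": team_id}]),
        ],
    }
    return plistlib.dumps(top)


if __name__ == "__main__":
    print(validate_profile(sample_profile()))               # []
    print(validate_profile(sample_profile(scope="User")))   # PayloadScope problem reported
```

To check a real file instead of the constructed sample, read the .mobileconfig as bytes and pass it to `validate_profile`; the Team ID check is deliberately strict because the system-extension policy, the service-management rule and the two code requirements must all name the same team for the extensions to be approved without user interaction.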

Anti-tampering on Mac

To prevent end users from tampering with or disabling the endpoint, several permissions must be part of the MDM profile above. You'll know that they are in effect because they show up inside your System Preferences as locked:

The Login & Background Items is fixed to be On
The Network Extension is fixed to be On

Deploying the .zip

After deploying the MDM profile, you can now upload the .zip and have it deployed to your target systems.

It's unusual, but if you need a DMG for any reason, you can run this command:

hdiutil create -format UDZO -srcfolder dope_security_mac_1.0.9723 dope_1-0-9721.dmg

After deploying MDM and the installer to your target devices, users will no longer be required to enter their password or accept other permissions. That's it!
