# Digital Guardian Compatibility When both DG and dope are deployed, dope.endpoint may intercept browser traffic before Digital Guardian, causing DG's DLP policies to not apply. ### The Issue macOS processes network extensions in order. By default, the most recently installed transparent proxy handles traffic first.\ \ This means: * Browser → Dope (intercepts) → DG (sees traffic from Dope, not the browser, so ignores it) → Internet {% hint style="info" %} DG only monitors traffic from browsers (Chrome, Firefox, Safari, Edge). It must come first in the network extension ordering to function. {% endhint %} ### The Fix Deploy this MDM profile to set explicit ordering so that DG processes traffic before dope.security: ```xml PayloadContent PayloadDisplayName DopeSecurityApp PayloadIdentifier com.apple.vpn.managed.3FC862E3-0F98-45DA-9BA0-B00D74C6E820 PayloadType com.apple.vpn.managed PayloadUUID 798346BB-9A01-40B3-8EA6-377B26B00180 PayloadVersion 1 UserDefinedName DopeSecurityApp TransparentProxy AuthenticationMethod Password ProviderBundleIdentifier security.dope.DopeSecurityApp.Redirector ProviderDesignatedRequirement anchor apple generic and identifier "security.dope.DopeSecurityApp.Redirector" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = 63JU25B8Q7) Order 999 RemoteAddress localhost VPNSubType security.dope.DopeSecurityApp.Redirector VPNType TransparentProxy VendorConfig Group 63JU25B8Q7.security.dope.DopeSecurityApp PayloadDisplayName DGWebProxy PayloadIdentifier com.apple.vpn.managed.DGWebProxy PayloadType com.apple.vpn.managed PayloadUUID 91FFBEFB-B887-420D-A701-9E377BA08764 PayloadVersion 1 UserDefinedName DGWebProxy TransparentProxy AuthenticationMethod Password ProviderBundleIdentifier com.digitalguardian.webproxy ProviderDesignatedRequirement identifier "com.digitalguardian.webproxy" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = HLGBMCXUS7 Order 100 RemoteAddress localhost VPNSubType com.digitalguardian.webproxy VPNType TransparentProxy PayloadDescription Sets NETransparentProxy provider ordering so Digital Guardian receives flows before Dope Security. PayloadDisplayName Transparent Proxy Order: Digital Guardian before Dope Security PayloadEnabled PayloadIdentifier security.dope.networkextension.transparentproxy.order PayloadOrganization Dope Security Inc. PayloadRemovalDisallowed PayloadScope System PayloadType Configuration PayloadUUID DE2A62BB-014D-494B-BCC6-0F90BE6C508E PayloadVersion 1 ``` ### Notes * A reboot may be required after deploying the ordering profile * The `Order` key only works with MDM, not manual installation * Without MDM, the only way to control order is through installation/reinstallation timing (DG, then Dope)