Digital Guardian Compatibility

When both Digital Guardian (DG) and dope.security are deployed, dope.endpoint may intercept browser traffic before Digital Guardian does, so DG's DLP policies never see that traffic and are not applied.

The Issue

macOS processes network extensions in order. By default, the most recently installed transparent proxy handles traffic first. This means:

  • Browser → Dope (intercepts) → DG (sees traffic from Dope, not the browser, so ignores it) → Internet

DG only monitors traffic that originates from browsers (Chrome, Firefox, Safari, Edge). Because it ignores flows that arrive from another proxy, it must come first in the network extension ordering to function.

The Fix

Deploy this MDM profile to set explicit ordering so that DG processes traffic before dope.security:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		
		<dict>
			<key>PayloadDisplayName</key>
			<string>DopeSecurityApp</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.3FC862E3-0F98-45DA-9BA0-B00D74C6E820</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>798346BB-9A01-40B3-8EA6-377B26B00180</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>DopeSecurityApp</string>
			<key>TransparentProxy</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>ProviderBundleIdentifier</key>
				<string>security.dope.DopeSecurityApp.Redirector</string>
				<key>ProviderDesignatedRequirement</key>
				<string>anchor apple generic and identifier "security.dope.DopeSecurityApp.Redirector" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = 63JU25B8Q7)</string>
				<key>Order</key>
				<integer>999</integer>
				<key>RemoteAddress</key>
				<string>localhost</string>
			</dict>
			<key>VPNSubType</key>
			<string>security.dope.DopeSecurityApp.Redirector</string>
			<key>VPNType</key>
			<string>TransparentProxy</string>
			<key>VendorConfig</key>
			<dict>
				<key>Group</key>
				<string>63JU25B8Q7.security.dope.DopeSecurityApp</string>
			</dict>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>DGWebProxy</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.DGWebProxy</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>91FFBEFB-B887-420D-A701-9E377BA08764</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>DGWebProxy</string>
			<key>TransparentProxy</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>ProviderBundleIdentifier</key>
				<string>com.digitalguardian.webproxy</string>
				<key>ProviderDesignatedRequirement</key>
				<string>identifier "com.digitalguardian.webproxy" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = HLGBMCXUS7</string>
				<key>Order</key>
				<integer>100</integer>
				<key>RemoteAddress</key>
				<string>localhost</string>
			</dict>
			<key>VPNSubType</key>
			<string>com.digitalguardian.webproxy</string>
			<key>VPNType</key>
			<string>TransparentProxy</string>
		</dict>
	</array>

	<key>PayloadDescription</key>
	<string>Sets NETransparentProxy provider ordering so Digital Guardian receives flows before Dope Security.</string>
	<key>PayloadDisplayName</key>
	<string>Transparent Proxy Order: Digital Guardian before Dope Security</string>
	<key>PayloadEnabled</key>
	<true/>
	<key>PayloadIdentifier</key>
	<string>security.dope.networkextension.transparentproxy.order</string>
	<key>PayloadOrganization</key>
	<string>Dope Security Inc.</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>DE2A62BB-014D-494B-BCC6-0F90BE6C508E</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
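Before pushing the profile to a fleet, it is worth checking that every TransparentProxy payload carries an explicit Order and that Digital Guardian's value is lower than the Redirector's (lower Order is handled first, which is what the profile above relies on). The following Python check is an added example, not part of the original article or of either vendor's tooling; it parses a constructed, abbreviated copy of the profile with plistlib, and the same functions accept the bytes of the real .mobileconfig.

```python
import plistlib

# Constructed, abbreviated copy of the ordering profile above: only the keys the
# check reads are kept. Feed the real .mobileconfig bytes to validate a real profile.
SAMPLE_PROFILE = b"""<plist version="1.0"><dict>
<key>PayloadContent</key><array>
  <dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>VPNType</key><string>TransparentProxy</string>
    <key>TransparentProxy</key><dict>
      <key>ProviderBundleIdentifier</key><string>security.dope.DopeSecurityApp.Redirector</string>
      <key>Order</key><integer>999</integer>
    </dict>
  </dict>
  <dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>VPNType</key><string>TransparentProxy</string>
    <key>TransparentProxy</key><dict>
      <key>ProviderBundleIdentifier</key><string>com.digitalguardian.webproxy</string>
      <key>Order</key><integer>100</integer>
    </dict>
  </dict>
</array></dict></plist>"""

DG_PROVIDER = "com.digitalguardian.webproxy"
DOPE_PROVIDER = "security.dope.DopeSecurityApp.Redirector"


def transparent_proxy_order(profile_bytes):
    """Return [(provider_bundle_id, order), ...] for each TransparentProxy payload,
    sorted the way macOS will apply them (lower Order value handled first).
    A payload with no Order key gets None and sorts last."""
    profile = plistlib.loads(profile_bytes)
    entries = []
    for payload in profile.get("PayloadContent", []):
        # Only managed VPN payloads of type TransparentProxy carry an Order key.
        if (payload.get("PayloadType") != "com.apple.vpn.managed"
                or payload.get("VPNType") != "TransparentProxy"):
            continue
        proxy = payload.get("TransparentProxy", {})
        entries.append((proxy.get("ProviderBundleIdentifier"), proxy.get("Order")))
    return sorted(entries, key=lambda e: (e[1] is None, e[1] or 0))


def dg_before_dope(profile_bytes):
    """True only when both providers have an explicit Order and DG's is lower."""
    orders = dict(transparent_proxy_order(profile_bytes))
    dg, dope = orders.get(DG_PROVIDER), orders.get(DOPE_PROVIDER)
    return dg is not None and dope is not None and dg < dope
```

A profile that omits the Order key for either provider, or gives DG the higher value, fails the check, which is the misconfiguration that leaves DLP policies silently unapplied.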

Notes

  • A reboot may be required after deploying the ordering profile

  • The Order key only works with MDM, not manual installation

  • Without MDM, the only way to control order is through installation/reinstallation timing (DG, then Dope)
