Deploy Skyhigh Client Using Jamf
This topic details how to deploy Skyhigh Client using Jamf.
User consent is required to load any third-party system extensions (for products using network extensions on macOS). As Skyhigh Client macOS 5.0.0 uses a couple of Network System Extensions for network events, prior approval of the following is required:
- Network Extension Transparent Proxy
- Content Filter Configurations
- Network Extension Packet Tunnel Provider
Jamf is a third-party MDM tool used for device management. You can install Skyhigh Client via Jamf.
Enroll a Device to Jamf
You can enroll a device into Jamf using the URL and an administrator login.
- After the application deployment is set up, you can enroll a device by invoking a URL on the device and logging in as an administrator.
- You must turn on the user-initiated enrollment for iOS devices in the Jamf console. The enrollment URL is https://xyz.jamfcloud.com/enroll/, where xyz is the URL portion provided by Jamf.
NOTE: Ensure that the URL includes the https prefix, or the URL may not load in a browser.
To enroll a device in Jamf:
- Navigate to the https://mfepsdev.jamfcloud.com/enroll/ URL.
- In the Assign to user field, enter Jamf login credentials.
- Skip the Select the site to use for enrolling this computer or mobile device option.
- Click Enroll.
The Notice window displays.
- Click Accept to continue:

- Click Continue to Install CA certificates.
- Click Download.
- You need an MDM profile for your organization for enrollment. Click Continue.
- Navigate to Privacy & Security > Profiles > MDM Profile.
- Click Install to install the downloaded configurations:

Profiles are installed.
- From the main menu in the Jamf dashboard, navigate to Computers.
A list of all the accounts managed through Jamf displays.
Create Profiles
To install Skyhigh Client, create a profile for System Extension, Content Filter, and App Proxy Filter and push these packages to the selected devices:
- Navigate to the Jamf dashboard.
- Click New to create a new profile.
- In Content Management, click Configuration Profiles.
- Navigate to Options tab and select General.
- In the Name field, enter the name of the profile.
- In the Description field, enter the purpose of the profile.
- From the Site drop-down list, select the site to add the profile.
- From the Category drop-down list, select a category to add to the profile.
- From the Level drop-down list, select the level at which the profile is applied:
- Click the Save button to save the profile details:

The profile is created.
Install the Skyhigh Client
To install the Skyhigh Client, create profiles for System Extension Payloads, Content Filter Payload and App Proxy Filter Profiles and push these packages to the selected devices:
- Create Profiles.
- Update the following profiles:
  - System Extension Profile
    - Allowed System Extensions
    - Removable System Extensions
  - Content Filter Profile
  - App Proxy Filter (VPN) profile
    - VPN profile
    - Packet Tunnel profile
- Install and uninstall SC using the following Profile settings:
System Extension Profile
To configure a System Extension Profile:
- Navigate to Configuration Profiles and click the Options tab.
- Select System Extensions to define settings for system extension.
- Click Configure:

Allowed System Extensions
To configure the allowed system extensions:
- From the System extension types drop-down list, select Allowed system extensions.
- In the Team identifier field, enter the team identifier.
- Under the Allowed System Extension section, select the applicable system extension.
- Configure the following System Extension Profile:
| Property | Value |
| --- | --- |
| Allow users to approve system extensions | Uncheck/disable |
| Allowed Team IDs and System Extensions | |
| Display Name | System_extensions_allowed |
| System Extension Types | Allowed System Extensions |
| Team Identifier | W6824P2V89 |
| Allowed system extensions | com.skyhighsecurity.epclient.networkextension, com.skyhighsecurity.epclient |
- Click Save to save the changes:

Removable System Extensions
To configure the removable system extensions:
- From the System extension types drop-down list, select Removable system extensions.
- In the Team identifier field, enter the team identifier.
- Under the Removable System Extensions section, select the applicable system extension.
- Configure the following System Extension Profile:
Profile: System Extensions Profile
Settings:
- Add System Extensions Profile.
- Configure the following:

| Property | Value |
| --- | --- |
| Removable Team IDs and System Extensions | |
| Display Name | System_extensions_removal |
| System Extension Types | Removable System Extensions |
| Team Identifier | W6824P2V89 |
| Allowed system extensions | com.skyhighsecurity.epclient.networkextension, com.skyhighsecurity.epclient |
- Click the Save button to save the changes:

Create a Content Filter Profile
To create a content filter profile:
- Navigate to Configuration Profiles and select the Options tab.
- Select Content Filter.
- Enter the Filter name and Identifier.
- Enter details from the Content Filter Payload:

- Select Payload details from the table below and fill in the fields:
Profile: Content Filter Profile
Settings:
- Add Content Filter Profile.
- Configure the following:

| Property | Value |
| --- | --- |
| Filter Sockets (Socket Filter) | True |
| Plugin Bundle ID (Identifier) | com.skyhighsecurity.epclient |
| Filter Packets (Network Filter) | False |
| Filter Data Provider Bundle Identifier (Socket Filter Bundle Identifier) | com.skyhighsecurity.epclient.networkextension |
| Filter Type | Plug-in |
| Filter Data Provider Designated Requirement (Socket Filter Designated Requirement) | anchor apple generic and identifier "com.skyhighsecurity.epclient.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = W6824P2V89) |

- Click Save to save the changes.
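Added example (not part of the Skyhigh or Jamf documentation): a Python check that an unsigned .mobileconfig carries the System Extension and Content Filter values listed above, so a wrong team identifier, a missing designated requirement or user-approvable extensions are caught before the profile is scoped. The payload types and key names are Apple's configuration-profile keys; the function names and the sample profile are constructed for illustration.

```python
import plistlib

# Expected values, all taken from the tables on this page.
TEAM_ID = "W6824P2V89"
APP_ID = "com.skyhighsecurity.epclient"
EXT_ID = "com.skyhighsecurity.epclient.networkextension"
FILTER_EXPECTED = {
    "FilterType": "Plugin",  # payload value behind the "Plug-in" label
    "PluginBundleID": APP_ID,
    "FilterSockets": True, "FilterPackets": False,
    "FilterDataProviderBundleIdentifier": EXT_ID,
}

def audit_profile(data: bytes) -> list:
    """Return findings for an unsigned .mobileconfig; [] means it matches."""
    findings, seen = [], set()
    for p in plistlib.loads(data).get("PayloadContent", []):
        ptype = p.get("PayloadType")
        if ptype == "com.apple.system-extension-policy" and "AllowedSystemExtensions" in p:
            seen.add("system extension policy")
            if p.get("AllowUserOverrides", True):  # key defaults to true when absent
                findings.append("users can approve other system extensions")
            allowed = p["AllowedSystemExtensions"]
            for team in sorted(set(allowed) - {TEAM_ID}):
                findings.append(f"unexpected team identifier {team}")
            for ext in sorted({APP_ID, EXT_ID} - set(allowed.get(TEAM_ID, []))):
                findings.append(f"extension not allowed: {ext}")
        elif ptype == "com.apple.webcontent-filter":
            seen.add("content filter")
            for key, want in FILTER_EXPECTED.items():
                if p.get(key) != want:  # strict: an absent key counts as a mismatch
                    findings.append(f"{key} is {p.get(key)!r}, expected {want!r}")
            req = p.get("FilterDataProviderDesignatedRequirement", "")
            if f'identifier "{EXT_ID}"' not in req or f"[subject.OU] = {TEAM_ID}" not in req:
                findings.append("designated requirement does not pin identifier and team")
    missing = {"system extension policy", "content filter"} - seen
    return findings + [f"missing payload: {name}" for name in sorted(missing)]

def constructed_profile(user_overrides=False, team=TEAM_ID) -> bytes:
    """Constructed sample profile (not exported from a real Jamf server)."""
    req = f'anchor apple generic and identifier "{EXT_ID}" and certificate leaf[subject.OU] = {team}'
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy", "AllowUserOverrides": user_overrides,
         "AllowedSystemExtensions": {team: [APP_ID, EXT_ID]}},
        dict(FILTER_EXPECTED, PayloadType="com.apple.webcontent-filter",
             FilterDataProviderDesignatedRequirement=req),
    ]})

if __name__ == "__main__":
    print(audit_profile(constructed_profile(user_overrides=True)))
```

A profile downloaded in signed form has to be unwrapped to its plain plist before it is passed to audit_profile.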
Configure the VPN Profile
The VPN profile has two payload configurations to be added:
- Packet-tunnel
- App-proxy
Packet-tunnel Payload
To configure the Packet-tunnel Payload:
- Navigate to Configuration Profiles and select the Options tab.
- Select VPN:

- Configure with the following Packet-tunnel Payload settings and fill in the fields:
Packet-tunnel Payload
You can use the following Proxy payload for the approval of the extension Packet-tunnel components (VPN Payload):
App-Proxy Payload
To configure the App-Proxy Payload:
- Navigate to Configuration Profiles and select the Options tab.
- Select VPN:

- Configure with the following settings for App Proxy Payload:
App-Proxy Payload
You can use the following Proxy payload for the approval of the extension Proxy components (VPN Payload):
- Navigate to the Scope tab to specify the target user and target computers.
- In the Target Computers field, select Specific Computers and in the Target Users field, select Specific Users:

- Click Save.
The profile is saved to your managed device.
Deploy SC using Self Service
To deploy Skyhigh Client using self service:
- Navigate to the Jamf server at https://mfepsdev.jamfcloud.com, then select Full jamf pro from the drop-down list to get all the features.
- Navigate to Content Management > Policies > New > General. Use the respective Site from the drop-down list and select the required Category.
- Under the Options tab, click Packages.
- Add the Skyhigh Client package you wish to install.
- From the Actions drop-down list, select Install.
- Under the Scope tab, select target computer and target users.
- Add the machine on which you want the Skyhigh Client to be installed.
- Ensure that you add the below configuration (in the above policy) so that it displays in the Self Service portal.
- Navigate to the client machine, open Self Service from Application, and select the configured package to install:

NOTE: On VPN Status modifications, the system settings pop-up displays the following message: VPN is trying to modify your system settings. Cancelling the pop-up does not affect any functionality.
Uninstall Skyhigh Client
A prompt appears for entering the admin credentials to uninstall the system extension, for both Skyhigh Client standalone and Skyhigh Client managed with Trellix ePO. If no credentials or incorrect credentials are entered, the Skyhigh Client removal does not continue. Provide correct credentials to successfully uninstall the new Skyhigh Client. For an MDM-managed system, no admin credentials are required. Jamf has provided a configuration profile through which the new Skyhigh Client can be silently uninstalled from the device without the user's intervention.
