Skyhigh Security

Deploy Skyhigh Client using Intune

This topic provides step-by-step instructions for deploying the Skyhigh Client on macOS devices using Microsoft Intune. It also explains how to monitor the Skyhigh Client status, which ensures the client is functioning seamlessly across managed devices.  

Validate Deployment and Monitor the Status of the Skyhigh Client

To validate deployment and monitor the status of the Skyhigh Client:

  1. Enroll the Device
  2. Create Skyhigh Client Profiles
  3. Deploy Skyhigh Client and Skyhigh Client Policy

Enroll the Device

Enrolling the device in Microsoft Intune lets you enable centralized management, enforce policies, and remotely deploy the Skyhigh Client.

Download the Company Portal App

To download the company portal app:

  1. Open App Store on your Mac device.
  2. Search for Company Portal.
  3. Download and install the Company Portal app.

Sign In to Company Portal

Open the Company Portal app, and sign in with the login credentials.

Start Enrollment

Click Start to initiate the process.

Install Management Profile 

  1. Click Install Management Profile on your macOS.
    This profile enables Intune to manage your device.
  2. You are directed to System Preferences > Profiles.
  3. Click Install on the profile page to enable the profile installation.
  4. Follow the on-screen instructions and grant permission to install the profile.

Complete Enrollment

After installing the profile, the Company Portal confirms that you have successfully enrolled in Intune. Restart the device to finalize the enrollment.

Access Work Resources

After enrollment, you should be able to access work apps, email, and resources as required.

Create Skyhigh Client Profiles

In this section, you create the following profiles to configure the Skyhigh Client and ensure effective security and traffic filtering on managed devices:

  1. Update the following profiles:

    • System Extension Profile

      • Allowed System Extensions

      • Removable System Extensions

    • Content Filter Profile

    • App Proxy Filter (VPN) profile

      • VPN profile

      • Packet Tunnel profile

  2. Push profiles to the endpoint.

To create the system extensions profile:

  1. Navigate to Devices > macOS devices > Configuration.
  2. Click the Create button and then click New Policy.
    The Create a profile right panel opens.
    By default, macOS is selected in the Platform drop-down list.
  3. From the Profile type drop-down list, select Settings catalog as profile type.
  4. Click Create.
  5. The Create profile window opens.

  6. Enter the details under the Basics, Configuration settings, Scope tags, Assignments, and Review + create tabs.

Basics

To configure the Basics tab:

  1. In the Basics tab, enter the following details: 
    • Name - Enter a name for the policy.
    • Description - Enter a description for the policy.
    • Platform - By default, macOS is selected as the platform.
  2. Click Next.
    The Configuration settings tab displays.


Configuration settings 

To configure the Configuration settings tab:

  1. Click Add settings.
  2. In the Settings picker field, search for System Extension.
  3. From the search result, select System Configuration > System Extensions.
  4. Under Setting name selection, check the Allowed System Extensions and Allowed Team Identifiers boxes.
  5. Click Removable system extension and Team identifier.
  6. Under the Allowed System Extensions section, click + Edit instance to configure settings.
    The configure instance panel displays.
  7. Under the System Extensions settings, add the following extensions:
    • com.skyhighsecurity.epclient.networkextension
    • com.skyhighsecurity.epclient
  8. In the Team Identifier field, enter W6824P2V89 as the team identifier.
  9. Click Save.
  10. Under the Removable System Extensions section, click + Edit instance to configure settings.
    The configure instance panel appears.
  11. Under the System Extensions settings, add the following extensions:
    • com.skyhighsecurity.epclient.networkextension
    • com.skyhighsecurity.epclient
  12. In the Team Identifier field, enter W6824P2V89 as the team identifier.
  13. Click Save.
  14. Click Next.
    The Scope tags tab opens.

Scope Tags

To configure the Scope tags tab:

  1. Default is selected under the Scope tags tab. 
  2. Click Next.
    The Assignments tab opens.

Assignments

To configure the Assignments tab:

  1. In the Assignments tab, select the Add groups sub tab and add the groups.
  2. Select the Add all users sub tab and add all the users.
  3. Select the Add all devices sub tab and add the devices.
  4. Click Next.
    The Review + create tab opens.


Review the system extensions profile and click Create.

The System Extensions profile is created.

To view the report for the system extension profile created: 

  1. Navigate to Devices > macOS devices.
  2. Click the Configuration tab.
  3. Click the profile created to view the report.

Create Content Filter Profile

To create the Content Filter profile:

  1. Navigate to Devices > macOS devices > Configuration.
  2. Click the Create button and then click New Policy.
    The Create a profile right panel opens.
  3. By default, macOS is selected in the Platform drop-down list.
  4. From the Profile type drop-down list, select Settings catalog as profile type.
  5. Click Create.
    The Create profile window opens.

  6. Enter the details under the Basics, Configuration settings, Scope tags, Assignments, and Review + create tabs.

To configure the Basics tab:

  1. In the Basics tab, enter the following details: 

    • Name - Enter the name for the policy.

    • Description - Enter a description for the policy.

    • Platform - By default, macOS is selected as the platform.

  2. Click Next.
    The Configuration settings tab displays.


Configuration settings 

To configure the Configuration settings tab:

  1. Click Add settings.
  2. In the Settings picker field, search for Web.
  3. From the search result, select Web > Web Content Filter.
  4. Under the Setting name section, select the following settings and enter the values:
    • Plugin Bundle ID - com.skyhighsecurity.epclient
    • Filter Data Provider Designated Requirement - anchor apple generic and identifier "com.skyhighsecurity.epclient.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = W6824P2V89)
    • Filter Data Provider Bundle Identifier - com.skyhighsecurity.epclient.networkextension
    • Filter Sockets - True
    • Filter Type - Built-in

The Scope tags tab opens.


Scope tags

To configure the Scope tags tab:

  1. Default is selected under scope tags.
  2. Click Next.
    The Assignments tab opens.


Assignments

To configure the Assignments tab:

  1. In the Assignments tab, select the Add groups sub tab and add the groups.
  2. Click Next.
    The Review + create tab opens.


Review + create

Review the content filter profile and click Create.

To view the report for the content filter profile created:

  1. Navigate to Devices > macOS devices.
  2. Click the Configuration tab.
  3. Click the profile created to view the report.

Create a VPN Profile for App Proxy 

To configure a VPN profile for App Proxy:

  1. Navigate to Devices > macOS devices > Configuration.
  2. Click the Create button and then click New Policy.
    The Create a profile right panel opens.
  3. By default, macOS is selected in the Platform drop-down list.
  4. From the Profile drop-down list, select Templates.
  5. Search and select VPN as the template name.
    The VPN profile window opens.

  6. Enter the details in the Basics, Configuration settings, Assignments, and Review + create tabs.

Basics 

To configure the Basics tab:

  1. In the Basics tab, enter the following details: 

    • Name - Enter a name for the policy.

    • Description - Enter a description for the policy.

    • Platform - By default, macOS is selected as platform.

    • Profile type - By default, VPN is selected as profile type.

  2. Click the Review + Save button.
    The Configuration settings tab opens.


Configuration settings

Configure the Base VPN and Custom VPN settings as follows:

Base VPN:

  • VPN identifier - com.skyhighsecurity.epclient
  • Connection type - Custom VPN
  • VPN server address - localhost
  • Deployment Channel - User channel
  • Authentication method - Username and password
  • Connection name - vpn_profile_App-Proxy

 

Custom VPN

Enter key and value pairs for the custom VPN attributes:

  • VPN Type - VPN
  • Provider Bundle Identifier - com.skyhighsecurity.epclient.networkextension
  • Provider Type - App-Proxy
  • Include All Networks - False
  • Exclude Local Networks - False
  • Provider Designated Requirement - anchor apple generic and identifier "com.skyhighsecurity.epclient.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = W6824P2V89)
  • Identity Certificate - None

The Assignments tab opens.


Assignments 

To configure the Assignments tab:

  1. In the Assignments tab, select Add groups.
  2. Click Next.
    The Review + create tab opens.


Review the VPN profile for the app proxy filter and click Create.

To view the report for the VPN profile created for App Proxy:

  1. Navigate to Devices > macOS devices.
  2. Click the Configuration tab.
  3. Click the View report button to view the report for the profile created.

Create a VPN Profile for Packet Tunnel 

This section describes how to create a VPN profile for packet tunnel.

To create a VPN profile for packet tunnel:

  1. Navigate to Devices > macOS devices > Configuration.
  2. Click the Create button and then click New Policy.
    The Create a profile right panel opens.
  3. By default, macOS is selected in the Platform drop-down list.
  4. From the Profile drop-down list, select Templates.
  5. Search for and select VPN as the template name.
    The VPN profile window opens.

  6. Enter the details in the Basics, Configuration settings, Assignments, and Review + create tabs.

Basics 

To configure the Basics tab:

  1. In the Basics tab, enter the following details: 
    • Name - Enter a name for the policy.

    • Description - Enter a description for the policy.

    • Platform - By default, macOS is selected as platform.

    • Profile type - By default, VPN is selected as profile type.

  2. Click Next.
    The Configurations Settings tab opens.


Configuration settings

Configure the Base VPN and Custom VPN settings as follows:

Base VPN:

  • Deployment Channel - User channel
  • Connection name - vpn_profile_Packet_tunnel
  • VPN server address - localhost
  • Authentication method - Username and password
  • Connection type - Custom VPN
  • VPN identifier - com.skyhighsecurity.epclient

Custom VPN

Enter key and value pairs for the custom VPN attributes:

  • VPN Type - VPN
  • Provider Bundle Identifier - com.skyhighsecurity.epclient.networkextension
  • Provider Type - Packet-tunnel
  • Include All Networks - False
  • Exclude Local Network - False
  • Provider Designated Requirement - anchor apple generic and identifier "com.skyhighsecurity.epclient.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = W6824P2V89)
  • Identity Certificate - None

The Assignments tab opens.
 


Assignments 

To configure the Assignments tab:

  1. In the Assignments tab, select Add groups.
  2. Click Next.
    The Review + create tab opens.


Review the VPN profile for packet tunnel filter and click Create.

To view the VPN Profile Packet tunnel report:

  1. Navigate to Devices > macOS devices.
  2. Click the Configuration tab.
  3. Click the View report button to view the report for the profile created.

Deploy Skyhigh Client and Apply Skyhigh Client Policy

Deploying the Skyhigh Client and applying the policies on managed devices ensures consistent security enforcement and effective traffic control.

  1. Navigate to Apps > macOS apps.
  2. Click the Create button.
  3. From the App type drop-down list, select macOS app (PKG).
  4. Click Select.

  5. In the App package file field, browse to and select the SC package (.pkg) file.
  6. Click OK.
  7. Enter the following settings:
     
    • Name - Skyhigh Security
    • Description - Skyhigh Client Proxy
    • Publisher - Skyhigh Security
    • Ignore app version - Yes
    • Category - Other app
    • Show this as a featured app in the Company Portal - Yes
    • Developer - Skyhigh Security
    • Owner - Skyhigh Security
    • Logo - Select the Skyhigh Security Logo
  8. Click Next.
    The Program tab opens.
  9. Under the post-install script, run the script to place. 
  10. Click Next.
    The Requirements tab opens.
  11. From the Minimum operating system drop-down list, select macOS Ventura 13.0.
  12. Click Next.
    The Detection rules tab opens.
  13. Enter the following details:
    • Ignore app version = Yes
    • Add the bundle IDs:
      com.skyhighsecurity.scsystemtray 5.0.0
      com.skyhighsecurity.epclient 5.0.0
      com.skyhighsecurity.epclient.networkextension 5.0.0
  14. Click Next.
    The Assignments tab opens.

Assignments

To configure the Assignments tab:

  1. Click Add Groups to add the groups.
  2. Click Next.
    The Review + create tab opens.


Review + create

Review the installation script and click Create.

Create Skyhigh Client Compliance Script to Monitor Skyhigh Client Status

This section describes creating a script that monitors the Skyhigh Client status on managed devices. This script ensures that the client is installed, running, and functioning properly.

To create a Skyhigh Client compliance script to monitor the Skyhigh Client status:

  1. Navigate to Devices > Platform > macOS > Scripts.
  2. Click Add.

    The Add script window opens.
  3. In the Basics tab, enter the following details:
    • Name - Enter a name for the script.
    • Description - Enter a description for the script.
  4. Click Next.
  5. In the Script settings tab:
    • Upload the script file.
    • Toggle Run script as signed-in user to No.
    • Set Hide script notifications on devices to Not Configured.
    • Set Script frequency to Not Configured.
    • Set Max number of times to retry if script fails to Not Configured.
  6. Click Next.
  7. In the Assignments tab, select Add groups, Add all users, and Add all devices.
  8. Click Next.
  9. Review the Skyhigh Client compliance script and click Add.
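
The script file uploaded in step 5 could check the system extension state like this; it is an added example, not Skyhigh's compliance script, and uses only the team identifier and bundle ID configured in the profiles above. It assumes `systemextensionsctl list` prints the team ID and bundle ID in adjacent columns and that a non-zero exit status is how the run should be marked as failed; `sysext_state` and `sample_listing` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not Skyhigh's script. Identifiers are the ones this page
# enters in the Intune profiles.
TEAM_ID="W6824P2V89"
SYSEXT_ID="com.skyhighsecurity.epclient.networkextension"

# Classify `systemextensionsctl list` output read from stdin:
#   active     - listed under TEAM_ID and [activated enabled]
#   pending    - listed under TEAM_ID but in any other state
#   wrong-team - bundle ID listed only under a different team identifier
#   missing    - bundle ID not listed
sysext_state() {
    awk -v team="$TEAM_ID" -v id="$SYSEXT_ID" '
        {   # columns: enabled active teamID bundleID (version) name [state]
            for (i = 2; i <= NF; i++) if ($i == id) {
                seen = 1
                if ($(i - 1) == team) {
                    ours = 1
                    if (index($0, "[activated enabled]")) ok = 1
                }
            }
        }
        END {
            if (ok) print "active"
            else if (ours) print "pending"
            else if (seen) print "wrong-team"
            else print "missing"
        }'
}

# Constructed sample listing (version and display name are made up).
sample_listing() {
    printf '%s\n' '1 extension(s)' \
        '--- com.apple.system_extension.network_extension' \
        'enabled active teamID bundleID (version) name [state]'
    printf '*\t*\t%s\t%s (5.0.0/1)\tExample\t[activated enabled]\n' \
        "$TEAM_ID" "$SYSEXT_ID"
}

# On a Mac, check the live listing and fail the run unless it is active.
if [ "$(uname -s)" = "Darwin" ]; then
    state=$(systemextensionsctl list 2>/dev/null | sysext_state)
    echo "Skyhigh network extension: $state"
    [ "$state" = "active" ] || exit 1
fi
```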


 

 
