
Skyhigh Security

Deploy and Monitor the Status of the Skyhigh Client Proxy (SCP) in macOS using Intune

This topic provides step-by-step instructions for deploying the Skyhigh Client Proxy (SCP) on macOS devices using Microsoft Intune. It also explains how to monitor the SCP status, which ensures the client is functioning seamlessly across managed devices. 

Steps for Validating SCP Deployment and Monitoring the Status of the Skyhigh Client Proxy

  1. Enroll the Device
  2. Create SCP Profiles
  3. Deploy SCP and SCP Policy
  4. Create an SCP Compliance Script to Monitor SCP Status

Enroll the Device

Enrolling the device in Microsoft Intune enables centralized management, policy enforcement, and remote deployment of the SCP.

Download the Company Portal App
  1. Open App Store on your Mac device.
  2. Search for Company Portal.
  3. Download and install the Company Portal app.
Sign In to Company Portal

Open the Company Portal app and sign in with your login credentials.

Start Enrollment 

Click Start to initiate the process.

Install Management Profile
  1. Click Install Management Profile on your Mac.
    This profile allows Intune to manage your device.
  2. You are directed to System Preferences > Profiles.
  3. Click Install on the profile page to allow the profile installation.
  4. Follow on-screen instructions and grant permission to install the profile.
Complete Enrollment

Once the profile is installed, the Company Portal confirms that you have successfully enrolled in Intune. Restart the device to finalize the enrollment.

Access Work Resources

Once enrolled, you should be able to access work apps, email, and resources as required.

Create SCP Profiles

In this section, you can create profiles to configure the SCP client: the System Extensions Profile, Content Filter Profile, and App Proxy Filter (VPN) Profile. This ensures effective security and traffic filtering on managed devices.

  1. Create the following profiles:
    • System Extensions Profile
    • Content Filter Profile
    • App Proxy Filter (VPN) Profile
  2. Push profiles to the endpoint.
Create System Extensions Profile
  1. Navigate to Devices > macOS > Configuration > Create > New Policy.
  2. The Create a profile panel opens. By default, macOS is selected as the platform.
  3. In the Create a profile panel, select Settings catalog as profile type.
  4. Click Create.

The Create profile window opens. 

Complete the Basics, Configuration settings, Scope tags, Assignments, and Review + create tabs: 

Basics
  1. In the Basics tab, enter the following details: 
    • Name - Enter a name for the policy.
    • Description - Enter a description for the policy.
  2. By default, macOS is selected as the platform.
  3. Click Next.


Configuration settings 
  1. Click Add settings.
  2. In the Settings picker field, search for System Extension.
  3. From the search result, select System Configuration > System Extensions.
  4. Under Setting name selection, select the Allowed System Extensions and Allowed Team Identifiers checkboxes.

  5. Under the System Extensions section, toggle Allow User Overrides to True.
  6. Under the Allowed System Extensions section, click + Edit instance to configure settings.
    The configure instance panel appears.
  7. Under the System Extensions settings, add the following extensions:
    • com.trellix.CMF.networkextension
    • com.trellix.endpointsecurity
  8. In the Team Identifier field, enter P2BNL68L2C as the team identifier.
  9. Click Save.
  10. Click Next.

Scope tags
  1. Default is selected under scope tags. 
  2. Click Next.


Assignments
  1. In the Assignments tab, select Add groups, Add all users, and Add all devices.
  2. Click Next.


Review + create

Review the system extensions profile and click Create.


Create Content Filter Profile
  1. Navigate to Devices > macOS > Configuration > Create > New Policy.
  2. The Create a profile panel opens. By default, macOS is selected as the platform.
  3. In the Create a profile panel, select Settings catalog as profile type.
  4. Click Create.

The Create profile window opens. 

Complete the Basics, Configuration settings, Scope tags, Assignments, and Review + create tabs: 

Basics
  1. In the Basics tab, enter the following details: 
    • Name - Enter a name for the policy.
    • Description - Enter a description for the policy.
  2. By default, macOS is selected as the platform.
  3. Click Next.

Configuration settings 
  1. Click Add settings.
  2. In the Settings picker field, search for Web.
  3. From the search result, select Web > Web Content Filter.
  4. Under the Setting name section, select the following settings and enter the values:
    • Filter Data Provider Bundle Identifier - com.trellix.CMF.networkextension
    • Filter Data Provider Designated Requirement - anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C)
    • Filter Packet Provider Bundle Identifier - com.trellix.CMF.networkextension
    • Filter Packet Provider Designated Requirement - anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C)
    • Filter Packets - True
    • Filter Sockets - True
    • Filter Type - Plug-in
    • Plugin Bundle ID - com.trellix.containerapp
    • User Defined Name - TrellixSystemExtensions
  5. Click Next.

Scope tags
  1. Default is selected under scope tags. 
  2. Click Next.


Assignments 
  1. In the Assignments tab, select Add groups, Add all users, and Add all devices.
  2. Click Next.


Review + create

Review the content filter profile and click Create.


Create a VPN Profile for App Proxy Filter 
  1. Navigate to Devices > macOS > Configuration > Create > New Policy.
  2. The Create a profile panel opens. By default, macOS is selected as the platform.
  3. Select Templates as profile type.
  4. Search and select VPN as the template name.
  5. Click Create.

The VPN profile window opens. 

Complete the Basics, Configuration settings, Scope tags, Assignments, and Review + create tabs: 

Basics 
  1. In the Basics tab, enter the following details: 
    • Name - Enter a name for the policy.
    • Description - Enter a description for the policy.
  2. By default, macOS and VPN are selected as the platform and profile type.
  3. Click Next.
Configuration settings

Configure base VPN and Custom VPN settings as follows: 

Base VPN

  • Deployment Channel - User channel
  • Connection name - vpn_profile_
  • VPN server address - localhost
  • Authentication method - Username and password
  • Connection type - Custom VPN
  • VPN identifier - com.trellix.containerapp

Custom VPN

Enter key and value pairs for the custom VPN attributes:

  • VPN Type - VPN
  • Provider Bundle Identifier - com.trellix.CMF.networkextension
  • Provider Type - App-Proxy
  • Include All Networks - False
  • Exclude Local Networks - False
  • Provider Designated Requirement - anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C)
  • Identity Certificate - None

Click Next.

Scope tags
  1. Default is selected under scope tags. 
  2. Click Next.

Assignments
  1. In the Assignments tab, select Add groups, Add all users, and Add all devices.
  2. Click Next.


Review + create

Review the VPN profile for app proxy filter and click Create.


Deploy SCP and Apply SCP Policy

Deploying the SCP and applying the policies on managed devices ensures consistent security enforcement and effective traffic control.

  1. Navigate to Apps > Platform > macOS apps > Create.

  2. Select macOS app (PKG) for app type.
  3. Browse and select the SCP package (.pkg) file.
  4. Click OK.

  5. Enter the following settings:
    • Name = Skyhigh Security
    • Description = Skyhigh Client Proxy
    • Publisher = Skyhigh Security
    • Ignore app version = Yes
    • Category = Other app
    • Show this as a featured app in the Company Portal = Yes
    • Developer = Skyhigh Security
    • Owner = Skyhigh Security
    • Logo = Select the Skyhigh Security Logo
  6. Click Next.
  7. In the Program tab, under Post-install script, enter the following script, which places scppolicy.opg under /usr/local/McAfee/SCP/policy.

#!/bin/bash

# Define the source and destination paths
SOURCE="/Users/test/Documents/scppolicy.opg"
DESTINATION="/usr/local/McAfee/Scp/policy/scppolicy.opg"

# Define the permissions mode (e.g., 755 for read/write/execute for owner, read/execute for others)
PERMISSION_MODE="755"

# Copy the policy file into place and stop with an error if the copy fails
cp -f "$SOURCE" "$DESTINATION" || exit 1

#chmod "$PERMISSION_MODE" "$DESTINATION"  # Set the file permissions

exit 0

  8. Click Next.
  9. In the Requirements tab, select macOS Monterey 12.0 as the minimum operating system.
  10. Click Next.
  11. In the Detection rules tab, enter the following details:
    • Ignore app version > Yes
    • Add the bundle IDs, listed as App Bundle ID (CFBundleIdentifier) - App version (CFBundleShortVersionString):
      • com.mcafee.Menulet - 10.7.10
      • com.trellix.agentMonitor.helperApplication - 10.7.10
      • com.mcafee.maStatusMonitorHelper - 10.7.10
      • com.mcafee.console - 10.7.10
      • com.trellix.containerapp - 10.7.10
      • com.skyhighsecurity.epclient - 4.9.3

  12. In the Assignments tab, select Add group, Add all users, and Add all devices.
  13. Click Next.
  14. Review the Add App and click Create.

NOTE: To upgrade SCP, deploy the latest SCP build along with the updated policy. Create a new application in Intune and assign it to the appropriate group or to all users/devices as needed.

Create an SCP Compliance Script to Monitor SCP Status 

Create a script that monitors the SCP status on managed devices. This script ensures that the client is installed, running, and functioning properly.

  1. Navigate to Devices > Platform > macOS > Scripts > Add.

The Add script window opens. 

  2. In the Basics tab, enter the following details:
    • Name - Enter a name for the script.
    • Description - Enter a description for the script.
  3. Click Next.
  4. In the Script settings tab:
    1. Upload the script file.
    2. Toggle Run script as signed-in user to No.
    3. Set Hide script notifications on devices to Not Configured.
    4. Set Script frequency to Not Configured.
    5. Set Max number of times to retry if script fails to Not Configured.
  5. Click Next.
  6. In the Assignments tab, select Add groups, Add all users, and Add all devices.
  7. Click Next.
  8. Review the SCP compliance script and click Add.
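
The procedure above uploads a script file that this page does not include. The following is an added example, not Skyhigh's script: it assumes a healthy client means both allowed system extensions are listed as [activated enabled] under team ID P2BNL68L2C by systemextensionsctl list, and that the policy file copied by the post-install script is present. The sample output and its version numbers are constructed.

```bash
#!/bin/bash
# Added example, not Skyhigh's script. Assumption: "healthy" means both allowed
# system extensions are [activated enabled] under the team ID from this page
# and the policy file copied by the post-install script is present and non-empty.
TEAM_ID="P2BNL68L2C"
EXTENSIONS="com.trellix.CMF.networkextension com.trellix.endpointsecurity"
POLICY="/usr/local/McAfee/Scp/policy/scppolicy.opg"

# Constructed sample of `systemextensionsctl list` output (versions invented;
# real output is tab-separated, which awk's default field splitting also handles).
SAMPLE_LIST='2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * P2BNL68L2C com.trellix.CMF.networkextension (1.0/1) networkextension [activated enabled]
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * P2BNL68L2C com.trellix.endpointsecurity (1.0/1) endpointsecurity [activated waiting for user]'

# extension_active BUNDLE_ID < list-output
# Succeeds only if a line pairs the exact team ID with the exact bundle ID and
# reports the activated/enabled state (exact field match, not a substring grep).
extension_active() {
  awk -v team="$TEAM_ID" -v id="$1" '
    /\[activated enabled\]/ {
      for (i = 1; i < NF; i++) if ($i == team && $(i + 1) == id) found = 1
    }
    END { exit !found }'
}

# scp_status LIST_OUTPUT POLICY_PATH: prints one line per check and returns
# the number of failed checks (0 = compliant).
scp_status() {
  failures=0
  for ext in $EXTENSIONS; do
    if printf '%s\n' "$1" | extension_active "$ext"; then
      echo "OK   $ext is activated and enabled"
    else
      echo "FAIL $ext is not activated and enabled"; failures=$((failures + 1))
    fi
  done
  if [ -s "$2" ]; then echo "OK   policy file present"
  else echo "FAIL policy file missing or empty: $2"; failures=$((failures + 1)); fi
  return "$failures"
}

if command -v systemextensionsctl >/dev/null 2>&1; then
  scp_status "$(systemextensionsctl list)" "$POLICY"   # on a managed Mac
else
  scp_status "$SAMPLE_LIST" "$POLICY" || echo "sample run: $? check(s) failed"
fi
```

On a managed Mac the script's exit status is the number of failed checks, so a non-zero result marks a device where an extension is still awaiting approval or the policy file was never copied.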
