User consent is required to load any third-party system extension (for products using network extensions on macOS Big Sur 11.1.x and later). Because SCP 4.6.0 uses a couple of Network System Extensions for network events, prior approval of the following is required:
- Network Extension Transparent Proxy
- Content Filter configurations
Install SCP Silently
You can install SCP without any manual user intervention.
- Create the following profiles:
  - System Extensions Profile
  - Content Filter Profile
  - App Proxy Filter (VPN) Profile
- Push them to the endpoint, for instance using Jamf.
- Install SCP using the following Profile settings:

Profile: System Extensions Profile

Settings:
- Add System Extensions Profile.
- Configure the following:

| Property | Value |
| --- | --- |
| Allowed Team IDs and System Extensions | |
| Allow users to approve system extensions | Uncheck/disable |
| System Extension Types | Allowed System Extensions |
| Team Identifier | P2BNL68L2C |
| Allowed system extensions | |

| Property | Value |
| --- | --- |
| Allowed Team IDs and System Extensions | |
| Allow users to approve system extensions | Uncheck/disable |
| System Extension Types | Removal System Extensions |
| Team Identifier | P2BNL68L2C |
| Allowed system extensions | com.trellix.CMF.networkextension, com.trellix.endpointsecurity |

Profile: Content Filter Profile

Settings:
- Add Content Filter Profile.
- Configure the following:

| Property | Value |
| --- | --- |
| Filter Sockets (Socket Filter) | True |
| Filter Data Provider Bundle Identifier (Socket Filter Bundle Identifier) | com.trellix.CMF.networkextension |
| Filter Data Provider Designated Requirement (Socket Filter Designated Requirement) | `anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C)` |
| Filter Packets (Network Filter) | True |
| Filter Packet Provider Bundle Identifier (Network Filter Bundle Identifier) | com.trellix.CMF.networkextension |
| Filter Packet Provider Designated Requirement (Network Filter Designated Requirement) | `anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C)` |
| Plugin Bundle ID (Identifier) | com.trellix.containerapp |
| User Defined Name (Filter Name) | TrellixSystemExtensions |
| Filter Type | Plug-in |

Profile: App Proxy Filter Profile

Settings:
Use the following proxy profile (VPN Profile) to approve the proxy components of the extension:
- Add VPN.
- Configure the following:

| Property | Value |
| --- | --- |
| Connection Name | TrellixProxyExtension |
| VPN Type | VPN |
| Connection Type | Custom SSL |
| Identifier | com.trellix.containerapp |
| Server | localhost |
| Provider Bundle Identifier | com.trellix.CMF.networkextension |
| User Authentication | Certificate |
| Provider Type | App-Proxy |
| Include All Networks | False (unchecked) |
| Exclude Local Networks | False (unchecked) |
| Provider Designated Requirement | `anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C)` |
| Identity Certificate | None |

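
As an added example (not part of the original page or the vendor's tooling), the following Python check lints a profile before it is pushed: it confirms that user approval is disabled and that each content filter designated requirement pins the same bundle identifier and Team ID that the System Extensions payload allows. The payload key names (`AllowUserOverrides`, `AllowedSystemExtensions`, `FilterDataProviderDesignatedRequirement` and the others) are assumed to be the Apple configuration-profile keys behind the Jamf labels in the settings above, and the sample profile is constructed from the values on this page.

```python
import plistlib
import re

TEAM_ID = "P2BNL68L2C"                       # Team Identifier (from the page)
NETEXT = "com.trellix.CMF.networkextension"  # provider bundle ID (from the page)
REQUIREMENT = (                              # designated requirement (from the page)
    'anchor apple generic and identifier "com.trellix.CMF.networkextension" and '
    "(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = P2BNL68L2C)")
POLICY, FILTER = "com.apple.system-extension-policy", "com.apple.webcontent-filter"

def build_profile(requirement=REQUIREMENT, user_overrides=False):
    """Constructed sample profile; payload key names are assumed mappings."""
    return plistlib.dumps({"PayloadContent": [
        {"PayloadType": POLICY, "AllowUserOverrides": user_overrides,
         "AllowedSystemExtensions": {
             TEAM_ID: [NETEXT, "com.trellix.endpointsecurity"]}},
        {"PayloadType": FILTER, "FilterType": "Plugin",
         "PluginBundleID": "com.trellix.containerapp",
         "UserDefinedName": "TrellixSystemExtensions",
         "FilterSockets": True, "FilterPackets": True,
         "FilterDataProviderBundleIdentifier": NETEXT,
         "FilterDataProviderDesignatedRequirement": requirement,
         "FilterPacketProviderBundleIdentifier": NETEXT,
         "FilterPacketProviderDesignatedRequirement": requirement}]})

def audit_profile(data):
    """Return findings; an empty list means policy and filter payloads agree."""
    payloads = plistlib.loads(data)["PayloadContent"]
    policy = next((p for p in payloads if p["PayloadType"] == POLICY), {})
    findings = []
    if policy.get("AllowUserOverrides", True):
        findings.append("users may approve system extensions themselves")
    allowed = policy.get("AllowedSystemExtensions", {})
    for p in (p for p in payloads if p["PayloadType"] == FILTER):
        for kind in ("Data", "Packet"):
            bundle = p.get(f"Filter{kind}ProviderBundleIdentifier", "")
            req = p.get(f"Filter{kind}ProviderDesignatedRequirement", "")
            team = re.search(r'leaf\[subject\.OU\]\s*=\s*"?(\w+)', req)
            if f'identifier "{bundle}"' not in req:
                findings.append(f"{kind}: requirement does not pin {bundle}")
            if team is None:
                findings.append(f"{kind}: requirement does not pin a Team ID")
            elif bundle not in allowed.get(team.group(1), []):
                findings.append(f"{kind}: {bundle} not allowed for {team.group(1)}")
    return findings
```

An empty result from `audit_profile(build_profile())` means the two payloads are consistent; any finding points at a requirement string or allow list that was edited or pasted incorrectly.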
Uninstall SCP
When you uninstall SCP, a prompt asks for administrator credentials to remove the system extension, both for standalone SCP and for SCP managed with Trellix ePO. If no credentials or incorrect credentials are entered, the SCP removal does not continue. Provide correct credentials to uninstall SCP successfully. For MDM-managed systems, no administrator credentials are required. Jamf has provided a configuration profile through which Client Proxy can be silently uninstalled from the endpoint without the user's intervention.