Skip to main content
Skyhigh Security

Silently Installing SCP 4.6+ macOS using MDM (Jamf)

User consent is required to load any third-party system extensions (for products using network extension on macOS Big Sur 11.1.x and later). As SCP 4.6.0 uses couple of Network System Extension for network events, so prior approval of the following are required:

  • Network Extension Transparent Proxy
  • Content Filter configurations
Install SCP Silently

You can install SCP without any manual user intervention

  1. Create the following profiles:
    • System Extensions Profile
    • Content Filter Profile
    • App Proxy Filter (VPN) Profile
  2. Push them to the endpoint. For instance, using JamF.
  3. Install SCP using the following Profile settings:  

 

 Profile

Settings

 

 

 

 

 

 

 

 

 

 

 

 

System Extensions Profile

  1. Add System Extensions Profile.

  2. Configure following:

    Property

    Value

    Allowed Team IDs and System Extensions

    Allow users to approve system extensions

    Uncheck/disable

    System Extension Types

    Allowed System Extensions

    Team Identifier

    P2BNL68L2C

    Allowed system extensions

    • com.trellix.CMF.networkextension

    • com.trellix.endpointsecurity

    Allowed Team IDs and System Extensions
    Allow users to approve system extensions Uncheck/disable
    System Extension Types Removal System Etxensions
    Team Identifier P2BNL68L2C
    Allowed system extensions
    • com.trellix.CMF.networkextension
    • com.trellix.endpointsecurity

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Content Filter Profile

  1. Add Content Filter Profile.

  2. Configure following:

    Property

    Value

    Filter Sockets (Socket Filter)

    True

    Filter Data Provider Bundle Identifier (Socket Filter Bundle Identifier)

    com.trellix.CMF.networkextension

    Filter Data Provider Designated Requirement (Socket Filter Designated Requirement)

    anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field.
    1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
    certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L
    2C)

    Filter Packets (Network Filter)

    True

    Filter Packet Provider Bundle Identifier (Network Filter Bundle Identifier)

    com.trellix.CMF.networkextension

    Filter Packet Provider Designated Requirement (Network Filter Designated Requirement)

    anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field.
    1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
    certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L
    2C)

    Plugin Bundle ID (Identifier)

    com.trellix.containerapp

    User Defined Name (Filter Name)

    TrellixSystemExtensions

    Filter Type

    Plug-in

 

 

 

 

 

 

 

 

 

 

 

 

 

App Proxy Filter Profile

You can use the following Proxy profile for the approval of the extension Proxy components (VPN Profile):

  1. Add VPN

  2. Configure following:

    Property

    Value

    Connection Name

    TrellixProxyExtension

    VPN Type

    VPN

    Connection Type

    Custom SSL

    Identifier

    com.trellix.containerapp

    Server

    localhost

    Provider Bundle Identifier

    com.trellix.CMF.networkextension

    User Authentication

    Certificate

    Provider Type

    App-Proxy

    Include All Networks

    False (unchecked)

    Exclude Local Networks

    False (unchecked)

    Provider Designated Requirement

    anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate 0.113635.100.6.2.6] /* exists */ and
    certificaleaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.84te leaf[field.1.2.840.113635.100.6.1.13] /*
    exists */ and certificate leaf[subject.OU] = P2BNL68L2C)

    Identity Certificate

    None

     

Uninstall SCP 

A prompt appears for entering the administrator credentials to uninstall the system extension for both SCP standalone and managed with Trellix ePO. If no credentials are entered or incorrect credentials are entered, the SCP removal does not continue. Provide correct credentials for successfully uninstalling SCP. For MDM-managed system, no administrator credentials are required. Jamf has provided a configuration profile through which Client Proxy can be silently uninstalled from the end point without the user's intervention.

 

  • Was this article helpful?