Skip to main content
Skyhigh Security

Silently Installing SCP 4.8+ with Cloud Firewall in macOS using MDM (Jamf)

If you're installing SCP 4.6+ without any Cloud Firewall policy, refer to Silently Installing SCP 4.6+ using MDM (macOS) to learn about the installation of SCP using MDM (Jamf) in macOS.

If you're using Cloud Firewall policy to install SCP 4.8, follow the steps mentioned here:

User consent is required to load any third-party system extensions (for products using network extensions on macOS Big Sur 11.1.x and later). As SCP 4.8.0 (with Firewall policy pushed via SSE) uses a couple of Network System Extension for network events, prior approval of the following is required:

  • Network Extension Transparent Proxy
  • Content Filter configurations

Jamf is a third-party MDM tool used for endpoint management. You can install SCP via Jamf.

Enroll a Device to Jamf

You can enroll a device into a Jamf using the URL and an administrator login.

  • After the application deployment is set up, you can enroll a device by invoking a URL on the device and logging in as an administrator. 
  • You must turn on the user-initiated enrollment for iOS devices in the Jamf console. The enrollment URL is the following website: https://xyz.jamfcloud.com/enroll/ where xyz is the URL portion provided by Jamf. 

NOTE: Make sure the URL link has the “https” prefix or the URL may not load in a browser.


Follow the below steps to enroll a device to Jamf

  1. Go to URL https://mfepsdev.jamfcloud.com/enroll/
  2. In the Assign to user field, enter Jamf login credentials.
  3. Skip over the Select the site to use for enrolling this computer or mobile device.
  4. Click Enroll. Notice window appears, click Accept to continue.
    1.png
  5. Click Continue to Install CA certificates. Click Download
  6. You need an MDM profile for your organization for enrollment. Click Continue.
  7. Go to Privacy & Security > Profiles >MDM Profile. Click Install to install the downloaded configurations.

clipboard_ecfd3c540557706c894842a56bf51bba0.png

  1.  Profiles are installed. 
  2. From the main menu, In the Jamf dashboard, go to Computers. A list of all the managed accounts via the Jamf accounts is displayed.

Create Profiles

To install Client Proxy, create a profile for System Extension, Content Filter, and App Proxy Filter and push these packages to the selected endpoints.

  1. Go to the Jamf dashboard.
  2. In Content Management click on Configuration Profiles.
  3. Click  New to create a new profile. 
  4. In the Option go to the General tab, and enter the Name for the profile. 
    3.png
  5. Enter the purpose of the profile in the Description.
  6. Use the respective Site from the drop down. Choose the required Category.

Install the Client Proxy

To install the Client Proxy, create profiles for System Extension Payloads, Content Filter Payload and App Proxy Filter Profiles and push these packages to the selected endpoints.

  1. Create Profiles.
  2. Update the following profiles:
    • System Extension Profile
    • Content Filter Profile
    • App Proxy Filter (VPN) profile
  3. Install SCP using the following Profile settings:  
    1. In Options go to System Extension to configure system extensions.

 Profile

Settings

 

 

 

 

 

 

System Extensions Profile

  1. Add System Extensions Profile.

  2. Configure following:

    Property

    Value

    Allow users to approve system extensions

    Check/Enable

    Allowed Team IDs and System Extensions  
    Display Name FWaaS_system_extensions_allowed

    System Extension Types

    Allowed System Extensions

    Team Identifier

    W6824P2V89

    Allowed system extensions

    • com.skyhighsecurity.epclient.networkextension
    • com.skyhighsecurity.epclient
    Allowed Team IDs and System Extensions  
    Display Name FWaaS_system_extensions_removal
    System Extension Types Removable System Extensions
    Team Identifier W6824P2V89
    Allowed system extensions
    • com.skyhighsecurity.epclient.networkextension
    • com.skyhighsecurity.epclient

 

  • Click Configure. The system Extensions window appears.

4.png

  • Choose System Extension Types from the dropdown, and Enter Team Identifier. Choose System Extension Types.

5.png

  • Click Save.
  1. Choose Payload details from the table below and fill in the fields. 

 

 

 

 

 

 

Content Filter Profile

  1. Add Content Filter Profile.

  2. Configure following:

    Property

    Value

    Filter Name

    FWaaS_content_filter_profile

    Identifier

    com.skyhighsecurity.epclient

    Network Filter
     
    Enabled
    Network Filter Bundle Identifier com.trellix.CMF.networkextension
    Network Filter Designated Requirement anchor apple generic and identifier "com.skyhighsecurity.epclient" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = W6824P2V89)

 

  • To create content filter details, go to Content Filter in the options.
  • Enter the Filter name and Identifier. 
  • Enter details from the Content Filter Payload.

6.png

  • Click Save
  1. Configure the VPN package.

 

 

 

 

 

 

 

 

 

 

 

App Proxy Filter Payload

You can use the following Proxy payload for the approval of the extension Proxy components (VPN Payload):

  1. Add VPN

  2. Configure following:

    Property

    Value

    Connection Name

    FWaaS_VPN

    VPN Type

    VPN

    Connection Type

    Custom SSL

    Identifier

    com.skyhighsecurity.epclient

    Server

    localhost

    Provider Bundle Identifier

    com.skyhighsecurity.epclient.networkextension

    User Authentication

    Certificate

    Provider Type

    Packet-tunnel

    Include All Networks

    False (unchecked)

    Exclude Local Networks

    False (unchecked)

    Provider Designated Requirement

    anchor apple generic and identifier "com.skyhighsecurity.epclient" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = W6824P2V89)

    Enable VPN on demand

    False

    Prohibit users from disabling on-demand VPN settings False
    Idle Timer Do not disconnect

7.png

  1. Go to the Scope tab to specify the target user. Choose Specific Computers and Specific Users
    8.png
  2. Click Save, Profile is saved to your managed device.
  3. Deploy Client Proxy using self service.

Deploy SCP using Self Service

  1. Go to the Jamf server at  https://mfepsdev.jamfcloud.com, then select Full jamf pro from the dropdown to get all the features.

  2. Navigate to Content Management > Policies> New > General. Use the respective Site from the drop down. Choose the required Category.

  3. Go to the Options tab, and click on Packages. Add the Client Proxy package you wish to install.
  4. In Actions, choose Install.
  5. Go to the scope tab, select target computer and target users.
  6. Add the machine you want the Client Proxy to be installed,
  7. Make sure to add the below configuration to get it reflected in the Self Service portal (in the above policy).
  8. Go to the client machine and open Self Service from Application, choose to install the configured package.
    9.png

NOTE: On VPN Status modifications, the system settings pop-up window might show VPN is trying to modify your system settings. Upon cancelling the pop-up will not affect any of the functionalities.  

 

 

Uninstall SCP 

A prompt appears for entering the administrator credentials to uninstall the system extension for both SCP standalone and managed with Trellix ePO. If no credentials are entered or incorrect credentials are entered, the SCP removal does not continue. Provide correct credentials for successfully uninstalling SCP. For an MDM-managed system, no administrator credentials are required. Jamf has provided a configuration profile through which Client Proxy can be silently uninstalled from the endpoint without the user's intervention.

  • Was this article helpful?