This topic provides step-by-step instructions for deploying the Check Point SASE on macOS endpoints managed by Jamf Pro. It covers all configuration profiles required for a fully silent, zero-touch installation, including the SASE root certificate deployment that enables TLS/SSL inspection without end-user prompts.
Check Point SASE is a cloud-native Secure Access Service Edge platform within the Hybrid Mesh Network Security pillar, providing secure internet access via an integrated Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA) to private resources, and application-level access controls. The agent installed on endpoints enforces these policies locally and tunnels traffic through the Check Point global PoP infrastructure.
Deploying through Jamf Pro enables organizations to push the agent, configuration profiles, and certificates silently to managed Macs, eliminating manual enrollment steps and ensuring security posture from first boot.
Note -
The Check Point SASE was originally developed under the Perimeter 81 brand. While the product is now branded as Check Point SASE under the Hybrid Mesh Network Security pillar, the macOS application bundle installs as "Harmony SASE.app." Some underlying identifiers still retain legacy naming: bundle identifiers use com.safervpn.osx.smb, the agent configuration plist domain is com.perimeter81d, and infrastructure domains use *.perimeter81.com. These legacy identifiers appear throughout this topic where technically required.
Note -
Four configuration profiles (System Extensions, Content Filter, VPN Payload, and the Root Certificate) must be deployed BEFORE the agent installer runs. If any are missing, end users receive interactive approval prompts that can block or delay the connection.
Prerequisites
Jamf Pro version 10.25 or later (required for macOS 11+ system extension management).
macOS 11 Big Sur or later on target endpoints.
Active Check Point SASE subscription with administrator access to the Check Point Infinity Portal.
Target Macs enrolled and MDM-supervised in Jamf Pro.
Endpoints must reach *.perimeter81.com and *.checkpoint.com. For the complete list of required URLs, ports, and protocol details, see sk182251.
Check Point SASE agent version 11.5 or later (recommended for Transparent Internet Access support).
Per-tenant root CA certificate (.cer) downloaded from the Check Point SASE portal.
Note -
If you are managing deployment via MDM, disable the auto-update client setting in the Check Point SASE web console (Settings > General) to prevent looping installation issues when Jamf and the SASE auto-updater conflict.
Download the SASE Agent and Certificate
Download the macOS Agent Installer
Log in to the Check Point Infinity Portal and navigate to Check Point SASE.
Go to Devices > Downloads and select the Agents tab.
Download the macOS agent installer (.pkg file). Note the version number.
Alternatively, click Copy Link to copy the direct download link for use in a Jamf script.
For more information, see Downloads.
Obtain the Root Certificate for TLS Inspection
Check Point SASE generates a dedicated root CA certificate per tenant for TLS/SSL full inspection. This certificate must be trusted on every endpoint for HTTPS inspection to function without certificate errors.
Default Behavior (Agent-Based Users): For remote users connecting via the agent, the default per-tenant TLS inspection certificate is automatically deployed and trusted during initial agent activation. In most deployments where the default certificate has not been regenerated, no separate certificate push via MDM is required.
When MDM Certificate Deployment Is Required: If an administrator has regenerated or rotated the TLS inspection certificate in the SASE portal after agents were initially deployed, the updated certificate must be redistributed to all endpoints. MDM deployment via Jamf Pro ensures this happens silently. Additionally, for organizations that want to guarantee certificate trust is established before the agent's first connection attempt (for example, zero-touch provisioning scenarios), pre-deploying the certificate via a Jamf configuration profile is the recommended approach.
To download the active full inspection certificate:
In the Check Point SASE portal, go to Policy > SSL Inspection (or the equivalent Internet Access policy area).
Under Download Full Inspection Certificate, click Download Certificate.
Save the .cer file. This is the file you upload to Jamf Pro as a certificate configuration profile.
Note -
Apple MDM best practice for distributing CA certificates is through configuration profile certificate payloads, not installer PKGs. Jamf Pro, like all major MDMs such as Intune and Workspace ONE, expects CA certificates to be delivered as configuration profiles. This approach is tenant-specific, easily updatable if the certificate is rotated, and aligns with Apple's TLS inspection and network extension model.
Create Configuration Profiles in Jamf Pro
Three configuration profiles must be created and deployed to target Macs BEFORE the agent is installed. These are in addition to the certificate configuration profile covered in Deploy the SASE Certificate via Jamf Pro. All profiles must be set at the Computer level, not User level.
System Extensions Profile
This profile pre-approves the Check Point SASE network system extension so users do not receive the "System Extensions Blocked" notification.
In Jamf Pro, navigate to Computers > Configuration Profiles > New.
Set a name such as "Check Point SASE – System Extensions."
Set Level to Computer Level and Distribution Method to Install Automatically.
Select the System Extensions payload from the Options tab.
Configure these settings:
Allow users to approve system extensions - Checked (enabled)
System extension types (dropdown) - Allowed system extensions
Team Identifier - 924635PD62
Allowed System Extensions (Bundle ID) - com.safervpn.osx.smb.proxy
Note -
The Jamf System Extensions payload dropdown offers both "Allowed system extension types" and "Allowed system extensions." These are different options. "Allowed system extension types" accepts only a Team ID and a type category (for example, Network Extension); it does not allow specifying a bundle identifier and blanket-approves every extension of that type from the team. Instead, select Allowed system extensions, which takes both a Team Identifier and a specific Bundle Identifier, restricting approval to only the Check Point SASE network extension.
Content Filter Profile
This profile authorizes the SASE content filter (network packet and socket filtering) to prevent proxy configuration prompts.
Create a new Configuration Profile named "Check Point SASE – Content Filter."
Select the Content Filter payload and configure these settings:
Filter Type - Plug-in
Connection Name - Check Point SASE
Identifier - com.safervpn.osx.smb
Filter WebKit Traffic - Yes
Filter Socket Traffic - Yes
Socket Filter Bundle ID - com.safervpn.osx.smb
Filter Network Packets - Yes
Packet Bundle ID - com.safervpn.osx.smb
Filter Grade - Firewall
Socket Requirement and Packet Requirement (use the same value for both):
identifier "com.safervpn.osx.smb" and anchor apple generic
and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = "924635PD62"
VPN Payload Profile
This profile pre-authorizes the VPN tunnel so users are not prompted with a proxy configuration approval dialog from the agent.
Create a new Configuration Profile named "Check Point SASE – VPN Payload."
Select the VPN payload and configure these settings:
Connection Name - Check Point SASE
VPN Type - VPN
Connection Type - Custom SSL
Identifier - com.safervpn.osx.smb
Server - localhost
Provider Bundle Identifier - com.safervpn.osx.smb.proxy
User Authentication - Password
Provider Type - App-Proxy
Idle Timer - Do not disconnect
Proxy Setup - None
Provider Designated Requirement:
identifier "com.safervpn.osx.smb.proxy"
and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */
or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = "924635PD62")
Deploy the SASE Certificate via Jamf Pro
This is the critical step that enables silent TLS inspection. The certificate must be installed before the agent so the agent can establish trusted HTTPS inspection sessions without prompting the user for admin credentials.
Create the Certificate Configuration Profile
In Jamf Pro, go to Computers > Configuration Profiles > New.
Name it "Check Point SASE – Root Certificate." Set Level to Computer Level.
Set Distribution Method to Install Automatically.
Select the Certificate payload from the Options sidebar.
Click Configure and upload the .cer file downloaded from the Check Point SASE portal.
Ensure Allow access to all applications is enabled so all processes on the endpoint trust this CA.
Select the Scope tab and assign the same Smart Groups or target computers that will receive the agent.
Click Save.
Important -
The certificate configuration profile and all three other configuration profiles (System Extensions, Content Filter, VPN Payload) must be installed on the endpoint BEFORE the agent installation policy runs. Jamf configuration profiles assigned at the Computer level with Install Automatically deploy during enrollment or the next check-in, ensuring they are in place before the agent installer executes.
Verify Certificate Installation
After the configuration profile is installed, verify the certificate is present and trusted:
# List installed configuration profiles
sudo profiles show -all | grep -i "Check Point SASE"
# Check the System Keychain for the SASE root certificate. The keychain export
# contains many certificates and "openssl x509" would only read the first one,
# so bundle them into a PKCS#7 structure and print every subject.
security find-certificate -a -p /Library/Keychains/System.keychain | \
openssl crl2pkcs7 -nocrl -certfile /dev/stdin | \
openssl pkcs7 -print_certs -noout | grep -iE "check point|sase"
If the certificate profile appears in the profiles list and the certificate is found in the System Keychain, deployment was successful.
Package and Deploy the SASE Agent
Upload the Agent PKG
Go to Jamf Pro > Settings > Computer Management > Packages.
Click New and upload the Check Point SASE macOS .pkg installer.
Set a display name such as "CP-SASE-Agent-v12.x."
Click Save.
Create the Pre-Deployment Script
A pre-install script configures the agent's workspace, region, and (optionally) tenant token for Transparent Internet Access. This script must run before the agent PKG installs so the agent picks up the configuration on first launch.
Go to Settings > Computer Management > Scripts > New.
Name it "Check Point SASE – Pre-Install Configuration."
Set Language to Shell/Bash and paste the following script:
#!/bin/bash
# Define variables
WORKSPACE="your-workspace-name"
REGION="US" # Options: US, EU, AU, IN
TENANT_TOKEN="your-tenant-token-here" # Required for v11.5+ Transparent Registration
# Write configuration to the agent plist
defaults write com.perimeter81d workspace "$WORKSPACE"
defaults write com.perimeter81d region "$REGION"
# Optional: Add Token for Transparent Registration
if [ -n "$TENANT_TOKEN" ]; then
defaults write com.perimeter81d TENANT_TOKEN "$TENANT_TOKEN"
fi
exit 0
Note -
The TENANT_TOKEN enables Transparent Internet Access (available in agent v11.5+), which enforces internet security policies immediately upon installation without requiring end-user sign-in. Generate your tenant token from the Check Point SASE portal under Devices > Downloads. The workspace name and tenant token are unique to your organization. For more information, see Deploying the Agent.
Click Save.
Warning -
Do not run chown -R on the application bundle as a post-install step. On modern macOS, System Integrity Protection prevents modifying ownership on files inside a code-signed application bundle. Running chown -R on "/Applications/Harmony SASE.app" will fail with "Operation not permitted" on every file inside Contents/, the Jamf policy will report as failed (exit code 1), and if the ownership change were to succeed, it would invalidate the app's code signature. The PKG installer already sets correct permissions. No post-install ownership script is needed.
Create the Agent Installation Policy
Go to Computers > Policies > New.
Name it "Install Check Point SASE Agent."
Under Trigger, enable Recurring Check-in (or a Custom trigger if staging).
Set Execution Frequency to Once per computer.
Click the Scripts payload. Add the Pre-Install Configuration script and set Priority to Before.
Click the Packages payload, click Configure, and add the SASE agent .pkg. Action: Install.
Under Scope, assign the same Smart Groups as the certificate and profiles.
Click Save.
Scope and Assign Policies
Use Jamf Pro Smart Groups to organize your deployment targets. A recommended approach:
SASE – All Targets - All managed Macs that should receive the agent (for example, by department, building, etc.)
SASE – Agent Installed - Application Title is "Harmony SASE" – used to confirm successful deployment
SASE – Agent Missing - Application Title does not have "Harmony SASE" – used for remediation policies
Assign all four configuration profiles and the agent installation policy to the "SASE – All Targets" Smart Group. Use the "SASE – Agent Missing" group for ongoing check-in-based remediation.
Verification and Troubleshooting
Verify a Successful Deployment
The Check Point SASE icon appears in the macOS menu bar without any pending approval prompts.
System Preferences > Profiles shows four Check Point SASE configuration profiles installed at the Computer level (System Extensions, Content Filter, VPN Payload, Root Certificate).
Keychain Access > System Keychain contains the Check Point SASE root CA certificate marked as trusted.
Running the agent connects successfully to the nearest SASE PoP.
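The checks above can be scripted so that a Jamf policy reports exactly which part of a deployment is incomplete. The following verification script is an added example, not Check Point's or Jamf's own code; it assumes the profile names used in this guide and the Team ID and extension bundle identifier from the Key Identifiers reference. The helper functions take command output as text so they can be exercised against the constructed samples embedded in the script.

```bash
#!/bin/bash
# Added verification script (not Check Point's or Jamf's own code). Checks the
# four configuration profiles and the approved network extension after the
# agent policy has run; a non-zero exit makes the Jamf policy log show which
# part of the deployment is missing. Helpers take command output as text so
# they can be exercised against the constructed samples below.

# Print required profile names absent from `profiles show -all` output.
missing_profiles() {
    local listing="$1" name
    for name in "System Extensions" "Content Filter" "VPN Payload" "Root Certificate"; do
        printf '%s\n' "$listing" | grep -q "Check Point SASE.*$name" \
            || printf '%s\n' "$name"
    done
}

# Print the bracketed state of the SASE extension (Team ID 924635PD62,
# bundle com.safervpn.osx.smb.proxy) from `systemextensionsctl list` output,
# or "missing" when it is not listed at all.
extension_state() {
    local line
    line=$(printf '%s\n' "$1" | grep '924635PD62' \
           | grep 'com.safervpn.osx.smb.proxy' || true)
    [ -n "$line" ] || { echo missing; return 0; }
    printf '%s\n' "$line" | sed -n 's/.*\[\(.*\)\].*/\1/p'
}

# Run the real checks on this Mac; returns 0 only when everything is present.
verify_deployment() {
    local missing state
    missing=$(missing_profiles "$(profiles show -all 2>/dev/null || true)")
    state=$(extension_state "$(systemextensionsctl list 2>/dev/null || true)")
    [ -z "$missing" ] || { printf 'Missing profiles:\n%s\n' "$missing"; return 1; }
    [ "$state" = "activated enabled" ] || { echo "Extension state: $state"; return 1; }
    echo "All SASE profiles present; extension $state"
}

# Constructed sample output (format approximated from the real commands),
# with the VPN Payload profile deliberately absent.
SAMPLE_PROFILES='_computerlevel[1] attribute: name: Check Point SASE – System Extensions
_computerlevel[2] attribute: name: Check Point SASE – Content Filter
_computerlevel[3] attribute: name: Check Point SASE – Root Certificate'
SAMPLE_SYSEXT='--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * 924635PD62 com.safervpn.osx.smb.proxy (12.0.0/12.0.0) Harmony SASE [activated enabled]'

# The real checks only make sense on macOS; elsewhere the helpers are just defined.
if [ "$(uname)" = "Darwin" ]; then verify_deployment; fi
```

Upload it as a Jamf script scoped to the "SASE – All Targets" group to turn the manual checklist into a policy result.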
Common Issues
| Symptom | Resolution |
|---|---|
"System Extensions Blocked" popup | System Extensions profile not installed before agent. Remove the agent, confirm the profile is scoped and installed, then reinstall the agent. |
"Would like to Add Proxy Configurations" popup | VPN Payload or Content Filter profile missing. Deploy the missing profiles and reinstall the agent. |
"You are making changes to System Certificate Trust" prompt | Certificate configuration profile was not installed before the agent. Deploy the Root Certificate profile and reinstall the agent. |
Disk space fills in /Library/SystemExtensions/.staging | Known symptom when system extension approval is pending. Deploy the System Extensions profile and the issue resolves. |
"Further steps are needed" error after MDM deployment | All four configuration profiles must be present before agent activation. Verify with sudo profiles show -all. |
Agent auto-update loop with MDM | Disable auto-update in the Check Point SASE console: Settings > General > Update Client toggle off. |
TLS certificate errors in browsers or apps after SASE connects | Root certificate not trusted. Verify that the certificate configuration profile is installed with sudo profiles show -all and that the certificate is present in the System Keychain. |
Post-install script fails with "Operation not permitted" on chown -R | Do not run chown -R on the application bundle; the PKG installer already sets correct permissions (see the Warning above). |
Useful Diagnostic Commands
# List installed configuration profiles
sudo profiles show -all
# Check system extensions status
systemextensionsctl list
# Verify the SASE agent process
ps aux | grep -i "Harmony SASE"
# Check certificate trust
security verify-cert -c /path/to/cert.cer
# View SASE agent logs
log show --predicate 'subsystem == "com.safervpn.osx.smb"' --last 1h
Key Identifiers Quick Reference
Team ID (Apple Developer) - 924635PD62
Application Name (on disk) - Harmony SASE.app
Application Bundle ID - com.safervpn.osx.smb
System Extension Bundle ID - com.safervpn.osx.smb.proxy
Agent Configuration Plist Domain - com.perimeter81d
VPN Server (local proxy) - localhost
VPN Connection Type - Custom SSL
Provider Type - App-Proxy
Content Filter Type - Plug-in
Content Filter Grade - Firewall
Agent Install Path - /Applications/Harmony SASE.app
Support Email - sase-support@checkpoint.com
Transparent Internet Access (Silent Deployment)
Starting with Check Point SASE version 11.5, the Transparent Internet Access feature enforces internet security policies immediately upon agent installation, without requiring any end-user interaction. When deployed via MDM:
The remote installation process bypasses both device and member registration.
Users receive the latest security policies even if they have not signed in to the agent.
Internet Access policy enforcement begins as soon as the agent is running, providing protection from the moment of deployment.
This is ideal for large-scale deployments where you want immediate SWG protection without waiting for users to individually authenticate. For more information, see Deploying the Agent.
Note -
Private Access remains restricted until the user authenticates and registers on the platform.