MDM troubleshooting for MacOS

How to resolve MDM Deployment issues on MacOS

Symptoms

1. Disk space rapidly fills the system directory /Library/SystemExtensions/.staging.
2. Users will receive a “Harmony SASE Would like to Add Proxy Configurations” notification giving users the ability to “Don’t Allow” connection.
   
3. Users will receive a “System Extensions Blocked” notification until the Harmony SASE system extensions are enabled.
4. Users cannot log in to the agent with the error "Further steps are needed" after deploying the agent with MDM
   

Solution using an MDM tool

1. Create a Content Filter for Harmony SASE
   • To Create a Content Filter profile, please add the following “Device Profile” with the provided configuration:
     • Filter Type: Plug-in
     • Connection Name: Harmony SASE
     • Identifier: com.safervpn.osx.smb
     • Filter Webkit traffic: Yes
     • Filter Socket Traffic: Yes
     • Socket Filter Bundle ID: com.safervpn.osx.smb
     • Socket Requirement: identifier "com.safervpn.osx.smb" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "924635PD62"
     • Filter Network Pockets: Yes
     • Pocket Bundle ID: com.safervpn.osx.smb
     • Packet Requirement: identifier "com.safervpn.osx.smb" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "924635PD62"
     • Filter Grade: Firewall
       
       
2. Configure P81 System Extensions
   • Navigate to where you add the VPN Payload Profiles and add a “MacOS” profile and context “Device Profile”
     • Allow User Overrides: Yes
     • Allowed System Extension Types: Network
     • Team ID: 924635PD62
     • Bundle Identifier: com.safervpn.osx.smb.proxy