MDM Deployment for MacOS Agents with Internet Security

Introduction

The Harmony SASE system includes Web Security features. When Internet Security is enabled on the workspace, the system deploys a locally installed Certificate, Content Filter, and System Extension to perform SSL decryption. These components are typically installed post-login, requiring user approval. Admins can pre-deploy these configurations to eliminate the need for user approval and prevent potential misconfigurations of web security components.

Deploying the Agent through MDM

Downloading the Certificate 

• For information on how to download the certificate, see Downloading the Secure Web Gateway (SWG) root Certificate.
• Once the certificate is downloaded, add it to your deployment through MDM.

Deploying the Content Filter and System Extension

• For your convenience, we have generated a .mobileconfig file with the needed configurations that can be deployed using MDM:
  Harmony SASE.mobileconfig
• Alternatively, a Workspace Admin can manually configure the Content Filter and System Extension for deployment through MDM.
  
  Note

  Each vendor may assign different names to these values.
  • Deploy a Content Filter:
    • Filter Type: Plug-in
    • Connection Name: Harmony SASE
    • Identifier: com.safervpn.osx.smb
    • Filter Webkit traffic: Yes
    • Filter Socket Traffic: Yes
    • Socket Filter Bundle ID: com.safervpn.osx.smb
    • Socket Requirement: identifier "com.safervpn.osx.smb" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "924635PD62"
    • Filter Network Pockets: Yes
    • Pocket Bundle ID: com.safervpn.osx.smb
    • Packet Requirement: identifier "com.safervpn.osx.smb" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "924635PD62"
    • Filter Grade: Firewall
  • Deploy a System Extension:
    • Navigate to where you add the VPN Payload Profiles and add a MacOS profile and context Device Profile.
    • Allow User Overrides: Yes
    • Allowed System Extension Types: Network
    • Team ID: 924635PD62
    • Bundle Identifier: com.safervpn.osx.smb.proxy