--- title: "MDM Deployment for MacOS Agents with Internet Security" slug: "mdm-deployment-with-internet-security-mac" updated: 2026-04-07T09:00:17Z published: 2026-04-07T09:00:17Z canonical: "support.perimeter81.com/mdm-deployment-with-internet-security-mac" --- > ## Documentation Index > Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt > Use this file to discover all available pages before exploring further. # MDM Deployment for MacOS Agents with Internet Security ## Introduction The Check Point SASE system includes Web Security features. When **Internet Security** is enabled on the workspace, the system deploys a locally installed *Certificate*, *Content Filter*, and *System Extension* to perform SSL decryption. These components are typically installed post-login, requiring user approval. Admins can pre-deploy these configurations to eliminate the need for user approval and prevent potential misconfigurations of web security components. ## Deploying the Agent through MDM ### Downloading the Certificate - For information on how to download the certificate, see [Downloading the Secure Web Gateway (SWG) root Certificate](/v1/docs/swg-certificate). - Once the certificate is downloaded, add it to your deployment through MDM. ### Deploying the Content Filter and System Extension - For your convenience, we have generated a .mobileconfig file with the needed configurations that can be deployed using MDM: [Harmony SASE.mobileconfig](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Harmony%20SASE.mobileconfig) - Alternatively, a Workspace Admin can manually configure the ***Content Filter*** and ***System Extension***for deployment through MDM. NoteEach vendor may assign different names to these values. - Deploy a **Content Filter:** - **Filter Type**: Plug-in - **Connection Name**: Check Point SASE - **Identifier**: com.safervpn.osx.smb - **Filter Webkit traffic**: Yes - **Filter Socket Traffic**: Yes - **Socket Filter Bundle ID**: com.safervpn.osx.smb - **Socket Requirement**: identifier "com.safervpn.osx.smb" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "924635PD62" - **Filter Network Pockets**: Yes - **Pocket Bundle ID**: com.safervpn.osx.smb - **Packet Requirement**: identifier "com.safervpn.osx.smb" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "924635PD62" - **Filter Grade**: Firewall - Deploy a **System Extension**: - Navigate to where you add the VPN Payload Profiles and add a **MacOS** profile and context **Device Profile.** - **Allow User Overrides**: Yes - **Allowed System Extension Types**: Network - **Team ID**: 924635PD62 - **Bundle Identifier**: com.safervpn.osx.smb.proxy