
Deploying Bitdefender Endpoint Security Tools on macOS using JumpCloud

saifshaik
JumpCloud Employee

In this article, we will go through the process of deploying Bitdefender Endpoint Security Tools on macOS endpoints using JumpCloud.

Bitdefender Endpoint Security is one of the popular endpoint security tools out there, and it can be deployed remotely on Mac endpoints using an MDM solution.

When deploying the Bitdefender Endpoint Security Tools (BEST), you first need to grant the necessary permissions and access to the security agent, prior to deploying the agent itself. This way the end users will not be prompted to approve the permissions on their end.

To deploy BEST on macOS devices using JumpCloud, there are 5 steps involved:

  • Create an uninstall password for Bitdefender Endpoint Security Tools.
  • Generate and deploy an SSL certificate for the Agent.
  • Deploy the MDM Configuration Profile(s) to preapprove the Agent permissions.
  • Deploy the Agent using a script via JumpCloud Commands.
  • Verify that the Endpoint Protection is installed.

Create an uninstall password for Bitdefender Endpoint Security Tools

In some situations, users with Administrator privileges on their Mac can uninstall the Bitdefender Endpoint Security Agent, leaving the system unprotected. You can prevent such unauthorized actions by setting up an uninstall password from the GravityZone Control Center.

To set the Uninstall Password from the Installation packages:

  • Log in to GravityZone Control Center.
  • Go to the Network page from the left side menu and click on the Installation Packages section.
  • Select the package that you want to install, or click on CREATE to create a fresh Installation Package as per the requirement.
  • Under Settings, select the Set uninstall password check box.
  • Enter a password considering the complexity requirements and click Save.
  • You can now use this package to deploy BEST on the endpoints. In the future, if BEST has to be uninstalled from the endpoint, the specified uninstall password has to be entered.
  • Alternatively, if you wish to protect the existing endpoints in your network through policy, refer to the steps from here.
⚠️ Make sure the uninstall password is stored somewhere safe and out of reach of the end users.

Generate and deploy an SSL certificate for the Agent

Bitdefender Endpoint Security Agent requires an SSL certificate to properly work. You generate a certificate and deploy it to the Mac endpoints to have it automatically approved and ready to use without end user interaction.

⚠️ You should have the uninstall password configured before generating the SSL certificate. Refer to the steps in the section above to set up the password.

Generate the SSL Certificate: (These steps have to be performed on the IT admin's Mac)

First generate a PEM certificate with an associated private key using the below command:

openssl req -new -days 1825 -nodes -x509 -subj '/C=RO/ST=Bucharest/L=Bucharest/O=Endpoint/CN=MyBEST CA SSL' -keyout rootCA.key -out rootCA.pem

Next, generate a PFX certificate named certificate.pfx using the PEM and KEY files from the previous step. This certificate needs to be always trusted, and its export password must be the MD5 hash of the uninstall password.

Calculate the MD5 hash of the uninstall password using the command below. It prints a hexadecimal hash, which is required in the next steps.

md5 -s UNINSTALL_PASSWORD

Now, use the command below to generate certificate.pfx:

openssl pkcs12 -inkey rootCA.key -in rootCA.pem -export -out certificate.pfx

At this point, Terminal prompts for the Export password: enter the MD5 hash of the uninstall password calculated above.

Finally, the certificate.pfx file is ready to be deployed.
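The three certificate commands above, combined into one script that also verifies the finished bundle. This is an added example, not code from the original article or from Bitdefender or JumpCloud. It assumes openssl is installed, reads the uninstall password from the BEST_UNINSTALL_PASSWORD environment variable (so the password does not end up in the shell history the way `md5 -s PASSWORD` does), and computes the MD5 with `openssl dgst`, which yields the same digest as `md5 -s` on macOS. The output directory, the script name best-cert.sh and the PFX_PASS variable are the example's own choices.

```bash
#!/bin/bash
# Added example (not from the original article, Bitdefender or JumpCloud):
# builds rootCA.key, rootCA.pem and certificate.pfx as described above, with the
# PFX protected by the MD5 hash of the uninstall password, and checks that the
# bundle opens with that hash before it is uploaded to the JumpCloud policy.
set -euo pipefail

# MD5 of the uninstall password as lowercase hex. Same digest that `md5 -s PASSWORD`
# prints on macOS; openssl keeps it portable and the password off the command line.
uninstall_password_md5() {
  printf '%s' "$1" | openssl dgst -md5 | awk '{ print $NF }'
}

# Step 1: self-signed CA (rootCA.key + rootCA.pem), valid 5 years, same subject as above.
generate_root_ca() {
  local out_dir="$1"
  openssl req -new -x509 -days 1825 -nodes \
    -subj '/C=RO/ST=Bucharest/L=Bucharest/O=Endpoint/CN=MyBEST CA SSL' \
    -keyout "$out_dir/rootCA.key" -out "$out_dir/rootCA.pem" 2>/dev/null
}

# Step 2: export certificate.pfx. The export password is handed to openssl through an
# environment variable (its env: password source) instead of an interactive prompt.
export_pfx() {
  local out_dir="$1" pfx_password="$2"
  PFX_PASS="$pfx_password" openssl pkcs12 -export \
    -inkey "$out_dir/rootCA.key" -in "$out_dir/rootCA.pem" \
    -out "$out_dir/certificate.pfx" -passout env:PFX_PASS
}

# Step 3: confirm the bundle opens with the given password (non-zero exit otherwise).
# The value that passes here is the one to enter in the policy's Passphrase field.
verify_pfx() {
  local pfx="$1" pfx_password="$2"
  PFX_PASS="$pfx_password" openssl pkcs12 -in "$pfx" -noout -passin env:PFX_PASS 2>/dev/null
}

# All three steps for a real deployment; prints the hash to paste into JumpCloud.
build_best_certificate() {
  local out_dir="$1" password="$2" hash
  hash="$(uninstall_password_md5 "$password")"
  generate_root_ca "$out_dir"
  export_pfx "$out_dir" "$hash"
  verify_pfx "$out_dir/certificate.pfx" "$hash"
  printf 'certificate.pfx written to %s\nPFX passphrase (MD5 of uninstall password): %s\n' \
    "$out_dir" "$hash"
}

# Runs only when the password is supplied in the environment, e.g.
#   BEST_UNINSTALL_PASSWORD='<uninstall password>' bash best-cert.sh ./best-cert-out
if [ -n "${BEST_UNINSTALL_PASSWORD:-}" ]; then
  out_dir="${1:-.}"
  mkdir -p "$out_dir"
  build_best_certificate "$out_dir" "$BEST_UNINSTALL_PASSWORD"
fi
```

The final check matters because a PFX exported with a mistyped password installs fine through the policy but is never unlocked by BEST, and the symptom on the endpoint is only that users keep getting certificate prompts.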

Deploy the SSL Certificate to the endpoint Keychain using JumpCloud Policy:

  • Log in to the Admin Console, navigate to Policy Management, search for the macOS Install Certificate policy and configure it with the following values:
    • Policy Name - BEST SSL Certificate
    • Certificate Type - PKCS #12
    • Passphrase - MD5 hash of the uninstall password
    • Base64-Encoded Certificate - upload the certificate.pfx
    • Set Payload Certificate Filename - Unchecked
  • Assign the policy to the target Mac device(s); the certificate will be installed in the 'System' Keychain.

Deploy the same SSL certificate on the machine in the path /Library/DeployCert using JumpCloud Commands:

In the Admin Console, navigate to JumpCloud Commands and set up a new Command as shown below:

  • Name - Deploy Cert
  • Run As - root
  • Type - Mac
  • Command -
    mkdir -p /Library/DeployCert
    mv /tmp/certificate.pfx /Library/DeployCert/
    chmod -x /Library/DeployCert
    chmod +w /Library/DeployCert
  • Timeout - 180 Seconds
  • Under Files, upload the certificate.pfx file.

Assign the command to target Mac device(s) and execute the command to push the certificate to the specified folder.

After the PFX certificate is installed, trusted in Keychain, and deployed to /Library/DeployCert, BEST will use it for MITM (TLS interception of web traffic), and the local user will no longer be prompted to install the SSL certificate.

The certificate deployed to /Library/DeployCert will have priority over the Bitdefender CA SSL certificate that has been previously installed and trusted in Keychain. Following this procedure, BEST will stop using Bitdefender CA SSL and will load instead the new certificate.

Deploy the MDM Configuration Profile to preapprove the Endpoint Agent permissions

Bitdefender provides a preconfigured macOS MDM configuration profile, which approves System Extension, grants Full Disk Access, configures Notification, sets up Content Filter and deploys the certificate for BEST to function optimally without any end user interaction.

  • Download the MDM configuration profile available here.
  • Log in to the Admin Console, navigate to Policy Management and deploy the profile as-is using JumpCloud's Mac MDM Custom Configuration Profile policy.
  • Once deployed, you can verify the configuration profile on the Mac endpoint under System Settings > General > Device Management (on macOS 15 and above) OR System Settings > Privacy & Security > Profiles (on macOS 14 and below).

Alternatively, if you wish to configure the permissions yourself, you can leverage JumpCloud's Mac System Extension Policy and Application Privacy Preferences Policy to grant permissions to the Agent.

To preapprove the System Extension:

  • Log in to the Admin Console and navigate to Policy Management.
  • Search for the macOS System Extension policy and configure it with the following values:
    • Policy Name - BEST System Extension
    • Team ID - GUNFMW623Y
    • Bundle ID - com.bitdefender.cst.net.dci.dci-network-extension
    • Security Extension - Enabled
    • Driver Extension - Disabled
    • Network Extension - Disabled
  • Save the policy and assign to the target Mac device(s).

To grant Full Disk Access:

Full Disk Access permissions for the security agent can be deployed using the Application Privacy Preferences Policy. However, only one identifier can be configured in a single policy, and there are two identifiers to be configured for FDA, as listed below, so two policies are needed. For each policy, under Privacy Preferences check the 'Allow Access To All Files' option.

BDLDaemon.app:

  • Identifier:  com.bitdefender.epsecurity.BDLDaemonApp
  • Identifier Type: Bundle ID
  • Code Requirement: anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)

EndpointSecurityforMac.app:

  • Identifier: com.bitdefender.EndpointSecurityforMac
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y

To deploy Web Content Filter: (I recommend using iMazing Profile Editor for this payload)

Create a custom MDM configuration profile for Web Content Filter and deploy it using Mac MDM Custom Configuration Profile policy.

  • Filter Type: Plugin
  • User Defined Name: Bitdefender
  • Plugin Bundle ID: com.bitdefender.epsecurity.BDLDaemonApp
  • Enable Packet Filtering: Checked
  • Filter Packet Provider Bundle ID: com.bitdefender.cst.net.dci.dci-network-extension
  • Filter Packet Provider Designated Requirement: anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)
⚠️ Note - When creating custom configuration profiles using either Apple Configurator or iMazing Profile Editor, ensure that you also add Payload Organization (your company name), Payload Scope (System) and Target Device Type (Mac).

Deploy the Agent using a script via JumpCloud Commands

First, you need the DMG installation package URL to add to the installation script. To obtain your installation package link, log in to GravityZone Control Center, navigate to Network > Installation packages > Send download links and copy the link for macOS DMG Downloader.


In JumpCloud Commands, configure the script below, set to run as 'root' with the timeout set to '300' seconds:

#!/bin/bash
BD_TEMP="/var/tmp/temp_bd"
DMG_URL="DMG_DOWNLOAD_URL"    # replace with the macOS DMG Downloader link copied from GravityZone earlier
# Work in a private temp directory that is removed once the installer has run
mkdir -p "$BD_TEMP" && cd "$BD_TEMP"
# -f fails on an HTTP error instead of saving an error page; -o fixes the file name the next step expects
curl -fL -o setup_downloader.dmg "$DMG_URL"
hdiutil attach setup_downloader.dmg -nobrowse -quiet
# The downloader fetches the full BEST package from GravityZone and installs it silently
"/Volumes/Endpoint for MAC/SetupDownloader.app/Contents/MacOS/SetupDownloader" --silent
hdiutil detach "/Volumes/Endpoint for MAC/"
rm -rf "$BD_TEMP"
Assign the Command to the target Mac device(s) and execute it to deploy the Bitdefender Endpoint Security Agent.

Verify that the Endpoint Protection is installed

Finally, verify that BEST has been installed successfully, as seen on the endpoint as well as in the GravityZone Control Center.

Screenshot from the Mac Endpoint (image not included).

Screenshot of the device registered in the GravityZone's Network section (image not included).
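The endpoint-side verification above is done by eye in the screenshots; the following script checks the same pieces from a JumpCloud Command so it can be run across a fleet. It is an added example, not code from the original article or from Bitdefender or JumpCloud. The network extension bundle ID, team ID and CA name are the values used earlier in this guide; the profile identifier, the version string in the sample listing and the script name best-verify.sh are assumed placeholders. Each parser takes the output of the relevant macOS command as text, so the logic can be exercised against constructed sample output off a Mac; `bash best-verify.sh --live` evaluates the real endpoint (run as root).

```bash
#!/bin/bash
# Added example (not from the original article, Bitdefender or JumpCloud):
# post-deployment checks for the BEST components this guide installs.

BEST_NETEXT_ID="com.bitdefender.cst.net.dci.dci-network-extension"
BEST_CA_CN="MyBEST CA SSL"
BEST_PFX_PATH="/Library/DeployCert/certificate.pfx"
BEST_PROFILE_ID="com.example.best-mdm-profile"   # assumed placeholder: use your profile's identifier

# Constructed sample output (not captured from a real endpoint) shaped like
# `systemextensionsctl list` and `profiles -P`, used to exercise the parsers below.
SAMPLE_SYSEXT="$(
  printf '%s\n' '--- com.apple.system_extension.network_extension'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '*\t*\tGUNFMW623Y\t%s (7.0.0/7.0.0)\tdci-network-extension\t[activated enabled]\n' "$BEST_NETEXT_ID"
)"
SAMPLE_PROFILES="$(
  printf '_computerlevel[1] attribute: profileIdentifier: %s\n' "$BEST_PROFILE_ID"
  printf '_computerlevel[2] attribute: profileIdentifier: com.example.other-profile\n'
)"

# Prints the bracketed state of one system extension from `systemextensionsctl list`
# output (e.g. "activated enabled"); prints nothing if the bundle ID is not listed.
sysext_state() {
  local listing="$1" bundle_id="$2"
  printf '%s\n' "$listing" | awk -v id="$bundle_id" '
    index($0, id) && match($0, /\[[a-z ]+\]/) { print substr($0, RSTART + 1, RLENGTH - 2); exit }'
}

# Succeeds if a profile with the given identifier appears in `profiles -P` output.
profile_installed() {
  local listing="$1" identifier="$2"
  printf '%s\n' "$listing" | grep -q -- "profileIdentifier: $identifier\$"
}

FAILURES=0
report() {   # report <exit status of the check> <label>
  if [ "$1" -eq 0 ]; then echo "OK   $2"; else echo "FAIL $2"; FAILURES=$((FAILURES + 1)); fi
}

# Live checks against the current Mac; exit status is the number of failed checks.
check_live() {
  local state
  state="$(sysext_state "$(systemextensionsctl list 2>/dev/null)" "$BEST_NETEXT_ID")"
  [ "$state" = "activated enabled" ]; report $? "network extension state: ${state:-not listed}"
  profile_installed "$(profiles -P 2>/dev/null)" "$BEST_PROFILE_ID"; report $? "MDM profile $BEST_PROFILE_ID"
  security find-certificate -c "$BEST_CA_CN" /Library/Keychains/System.keychain >/dev/null 2>&1
  report $? "CA '$BEST_CA_CN' in System keychain"
  [ -f "$BEST_PFX_PATH" ]; report $? "$BEST_PFX_PATH present"
  pgrep -f BDLDaemon >/dev/null 2>&1; report $? "BDLDaemon running"
  return "$FAILURES"
}

if [ "${1:-}" = "--live" ]; then
  check_live
  exit $?
fi
```

Because the Command's exit status is the failure count, a non-zero result surfaces in the JumpCloud command results for the device without anyone having to open System Settings on it.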

For silent uninstallation of the password-protected BEST, refer to the steps in the article Silent uninstallation of password-protected Bitdefender Endpoint Security Tools in macOS. Hereafter, macOS endpoints can be secured and scanned remotely from the GravityZone portal. For further information and assistance with the Bitdefender Agent, you may reach out to the Bitdefender Support team from here or refer to their Knowledge Base from here.

1 REPLY

saifshaik
JumpCloud Employee

[UPDATE - 5/10]
There was a line missing in the install script, which is fixed now and the deployment has been tested.
