Generally, when deploying macOS Antivirus or Endpoint Security solutions remotely via an MDM solution, before the security agent is installed, it needs to have pre-approved permissions like Full Disk Access, System Extensions, VPN, Notifications etc for the agent to function correctly. Therefore the configuration profiles have to be deployed prior to deploying the agent.
To deploy ESET Endpoint Security on macOS Mac fleet using JumpCloud, there are 5 steps:
- Deploy the System Extensions using a preconfigured JumpCloud policy.
- Craft and deploy the configuration profiles for Full Disk Access, VPN and Firewall via custom policy.
- Create the Agent Live Installer script from ESET PROTECT On-Prem.
- Deploy the installer script via JumpCloud Commands.
- Verify that the Endpoint Protection is installed.
Deploy the System Extensions using preconfigured JumpCloud policy:
First, we begin by deploying the required System Extensions using JumpCloud's Mac System Extension Policy.
- Login to the JumpCloud Admin Console and navigate to Policy Management.
- Search for macOS System Extension policy and configure it with the following values:
- Policy Name - ESET System Extensions
- team ID -
P8DQRXPVLP - Bundle IDs -
com.eset.endpointcom.eset.networkcom.eset.firewallcom.eset.devices
- Security Extension - Enabled
- Driver Extension - Disabled
- Network Extension - Disabled
- Save the policy and assign to the target Mac device(s).
Craft and deploy the configuration profiles for Full Disk Access, VPN and Firewall:
Full Disk Access permissions for the Endpoint Security agent can be deployed using JumpCloud’s Application Privacy Preferences Policy. However only one identifier can be configured in a single policy and there are five identifiers to be configured for FDA as listed below. For each policy, under Privacy Preferences check 'Allow Access To All Files' option.
Endpoint Security Identifier:
- Identifier:
com.eset.ees.g2 - Identifier Type: Bundle ID
- Code Requirement:
identifier "com.eset.ees.g2" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
Realtime Identifier:
- Identifier:
com.eset.endpoint - Identifier Type: Bundle ID
- Code Requirement:
identifier "com.eset.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
Network Identifier:
- Identifier:
com.eset.network - Identifier Type: Bundle ID
- Code Requirement:
identifier "com.eset.network" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
Firewall Identifier:
- Identifier:
com.eset.firewall - Identifier Type: Bundle ID
- Code Requirement:
identifier "com.eset.firewall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
Uninstaller Identifier:
- Identifier:
com.eset.Uninstaller - Identifier Type: Bundle ID
- Code Requirement:
identifier "com.eset.app.Uninstaller" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
Alternatively, if you do not wish to have five individual policies for the same FDA permission, you can create a custom MDM configuration profile using iMazing Profile Editor adding all five identifiers in a single 'Privacy Preferences Policy Control' payload and deploy the profile using JumpCloud's Mac MDM Custom Configuration Profile policy.
For VPN and Firewall configurations, since there are no preconfigured policies available, you can leverage Apple Configurator and iMazing Profile Editor to create custom MDM profiles with the values listed below and deploy it via JumpCloud Mac MDM Custom Configuration Profile policy.
VPN Payload: (I recommend using Apple Configurator for this payload)
- Name: ESET VPN
- VPN Type: VPN
- Connection type: Custom SSL
- Identifier:
com.eset.network.manager - server:
localhost - Provider Bundle Identifier:
com.eset.network - User Authentication: Certificate
- Provider Type: App-proxy
- Provider Designated Requirement:
identifier "com.eset.network" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP - Identity Certificate: None
- Idle Timer: Do not disconnect
- Proxy Setup: None
- Account: Skip this field and ignore the error when saving
Content Filter (Firewall) Payload: (I recommend using iMazing Profile Editor for this payload)
- Filter Type: Plugin
- Filter Name: ESET Firewall
- Identifier:
com.eset.firewall.manager - Filter order: Firewall
- Socket filter:
com.eset.firewall - Socket filter designated requirement:
identifier "com.eset.firewall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
| ⛔️ Note - When creating custom configuration profiles using either Apple Configurator or iMazing Profile Editor, ensure you also add Payload Organization (your company name), Payload Scope (System) and Target Device Type (Mac). |
Finally deploy all the policies configured so far to your target Mac device(s), to grant pre-approved permissions to the ESET Endpoint Security agent.
Create a Live Agent Installer script from ESET PROTECT On-Prem:
- Login to the ESET PROTECT Dashboard.
- From the left pane, select Installers, then click on 'CREATE INSTALLER' if you do not have any existing installers and select 'Customize Installer' at the bottom right.
- On the 'Create installer' wizard, select macOS. For Distribution select 'Deploy Agent first (Agent script installer)' option. If you want you can customize more settings from the wizard, as per your requirement.
- Click 'SAVE & DOWNLOAD' and installer file in .tar.gz format will be downloaded. Extract the gz file to retrieve the installer script - PROTECTAgentInstaller.sh.
| ⛔️ Note - You can use the same installer and installer script for multiple devices. |
Deploy the Installer script via JumpCloud Commands:
- In JumpCloud Admin Console, navigate to Commands and set up a new Command.
- Under Files, upload the PROTECTAgentInstaller.sh script and by-default it is saved in
/tmp/PROTECTAgentInstaller.shfile destination. - Configure the below command, set to run as '
root' and time out set to '600' seconds:chmod +x /tmp/PROTECTAgentInstaller.sh sh /tmp/PROTECTAgentInstaller.sh rm /tmp/PROTECTAgentInstaller.sh
- Assign the command to target Mac device(s) and execute the command.
- Upon successful executing of the Command, we see the below command result:
Verify the Endpoint Agent is installed:
We see the end point registered in ESET PROTECT under Computers:
