Silently Installing SCP 4.6+ macOS using MDM (Jamf)

Last updated
Save as PDF

User consent is required to load any third-party system extensions (for products using network extension on macOS Big Sur 11.1.x and later). As SCP 4.6.0 uses couple of Network System Extension for network events, so prior approval of the following are required:

Network Extension Transparent Proxy
Content Filter configurations

Install SCP Silently

You can install SCP without any manual user intervention

Create the following profiles:
- System Extensions Profile
- Content Filter Profile
- App Proxy Filter (VPN) Profile
Push them to the endpoint. For instance, using JamF.
Install SCP using the following Profile settings:

Profile

Settings

System Extensions Profile

Add System Extensions Profile.

Configure following:

Property	Value
Allowed Team IDs and System Extensions
Allow users to approve system extensions	Uncheck/disable
System Extension Types	Allowed System Extensions
Team Identifier	P2BNL68L2C
Allowed system extensions	com.trellix.CMF.networkextension com.trellix.endpointsecurity
Allowed Team IDs and System Extensions
Allow users to approve system extensions	Uncheck/disable
System Extension Types	Removal System Etxensions
Team Identifier	P2BNL68L2C
Allowed system extensions	com.trellix.CMF.networkextension com.trellix.endpointsecurity

Content Filter Profile

Add Content Filter Profile.

Configure following:

Property	Value
Filter Sockets (Socket Filter)	True
Filter Data Provider Bundle Identifier (Socket Filter Bundle Identifier)	com.trellix.CMF.networkextension
Filter Data Provider Designated Requirement (Socket Filter Designated Requirement)	anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field. 1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = P2BNL68L 2C)
Filter Packets (Network Filter)	True
Filter Packet Provider Bundle Identifier (Network Filter Bundle Identifier)	com.trellix.CMF.networkextension
Filter Packet Provider Designated Requirement (Network Filter Designated Requirement)	anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate leaf[field. 1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = P2BNL68L 2C)
Plugin Bundle ID (Identifier)	com.trellix.containerapp
User Defined Name (Filter Name)	TrellixSystemExtensions
Filter Type	Plug-in

App Proxy Filter Profile

You can use the following Proxy profile for the approval of the extension Proxy components (VPN Profile):

Add VPN

Configure following:

Property	Value
Connection Name	TrellixProxyExtension
VPN Type	VPN
Connection Type	Custom SSL
Identifier	com.trellix.containerapp
Server	localhost
Provider Bundle Identifier	com.trellix.CMF.networkextension
User Authentication	Certificate
Provider Type	App-Proxy
Include All Networks	False (unchecked)
Exclude Local Networks	False (unchecked)
Provider Designated Requirement	anchor apple generic and identifier "com.trellix.CMF.networkextension" and (certificate 0.113635.100.6.2.6] /* exists / and certificaleaf[field.1.2.840.113635.100.6.1.9] / exists / or certificate 1[field.1.2.84te leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = P2BNL68L2C)
Identity Certificate	None

Uninstall SCP

A prompt appears for entering the administrator credentials to uninstall the system extension for both SCP standalone and managed with Trellix ePO. If no credentials are entered or incorrect credentials are entered, the SCP removal does not continue. Provide correct credentials for successfully uninstalling SCP. For MDM-managed system, no administrator credentials are required. Jamf has provided a configuration profile through which Client Proxy can be silently uninstalled from the end point without the user's intervention.