Apple MDM Profile Configuration

Installing Endpoint Security for macOS manually on an endpoint requires the user to manually approve the Endpoint Security components' system and kernel extensions and to grant them Full Disk Access.

Using a third-party software deployment tool, such as Jamf or Intune, avoids this manual approval by deploying the necessary MDM payloads to the MDM-managed endpoint.

Constructing these profiles by hand is difficult and error-prone. Therefore, it is recommended to import these preconfigured Check Point files:

File                                                                                         | Affected Blades
---------------------------------------------------------------------------------------------|----------------------------------
EPS_MDM/profiles/Endpoint Security for macOS (Privacy Preferences).mobileconfig              | All
EPS_MDM/profiles/Endpoint Security for macOS (Kernel Extensions).mobileconfig                | Media Encryption & Port Protection
EPS_MDM/profiles/Endpoint Security for macOS Anti-Bot Network Filter.mobileconfig            | Anti-Bot
EPS_MDM/profiles/Endpoint Security for macOS Firewall Network Filter.mobileconfig            | Firewall
EPS_MDM/profiles/Endpoint Security for macOS Application Control Network Filter.mobileconfig | Application Control

Note - The FileVault blade triggers a system notification that cannot be suppressed by an MDM.

Managing Legacy Kernel Extensions in macOS

The Media Encryption & Port Protection blade installs a Kernel Extension, which necessitates a system reboot. In certain Mobile Device Management (MDM) solutions such as Jamf, it is possible to deploy a script that initiates a Kernel Cache rebuild and subsequent reboot.

In addition, on Apple Silicon, it is necessary to follow the instructions described in the Apple Support documentation, here.

With macOS 11 or higher, more steps are necessary to load and use legacy kernel extensions. This requires user approval in Security & Privacy preferences. In addition, users must restart their computers to load the kernel extension into the kernel cache. To complete this additional process with MDM, use the technologies in Jamf Pro. See Managing Legacy Kernel Extensions in macOS Using Jamf Pro. Similar flows must exist in other MDM systems to achieve the necessary restart.

Best Practice - We recommend configuring the kernel extension in Jamf Pro as described in the steps that follow. For the script that triggers the restart policy, click here.

Step 1: Create the Jamf script that sends a Jamf custom event, which triggers a policy for restart.

  1. Navigate to Computers > Management Settings > Script.

  2. Click + New.

  3. Select General and enter a Display Name. Add other settings if necessary.

  4. From the downloaded script archive, open the script triggerMdmRestartWithCacheRebuildEvent.sh in a text editor and copy all the content.

  5. Select Script and paste the copied script.

  6. Click Save.

Step 2: Create the policy that runs the script from Step 1 regularly, so that it can check whether the restart policy should be triggered.

  1. Navigate to Computers > Policies > + New.

  2. Select General and enter a display name.

  3. Click Trigger at Login and Recurring Check-in.

  4. Select Scripts, click Configure, and add the script with the display name configured above.

  5. Set Priority to Before.

  6. For the Parameter 4 value, enter the name of the event that triggers the restart policy (described in Step 3). For example, approveAndRebootForEPKexts.

Step 3: Create the policy that runs when the event is triggered.

  1. Navigate to Computers > Policies > + New.

  2. Select General and enter a display name.

  3. Select Custom Trigger and enter the same custom event name, for example approveAndRebootForEPKexts, that was passed as the parameter to the script in the policy defined above.

  4. Select Restart Options > MDM Restart with Kernel Cache Rebuild and add these paths:

    • /Library/Extensions/USB_Blocking.kext

    • /Library/Application Support/Checkpoint/Endpoint Security/esfs/Contents/Resources/mount_esfs.app/Contents/Extensions/11/esfs.kext

    • /Library/Application Support/Checkpoint/Endpoint Security/esfs/Contents/Resources/mount_esfs.app/Contents/Extensions/12/esfs.kext

  5. Set No User Logged in Action to Restart immediately and User Logged in Action to Restart with a delay of one minute. Select Start the restart timer immediately.

  6. Click Save.
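The script referenced in Step 1 is shipped in Check Point's archive and is not reproduced on this page. The following is an added example, not the vendor script, showing what such a check-in script has to do: fire the Step 2 custom event (Parameter 4, passed by Jamf as $4) only while a required kernel extension is installed but not yet loaded, so that the Step 3 restart policy runs once and the Mac does not restart in a loop. It assumes kextstat and PlistBuddy are available on the endpoint and that only the esfs build matching the running macOS major version (Extensions/11 or /12) is expected to load.

```shell
#!/bin/sh
# Added example standing in for Check Point's triggerMdmRestartWithCacheRebuildEvent.sh
# (not the vendor script). Jamf runs it from the Step 2 policy and passes Parameter 4
# as $4: the custom event name that the Step 3 restart policy listens for.
set -u

EVENT_NAME="${4:-approveAndRebootForEPKexts}"   # Parameter 4; default is the page's example name
ESFS_BASE='/Library/Application Support/Checkpoint/Endpoint Security/esfs/Contents/Resources/mount_esfs.app/Contents/Extensions'

# esfs ships one build per macOS major version (Extensions/11, Extensions/12). Assumption:
# only the build matching the running OS is expected to load, so only that one is checked.
esfs_kext_path() { printf '%s/%s/esfs.kext' "$ESFS_BASE" "$1"; }

# CFBundleIdentifier of an installed kext, read from its Info.plist; nothing if it is absent.
kext_bundle_id() {
    [ -f "$1/Contents/Info.plist" ] || return 0
    /usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$1/Contents/Info.plist" 2>/dev/null
}

# Print the installed bundle IDs ($1, newline-separated) missing from the loaded list ($2).
# Pure string logic, so it can be tested without a Mac.
pending_kexts() {
    printf '%s\n' "$1" | while IFS= read -r id; do
        [ -n "$id" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$id" || printf '%s\n' "$id"
    done
}

# True (exit 0) when an installed kext is not yet loaded, i.e. the reboot is still needed.
# The policy runs at every check-in, so this must become false after the reboot.
restart_needed() { [ -n "$(pending_kexts "$1" "$2")" ]; }

main() {
    os_major="$(sw_vers -productVersion 2>/dev/null | cut -d. -f1)"
    installed="$(
        kext_bundle_id /Library/Extensions/USB_Blocking.kext
        kext_bundle_id "$(esfs_kext_path "$os_major")"
    )"
    # kextstat prints the loaded bundle ID in its 6th column.
    loaded="$(kextstat -l 2>/dev/null | awk '{print $6}')"
    if restart_needed "$installed" "$loaded"; then
        echo "Kernel extension(s) pending load; triggering Jamf event $EVENT_NAME"
        /usr/local/bin/jamf policy -event "$EVENT_NAME"
    else
        echo "All installed Endpoint Security kernel extensions are loaded; nothing to do"
    fi
}

main "$@"
```

The kext paths are the three from Step 3; the USB_Blocking kext is checked unconditionally and the esfs kext by OS major version.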