Apple MDM Profile Configuration

Installing Endpoint Security for macOS manually on an endpoint requires the user to approve the Endpoint Security system and kernel extensions by hand and to grant the Endpoint Security components Full Disk Access.

Third-party software deployment tools, such as JAMF or Intune, avoid these manual approvals by deploying the necessary MDM payloads to MDM-managed endpoints.

Note - Configuring profiles by hand is difficult and error-prone. Check Point recommends importing these pre-configured configuration profile files.

File: EPS_MDM/profiles/Endpoint Security for macOS (Privacy Preferences).mobileconfig
Affected Blades: Needed for all blade configurations and Harmony Endpoint versions.

File: EPS_MDM/profiles/Endpoint Security for macOS Network Extension.mobileconfig
Affected Blades: Required when you use any of these security blades:

  • Anti-Bot and URL Filtering

  • Firewall and Application Control

This is the same file as Firewall Network Filter.mobileconfig, which was distributed with legacy configurations.

Legacy profiles

Note - These profiles are relevant only for Endpoint Security client E88.00 and lower.

File: EPS_MDM/profiles/Endpoint Security for macOS (Kernel Extensions - deprecated).mobileconfig
Affected Blades: New installations of the Media Encryption & Port Protection security blade, up to E88.00.

File: EPS_MDM/profiles/Endpoint Security for macOS Anti-Bot Network Filter.mobileconfig
Affected Blades: Anti-Bot and URL Filtering security blades, up to E88.00.

File: EPS_MDM/profiles/Endpoint Security for macOS Application Control Network Filter.mobileconfig
Affected Blades: Firewall and Application Control security blades, up to E87.71.

Note - The FileVault blade triggers a system notification that cannot be suppressed by an MDM.

Managing Legacy Kernel Extensions in macOS

Note - These kernel extensions are applicable only for Endpoint Security client for macOS E88.00 and lower.

The Media Encryption & Port Protection blade installs a Kernel Extension, which necessitates a system reboot. In certain Mobile Device Management (MDM) solutions such as Jamf, it is possible to deploy a script that initiates a Kernel Cache rebuild and subsequent reboot.

In addition, on Apple silicon it is necessary to follow the instructions described in the Apple Support documentation, here.

With macOS 11 or higher, more steps are necessary to load and use legacy kernel extensions: the user must approve them in Security & Privacy preferences, and must then restart the computer so that the kernel extension is loaded into the kernel cache. To complete this additional process with MDM, use the technologies in JAMF Pro. See Managing Legacy Kernel Extensions in macOS Using Jamf Pro. Other MDM systems must provide a similar flow to achieve the necessary restart.

Best Practice - We recommend configuring the kernel extension in JAMF Pro as described in the steps that follow. For the script that triggers the restart policy, click here.

Step 1: Create the JAMF script that sends a JAMF custom event to trigger a restart policy.

  1. Navigate to Computers > Management Settings > Script.

  2. Click + New.

  3. Select General and enter a Display Name. If necessary, configure other settings.

  4. From the downloaded script archive, open the script triggerMdmRestartWithCacheRebuildEvent.sh in a text editor and copy all the content.

  5. Select Script and paste the copied script.

  6. Click Save.

Step 2: Create the policy that runs the script from Step 1 regularly to check whether the restart policy should be triggered.

  1. Navigate to Computers > Policies > + New.

  2. Select General and enter a display name.

  3. Under Trigger, select Login and Recurring Check-in.

  4. Select Scripts, click Configure, and add the script with the display name configured above.

  5. Set Priority to Before.

  6. For the Parameter 4 value, enter the name of the event that triggers the restart policy (described in Step 3), for example approveAndRebootForEPKexts.

Step 3: Create the policy that runs when the event is triggered.

  1. Navigate to Computers > Policies > + New.

  2. Select General and enter a display name.

  3. Select Custom Trigger and enter the same custom event name, for example approveAndRebootForEPKexts, that was passed as Parameter 4 to the script in the policy defined above.

  4. Select Restart Options > MDM Restart with Kernel Cache Rebuild and add these kext paths:

    • /Library/Extensions/USB_Blocking.kext

    • /Library/Application Support/Checkpoint/Endpoint Security/esfs/Contents/Resources/mount_esfs.app/Contents/Extensions/11/esfs.kext

    • /Library/Application Support/Checkpoint/Endpoint Security/esfs/Contents/Resources/mount_esfs.app/Contents/Extensions/12/esfs.kext

  5. Set No User Logged In Action to Restart immediately and User Logged In Action to Restart with a delay of one minute, and select Start the restart timer immediately.

  6. Click Save.
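The following is an added example, not Check Point's triggerMdmRestartWithCacheRebuildEvent.sh (which this page does not reproduce). It shows one way the Step 1 script can decide whether to fire the custom event: it reads the bundle identifiers of the Step 3 kexts from disk, compares them with the list of loaded kexts, and calls jamf policy -event only when one is not loaded. It assumes PlistBuddy, kmutil or kextstat, and the Jamf binary at /usr/local/bin/jamf, and that Jamf passes the event name as Parameter 4.

```shell
#!/bin/sh
# Hypothetical stand-in for the Step 1 script (not Check Point's
# triggerMdmRestartWithCacheRebuildEvent.sh). Jamf passes script parameters
# from $4 onward, so $4 is the custom event name set in Step 2.
EVENT_NAME="${4:-approveAndRebootForEPKexts}"
# Kext paths from Step 3, one per line (POSIX sh has no arrays).
KEXT_PATHS='/Library/Extensions/USB_Blocking.kext
/Library/Application Support/Checkpoint/Endpoint Security/esfs/Contents/Resources/mount_esfs.app/Contents/Extensions/11/esfs.kext
/Library/Application Support/Checkpoint/Endpoint Security/esfs/Contents/Resources/mount_esfs.app/Contents/Extensions/12/esfs.kext'

# CFBundleIdentifier of an on-disk kext bundle (empty if the bundle is absent).
kext_bundle_id() {
  /usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$1/Contents/Info.plist" 2>/dev/null
}

# Pure function, testable offline: $1 is the text of `kmutil showloaded` (or
# `kextstat`), the remaining arguments are bundle IDs. Prints each ID that does
# not appear as an exact whitespace-delimited token (so com.x never matches com.x.y).
missing_kexts() {
  loaded="$1"; shift
  for id in "$@"; do
    printf '%s\n' "$loaded" | tr -s '[:space:]' '\n' | grep -Fxq -- "$id" \
      || printf '%s\n' "$id"
  done
}

# Exit status 0 when at least one expected kext is not loaded, i.e. a restart is needed.
restart_required() { [ -n "$(missing_kexts "$@")" ]; }

main() {
  # Collect bundle IDs only for kexts actually installed (a blade may be absent).
  ids=$(printf '%s\n' "$KEXT_PATHS" | while IFS= read -r p; do
          [ -d "$p" ] && kext_bundle_id "$p"
        done)
  [ -n "$ids" ] || { echo "No Check Point kexts installed; nothing to do"; return 0; }
  loaded=$(kmutil showloaded 2>/dev/null || kextstat 2>/dev/null)
  # $ids is intentionally word-split (newline-separated; bundle IDs contain no spaces).
  if restart_required "$loaded" $ids; then
    echo "Not loaded: $(missing_kexts "$loaded" $ids | tr '\n' ' ')"
    /usr/local/bin/jamf policy -event "$EVENT_NAME"   # fires the Step 3 restart policy
  else
    echo "All Check Point kexts are loaded; no restart needed"
  fi
}

# Act only on macOS; on other systems the functions are merely defined (e.g. for testing).
if [ "$(uname)" = "Darwin" ]; then main; fi
```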