This document describes how Endpoint Security for macOS can be used with a device management system.

Mobile Device Management (MDM) is the management of mobile devices through use and security. Mobile devices are managed through a strategy that shows necessary information about each device, determines which applications can be installed, and remotely secures mobile devices if they are lost or stolen. MDM can also track a mobile device's location by the user and geographical location.


This document is only for Check Point's Endpoint Security for macOS product.


  • Endpoint Security Remote Access VPN is not supported.

  • This document is valid for all macOS Client releases starting from E82.00


Apple MDM Profile Configuration

The profile configuration is documented in Apple MDM Profile Configuration. A device management integrated with Apple can install Apple MDM profiles so that installation becomes silent for the end user. Check Point provides the files (here) which can be conveniently imported to the device manager.

Device Management Deployments

For client deployment, use one of these workflows.

  1. (Recommended*) MDM installation script generated from a Tiny agent downloaded from the Endpoint Security Management Server (E86.30 and higher). Use the cloud-based Endpoint Server version R81(123) or R81.10 (56) or higher to download a macOS Tiny agent.

    For on-premises, use the Endpoint Security Management Server R81.20 or higher.

    The downloaded tiny agent is run to create a script that is uploaded to the MDM and deployed to managed clients. The script downloads the Endpoint Client's initial client and then installs the full client as assigned by the software deployment policy on the Endpoint Security Management Server instance used.

  2. MDM custom .pkg. Compile and deploy a custom “MDM pkg”, which contains files from an Endpoint Security macOS ZIP file (exported from an Endpoint Security Management Server). Some device management systems, such as JAMF Pro, bring a graphical utility to create the “MDM pkg”. If necessary, Check Point can provide a Terminal script.

  3. cpConfigTool (E86.20 and higher – EA status) Deploy the release .pkg, which is downloaded from the Check Point Support Center. After the deployment is complete, the MDM script can configure a client with the installed cpConfigTool utility. Check Point provides template scripts for deployment and uninstallation. These are parameterized to make it possible to configure with a server connection token, capabilities to install, and organizational password to use for uninstallation.

  4. MDM custom .dmg creates and deploys a custom “MDM dmg”, which contains files from an Endpoint Security macOS ZIP file (exported from an Endpoint Security Management Server). It may be necessary to further process the .dmg, which depends on the MDM used.

*This is preferred as the Endpoint Security Management Server software deployment policies handle Endpoint Client upgrades and changes of deployed blades. How to handle this on the MDM used is vendor specific and is not described in this guide.