MDM Deployment of the Harmony SASE MacOS Agent with Internet Security

The Harmony SASE system includes Web Security features. When Internet Security is enabled on the workspace, the system deploys a locally installed extension, content filter, and certificate to perform SSL decryption. These components are typically installed post-login, requiring user approval. Administrators can pre-deploy these configurations to eliminate the need for user approval and prevent potential misconfigurations of web security components.

Deploying the Agent through MDM

Downloading the Certificate

  1. For information on how to download the certificate, see Downloads.

  2. Once the certificate is downloaded, add it to the deployment through MDM.

Deploying the Content Filter and System Extension

  • Download the .mobileconfig file and certificate for deployment through MDM:

    Harmony SASE.mobileconfig

  • Alternatively, a Workspace Administrator can manually configure the Content Filter and System Extension for deployment through MDM.

    Note - Each vendor may assign different names to these values.

    • Deploy a Content Filter:

      • Filter Type: Plug-in

      • Connection Name: Harmony SASE

      • Identifier: com.safervpn.osx.smb

      • Filter Webkit traffic: Yes

      • Filter Socket Traffic: Yes

      • Socket Filter Bundle ID: com.safervpn.osx.smb

      • Socket Requirement: identifier "com.safervpn.osx.smb" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "924635PD62"

      • Filter Network Pockets: Yes

      • Pocket Bundle ID: com.safervpn.osx.smb

      • Packet Requirement: identifier "com.safervpn.osx.smb" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "924635PD62"

      • Filter Grade: Firewall

    • Deploy a System Extension:

      • Navigate to where you add the VPN Payload Profiles and add a MacOS profile and context Device Profile.

      • Allow User Overrides: Yes

      • Allowed System Extension Types: Network

      • Team ID: 924635PD62

      • Bundle Identifier: com.safervpn.osx.smb.proxy