Table of contents

Configure Mobile Device Management on Workload Security for the macOS agent

Using Mobile Device Management (MDM), administrators can configure the necessary permissions for macOS agents to work without additional operations required from the end-user. In addition to setting permissions, the sections below provide instructions to properly deploy MDM so that Trend Cloud One - Endpoint & Workload Security for macOS agents operates for the end-user without pop-ups (asking for permission, for example).

Configure required permissions

Before creating MDM profiles for Trend Cloud One - Endpoint & Workload Security for macOS agents, you need to perform a number of configurations to ensure messages do not display on the macOS endpoint after the initial installation of Trend Cloud One - Endpoint & Workload Security for macOS agents.

Configure kernel extensions

macOS10.15 requires user approval before loading new third-party kernel extensions. Trend Cloud One - Endpoint & Workload Security for Mac agents uses kernel extensions for the Core Shields real-time protection features. To ensure that your product can fully protect your system, you need to manually allow the extensions.

The following kernel extension MDM profile creation fields are required:

<key>AllowedKernelExtensions</key>
<dict>
    <key>E8P47U2H32</key>
    <array>
        <string>com.trendmicro.kext.KERedirect</string>
        <string>com.trendmicro.kext.filehook</string>
        </array>
</dict>
<key>AllowedTeamIdentifiers</key>
<array>
    <string>E8P47U2H32</string>
</array>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>

Configure system extensions

To comply with changes to the Apple guidelines for software developers, starting from macOS Big Sur 11.0, kernel extensions are not loaded by the system. With that, Trend Cloud One - Endpoint & Workload Security for macOS agent has been updated with our Endpoint Security and Network Extension frameworks:

The following system extension fields are required:

<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensionTypes</key>
<dict>
    <key>E8P47U2H32</key>
        <array>
            <string>EndpointSecurityExtension</string>
            <string>NetworkExtension</string>
        </array>
</dict>
<key>AllowedSystemExtensions</key>
<dict>
    <key>E8P47U2H32</key>
    <array>
        <string>com.trendmicro.icore.es</string>
        <string>com.trendmicro.icore.netfilter</string>
    </array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>

Configure web content filter

An on-device network content filter examines user network content as it passes through the network stack and determines if that content should be blocked or allowed to pass on to its final destination. For more details, see Content Filter Providers.

When creating an MDM profile, the following web content filter fields are required:

<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.icore.netfilter</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.icore</string>

Configure full disk access

For specific configuration instructions, see Creating and Configuring MDM Profiles for Trend Micro Security Agent for Mac.

Full disk access permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your important data in your Mail, Messages, TimeMachine, and Safari files, for example. You need to manually grant permission for certain applications to access these protected areas of your macOS endpoint.

Note that in earlier versions of macOS (10.13 and earlier), this permission is automatically granted during installation of your product.

If full disk access is not enabled, Workload Security is unable to scan all areas of your macOS endpoint. This means it cannot fully protect your endpoint against malware and other network security threats, and can only scan a limited portion of your system folders and hard drive.

Configure browser plugin extension

Optionally, add the profile settings into MDM and deploy them to the managed macOS computer to enable Chrome or Firefox extensions automatically and avoid pop-up messages:

After installing the Google Chrome Extension, Chrome downloads and install Trend Micro Toolbar for Mac from the Chrome Store, even if the Trend Cloud One - Endpoint & Workload Security agent for macOS has not been installed. Note that Trend Micro Toolbar for Mac does not yet have the full range of functionality and cannot be uninstalled.

After installing the Mozilla Firefox Extension, it may appear that MDM has been configured but a pop-up still prompts you to install the Firefox Extension. This is a timing issue. In fact, Firefox Extension has been installed successfully and you can ignore the pop-up.

For the Safari browser, it is impossible to automate browser extension deployment via MDM due to Apple restrictions.

Deploy agents from Mobile Device Management (MDM)

After you configure Mobile Device Management on Workload Security for the macOS agent, you can import deployment scripts in your MDM solution to install the agent: