Views:

Setting the Permissions

In creating MDM profiles, the following items are required to ensure no pop-ups will show on the macOS endpoint after initial installation of the Trend Micro Mac security agents:

For Apex One (Mac), Cloud One (Mac), and WFBS (Mac)

Starting from macOS Big Sur 11.0, Kernel Extension will not be loaded by the system to comply with changes to the Apple guidelines for software developer. With that, the Trend Micro Mac Security agent has been updated with our Endpoint Security and Network Extension frameworks.

Required fields for System Extension MDM Profile is as follows:

System Extension Required fields
   
<key>AllowedSystemExtensionTypes</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>EndpointSecurityExtension</string>
<string>NetworkExtension</string>
</array>
</dict>
<key>AllowedSystemExtensions</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>com.trendmicro.icore.es</string>
<string>com.trendmicro.icore.netfilter</string>
</array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>
 
The current version of "iMazing Profile Editor" does not support this type, you can make corresponding changes on the sample file to meet your needs.

Unfamiliar Domain

Click the image to enlarge.

 

An on-device network content filter examines user network content as it passes through the network stack and determines if that content should be blocked or allowed to pass on to its final destination. For more details, refer to this Apple Article: Content Filter Providers.

Required fields for Web Content Filter MDM profile creation is as follows:

Web Content Filter Required fields
   
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.icore.netfilter</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.icore</string>

Full Disk Access permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your important data, such as Mail, Messages, TimeMachine, and Safari files. This means you need to manually grant permission for certain applications to access these protected areas of your macOS endpoint. In earlier versions of macOS (10.13 and lower), this permission is automatically granted during installation of your product.

 
If Full Disk Access is not enabled, your product is unable to scan all areas of your macOS endpoint. This means the Trend Micro Mac Security Agent cannot fully protect your macOS endpoint against malware and other network security threats, and product can only scan a limited portion of your system folders and hard drive, potentially resulting in unnecessary clutter remaining on your macOS endpoint.
 

In creating the MDM profile for Full Disk Access, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

  • Installer path:
    • /Applications/TrendMicroSecurity.app
    • /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app
    • /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.es.systemextension
    • /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.netfilter.systemextension
  • Required:
    • Properties:Accessibility → Allow
    • Properties:Admin Files → Allow
    • Properties:All Files → Allow
    • Apple Events:Finder → Allow
    • Apple Events:SystemUIServer → Allow
    • Apple Events:System Events → Allow

    iCoreService

    iCoreES

    Trend Micro Security Permissions

    NetFilter

    Click the image(s) to enlarge.

From macOS 13.0 Ventura, LaunchAgents and LaunchDaemons (in both /Library and ~/Library) are now managed from the System Settings > General > Login Items pane. They are the items under "Allow in the Background".

For Trend Vision One / XDR Agent for Mac

Team Identifier E8P47U2H32
Bundle Identifier com.trendmicro.icore.es.sa
Team Identifier E8P47U2H32
Bundle Identifier com.trendmicro.icore.netfilter.sa

Trend Micro Mac Security Agent installation will copy server info files to install path. In other words, the installer will access user's "Desktop/Downloads/Documents" folder, if "tmsminstall.pkg" is in "Desktop/Downloads/Documents".

From macOS10.13, system will display an alert if installers access "Desktop/Downloads/Documents folder". "installation.mobileconfig" profile is just for giving the installer permission to access these folders, so that an alert will not appear.

Installer Permission Prompt

Click the image to enlarge.

In creating the MDM profile for Installation permission, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

  • Installer path:
    • /System/Library/CoreServices/Installer.app
  • Required Permissions:
    • Properties:Desktop Folder → Allow
    • Properties:Documents Folder → Allow
    • Properties:Downloads Folder → Allow

    PPPC Installer Config

    Click the image to enlarge.

By adding below profile settings into MDM and deploy to the Managed Mac computer, the Chrome / Firefox extensions will be enabled automatically and a pop-up message for Chrome and FireFox will no longer appear:

 
  • For Safari, it is not possible make an automated browser extension deployment via MDM due to Apple's restriction.
  • For Chrome, after installing the "Google Chrome Extension", Chrome will download and install "Trend Micro Toolbar for Mac" from the Chrome Store, even if Apex One (Mac) has not been installed. The function of "Trend Micro Toolbar for Mac" is still in-preview and it cannot be uninstalled by the uninstaller yet.
  • For FireFox, It may appear that MDM has been configured but there is still a pop-up prompting to install FireFox Extension. This is a timing issue and FireFox Extension should have been installed successfully and you can ignore the pop-up.
 

OS Version System
Extension		 Web Content
Filter		 Full Disk
Access		 Kernel
Extension		 Installation Service Management -
Managed Login
Items
macOS Sequoia (15.x.x)
macOS Sonoma (14.x.x)
macOS Ventura (13.x.x)
macOS Monterey (12.x.x)
macOS Big Sur (11.x.x)
 
  • means this type of configuration file needs to be added, otherwise there will be a system or product dialog box pop-up.
  • means such configuration files are not required, and there may be errors when adding these files. It is recommended that the same systems be grouped together and be distributed with the same configuration.
 

Each bundle identifier is assigned a combined .mobileconfig for Apex One (Mac), WFBS (Mac), Cloud One (Mac) and Trend Vision One (Mac).

Bundle Identifier Sample MDM Profile
Full Disk Access
System Extension
Web Content Filter

Service Management - Managed Login Items
Installation
Browser Plugin Extension
 
  • "iMazing Profile Editor" or "Apple Configurator 2" or other third-party tools, none of them can complete each setting perfectly. After using them to generate the ".mobileconfig" file, it needs to be compared with the example file given to prevent missing settings and wrong settings.
  • Trend Vision One (Mac) does not utilize Browser Plugin Extension.
 

MDM Deployment steps

This section is mainly used by people who have already understood the basics of Workspace One UEM (Vmware Airwatch) and want to use "Custom Profiles" to enable the Trend Micro Mac Security Agent to obtain the necessary permissions for normal operation without being on duty.

Step 1: Agent Enrollment

  1. Log in to Airwatch/Workspace One, and go to Devices page, add a device, push mail notification to Mac Agent, Install and enroll this agent.

     
    For detailed steps, please refer to Workspace One guide.
     

    Add Device

    Workspace One Install

Step 2. Create Profile

Add a profile. Do the following:

  1. Click the Add button in the top bar, then choose Profile.

    Add Profile

  2. Select macOS.

    Add macOS Profile

  3. Click Device Profile.

    Device Profile

  4. Set the profile as General Information.

    General Information

Step 3. Create Kernel Extension Profile

As Mac OS release 11.x Big Sur edition, its settings are different with 10.15.x Catalina, we need to generate 2 profiles:

Profile Contained Setting Target OS
Mac_MDM_Profile1
  • Kernel Extension Policy

  • Privacy Preferences

    This privacy contains at least 2 apps:

    • com.trendmicro.tmsm.MainUI
    • com.trendmicro.icore
 10.15.x Catalina
Mac_MDM_Profile2
  • System Extension Policy

  • Privacy Preferences

    This privacy contains all 4 apps:

    • com.trendmicro.tmsm.MainUI
    • com.trendmicro.icore
    • com.trendmicro.icore.es
    • com.trendmicro.icore.netfilter
  • Content Filter
 11.x Big Sur

Create Profile1 (For 10.15.x Catalina)

  1. Generate "Kernel Extension" profile.

    Kernel Extension

    Allowed Team Identifiers Allowed Kernel Extensions
    E8P47U2H32
    • Team Identifier:
      E8P47U2H32
    • Bundle ID:
      com.trendmicro.kext.KERedirect
    • Team Identifier:
      E8P47U2H32
    • Bundle ID:
      com.trendmicro.kext.filehook

  2. Generate “Privacy Preferences“ for ”Full Disk Access”, "Apple Events", etc. profile.

    Privacy Preferences

    Identifier Allowed Content Apple Events-1 Apple Events-2 Apple Events-3

    Identifier:
    com.trendmicro.tmsm.MainUI

    Identifier Type:
    BUNDLEID
    BUNDLEID

    Code Requirement:

    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Identifier:
    com.trendmicro.icore

    Identifier Type:
    BUNDLEID
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    Identifier
    Click to enlarge    		 Allowed Content
    Click to enlarge    		 Apple Events-1
    Click to enlarge    		 Apple Events-2
    Click to enlarge    		 Apple Events-3
    Click to enlarge

Step 4. Create System Extension Profile

Create Profile2 (For 11.x Big Sur)

  1. Generate "System Extension" profile.

    Generate System Extension

    Allowed System Extension Types Allowed System Extensions

    Team Identifier*
    E8P47U2H32

    Endpoint Security:checkmark

    Network: checkmark
    • Team Identifier:
      E8P47U2H32
    • Bundle ID:
      com.trendmicro.icore.es
    • Team Identifier:
      E8P47U2H32
    • Bundle ID:
      com.trendmicro.icore.netfilter

  2. Generate “Privacy Preferences“ for ”Full Disk Access”, "Apple Events", etc. profile.

    Privacy Preferences

    For the configuration details, please refer to the following table:

    Identifier Allowed Content Apple Events-1 Apple Events-2 Apple Events-3

    Identifier:
    com.trendmicro.tmsm.MainUI

    Identifier Type:
    BUNDLEID
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Identifier:
    com.trendmicro.icore

    Identifier Type:
    BUNDLEID
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Identifier:
    com.trendmicro.icore.es

    Identifier Type:
    BUNDLEID
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Identifier:
    com.trendmicro.icore.netfilter

    Identifier Type:
    BUNDLEID
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

  3. Generate "Web Content Filter" profile.

    Web Content Filter

    **The 2 Key/Value pairs are:

    Key Value
    FilterDataProviderBundleIdentifier com.trendmicro.icore.netfilter
    FilterDataProviderDesignatedRequirement identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

Others

  1. Generate installation profile

    Installation Profile

    Define App

    Click the image(s) to enlarge.
    • Identifier Type: /System/Library/CoreServices/Installer.app
    • Code Requirement: identifier "com.apple/installer" and anchor apple
  2. Install the browser extensions. Refer to the following links:

  1. Log in to the Jamf Now console, and go to Devices page to see the enrolled or active Mac devices.

    Devices Page

    Click the image to enlarge.

     
    If there's no device in your device list, you have two ways to enroll your device
    • Auto: Use ADE to enroll device automatically
    • Manual: Click "Enroll This Device", then download the configuration profile to start the enrollment.
     
  2. Click Blueprints and select your target blueprint.

    Blueprints

    Click the image to enlarge.

  3. Select Custom Profiles tab, then add or upload your profiles.

    Custom Profile

    Click the image to enlarge.

  4. Upload all ".mobileconfig" files.

    Upload profiles

    Click the image to enlarge.

  5. Verify if all profiles have been configured.

    Verify profile configurations

    Click the image to enlarge.

Troubleshooting Common Issues

Error Message/Code Solution
Error Code: ConfigProfilePluginDomain:-319

ConfigProfilePluginDomain:-319

Click the image to enlarge.

 Upgrade the system to macOS10.13 or later.
Error Code: SPErrorDomain:10

SPErrorDomain:10

Click the image to enlarge.

 Change the level of security used on your startup disk. For details refer to Change startup disk security settings on a Mac with Apple silicon.
 
This error message on Jamf Now can be ignored as kernel extension on M1 is not needed.
 

For reference on how to deploy the Security Agent for Mac using Jamf Pro, refer to the following link:

Using Jamf Pro to deploy Trend Vision One, Apex One, or Cloud One for Mac

  1. Login in to Microsoft Intune.
  2. Click Devices > macOS to enter macOS devices setting page.

    Devices Page

    Click the image to enlarge.

  3. Select Configuration profiles > Create profile, then select Templates on the "Create a profile" pane.

    Configuration Profiles

    Click the image to enlarge.

    Below are the two ways to create a profile:

    • Select Custom, and upload the self-created ".mobileconfig" file. In this way, all types of profiles can be deployed.
    • Select Extensions. In this way, only "Kernel Extension" and "System Extension" can be deployed.
  4. Configure the "Custom" settings of the macOS Profile:

    Below is an example for System Extensions:

    1. Provide the name and description of the macOS Profile.

      Basic Info

      Click the image to enlarge.

    2. Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file.

      Config Profile

      Click the image to enlarge.

    3. Set the Included groups or Excluded groups according to your needs.

      Custom - Assignments

      Click the image to enlarge.

    4. You can view the progress of deployment, if there is no update for a long time, you can click the Assignments button below to execute again.

      System Extensions

      Click the image to enlarge.

    5. Once finished, the Deployment Status will show "Deploy succeeded".

      Deployment Succeeded

      Click the image to enlarge.

    6. Repeat the above operation to deploy all ".mobileconfig" profiles.

      Configuration Profiles

      Click the image to enlarge.

    7. Check status on the mac machine, and verify if the Full Disk Access is already present on the Profiles.

      Full Disk Access Status

      Click the image to enlarge.

To create an Apex One (Mac) profile using FileWave MDM:

  1. Go to the FileWave Console to get started.
  2. On the dashboard console, create a new desktop fileset:

    FileWave Dashboard

    Click the image to enlarge.

  3. Under System Extensions, provide the Apex One (Mac) agent identifiers to allow access to the Mac machines:
    Team Identifier E8P47U2H32
    BundleID com.trendmicro.icore.es,com.trendmicro.icore.netfilter

    System Extensions

    Click the image to enlarge.

  4. Add the allowed Security and Privacy settings as follows:
    • Full Disk Access:
      IDENTIFIER com.trendmicro.icore
      CODE REQUIREMENT identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
      Receiver Identifier com.apple.systemevents
      Receiver Code Requirement identifier "com.apple.systemevents" and anchor apple
    • Apex One (Mac) agent UI:
      IDENTIFIER com.trendmicro.tmsm.MainUI
      CODE REQUIREMENT identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
      Receiver Identifier com.apple.systemevents
      Receiver Code Requirement identifier "com.apple.systemevents" and anchor apple
    • Apex One (Mac) Endpoint Sensor:
      Receiver Identifier com.trendmicro.icore.es
      Receiver Identifier Type Bundle ID
      Receiver Code Requirement identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    • Apex One (Mac) Network Filter:
      Receiver Identifier com.trendmicro.icore.netfilter
      Receiver Identifier Type Bundle ID
      Receiver Code Requirement identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    • Apple System Events:
      Receiver Identifier com.apple.systemevents
      Receiver Identifier Type Bundle ID
      Receiver Code Requirement identifier "com.apple.systemevents" and anchor apple

    App Path or Bundle ID

    Click the image to enlarge.

  5. Deploy the FileWave profile to the Mac machine and then deploy the Apex One (Mac) agents after. A restart is needed for the profile to take effect on the machines.
Keywords: mdm config for apex one mac,config checklist mdm for apex one mac,extension for MDM apex one mac,jamf profile,MS intune profile,intune profile,filewave profile,3rd party mdm profile creation
Comments (0)