Views:

Setting the Permissions

Required

In creating MDM profiles, the following items are required to ensure no pop-ups will show on the macOS endpoint after initial installation of the Trend Micro Mac security agents:

For Apex One (Mac), Cloud One (Mac), and WFBS (Mac)

From macOS 10.13 to macOS 10.15, Apple requires user approval before loading new, third-party kernel extensions. The Trend Micro Mac security agent uses kernel extensions for the Core Shields real-time protection features. To ensure that your product can fully protect your system, you need to manually allow the extensions.

Kernel Extension is not required on machines with Apple Silicon.

Required fields for Kernel Extension MDM Profile creation are as follows:

Kernel Extension Required fields

   
<key>AllowedKernelExtensions</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>com.trendmicro.kext.KERedirect</string>
<string>com.trendmicro.kext.filehook</string>
</array>
</dict>
<key>AllowedTeamIdentifiers</key>
<array>
<string>E8P47U2H32</string>
</array>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>

"AllowedKernelExtensions" and "AllowedTeamIdentifiers" are all required.

Kernel Extension

> System Extensions

Starting from macOS Big Sur 11.0, Kernel Extension will not be loaded by the system to comply with changes to the Apple guidelines for software developer. With that, the Trend Micro Mac Security agent has been updated with our Endpoint Security and Network Extension frameworks.

com.trendmicro.icore.es.sa: Endpoint Security is a C API for monitoring system events for potentially malicious activity. These events include process executions, mounting file systems, forking processes, and raising signals.
Reference: https://developer.apple.com/documentation/endpointsecurity
com.trendmicro.icore.netfilter.sa: Customize and extend core networking features.
Reference: https://developer.apple.com/documentation/networkextension

Required fields for System Extension MDM Profile is as follows:

System Extension Required fields

   
<key>AllowedSystemExtensionTypes</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>EndpointSecurityExtension</string>
<string>NetworkExtension</string>
</array>
</dict>
<key>AllowedSystemExtensions</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>com.trendmicro.icore.es</string>
<string>com.trendmicro.icore.netfilter</string>
</array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>

The current version of "iMazing Profile Editor" does not support this type, you can make corresponding changes on the sample file to meet your needs.

^{Click the image to enlarge.}

> Web Content Filter

An on-device network content filter examines user network content as it passes through the network stack and determines if that content should be blocked or allowed to pass on to its final destination. For more details, refer to this Apple Article: Content Filter Providers.

Required fields for Web Content Filter MDM profile creation is as follows:

Web Content Filter Required fields

   
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.icore.netfilter</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.icore</string>

> Full Disk Access

Full Disk Access permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your important data, such as Mail, Messages, TimeMachine, and Safari files. This means you need to manually grant permission for certain applications to access these protected areas of your macOS endpoint. In earlier versions of macOS (10.13 and lower), this permission is automatically granted during installation of your product.

If Full Disk Access is not enabled, your product is unable to scan all areas of your macOS endpoint. This means the Trend Micro Mac Security Agent cannot fully protect your macOS endpoint against malware and other network security threats, and product can only scan a limited portion of your system folders and hard drive, potentially resulting in unnecessary clutter remaining on your macOS endpoint.

In creating the MDM profile for Full Disk Access, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

Installer path:
- /Applications/TrendMicroSecurity.app
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.es.systemextension
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.netfilter.systemextension
Required:
- Properties:Accessibility → Allow
- Properties:Admin Files → Allow
- Properties:All Files → Allow
- Apple Events:Finder → Allow
- Apple Events:SystemUIServer → Allow
- Apple Events:System Events → Allow
^{Click the image(s) to enlarge.}

> Service Management - Managed Login Items (New in macOS 13.0 Ventura)

From macOS 13.0 Ventura, LaunchAgents and LaunchDaemons (in both /Library and ~/Library) are now managed from the System Settings > General > Login Items pane. They are the items under "Allow in the Background".

For Trend Vision One / XDR Agent for Mac

> Kernel Extension

Team Identifier	E8P47U2H32
Bundle ID	com.trendmicro.kext.KERedirectSA
Team Identifier	E8P47U2H32
Bundle ID	com.trendmicro.kext.filehookSA

> System Extension Profile (macOS 11.x)

Team Identifier	E8P47U2H32
Bundle Identifier	com.trendmicro.icore.es.sa
Team Identifier	E8P47U2H32
Bundle Identifier	com.trendmicro.icore.netfilter.sa

Optional

> Installation

Trend Micro Mac Security Agent installation will copy server info files to install path. In other words, the installer will access user's "Desktop/Downloads/Documents" folder, if "tmsminstall.pkg" is in "Desktop/Downloads/Documents".

From macOS10.13, system will display an alert if installers access "Desktop/Downloads/Documents folder". "installation.mobileconfig" profile is just for giving the installer permission to access these folders, so that an alert will not appear.

^{Click the image to enlarge.}

In creating the MDM profile for Installation permission, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

Installer path:
- /System/Library/CoreServices/Installer.app
Required Permissions:
- Properties:Desktop Folder → Allow
- Properties:Documents Folder → Allow
- Properties:Downloads Folder → Allow
^{Click the image to enlarge.}

> Browser Plug-in Extension

By adding below profile settings into MDM and deploy to the Managed Mac computer, the Chrome / Firefox extensions will be enabled automatically and a pop-up message for Chrome and FireFox will no longer appear:

For Safari, it is not possible make an automated browser extension deployment via MDM due to Apple's restriction.
For Chrome, after installing the "Google Chrome Extension", Chrome will download and install "Trend Micro Toolbar for Mac" from the Chrome Store, even if Apex One (Mac) has not been installed. The function of "Trend Micro Toolbar for Mac" is still in-preview and it cannot be uninstalled by the uninstaller yet.
For FireFox, It may appear that MDM has been configured but there is still a pop-up prompting to install FireFox Extension. This is a timing issue and FireFox Extension should have been installed successfully and you can ignore the pop-up.

Additional Information and Sample MDM Profiles

OS Version	System Extension	Web Content Filter	Full Disk Access	Kernel Extension	Installation	Service Management - Managed Login Items
macOS Sonoma (14.x.x)	✔	✔	✔	✘	✔	✔
macOS Ventura (13.x.x)	✔	✔	✔	✘	✔	✔
macOS Monterey (12.x.x)	✔	✔	✔	✘	✔	✘
macOS Big Sur (11.x.x)	✔	✔	✔	✘	✔	✘
macOS Catalina (10.15.x)	✘	✘	✔	✔	✔	✘
macOS Mojave (10.14.x)	✘	✘	✔	✔	✔	✘
macOS High Sierra (10.13.x)	✘	✘	✘	✔	✘	✘

✔ means this type of configuration file needs to be added, otherwise there will be a system or product dialog box pop-up.
✘ means such configuration files are not required, and there may be errors when adding these files. It is recommended that the same systems be grouped together and be distributed with the same configuration.

Each bundle identifier is assigned a combined .mobileconfig for Apex One (Mac), WFBS (Mac), Cloud One (Mac) and Trend Vision One (Mac).

Bundle Identifier	Sample MDM Profile
Full Disk Access	FullDiskAccess_Unified.mobileconfig
Kernel Extension	KernelExtension_Unified.mobileconfig
System Extension	SystemExtension_Unified.mobileconfig
Web Content Filter	WebContentFilter_Unified.mobileconfig
Service Management - Managed Login Items	SMLoginItems.mobileconfig
Installation	installation.mobileconfig
Browser Plugin Extension	Google Chrome Extension Mozilla Firefox Extension

"iMazing Profile Editor" or "Apple Configurator 2" or other third-party tools, none of them can complete each setting perfectly. After using them to generate the ".mobileconfig" file, it needs to be compared with the example file given to prevent missing settings and wrong settings.
Trend Vision One (Mac) does not utilize Browser Plugin Extension.

MDM Deployment steps

For Airwatch and Workspace One

This section is mainly used by people who have already understood the basics of Workspace One UEM (Vmware Airwatch) and want to use "Custom Profiles" to enable the Trend Micro Mac Security Agent to obtain the necessary permissions for normal operation without being on duty.

Step 1: Agent Enrollment

Log in to Airwatch/Workspace One, and go to Devices page, add a device, push mail notification to Mac Agent, Install and enroll this agent.

For detailed steps, please refer to Workspace One guide.

Step 2. Create Profile

Add a profile. Do the following:

Click the Add button in the top bar, then choose Profile.
Select macOS.
Click Device Profile.
Set the profile as General Information.

Step 3. Create Kernel Extension Profile

As Mac OS release 11.x Big Sur edition, its settings are different with 10.15.x Catalina, we need to generate 2 profiles:

Profile	Contained Setting	Target OS
Mac_MDM_Profile1	Kernel Extension Policy Privacy Preferences This privacy contains at least 2 apps: com.trendmicro.tmsm.MainUI com.trendmicro.icore	10.15.x Catalina
Mac_MDM_Profile2	System Extension Policy Privacy Preferences This privacy contains all 4 apps: com.trendmicro.tmsm.MainUI com.trendmicro.icore com.trendmicro.icore.es com.trendmicro.icore.netfilter Content Filter	11.x Big Sur

Create Profile1 (For 10.15.x Catalina)

Generate "Kernel Extension" profile.

Allowed Team Identifiers	Allowed Kernel Extensions
E8P47U2H32	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.kext.KERedirect
E8P47U2H32	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.kext.filehook

Generate “Privacy Preferences“ for ”Full Disk Access”, "Apple Events", etc. profile.

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Click to enlarge	Click to enlarge	Click to enlarge	Click to enlarge	Click to enlarge

Step 4. Create System Extension Profile

Create Profile2 (For 11.x Big Sur)

Generate "System Extension" profile.

Allowed System Extension Types	Allowed System Extensions
Team Identifier* E8P47U2H32 Endpoint Security:checkmark Network: checkmark	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.icore.es
	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.icore.netfilter

Generate “Privacy Preferences“ for ”Full Disk Access”, "Apple Events", etc. profile.

For the configuration details, please refer to the following table:

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.es Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.netfilter Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Generate "Web Content Filter" profile.

**The 2 Key/Value pairs are:

Key	Value
FilterDataProviderBundleIdentifier	com.trendmicro.icore.netfilter
FilterDataProviderDesignatedRequirement	identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Others

Generate installation profile

^{Click the image(s) to enlarge.}
- Identifier Type: /System/Library/CoreServices/Installer.app
- Code Requirement: identifier "com.apple/installer" and anchor apple
Install the browser extensions. Refer to the following links:
- Google Chrome Extension
- Mozilla Firefox Extension

For Jamf Now

Log in to the Jamf Now console, and go to Devices page to see the enrolled or active Mac devices.

^{Click the image to enlarge.}
If there's no device in your device list, you have two ways to enroll your device
- Auto: Use ADE to enroll device automatically
- Manual: Click "Enroll This Device", then download the configuration profile to start the enrollment.
Click Blueprints and select your target blueprint.

^{Click the image to enlarge.}
Select Custom Profiles tab, then add or upload your profiles.

^{Click the image to enlarge.}
Upload all ".mobileconfig" files.

^{Click the image to enlarge.}
Verify if all profiles have been configured.

^{Click the image to enlarge.}

Troubleshooting Common Issues

Error Message/Code	Solution
Error Code: ConfigProfilePluginDomain:-319 ^{Click the image to enlarge.}	Upgrade the system to macOS10.13 or later.
Error Code: SPErrorDomain:10 ^{Click the image to enlarge.}	Change the level of security used on your startup disk. For details refer to Change startup disk security settings on a Mac with Apple silicon. This error message on Jamf Now can be ignored as kernel extension on M1 is not needed.

For Jamf Pro

For reference on how to deploy the Security Agent for Mac using Jamf Pro, refer to the following link:

Using Jamf Pro to deploy Trend Vision One, Apex One, or Cloud One for Mac

For Microsoft InTune

Login in to Microsoft Intune.
Click Devices > macOS to enter macOS devices setting page.

^{Click the image to enlarge.}
Select Configuration profiles > Create profile, then select Templates on the "Create a profile" pane.

^{Click the image to enlarge.}

Below are the two ways to create a profile:
- Select Custom, and upload the self-created ".mobileconfig" file. In this way, all types of profiles can be deployed.
- Select Extensions. In this way, only "Kernel Extension" and "System Extension" can be deployed.
Configure the "Custom" settings of the macOS Profile:
Below is an example for System Extensions:
1. Provide the name and description of the macOS Profile.
  
  ^{Click the image to enlarge.}
2. Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file.
  
  ^{Click the image to enlarge.}
3. Set the Included groups or Excluded groups according to your needs.
  
  ^{Click the image to enlarge.}
4. You can view the progress of deployment, if there is no update for a long time, you can click the Assignments button below to execute again.
  
  ^{Click the image to enlarge.}
5. Once finished, the Deployment Status will show "Deploy succeeded".
  
  ^{Click the image to enlarge.}
6. Repeat the above operation to deploy all ".mobileconfig" profiles.
  
  ^{Click the image to enlarge.}
7. Check status on the mac machine, and verify if the Full Disk Access is already present on the Profiles.
  
  ^{Click the image to enlarge.}

For FileWave

To create an Apex One (Mac) profile using FileWave MDM:

Go to the FileWave Console to get started.
On the dashboard console, create a new desktop fileset:

^{Click the image to enlarge.}
Under System Extensions, provide the Apex One (Mac) agent identifiers to allow access to the Mac machines:

Team Identifier E8P47U2H32
BundleID com.trendmicro.icore.es,com.trendmicro.icore.netfilter

^{Click the image to enlarge.}

Add the allowed Security and Privacy settings as follows:

Full Disk Access:

IDENTIFIER	com.trendmicro.icore
CODE REQUIREMENT	identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Receiver Identifier	com.apple.systemevents
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

Apex One (Mac) agent UI:

IDENTIFIER	com.trendmicro.tmsm.MainUI
CODE REQUIREMENT	identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Receiver Identifier	com.apple.systemevents
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

Apex One (Mac) Endpoint Sensor:

Receiver Identifier	com.trendmicro.icore.es
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Apex One (Mac) Network Filter:

Receiver Identifier	com.trendmicro.icore.netfilter
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Apple System Events:

Receiver Identifier com.apple.systemevents
Receiver Identifier Type Bundle ID
Receiver Code Requirement identifier "com.apple.systemevents" and anchor apple

Receiver Identifier	com.apple.systemevents
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

^{Click the image to enlarge.}

Deploy the FileWave profile to the Mac machine and then deploy the Apex One (Mac) agents after. A restart is needed for the profile to take effect on the machines.

Keywords: mdm config for apex one mac,config checklist mdm for apex one mac,extension for MDM apex one mac,jamf profile,MS intune profile,intune profile,filewave profile,3rd party mdm profile creation

Creating and Configuring MDM Profile(s) for Trend Micro Security Agent for Mac

Product / Version includes:

Worry-Free Plug-In - Security For MACAll , Apex One (Mac)All , Cloud One - Endpoint and Workload SecurityAll

Last updated: 2023/12/13

Solution ID: KA-0011072

Category: Configure

Summary

By using a MDM, administrators can give Apex One (Mac), Vision One (Mac), Cloud One (Mac), and WFBS agents the necessary permissions for them to work normally without any additional operations from the end-user. When MDM is deployed correctly, the Apex One (Mac), Cloud One (Mac), Vision One (Mac) and WFBS agents will not show any pop-ups (asking for permission and etc.) to the end-user.

Setting the Permissions

EXPAND ALL

Required

In creating MDM profiles, the following items are required to ensure no pop-ups will show on the macOS endpoint after initial installation of the Trend Micro Mac security agents:

For Apex One (Mac), Cloud One (Mac), and WFBS (Mac)

> Kernel Extensions

Kernel Extension is not required on machines with Apple Silicon.

Required fields for Kernel Extension MDM Profile creation are as follows:

Kernel Extension Required fields

   
<key>AllowedKernelExtensions</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>com.trendmicro.kext.KERedirect</string>
<string>com.trendmicro.kext.filehook</string>
</array>
</dict>
<key>AllowedTeamIdentifiers</key>
<array>
<string>E8P47U2H32</string>
</array>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>

"AllowedKernelExtensions" and "AllowedTeamIdentifiers" are all required.

Kernel Extension

> System Extensions

com.trendmicro.icore.es.sa: Endpoint Security is a C API for monitoring system events for potentially malicious activity. These events include process executions, mounting file systems, forking processes, and raising signals.
Reference: https://developer.apple.com/documentation/endpointsecurity
com.trendmicro.icore.netfilter.sa: Customize and extend core networking features.
Reference: https://developer.apple.com/documentation/networkextension

Required fields for System Extension MDM Profile is as follows:

System Extension Required fields

   
<key>AllowedSystemExtensionTypes</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>EndpointSecurityExtension</string>
<string>NetworkExtension</string>
</array>
</dict>
<key>AllowedSystemExtensions</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>com.trendmicro.icore.es</string>
<string>com.trendmicro.icore.netfilter</string>
</array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>

The current version of "iMazing Profile Editor" does not support this type, you can make corresponding changes on the sample file to meet your needs.

^{Click the image to enlarge.}

> Web Content Filter

Required fields for Web Content Filter MDM profile creation is as follows:

Web Content Filter Required fields

   
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.icore.netfilter</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.icore</string>

> Full Disk Access

In creating the MDM profile for Full Disk Access, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

Installer path:
- /Applications/TrendMicroSecurity.app
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.es.systemextension
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.netfilter.systemextension
Required:
- Properties:Accessibility → Allow
- Properties:Admin Files → Allow
- Properties:All Files → Allow
- Apple Events:Finder → Allow
- Apple Events:SystemUIServer → Allow
- Apple Events:System Events → Allow
^{Click the image(s) to enlarge.}

> Service Management - Managed Login Items (New in macOS 13.0 Ventura)

For Trend Vision One / XDR Agent for Mac

> Kernel Extension

Team Identifier	E8P47U2H32
Bundle ID	com.trendmicro.kext.KERedirectSA
Team Identifier	E8P47U2H32
Bundle ID	com.trendmicro.kext.filehookSA

> System Extension Profile (macOS 11.x)

Team Identifier	E8P47U2H32
Bundle Identifier	com.trendmicro.icore.es.sa
Team Identifier	E8P47U2H32
Bundle Identifier	com.trendmicro.icore.netfilter.sa

Optional

> Installation

^{Click the image to enlarge.}

In creating the MDM profile for Installation permission, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

Installer path:
- /System/Library/CoreServices/Installer.app
Required Permissions:
- Properties:Desktop Folder → Allow
- Properties:Documents Folder → Allow
- Properties:Downloads Folder → Allow
^{Click the image to enlarge.}

> Browser Plug-in Extension

For Safari, it is not possible make an automated browser extension deployment via MDM due to Apple's restriction.
For Chrome, after installing the "Google Chrome Extension", Chrome will download and install "Trend Micro Toolbar for Mac" from the Chrome Store, even if Apex One (Mac) has not been installed. The function of "Trend Micro Toolbar for Mac" is still in-preview and it cannot be uninstalled by the uninstaller yet.
For FireFox, It may appear that MDM has been configured but there is still a pop-up prompting to install FireFox Extension. This is a timing issue and FireFox Extension should have been installed successfully and you can ignore the pop-up.

Additional Information and Sample MDM Profiles

OS Version	System Extension	Web Content Filter	Full Disk Access	Kernel Extension	Installation	Service Management - Managed Login Items
macOS Sonoma (14.x.x)	✔	✔	✔	✘	✔	✔
macOS Ventura (13.x.x)	✔	✔	✔	✘	✔	✔
macOS Monterey (12.x.x)	✔	✔	✔	✘	✔	✘
macOS Big Sur (11.x.x)	✔	✔	✔	✘	✔	✘
macOS Catalina (10.15.x)	✘	✘	✔	✔	✔	✘
macOS Mojave (10.14.x)	✘	✘	✔	✔	✔	✘
macOS High Sierra (10.13.x)	✘	✘	✘	✔	✘	✘

✔ means this type of configuration file needs to be added, otherwise there will be a system or product dialog box pop-up.
✘ means such configuration files are not required, and there may be errors when adding these files. It is recommended that the same systems be grouped together and be distributed with the same configuration.

Each bundle identifier is assigned a combined .mobileconfig for Apex One (Mac), WFBS (Mac), Cloud One (Mac) and Trend Vision One (Mac).

Bundle Identifier	Sample MDM Profile
Full Disk Access	FullDiskAccess_Unified.mobileconfig
Kernel Extension	KernelExtension_Unified.mobileconfig
System Extension	SystemExtension_Unified.mobileconfig
Web Content Filter	WebContentFilter_Unified.mobileconfig
Service Management - Managed Login Items	SMLoginItems.mobileconfig
Installation	installation.mobileconfig
Browser Plugin Extension	Google Chrome Extension Mozilla Firefox Extension

"iMazing Profile Editor" or "Apple Configurator 2" or other third-party tools, none of them can complete each setting perfectly. After using them to generate the ".mobileconfig" file, it needs to be compared with the example file given to prevent missing settings and wrong settings.
Trend Vision One (Mac) does not utilize Browser Plugin Extension.

MDM Deployment steps

For Airwatch and Workspace One

Step 1: Agent Enrollment

Log in to Airwatch/Workspace One, and go to Devices page, add a device, push mail notification to Mac Agent, Install and enroll this agent.

For detailed steps, please refer to Workspace One guide.

Step 2. Create Profile

Add a profile. Do the following:

Click the Add button in the top bar, then choose Profile.
Select macOS.
Click Device Profile.
Set the profile as General Information.

Step 3. Create Kernel Extension Profile

As Mac OS release 11.x Big Sur edition, its settings are different with 10.15.x Catalina, we need to generate 2 profiles:

Profile	Contained Setting	Target OS
Mac_MDM_Profile1	Kernel Extension Policy Privacy Preferences This privacy contains at least 2 apps: com.trendmicro.tmsm.MainUI com.trendmicro.icore	10.15.x Catalina
Mac_MDM_Profile2	System Extension Policy Privacy Preferences This privacy contains all 4 apps: com.trendmicro.tmsm.MainUI com.trendmicro.icore com.trendmicro.icore.es com.trendmicro.icore.netfilter Content Filter	11.x Big Sur

Create Profile1 (For 10.15.x Catalina)

Generate "Kernel Extension" profile.

Allowed Team Identifiers	Allowed Kernel Extensions
E8P47U2H32	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.kext.KERedirect
E8P47U2H32	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.kext.filehook

Generate “Privacy Preferences“ for ”Full Disk Access”, "Apple Events", etc. profile.

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Click to enlarge	Click to enlarge	Click to enlarge	Click to enlarge	Click to enlarge

Step 4. Create System Extension Profile

Create Profile2 (For 11.x Big Sur)

Generate "System Extension" profile.

Allowed System Extension Types	Allowed System Extensions
Team Identifier* E8P47U2H32 Endpoint Security:checkmark Network: checkmark	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.icore.es
	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.icore.netfilter

Generate “Privacy Preferences“ for ”Full Disk Access”, "Apple Events", etc. profile.

For the configuration details, please refer to the following table:

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.es Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.netfilter Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Generate "Web Content Filter" profile.

**The 2 Key/Value pairs are:

Key	Value
FilterDataProviderBundleIdentifier	com.trendmicro.icore.netfilter
FilterDataProviderDesignatedRequirement	identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Others

Generate installation profile

^{Click the image(s) to enlarge.}
- Identifier Type: /System/Library/CoreServices/Installer.app
- Code Requirement: identifier "com.apple/installer" and anchor apple
Install the browser extensions. Refer to the following links:
- Google Chrome Extension
- Mozilla Firefox Extension

For Jamf Now

Log in to the Jamf Now console, and go to Devices page to see the enrolled or active Mac devices.

^{Click the image to enlarge.}
If there's no device in your device list, you have two ways to enroll your device
- Auto: Use ADE to enroll device automatically
- Manual: Click "Enroll This Device", then download the configuration profile to start the enrollment.
Click Blueprints and select your target blueprint.

^{Click the image to enlarge.}
Select Custom Profiles tab, then add or upload your profiles.

^{Click the image to enlarge.}
Upload all ".mobileconfig" files.

^{Click the image to enlarge.}
Verify if all profiles have been configured.

^{Click the image to enlarge.}

Troubleshooting Common Issues

Error Message/Code	Solution
Error Code: ConfigProfilePluginDomain:-319 ^{Click the image to enlarge.}	Upgrade the system to macOS10.13 or later.
Error Code: SPErrorDomain:10 ^{Click the image to enlarge.}	Change the level of security used on your startup disk. For details refer to Change startup disk security settings on a Mac with Apple silicon. This error message on Jamf Now can be ignored as kernel extension on M1 is not needed.

For Jamf Pro

For reference on how to deploy the Security Agent for Mac using Jamf Pro, refer to the following link:

Using Jamf Pro to deploy Trend Vision One, Apex One, or Cloud One for Mac

For Microsoft InTune

Login in to Microsoft Intune.
Click Devices > macOS to enter macOS devices setting page.

^{Click the image to enlarge.}
Select Configuration profiles > Create profile, then select Templates on the "Create a profile" pane.

^{Click the image to enlarge.}

Below are the two ways to create a profile:
- Select Custom, and upload the self-created ".mobileconfig" file. In this way, all types of profiles can be deployed.
- Select Extensions. In this way, only "Kernel Extension" and "System Extension" can be deployed.
Configure the "Custom" settings of the macOS Profile:
Below is an example for System Extensions:
1. Provide the name and description of the macOS Profile.
  
  ^{Click the image to enlarge.}
2. Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file.
  
  ^{Click the image to enlarge.}
3. Set the Included groups or Excluded groups according to your needs.
  
  ^{Click the image to enlarge.}
4. You can view the progress of deployment, if there is no update for a long time, you can click the Assignments button below to execute again.
  
  ^{Click the image to enlarge.}
5. Once finished, the Deployment Status will show "Deploy succeeded".
  
  ^{Click the image to enlarge.}
6. Repeat the above operation to deploy all ".mobileconfig" profiles.
  
  ^{Click the image to enlarge.}
7. Check status on the mac machine, and verify if the Full Disk Access is already present on the Profiles.
  
  ^{Click the image to enlarge.}

For FileWave

To create an Apex One (Mac) profile using FileWave MDM:

Go to the FileWave Console to get started.
On the dashboard console, create a new desktop fileset:

^{Click the image to enlarge.}
Under System Extensions, provide the Apex One (Mac) agent identifiers to allow access to the Mac machines:

Team Identifier E8P47U2H32
BundleID com.trendmicro.icore.es,com.trendmicro.icore.netfilter

^{Click the image to enlarge.}

Add the allowed Security and Privacy settings as follows:

Full Disk Access:

IDENTIFIER	com.trendmicro.icore
CODE REQUIREMENT	identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Receiver Identifier	com.apple.systemevents
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

Apex One (Mac) agent UI:

IDENTIFIER	com.trendmicro.tmsm.MainUI
CODE REQUIREMENT	identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Receiver Identifier	com.apple.systemevents
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

Apex One (Mac) Endpoint Sensor:

Receiver Identifier	com.trendmicro.icore.es
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Apex One (Mac) Network Filter:

Receiver Identifier	com.trendmicro.icore.netfilter
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Apple System Events:

Receiver Identifier com.apple.systemevents
Receiver Identifier Type Bundle ID
Receiver Code Requirement identifier "com.apple.systemevents" and anchor apple

Receiver Identifier	com.apple.systemevents
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

^{Click the image to enlarge.}

Deploy the FileWave profile to the Mac machine and then deploy the Apex One (Mac) agents after. A restart is needed for the profile to take effect on the machines.

Was this article helpful?

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.es Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.netfilter Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.es Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.netfilter Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Team Identifier	E8P47U2H32
BundleID	com.trendmicro.icore.es,com.trendmicro.icore.netfilter