Creating and Configuring MDM Profile for Apex One (Mac) and Worry-Free Business Security (WFBS) Agent for Mac

    • Updated: 20 Sep 2021
    • Product/Version: Apex One (Mac); Worry-Free Plug-In - Security For MAC
Summary

By using an MDM solution, administrators can give Apex One (Mac) and WFBS agents the permissions they need to work normally without any additional action from the end user. When the MDM profile is deployed correctly, the Apex One (Mac) and WFBS agents do not show any pop-ups (permission requests and so on) to the end user.

Details

Setting the Permissions

When creating MDM profiles for Apex One (Mac), the following items are required so that no pop-ups appear on the macOS endpoint after the initial installation of Apex One (Mac) agents:

macOS 10.13 through macOS 10.15 require user approval before loading new third-party kernel extensions. Apex One (Mac) uses kernel extensions for the Core Shields real-time protection features. To ensure that your product can fully protect your system, the extensions must be allowed, either manually or through the MDM profile described here.

Required fields for Kernel Extension MDM Profile creation are as follows:

Kernel Extension Required fields
   
<key>AllowedKernelExtensions</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>com.trendmicro.kext.KERedirect</string>
		<string>com.trendmicro.kext.filehook</string>
	</array>
</dict>
<key>AllowedTeamIdentifiers</key>
<array>
	<string>E8P47U2H32</string>
</array>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>
 
"AllowedKernelExtensions" and "AllowedTeamIdentifiers" are both required.

Kernel Extension

 

Starting with macOS Big Sur 11.0, kernel extensions are no longer loaded by the system, in line with changes to Apple's guidelines for software developers. Apex One (Mac) has therefore been updated to use the Endpoint Security and Network Extension frameworks.

Required fields for System Extension MDM Profile creation are as follows:

System Extension Required fields
   
<key>AllowedSystemExtensionTypes</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>EndpointSecurityExtension</string>
		<string>NetworkExtension</string>
	</array>
</dict>
<key>AllowedSystemExtensions</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>com.trendmicro.icore.es</string>
		<string>com.trendmicro.icore.netfilter</string>
	</array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>
 
The current version of "iMazing Profile Editor" does not support this payload type. You can instead edit the sample file to meet your needs.

Unfamiliar Domain


 

An on-device network content filter examines user network content as it passes through the network stack and determines if that content should be blocked or allowed to pass on to its final destination. For more details, refer to this Apple Article: Content Filter Providers.

Required fields for Web Content Filter MDM profile creation are as follows:

Web Content Filter Required fields
   
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.icore.netfilter</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.icore</string>

Full Disk Access permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your important data, such as Mail, Messages, TimeMachine, and Safari files. This means you need to manually grant permission for certain applications to access these protected areas of your macOS endpoint. In earlier versions of macOS (10.13 and lower), this permission is automatically granted during installation of your product.

 
If Full Disk Access is not enabled, your product is unable to scan all areas of your macOS endpoint. This means Apex One (Mac) cannot fully protect your macOS endpoint against malware and other network security threats, and the product can only scan a limited portion of your system folders and hard drive, potentially resulting in unnecessary clutter remaining on your macOS endpoint.
 

In creating the MDM profile for Full Disk Access, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

  • Installer path:
    • /Applications/TrendMicroSecurity.app
    • /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app
    • /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.es.systemextension
    • /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.netfilter.systemextension
  • Required:
    • Properties:Accessibility → Allow
    • Properties:Admin Files → Allow
    • Properties:All Files → Allow
    • Apple Events:Finder → Allow
    • Apple Events:SystemUIServer → Allow
    • Apple Events:System Events → Allow

    iCoreService

    iCoreES

    Trend Micro Security Permissions

    NetFilter


The Apex One (Mac) installation copies server info files to the install path. In other words, the Apex One (Mac) installer accesses the user's "Desktop/Downloads/Documents" folder if "tmsminstall.pkg" is located there.

Starting with macOS 10.13, the system displays an alert if installers access the "Desktop/Downloads/Documents" folder. The "installation.mobileconfig" profile only gives the installer permission to access these folders, so that the alert does not appear.

Installer Permission Prompt


In creating the MDM profile for Installation permission, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

  • Installer path:
    • /System/Library/CoreServices/Installer.app
  • Required Permissions:
    • Properties:Desktop Folder → Allow
    • Properties:Documents Folder → Allow
    • Properties:Downloads Folder → Allow

    PPPC Installer Config


By adding the profile settings below to the MDM and deploying them to the managed Mac computer, the Chrome / Firefox extensions are enabled automatically and the pop-up message for Chrome and Firefox no longer appears:

  • For Safari, it is not possible to make an automated browser extension deployment via MDM due to Apple's restriction.
  • For Chrome, after installing the "Google Chrome Extension", Chrome will download and install "Trend Micro Toolbar for Mac" from the Chrome Store, even if Apex One (Mac) has not been installed. The function of "Trend Micro Toolbar for Mac" is still in preview and it cannot be uninstalled by the uninstaller yet.
  • For Firefox, it may appear that MDM has been configured but there is still a pop-up prompting to install the Firefox extension. This is a timing issue: the Firefox extension should have been installed successfully, and you can ignore the pop-up.
 
OS Version | System Extension | Web Content Filter | Full Disk Access | Kernel Extension | Installation
macOS Big Sur (11.x.x)
macOS Catalina (10.15.x)
macOS Mojave (10.14.x)
macOS High Sierra (10.13.x)
macOS Sierra (10.12.x)
 
 
  • means this type of configuration file needs to be added, otherwise there will be a system or product dialog box pop-up.
  •  means such configuration files are not required, and there may be errors when adding these files. It is recommended that the same systems be grouped together and be distributed with the same configuration.
 

Different products have different bundle identifiers, so different ".mobileconfig" files need to be generated for different IDs. Below are some examples:

 
Neither "iMazing Profile Editor", "Apple Configurator 2" nor other third-party tools can complete every setting perfectly. After using them to generate the ".mobileconfig" file, compare it with the example file provided to catch missing and wrong settings.
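
One way to automate part of that comparison for the kernel extension, system extension and web content filter payloads is shown below. This is an added example, not Trend Micro's code: the key names and values come from the "Required fields" listings on this page, while the function names, the sample profile and the team ID "ABCDE12345" are constructed for illustration, and it assumes an unsigned ".mobileconfig".

```python
import plistlib
import re

TEAM_ID = "E8P47U2H32"  # team identifier used throughout this page
KEXT = "com.apple.syspolicy.kernel-extension-policy"
SYSEXT = "com.apple.system-extension-policy"
FILTER = "com.apple.webcontent-filter"

# Keys from the page's three "Required fields" listings (PayloadType selects the row).
REQUIRED_KEYS = {
    KEXT: ["AllowedKernelExtensions", "AllowedTeamIdentifiers"],
    SYSEXT: ["AllowedSystemExtensionTypes", "AllowedSystemExtensions", "PayloadDisplayName"],
    FILTER: ["FilterBrowsers", "FilterDataProviderBundleIdentifier",
             "FilterDataProviderDesignatedRequirement", "FilterGrade", "FilterPackets",
             "FilterSockets", "FilterType", "PluginBundleID"],
}
# Values the page lists under the team identifier in each allow-list dictionary.
EXPECTED_UNDER_TEAM = {
    (KEXT, "AllowedKernelExtensions"):
        {"com.trendmicro.kext.KERedirect", "com.trendmicro.kext.filehook"},
    (SYSEXT, "AllowedSystemExtensionTypes"): {"EndpointSecurityExtension", "NetworkExtension"},
    (SYSEXT, "AllowedSystemExtensions"):
        {"com.trendmicro.icore.es", "com.trendmicro.icore.netfilter"},
}
# Designated requirement for the network filter, copied from the page.
FILTER_REQ = ('identifier "com.trendmicro.icore.netfilter" and anchor apple generic and '
              'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
              'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
              'certificate leaf[subject.OU] = E8P47U2H32')


def lint_payload(payload):
    """Return findings for one payload dictionary; unlisted payload types are skipped."""
    ptype = payload.get("PayloadType")
    if ptype not in REQUIRED_KEYS:
        return []
    findings = [f"{ptype}: missing key {k}" for k in REQUIRED_KEYS[ptype] if k not in payload]
    for (ptype_for, key), expected in EXPECTED_UNDER_TEAM.items():
        if ptype_for == ptype and key in payload:
            allowed = set(payload[key].get(TEAM_ID, []))
            findings += [f"{ptype}: {key}[{TEAM_ID}] lacks {v}" for v in sorted(expected - allowed)]
    teams = payload.get("AllowedTeamIdentifiers")
    if ptype == KEXT and teams is not None and TEAM_ID not in teams:
        findings.append(f"{ptype}: AllowedTeamIdentifiers lacks {TEAM_ID}")
    req = payload.get("FilterDataProviderDesignatedRequirement")
    if ptype == FILTER and req is not None:
        # The requirement must name the filter bundle and pin the signer's team OU.
        ident = re.search(r'identifier\s+"([^"]+)"', req)
        ou = re.search(r'leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]+)', req)
        bundle = payload.get("FilterDataProviderBundleIdentifier")
        if not ident or ident.group(1) != bundle:
            findings.append(f"{ptype}: designated requirement does not name {bundle}")
        if not ou or ou.group(1) != TEAM_ID:
            findings.append(f"{ptype}: designated requirement is not pinned to {TEAM_ID}")
    return findings


def lint_mobileconfig(data):
    """Parse an unsigned .mobileconfig (plist bytes) and lint every payload in it."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        findings += lint_payload(payload)
    return findings


def build_sample(sysexts, requirement=FILTER_REQ):
    """Constructed sample profile, trimmed to the keys this linter reads."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": SYSEXT, "PayloadDisplayName": "System Extension",
         "AllowedSystemExtensionTypes":
             {TEAM_ID: ["EndpointSecurityExtension", "NetworkExtension"]},
         "AllowedSystemExtensions": {TEAM_ID: sysexts}},
        {"PayloadType": FILTER, "FilterBrowsers": True, "FilterPackets": False,
         "FilterSockets": True, "FilterGrade": "firewall", "FilterType": "Plugin",
         "PluginBundleID": "com.trendmicro.icore",
         "FilterDataProviderBundleIdentifier": "com.trendmicro.icore.netfilter",
         "FilterDataProviderDesignatedRequirement": requirement},
    ]})


if __name__ == "__main__":
    # Constructed faulty input: one extension missing, requirement pinned to another team.
    faulty = build_sample(["com.trendmicro.icore.es"],
                          FILTER_REQ.replace(TEAM_ID, "ABCDE12345"))
    print("\n".join(lint_mobileconfig(faulty)))
```

A profile signed by the MDM server is a CMS envelope rather than a bare plist and has to be unwrapped before it can be parsed this way.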
 

MDM Deployment steps for Apex Mac

This section is intended for readers who already understand the basics of Workspace One UEM (VMware AirWatch) and want to use "Custom Profiles" so that Apex One for Mac obtains the permissions it needs for normal operation without anyone attending the endpoint.

Step 1. Agent Enrollment

  1. Log in to AirWatch/Workspace One, go to the Devices page, add a device, push the mail notification to the Mac agent, then install and enroll this agent.

     
    For detailed steps, please refer to Workspace One guide.
     

    Add Device

    Workspace One Install

Step 2. Create Profile

Add a profile. Do the following:

  1. Click the Add button in the top bar, then choose Profile.

    Add Profile

  2. Select macOS.

    Add macOS Profile

  3. Click Device Profile.

    Device Profile

  4. Set the profile as General Information.

    General Information

Step 3. Create Kernel Extension Profile

Because the settings for macOS 11.x Big Sur differ from those for 10.15.x Catalina, 2 profiles need to be generated:

Profile: Mac_MDM_Profile1
Target OS: 10.15.x Catalina
Contained Setting:
  • Kernel Extension Policy
  • Privacy Preferences

    This privacy payload contains at least 2 apps:

    • com.trendmicro.tmsm.MainUI
    • com.trendmicro.icore

Profile: Mac_MDM_Profile2
Target OS: 11.x Big Sur
Contained Setting:
  • System Extension Policy
  • Privacy Preferences

    This privacy payload contains all 4 apps:

    • com.trendmicro.tmsm.MainUI
    • com.trendmicro.icore
    • com.trendmicro.icore.es
    • com.trendmicro.icore.netfilter
  • Content Filter

Create Profile1 (For 10.15.x Catalina)

  1. Generate "Kernel Extension" profile.

    Kernel Extension

    Allowed Team Identifiers:
    • E8P47U2H32

    Allowed Kernel Extensions:
    • Team Identifier: E8P47U2H32, Bundle ID: com.trendmicro.kext.KERedirect
    • Team Identifier: E8P47U2H32, Bundle ID: com.trendmicro.kext.filehook
  2. Generate the "Privacy Preferences" profile for "Full Disk Access", "Apple Events", etc.

    Privacy Preferences

    Identifier | Allowed Content | Apple Events-1 | Apple Events-2 | Apple Events-3

    Identifier:
    com.trendmicro.tmsm.MainUI

    Identifier Type:
    BUNDLEID

    Code Requirement:

    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Identifier:
    com.trendmicro.icore

    Identifier Type:
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Screenshots: Identifier, Allowed Content, Apple Events-1, Apple Events-2, Apple Events-3

Step 4. Create System Extension Profile

Create Profile2 (For 11.x Big Sur)

  1. Generate "System Extension" profile.

    Generate System Extension

    Allowed System Extension Types:
    • Team Identifier*: E8P47U2H32
    • Endpoint Security: checkmark
    • Network: checkmark

    Allowed System Extensions:
    • Team Identifier: E8P47U2H32, Bundle ID: com.trendmicro.icore.es
    • Team Identifier: E8P47U2H32, Bundle ID: com.trendmicro.icore.netfilter
  2. Generate the "Privacy Preferences" profile for "Full Disk Access", "Apple Events", etc.

    Privacy Preferences

    For the configuration details, please refer to the following table:

    Identifier | Allowed Content | Apple Events-1 | Apple Events-2 | Apple Events-3

    Identifier:
    com.trendmicro.tmsm.MainUI

    Identifier Type:
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Identifier:
    com.trendmicro.icore

    Identifier Type:
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Identifier:
    com.trendmicro.icore.es

    Identifier Type:
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Identifier:
    com.trendmicro.icore.netfilter

    Identifier Type:
    BUNDLEID

    Code Requirement:
    identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Accessibility:
    Allow

    System Policy All Files:
    Allow

    System Policy Sys Admin Files:
    Allow

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.finder

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemuiserver

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

    Apple Events
    Allow

    Receiver Identifier:
    com.apple.systemevents

    Receiver Identifier Type:
    BUNDLEID

    Receiver Code Requirement:
    identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

  3. Generate "Web Content Filter" profile.

    Web Content Filter

    The 2 Key/Value pairs are:

    • FilterDataProviderBundleIdentifier: com.trendmicro.icore.netfilter
    • FilterDataProviderDesignatedRequirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
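
A check that the Privacy Preferences payload of Profile1 or Profile2 really covers every app listed for its target OS, and that each app's code requirement names that same app and the team ID, can be scripted as follows. This is an added example, not Trend Micro's code: the payload keys (Services, Identifier, IdentifierType, CodeRequirement, Allowed, Authorization) are Apple's keys for the "com.apple.TCC.configuration-profile-policy" payload and do not appear on this page, the function names and sample profiles are constructed, and Apple Events entries are not examined.

```python
import plistlib
import re

TEAM_ID = "E8P47U2H32"  # team identifier used throughout this page
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type

# Apps the page lists for each profile's Privacy Preferences payload.
APPS_CATALINA = ["com.trendmicro.tmsm.MainUI", "com.trendmicro.icore"]
APPS_BIG_SUR = APPS_CATALINA + ["com.trendmicro.icore.es", "com.trendmicro.icore.netfilter"]
# Services the page's tables set to Allow for every app (Apple Events not covered here).
SERVICES = ["Accessibility", "SystemPolicyAllFiles", "SystemPolicySysAdminFiles"]

# Code requirement copied from the page; only the identifier varies per app.
REQ_TEMPLATE = ('identifier "{0}" and anchor apple generic and '
                'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
                'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
                'certificate leaf[subject.OU] = ' + TEAM_ID)


def parse_requirement(req):
    """Return (identifier, team OU) named in a code requirement, None where absent."""
    ident = re.search(r'identifier\s+"([^"]+)"', req)
    ou = re.search(r'leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]+)', req)
    return (ident.group(1) if ident else None, ou.group(1) if ou else None)


def is_allowed(entry):
    """Accept both the older boolean Allowed key and the newer Authorization string."""
    return entry.get("Allowed") is True or entry.get("Authorization") == "Allow"


def check_privacy(data, apps):
    """Lint the TCC payloads of an unsigned .mobileconfig against a list of apps."""
    findings, granted = [], set()
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                app = entry.get("Identifier")
                if app not in apps:
                    continue  # entries for other software are outside this check
                ident, ou = parse_requirement(entry.get("CodeRequirement", ""))
                if entry.get("IdentifierType") == "bundleID" and ident != app:
                    findings.append(f"{service}/{app}: code requirement names {ident}")
                if ou != TEAM_ID:
                    findings.append(f"{service}/{app}: code requirement not pinned to {TEAM_ID}")
                if is_allowed(entry):
                    granted.add((service, app))
    for app in apps:
        for service in SERVICES:
            if (service, app) not in granted:
                findings.append(f"{service}: no Allow entry for {app}")
    return findings


def build_sample(apps, skip=(), wrong_req=None):
    """Constructed sample profile: every service allowed for every app, minus `skip`."""
    wrong_req = wrong_req or {}
    services = {}
    for service in SERVICES:
        services[service] = [
            {"Identifier": app, "IdentifierType": "bundleID", "Allowed": True,
             "CodeRequirement": REQ_TEMPLATE.format(wrong_req.get(app, app))}
            for app in apps if (service, app) not in skip]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": services}]})


if __name__ == "__main__":
    # A Catalina-style payload (2 apps) checked against the Big Sur list (4 apps).
    for finding in check_privacy(build_sample(APPS_CATALINA), APPS_BIG_SUR):
        print(finding)
```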

Others

  1. Generate installation profile

    Installation Profile

    Define App


  2. Install the browser extensions. Refer to the following links:
  1. Log in to the Jamf Now console, and go to Devices page to see the enrolled or active Mac devices.

    Devices Page


     
    If there is no device in your device list, you have two ways to enroll your device:
    • Auto: Use ADE to enroll device automatically
    • Manual: Click "Enroll This Device", then download the configuration profile to start the enrollment.
     
  2. Click Blueprints and select your target blueprint.

    Blueprints


  3. Select Custom Profiles tab, then add or upload your profiles.

    Custom Profile


  4. Upload all ".mobileconfig" files.

    Upload profiles


  5. Verify if all profiles have been configured.

    Verify profile configurations


Troubleshooting Common Issues

Error Message/Code: Error Code: ConfigProfilePluginDomain:-319
Solution: Upgrade the system to macOS 10.13 or later.

Error Message/Code: Error Code: SPErrorDomain:10
Solution: Change the level of security used on your startup disk. For details, refer to Change startup disk security settings on a Mac with Apple silicon.

This error message on Jamf Now can be ignored as kernel extension on M1 is not needed.

 
  1. Log in to Jamf Pro, click Computers at the top of the page, and then go to Configuration Profiles > New.

    Computers


  2. Use the General payload to configure basic settings and look for Privacy Preferences Policy Control > App Access.

    Privacy Preferences


  3. Add the following configurations:

    App Access

    Identifier: com.trendmicro.tmsm.MainUI
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    • App or Service:
      • SystemPolicyAllFiles
      • Allow

    com.trendmicro.tmsm.MainUI


    Identifier: com.trendmicro.icore
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    • App or Service:
      • SystemPolicyAllFiles
      • Allow

    com.trendmicro.icore


    Identifier: com.trendmicro.icore.es
    • Identifier Type: Bundle ID
    • Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    • App or Service:
      • SystemPolicyAllFiles
      • Allow

    com.trendmicro.icore.es


    Identifier: /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService
    • Identifier Type: PATH
    • Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    • App or Service:
      • SystemPolicyAllFiles
      • Allow
    • Identifier: /Applications/TrendMicroSecurity.app

    iCoreService



    Extensions

    Kernel Extensions
    • Display Name: Trend Micro
    • Team ID: E8P47U2H32
    • Kernel Extension Bundles:
      • E8P47U2H32,com.trendmicro.kext.filehook,1,"Trend Micro, Inc.",8
      • E8P47U2H32,com.trendmicro.kext.KERedirect,1,"Trend Micro, Inc.",8
      • E8P47U2H32,com.trendmicro.kext.iTMKernAPI,1,"Trend Micro, Inc.",8

    Kernel Extensions


    System Extensions
    • Display Name: Trend Micro
    • System Extension Types: Allowed System Extension Types
    • Team Identifier: E8P47U2H32
    • Allowed System Extensions:
      • com.trendmicro.icore.es
      • com.trendmicro.icore.netfilter

    System Extensions


  1. Log in to Microsoft Intune.
  2. Click Devices > macOS to enter macOS devices setting page.

    Devices Page


  3. Select Configuration profiles > Create profile, then select Templates on the "Create a profile" pane.

    Configuration Profiles


    Below are the two ways to create a profile:

    • Select Custom, and upload the self-created ".mobileconfig" file. In this way, all types of profiles can be deployed.
    • Select Extensions. In this way, only "Kernel Extension" and "System Extension" can be deployed.
  4. Configure the "Custom" settings of the macOS Profile:

    Below is an example for System Extensions:

    1. Provide the name and description of the macOS Profile.

      Basic Info


    2. Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file.

      Config Profile


    3. Set the Included groups or Excluded groups according to your needs.

      Custom - Assignments


    4. You can view the progress of the deployment. If there is no update for a long time, click the Assignments button below to execute it again.

      System Extensions


    5. Once finished, the Deployment Status will show "Deploy succeeded".

      Deployment Succeeded


    6. Repeat the above operation to deploy all ".mobileconfig" profiles.

      Configuration Profiles


    7. Check the status on the Mac machine, and verify that Full Disk Access is already present in Profiles.

      Full Disk Access Status


To create an Apex One (Mac) profile using FileWave MDM:

  1. Go to the FileWave Console to get started.
  2. On the dashboard console, create a new desktop fileset:

    FileWave Dashboard


  3. Under System Extensions, provide the Apex One (Mac) agent identifiers to allow access to the Mac machines:
    Team Identifier: E8P47U2H32
    Bundle ID: com.trendmicro.icore.es, com.trendmicro.icore.netfilter

    System Extensions


  4. Add the allowed Security and Privacy settings as follows:
    • Full Disk Access:
      Identifier: com.trendmicro.icore
      Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
      Receiver Identifier: com.apple.systemevents
      Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple
    • Apex One (Mac) agent UI:
      Identifier: com.trendmicro.tmsm.MainUI
      Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
      Receiver Identifier: com.apple.systemevents
      Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple
    • Apex One (Mac) Endpoint Sensor:
      Receiver Identifier: com.trendmicro.icore.es
      Receiver Identifier Type: Bundle ID
      Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    • Apex One (Mac) Network Filter:
      Receiver Identifier: com.trendmicro.icore.netfilter
      Receiver Identifier Type: Bundle ID
      Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
    • Apple System Events:
      Receiver Identifier: com.apple.systemevents
      Receiver Identifier Type: Bundle ID
      Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple

    App Path or Bundle ID


  5. Deploy the FileWave profile to the Mac machine and then deploy the Apex One (Mac) agents after. A restart is needed for the profile to take effect on the machines.
Category: Configure
Solution Id: 000277823