Configuring an MDM Profile on MacOS

Setting the Permissions

Required

In creating MDM profiles for Apex One (Mac), the following items are required to ensure no pop-ups will show on the macOS endpoint after initial installation of Apex One (Mac) agents:

From macOS10.13 to macOS10.15, they require user approval before loading new, third-party kernel extensions. Apex One (Mac) uses kernel extensions for the Core Shields real-time protection features. To ensure that your product can fully protect your system, you need to manually allow the extensions.

Required fields for Kernel Extension MDM Profile creation are as follows:

Kernel Extension Required fields

   
<key>AllowedKernelExtensions</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>com.trendmicro.kext.KERedirect</string>
		<string>com.trendmicro.kext.filehook</string>
		</array>
</dict>
<key>AllowedTeamIdentifiers</key>
<array>
	<string>E8P47U2H32</string>
</array>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>

"AllowedKernelExtensions" and "AllowedTeamIdentifiers" are all required.

Kernel Extension

> System Extensions

Starting from macOS Big Sur 11.0, Kernel Extension will not be loaded by the system to comply with changes to the Apple guidelines for software developer. With that, Apex One (Mac) has been updated with our Endpoint Security and Network Extension frameworks.

com.trendmicro.icore.es.sa: Endpoint Security is a C API for monitoring system events for potentially malicious activity. These events include process executions, mounting file systems, forking processes, and raising signals.
Reference: https://developer.apple.com/documentation/endpointsecurity
com.trendmicro.icore.netfilter.sa: Customize and extend core networking features.
Reference: https://developer.apple.com/documentation/networkextension

Required fields for System Extension MDM Profile is as follows:

System Extension Required fields

   
<key>AllowedSystemExtensionTypes</key>
<dict>
	<key>E8P47U2H32</key>
		<array>
			<string>EndpointSecurityExtension</string>
			<string>NetworkExtension</string>
		</array>
</dict>
<key>AllowedSystemExtensions</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>com.trendmicro.icore.es</string>
		<string>com.trendmicro.icore.netfilter</string>
	</array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>

The current version of "iMazing Profile Editor" does not support this type, you can make corresponding changes on the sample file to meet your needs.

^{Click the image to enlarge.}

> Web Content Filter

An on-device network content filter examines user network content as it passes through the network stack and determines if that content should be blocked or allowed to pass on to its final destination. For more details, refer to this Apple Article: Content Filter Providers.

Required fields for Web Content Filter MDM profile creation is as follows:

Web Content Filter Required fields

   
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.icore.netfilter</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.icore</string>

> Full Disk Access

Full Disk Access permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your important data, such as Mail, Messages, TimeMachine, and Safari files. This means you need to manually grant permission for certain applications to access these protected areas of your macOS endpoint. In earlier versions of macOS (10.13 and lower), this permission is automatically granted during installation of your product.

If Full Disk Access is not enabled, your product is unable to scan all areas of your macOS endpoint. This means Apex one (Mac) cannot fully protect your macOS endpoint against malware and other network security threats, and product can only scan a limited portion of your system folders and hard drive, potentially resulting in unnecessary clutter remaining on your macOS endpoint.

In creating the MDM profile for Full Disk Access, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

Installer path:
- /Applications/TrendMicroSecurity.app
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.es.systemextension
- /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/Library/SystemExtensions/com.trendmicro.icore.netfilter.systemextension
Required:
- Properties:Accessibility → Allow
- Properties:Admin Files → Allow
- Properties:All Files → Allow
- Apple Events:Finder → Allow
- Apple Events:SystemUIServer → Allow
- Apple Events:System Events → Allow
^{Click the image(s) to enlarge.}

Optional

> Installation

Apex One (Mac) installation will copy server info files to install path. In other words, Apex One (Mac) installer will access user's "Desktop/Downloads/Documents" folder, if "tmsminstall.pkg" is in "Desktop/Downloads/Documents".

From macOS10.13, system will display an alert if installers access "Desktop/Downloads/Documents folder". "installation.mobileconfig" profile is just for giving the installer permission to access these folders, so that an alert will not appear.

^{Click the image to enlarge.}

In creating the MDM profile for Installation permission, it is recommended to use the Privacy Preferences Policy Control Utility (PPPC Utility) app.

Below are the required paths and permissions:

Installer path:
- /System/Library/CoreServices/Installer.app
Required Permissions:
- Properties:Desktop Folder → Allow
- Properties:Documents Folder → Allow
- Properties:Downloads Folder → Allow
^{Click the image to enlarge.}

> Browser Plug-in Extension

By adding below profile settings into MDM and deploy to the Managed Mac computer, the Chrome / Firefox extensions will be enabled automatically and a pop-up message for Chrome and FireFox will no longer appear:

For Safari, it is not possible make an automated browser extension deployment via MDM due to Apple's restriction.
For Chrome, after installing the "Google Chrome Extension", Chrome will download and install "Trend Micro Toolbar for Mac" from the Chrome Store, even if Apex One (Mac) has not been installed. The function of "Trend Micro Toolbar for Mac" is still in-preview and it cannot be uninstalled by the uninstaller yet.
For FireFox, It may appear that MDM has been configured but there is still a pop-up prompting to install FireFox Extension. This is a timing issue and FireFox Extension should have been installed successfully and you can ignore the pop-up.

Additional Information and Sample MDM Profiles

OS Version	System Extension	Web Content Filter	Full Disk Access	Kernel Extension	Installation
macOS Monterey (12.x.x)	✔	✔	✔	✘	✔
macOS Big Sur (11.x.x)	✔	✔	✔	✘	✔
macOS Catalina (10.15.x)	✘	✘	✔	✔	✔
macOS Mojave (10.14.x)	✘	✘	✔	✔	✔
macOS High Sierra (10.13.x)	✘	✘	✘	✔	✘
macOS Sierra (10.12.x)	✘	✘	✘	✘	✘
macOS El Capitan (10.11.x)	✘	✘	✘	✘	✘

✔ means this type of configuration file needs to be added, otherwise there will be a system or product dialog box pop-up.
✘ means such configuration files are not required, and there may be errors when adding these files. It is recommended that the same systems be grouped together and be distributed with the same configuration.

Different products have different bundle identifiers, so different ".mobileconfig" files need to be generated for different IDs. Below are some examples:

	Apex One (Mac)	XES(Vision One EDR)
Full Disk Access	FullDiskAccess.mobileconfig	FullDiskAccess_XES.mobileconfig
Kernel Extension	KernelExtension.mobileconfig	KernelExtension_XES.mobileconfig
System Extension	SystemExtension.mobileconfig	SystemExtension_XES.mobileconfig
Web Content Filter	WebContentFilter.mobileconfig	WebContentFilter_XES.mobileconfig
Installation	installation.mobileconfig
Browser Plugin Extension	Google Chrome Extension Mozilla Firefox Extension	✘

"iMazing Profile Editor" or "Apple Configurator 2" or other third-party tools, none of them can complete each setting perfectly. After using them to generate the ".mobileconfig" file, it needs to be compared with the example file given to prevent missing settings and wrong settings.

MDM Deployment steps for Apex Mac

For Airwatch and Workspace One

This section is mainly used by people who have already understood the basics of Workspace One UEM (Vmware Airwatch) and want to use "Custom Profiles" to enable Apex One for Mac to obtain the necessary permissions for normal operation without being on duty.

Step 1: Agent Enrollment

Log in to Airwatch/Workspace One, and go to Devices page, add a device, push mail notification to Mac Agent, Install and enroll this agent.

For detailed steps, please refer to Workspace One guide.

Step 2. Create Profile

Add a profile. Do the following:

Click the Add button in the top bar, then choose Profile.
Select macOS.
Click Device Profile.
Set the profile as General Information.

Step 3. Create Kernel Extension Profile

As Mac OS release 11.x Big Sur edition, its settings are different with 10.15.x Catalina, we need to generate 2 profiles:

Profile	Contained Setting	Target OS
Mac_MDM_Profile1	Kernel Extension Policy Privacy Preferences This privacy contains at least 2 apps: com.trendmicro.tmsm.MainUI com.trendmicro.icore	10.15.x Catalina
Mac_MDM_Profile2	System Extension Policy Privacy Preferences This privacy contains all 4 apps: com.trendmicro.tmsm.MainUI com.trendmicro.icore com.trendmicro.icore.es com.trendmicro.icore.netfilter Content Filter	11.x Big Sur

Create Profile1 (For 10.15.x Catalina)

Generate "Kernel Extension" profile.

Allowed Team Identifiers	Allowed Kernel Extensions
E8P47U2H32	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.kext.KERedirect
E8P47U2H32	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.kext.filehook

Generate “Privacy Preferences“ for ”Full Disk Access”, "Apple Events", etc. profile.

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Click to enlarge	Click to enlarge	Click to enlarge	Click to enlarge	Click to enlarge

Step 4. Create System Extension Profile

Create Profile2 (For 11.x Big Sur)

Generate "System Extension" profile.

Allowed System Extension Types	Allowed System Extensions
Team Identifier* E8P47U2H32 Endpoint Security:checkmark Network: checkmark	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.icore.es
	Team Identifier: E8P47U2H32 Bundle ID: com.trendmicro.icore.netfilter

Generate “Privacy Preferences“ for ”Full Disk Access”, "Apple Events", etc. profile.

For the configuration details, please refer to the following table:

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.es Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.netfilter Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Generate "Web Content Filter" profile.

**The 2 Key/Value pairs are:

Key	Value
FilterDataProviderBundleIdentifier	com.trendmicro.icore.netfilter
FilterDataProviderDesignatedRequirement	identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Others

Generate installation profile

^{Click the image(s) to enlarge.}
- Identifier Type: /System/Library/CoreServices/Installer.app
- Code Requirement: identifier "com.apple/installer" and anchor apple
Install the browser extensions. Refer to the following links:
- Google Chrome Extension
- Mozilla Firefox Extension

For Jamf Now

Log in to the Jamf Now console, and go to Devices page to see the enrolled or active Mac devices.

^{Click the image to enlarge.}
If there's no device in your device list, you have two ways to enroll your device
- Auto: Use ADE to enroll device automatically
- Manual: Click "Enroll This Device", then download the configuration profile to start the enrollment.
Click Blueprints and select your target blueprint.

^{Click the image to enlarge.}
Select Custom Profiles tab, then add or upload your profiles.

^{Click the image to enlarge.}
Upload all ".mobileconfig" files.

^{Click the image to enlarge.}
Verify if all profiles have been configured.

^{Click the image to enlarge.}

Troubleshooting Common Issues

Error Message/Code	Solution
Error Code: ConfigProfilePluginDomain:-319 ^{Click the image to enlarge.}	Upgrade the system to macOS10.13 or later.
Error Code: SPErrorDomain:10 ^{Click the image to enlarge.}	Change the level of security used on your startup disk. For details refer to Change startup disk security settings on a Mac with Apple silicon. This error message on Jamf Now can be ignored as kernel extension on M1 is not needed.

For Jamf Pro

Log in to Jamf Pro, click Computers at the top of the page, and then go to Configuration Profiles > New.

^{Click the image to enlarge.}
Use the General payload to configure basic settings and look for Privacy Preferences Policy Control > App Access.

^{Click the image to enlarge.}

Add the following configurations:

App Access

Identifier: com.trendmicro.tmsm.MainU	Identifier Type: Bundle ID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = E8P47U2H32 App or Service*: SystemPolicyAllFiles Allow ^{Click the image to enlarge.}
Identifier: com.trendmicro.icore	Identifier Type: Bundle ID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = E8P47U2H32 App or Service*: SystemPolicyAllFiles Allow ^{Click the image to enlarge.}
Identifier: com.trendmicro.icore.es	Identifier Type: Bundle ID Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = E8P47U2H32 App or Service*: SystemPolicyAllFiles Allow ^{Click the image to enlarge.}
Identifier: /Applications/TrendMicroSecurity.app/Contents/Resources/iCoreService.app/Contents/MacOS/iCoreService	Identifier Type: PATH Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = E8P47U2H32 App or Service: SystemPolicyAllFiles Allow Identifier*: /Applications/TrendMicroSecurity.app ^{Click the image to enlarge.}

Extensions

Kernel Extensions	Display Name: Trend Micro Team ID: E8P47U2H32 Kernel Extension Bundles: E8P47U2H32,com.trendmicro.kext.filehook,1,"Trend Micro, Inc.",8 E8P47U2H32,com.trendmicro.kext.KERedirect,1,"Trend Micro, Inc.",8 E8P47U2H32,com.trendmicro.kext.iTMKernAPI,1,"Trend Micro, Inc.",8 ^{Click the image to enlarge.}
System Extensions	Display Name: Trend Micro Sytem Extension Types: Allowed System Extension Types Team Identifier: E8P47U2H32 Allowed System Extensions: com.trendmicro.icore.es com.trendmicro.icore.netfilter ^{Click the image to enlarge.}

For Microsoft InTune

Login in to Microsoft Intune.
Click Devices > macOS to enter macOS devices setting page.

^{Click the image to enlarge.}
Select Configuration profiles > Create profile, then select Templates on the "Create a profile" pane.

^{Click the image to enlarge.}

Below are the two ways to create a profile:
- Select Custom, and upload the self-created ".mobileconfig" file. In this way, all types of profiles can be deployed.
- Select Extensions. In this way, only "Kernel Extension" and "System Extension" can be deployed.
Configure the "Custom" settings of the macOS Profile:
Below is an example for System Extensions:
1. Provide the name and description of the macOS Profile.
  
  ^{Click the image to enlarge.}
2. Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file.
  
  ^{Click the image to enlarge.}
3. Set the Included groups or Excluded groups according to your needs.
  
  ^{Click the image to enlarge.}
4. You can view the progress of deployment, if there is no update for a long time, you can click the Assignments button below to execute again.
  
  ^{Click the image to enlarge.}
5. Once finished, the Deployment Status will show "Deploy succeeded".
  
  ^{Click the image to enlarge.}
6. Repeat the above operation to deploy all ".mobileconfig" profiles.
  
  ^{Click the image to enlarge.}
7. Check status on the mac machine, and verify if the Full Disk Access is already present on the Profiles.
  
  ^{Click the image to enlarge.}

For FileWave

To create an Apex One (Mac) profile using FileWave MDM:

Go to the FileWave Console to get started.
On the dashboard console, create a new desktop fileset:

^{Click the image to enlarge.}
Under System Extensions, provide the Apex One (Mac) agent identifiers to allow access to the Mac machines:

Team Identifier E8P47U2H32
BundleID com.trendmicro.icore.es,com.trendmicro.icore.netfilter

^{Click the image to enlarge.}

Team Identifier	E8P47U2H32
BundleID	com.trendmicro.icore.es,com.trendmicro.icore.netfilter

Add the allowed Security and Privacy settings as follows:

Full Disk Access:

IDENTIFIER	com.trendmicro.icore
CODE REQUIREMENT	identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Receiver Identifier	com.apple.systemevents
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

Apex One (Mac) agent UI:

IDENTIFIER	com.trendmicro.tmsm.MainUI
CODE REQUIREMENT	identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Receiver Identifier	com.apple.systemevents
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

Apex One (Mac) Endpoint Sensor:

Receiver Identifier	com.trendmicro.icore.es
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Apex One (Mac) Network Filter:

Receiver Identifier	com.trendmicro.icore.netfilter
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Apple System Events:

Receiver Identifier com.apple.systemevents
Receiver Identifier Type Bundle ID
Receiver Code Requirement identifier "com.apple.systemevents" and anchor apple

Receiver Identifier	com.apple.systemevents
Receiver Identifier Type	Bundle ID
Receiver Code Requirement	identifier "com.apple.systemevents" and anchor apple

^{Click the image to enlarge.}

Deploy the FileWave profile to the Mac machine and then deploy the Apex One (Mac) agents after. A restart is needed for the profile to take effect on the machines.

Identifier	Allowed Content	Apple Events-1	Apple Events-2	Apple Events-3
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.es Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32
Identifier: com.trendmicro.icore.netfilter Identifier Type: BUNDLEID Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Accessibility: Allow System Policy All Files: Allow System Policy Sys Admin Files: Allow	Apple Events Allow Receiver Identifier: com.apple.finder Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemuiserver Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32	Apple Events Allow Receiver Identifier: com.apple.systemevents Receiver Identifier Type: BUNDLEID Receiver Code Requirement: identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = E8P47U2H32

Need More Help?

Creating and Configuring MDM Profile for Apex One (Mac) and Worry-Free Business Security (WFBS) Agent for Mac

Setting the Permissions

Required

> Kernel Extensions

> System Extensions

> Web Content Filter

> Full Disk Access

Optional

> Installation

> Browser Plug-in Extension

Additional Information and Sample MDM Profiles

MDM Deployment steps for Apex Mac

For Airwatch and Workspace One

Step 1: Agent Enrollment

Step 2. Create Profile

Step 3. Create Kernel Extension Profile

Step 4. Create System Extension Profile

Others

For Jamf Now

For Jamf Pro

For Microsoft InTune

For FileWave