You can use this guide to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect silently on managed devices without any end-user intervention.
Danger
Do not install the Connect for macOS v3 agent on user devices before creating and deploying a Configuration Profile and Mobile Config.
There are five steps to deploying Linewize Connect on macOS Sequoia devices:
- Install a Rosetta policy on any M1 or later MacBooks.
- (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
- Configure your MDM.
- Upload the latest version of Connect for macOS and Authentication agent pkg files to your MDM.
- Deploy Connect for macOS to your devices.
Tip
If you’ve previously deployed Connect on your devices before upgrading to Sequoia, follow these steps:
1. Install a Rosetta policy on M1 or later MacBooks
For M1 or later MacBooks, you must install the Rosetta policy before installing or upgrading Linewize Connect for macOS.
If you don’t install the Rosetta policy first, you will see:
Image 1: Rosetta policy not installed message.
2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC)
Important
The Connect app installer cannot detect your school's configuration. Standard users must grant permissions for each feature on devices without Privacy Preferences Policy Control (PPPC).
To use Classwize features, you must apply two PPPC MDM configurations to user devices that allow standard users to approve screen recordings of their devices.
fc-system-service_darwin-amd64
Warning
If a Standard user receives a notification to approve the fc-system-service_darwin-amd64 application, the PPPC MDM configuration has not been applied correctly and you must correct it.
Setting name | Required Configuration |
---|---|
Identifier | /Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64 |
Code Requirement | identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH" |
App or Service | ScreenCapture |
Access | Allow Standard Users to Allow Access |
classroom.plugin
Setting name | Required Configuration |
---|---|
Identifier | /Applications/FamilyZone/MobileZoneAgent/bin/classroom.plugin |
Code Requirement | identifier classroom and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH" |
App or Service | ScreenCapture |
Access | Allow Standard Users to Allow Access |
If the PPPC is deployed successfully, the permissions should show as below:
Image 2: Screen Recording permissions after the PPPC is deployed.
For instructions on how to configure a PPPC profile, check your MDM’s documentation:
- Jamf Pro - Privacy Preferences Policy Control (PPPC) Utility
- Filewave - macOS Privacy Preferences Payload
- Microsoft Intune - macOS device settings in Microsoft Intune
- Mosyle - Contact for vendor documentation
For instructions on how to apply PPPC MDM configuration, see your MDM’s documentation:
- Jamf Pro - Privacy Preferences Policy Control
- FileWave - macOS Privacy Preferences Payload
- Microsoft Intune - Assign device profiles in Microsoft Intune
- Mosyle - Contact for vendor documentation
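The following is an added example, not Linewize's or any MDM vendor's code: a Python check to run over an exported PPPC profile before assigning it, confirming that both ScreenCapture entries still carry the identifier, Apple anchor and Team ID clauses from the tables above. It assumes an unsigned XML profile that uses Apple's `com.apple.TCC.configuration-profile-policy` payload keys (`Services`, `ScreenCapture`, `Identifier`, `CodeRequirement`, `Authorization`); the function names and the sample profile are constructed for illustration.

```python
import plistlib
import re

BIN = "/Applications/FamilyZone/MobileZoneAgent/bin/"
# Identifier path -> signing identifier, both taken from the two tables on this page
EXPECTED = {BIN + "fc-system-service_darwin-amd64": "fc-system-service_darwin-amd64",
            BIN + "classroom.plugin": "classroom"}
PINS = ["anchor apple generic",  # clauses each Code Requirement must keep
        "certificate 1[field.1.2.840.113635.100.6.2.6]",
        "certificate leaf[field.1.2.840.113635.100.6.1.13]",
        'certificate leaf[subject.OU] = "5S77G864UH"']

def effective(req):
    """Requirement text with /* ... */ comments removed and whitespace collapsed."""
    return " ".join(re.sub(r"/\*.*?\*/", " ", req, flags=re.S).split())

def lint_pppc(profile_bytes):
    """Return a list of problems in the profile's ScreenCapture entries."""
    problems, seen = [], set()
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.TCC.configuration-profile-policy":
            continue
        for e in payload.get("Services", {}).get("ScreenCapture", []):
            path, eff = e.get("Identifier", ""), effective(e.get("CodeRequirement", ""))
            if path not in EXPECTED:
                problems.append(f"{path}: not one of the two Connect binaries")
                continue
            seen.add(path)
            if e.get("Authorization") != "AllowStandardUserToSetSystemService":
                problems.append(f"{path}: standard users cannot approve access")
            if not re.search(rf'identifier "?{re.escape(EXPECTED[path])}"?( |$)', eff):
                problems.append(f"{path}: signing identifier missing or wrong")
            problems += [f"{path}: clause missing: {p}" for p in PINS if p not in eff]
    return problems + [f"{p}: no ScreenCapture entry" for p in EXPECTED if p not in seen]

def sample_profile(mangle=False):
    """Constructed sample profile; mangle=True damages the comment delimiters."""
    c1, c2 = ("/* exists /", "/ exists */") if mangle else ("/* exists */",) * 2
    entries = [{"Identifier": path, "IdentifierType": "path",
                "Authorization": "AllowStandardUserToSetSystemService",
                "CodeRequirement": f'identifier "{ident}" and {PINS[0]} and {PINS[1]} '
                                   f"{c1} and {PINS[2]} {c2} and {PINS[3]}"}
               for path, ident in EXPECTED.items()]
    tcc = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
           "Services": {"ScreenCapture": entries}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [tcc]})

if __name__ == "__main__":
    print(lint_pppc(sample_profile()), lint_pppc(sample_profile(mangle=True)))
```

With `mangle=True` the sample uses comment markers damaged to `/* exists /` and `/ exists */`. Everything between them is then read as a single comment, so the leaf-certificate clause drops out of the effective requirement and the check reports it for both binaries.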
3. Configure MDM
You must configure and deploy:
Upload Configuration Profile
Before you start, download the Linewize Configuration profile file.
Important
If the Linewize generic configuration profile doesn’t work with your MDM type, you must manually configure the profile.
Using Jamf Pro
- In Jamf Pro, select Computers > Configuration Profiles, then select Upload.
- In the Upload window, select Choose File, select the Linewize Configuration Profile file, then select Upload.
Important
Jamf will show an error after the file is uploaded. You must follow all the steps to remove this error.
- In the Options list, go to App-To-Per-App VPN Mapping, then in the Display Name field, enter Linewize VPN.
- In the Options list, go to VPN > VPN Type, select the VPN Type dropdown menu and select Per-app VPN.
- Select the Automatically start Per-App VPN connection checkbox.
- Go back to App-To-Per-App VPN Mapping, select the Per-App VPN dropdown menu and select Family Zone Proxy.
- Go to Restrictions > Preferences, then select Restrict items in System Preferences.
- Select Disable selected items.
- Select Network.
- Select Save.
- Deploy the Configuration Profile to your devices.
Using Jamf Pro version 11.12 ONLY
After following the Jamf Pro steps to deploy the Configuration Profile:
- In Jamf Pro, go to Configuration Profile > your profile, select EDIT.
- Go to Options > Restrictions > Functionality tab.
- Turn on Bypass screen capture alert (macOS 15.1 or later).
- Select Save.
Manually configure the Configuration Profile
Danger
Only manually configure the Configuration Profile if you can't use the Linewize generic Configuration profile.
You must follow all the steps to configure the Configuration Profile manually.
1. VPN settings
Info
Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.
Field | Entry |
---|---|
Identifier: | com.familyzone.macappproxy |
Server: | Family Zone Proxy |
Provider Bundle Identifier: | com.familyzone.macappproxy |
User Authentication: | Password |
Password: | opendoor |
Provider Type: | App Proxy |
Designated Requirement: | anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH") |
2. System Extension settings
Info
You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.
Allowed System Extension Types | Allowed System Extensions |
---|---|
Display Name: Network Extension | Display Name: Network Extension |
Team Identifier: 5S77G864UH | Team Identifier: 5S77G864UH |
Network Extension: Tick the checkbox | Bundle ID: com.familyzone.macappproxy com.familyzone.macappproxy.fzmacdnsproxy |
3. Family Zone Root CA certificate
Download the Family Zone Root CA certificate and upload it into your MDM.
4. Save and Deploy the Configuration Profile
Follow your MDM’s instructions to save and deploy the Configuration Profile.
Deploy Property list file
Before you start, download the Linewize Property list file.
Jamf Pro - On version 11.1 or earlier
- Download the Linewize Property list file.
- In Jamf Pro, go to your profile page and select EDIT.
- Select Application & Custom Settings > Upload.
- In the Preference Domain section, enter “com.apple.TCC.configuration-profile-policy” as the name.
- Select Upload, then find the “com.apple.TCC.configuration-profile-policy” plist file you downloaded in Step 1 and select Open.
- After the file is uploaded, select Save.
JamfSchool
You must upload the Linewize Connect pkg file to access the Configuration profile settings.
- In School Manager, go to Configuration > Agent Downloads and download the Mac (.pkg) for school IT admins.
- In JamfSchool, go to Apps > Inventory.
- Select + Add App, then in the dropdown menu, select Add In-House macOS Package. The In-House macOS Package window will open.
- Browse and select the pkg file you downloaded from School Manager.
- Once the pkg file is uploaded, select Show Advanced Options on the right pane.
- Download the Linewize Configuration profile plist file, open the file in a text editor and copy all of the text.
- Select the Apply Managed Configuration checkbox, and the Managed Configuration section will appear.
- In the new XML field, enter Linewize Connect V3 as the name.
- Paste the plist file text into the big text box, then select Add new.
Other MDMs
Contact your vendor for instructions on how to add a plist file to your MDM.
4. Upload the Connect and Authentication agent pkg files to your MDM
- Sign in to your MDM.
- In School Manager, go to Configuration > Agent Downloads and download the Connect for macOS pkg file.
- Download the Linewize Authentication agent pkg file sent to you by your Linewize Deployment Engineer.
- Upload both pkg files to your MDM.
5. Deploy the Connect for macOS v3 agent
- Deploy the Connect for macOS v3 agent to your MacBook(s).
- Deploy the Linewize Authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
- Verify that the agent has been correctly installed by going to Settings > Network. Ensure the following:
  - FZ DNS Proxy is Running
  - FZ App Proxy is Connected
  - Family Zone Proxy is Not Connected
- If the agent did not correctly install, ensure the following:
  - Connect tray app is running
  - A “FamilyZone” folder is on the device. If no folder exists, install Connect again.
Image 3: VPN & Filters page showing the correct proxies if Connect is successfully deployed.
- If you have completed the above steps and are still experiencing deployment issues, contact Linewize Support with your findings for further assistance.