Deploy Linewize Connect for managed macOS Sequoia devices

This article is for IT Support. 

You can use this guide to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect silently on managed devices without any end-user intervention.

Danger

Do not install the Connect for macOS v3 agent on user devices before creating and deploying a Configuration Profile and Mobile Config.

There are five steps to deploying Linewize Connect on macOS Sequoia devices:

  1. Install a Rosetta policy on any M1 or later MacBooks.
  2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
  3. Configure your MDM.
  4. Upload the latest version of Connect for macOS and Authentication agent pkg files to your MDM.
  5. Deploy Connect for macOS to your devices.

Tip

If you’ve previously deployed Connect on your devices before upgrading to Sequoia, follow these steps:

  1. (Classwize only) Add the classroom.plugin PPPC.
  2. Deploy the Linewize Property list file OR if using Jamf Pro version 11.12 only, configure the Bypass screen capture alert.
  3. Upload and deploy Connect for macOS version 3.6.6 or newer.

1. Install a Rosetta policy on M1 or later MacBooks

For M1 or later MacBooks, you must install the Rosetta policy before installing or upgrading Linewize Connect for macOS.

If you don’t install the Rosetta policy first, you will see:


Image 1: Rosetta policy not installed message.

2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC)

Important

The Connect app installer cannot detect your school's configuration. Standard users must grant permissions for each feature on devices without Privacy Preferences Policy Control (PPPC).

To use Classwize features, you must apply two PPPC MDM configurations to user devices that allow standard users to approve screen recordings of their devices.

fc-system-service_darwin-amd64

Warning

If a Standard user receives a notification to approve the fc-system-service_darwin-amd64 application, you must configure the PPPC MDM configuration correctly.

Setting name Required Configuration
Identifier /Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64
Code Requirement identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "5S77G864UH"
App or Service ScreenCapture
Access Allow Standard Users to Allow Access

classroom.plugin

Setting name Required Configuration
Identifier /Applications/FamilyZone/MobileZoneAgent/bin/classroom.plugin
Code Requirement identifier classroom and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "5S77G864UH"
App or Service ScreenCapture
Access Allow Standard Users to Allow Access

If the PPPC is deployed successfully, the permissions should show as below:


Image 2: Screen Recording permissions after the PPPC is deployed.

For instructions on how to configure a PPPC profile, check your MDM’s documentation:

For instructions on how to apply PPPC MDM configuration, see your MDM’s documentation:

3. Configure MDM

You must configure and deploy:

  1. Linewize generic Configuration Profile.
  2. Linewize Property list file.

Upload Configuration Profile

Before you start, download the Linewize Configuration profile file.

Important

If the Linewize generic configuration profile doesn’t work with your MDM type, you must manually configure the profile.

Using Jamf Pro

  1. In Jamf Pro, select Computers > Configuration Profiles, then select Upload.
  2. In the Upload window, select Choose File then select the Linewize Configuration Profile file then select Upload

    Important

    Jamf will show an error after the file is uploaded, you must follow all the steps to remove this error.

  3. In Options list, go to App-To-Per-App VPN Mapping, in the Display Name field, enter Linewize VPN.
  4. In Options list, go to VPN > VPN Type, select the VPN Type dropdown menu and select Per-app VPN.
  5. Select the Automatically start Per-App VPN connection checkbox.
  6. Go back to App-To-Per-App VPN Mapping, select the Per-App VPN dropdown menu and select Family Zone Proxy.
  7. Go to Restrictions > Preferences, then select Restrict items in System Preferences.
  8. Select Disable selected items.
  9. Select Network.
  10. Select Save.
  11. Deploy the Configuration Profile to your devices.

Using Jamf Pro version 11.12 ONLY

After following the Jamf Pro steps to deploy the Configuration Profile:

  1. In Jamf Pro, go to Configuration Profile > your profile, select EDIT.
  2. Go to Options > Restrictions > Functionality tab.
  3. Turn on Bypass screen capture alert (macOS 15.1 or later).
  4. Select Save.

Manually configure the Configuration Profile

Danger

Only manually configure the Configuration Profile if you can't use the Linewize generic Configuration profile.

You must follow all the steps to configure the Configuration Profile manually.

1. VPN settings

Info

Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.

Field Entry
Identifier: com.familyzone.macappproxy
Server: Family Zone Proxy
Provider Bundle Identifier: com.familyzone.macappproxy
User Authentication: Password
Password: opendoor
Provider Type: App Proxy
Designated Requirement: anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "5S77G864UH")

2. System Extension settings

Info

You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.

Allowed System Extension Types Allowed System Extensions
Display Name: Network Extension Display Name: Network Extension
Team Identifier: 5S77G864UH Team Identifier: 5S77G864UH
Network Extension: Tick the checkbox Bundle ID:
com.familyzone.macappproxy
com.familyzone.macappproxy.fzmacdnsproxy

3. Family Zone Root CA certificate

Download the Family Zone Root CA certificate and upload it into your MDM.

4. Save and Deploy the Configuration Profile

Follow your MDM’s instructions to save and deploy the Configuration Profile.

Deploy Property list file

Before you start, download the Linewize Property list file.

Jamf Pro - On version 11.1 or earlier

  1. Download the Linewize Property list file.
  2. In Jamf Pro, go to your profile page and select EDIT.
  3. Select Application & Custom Settings > Upload.
  4. In the Preference Domain section, enter “com.apple.TCC.configuration-profile-policy” as the name.
  5. Select Upload, then find the “com.apple.TCC.configuration-profile-policy” plist file you downloaded in Step 1 and select Open.
  6. After the file is uploaded, Select Save.

JamfSchool

You must upload the Linewize Connect pkg file to access the Configuration profile settings.

  1. In School Manager, go to Configuration > Agent Downloads and download the Mac (.pkg) for school IT admins
  2. In JamfSchool, go to Apps > Inventory.
  3. Select + Add App, then in the dropdown menu, select Add In-House macOS Package, the In-House macOS Package window will open.
  4. Browse and select the pkg file you downloaded from School Manager.
  5. Once the pkg file is uploaded, select Show Advanced Options on the right pane.
  6. Download the Linewize Configuration profile plist file, open the file in a text editor and copy all of the text.
  7. Select the Apply Managed Configuration checkbox, and the Managed Configuration section will appear.
  8. In the new XML field, enter Linewize Connect V3 as the name. 
  9. Paste the plist file text into the big text box, then select Add new.

Other MDMs

Contact your vendor for instructions on how to add a plist file to your MDM.

4. Upload the Connect and Authentication agent pkg files to your MDM

  1. Sign in to your MDM.
  2. In School Manager, go to Configuration> Agent Downloads and download the Connect for macOS pkg file.
  3. Download the Linewize Authentication agent pkg file sent to you by your Linewize Deployment Engineer.
  4. Upload both pkg files to your MDM.

5. Deploy the Connect for macOS v3 agent

  1. Deploy the Connect for macOS v3 agent to your MacBook(s).
  2. Deploy the Linewize Authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
  3. Verify that the agent has been correctly installed by going to Settings > Network.
    Ensure the following:
    • FZ DNS Proxy is Running
    • FZ App Proxy is Connected
    • Family Zone Proxy is Not Connected
  4. If the agent did not correctly install, ensure the following:
    • Connect tray app is running
    • A “FamilyZone” folder is on the device, If no folder exists, install Connect again.

Image 3: VPN & Filters page showing the correct proxies if Connect is successfully deployed.

  1. If you have completed the above steps and are still experiencing deployment issues, contact Linewize Support with your findings for further assistance.
Was this article helpful?
0 out of 0 found this helpful
Share

Comments

0 comments

Please sign in to leave a comment.