Deploy Linewize Connect for managed macOS v3+ devices

This article is for IT Support. 

Important

For macOS Sequoia devices, follow the Deploy Linewize Connect for managed macOS Sequoia devices guide.

You can use this guide to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect silently on managed macOS v3+ (non-macOS Sequoia) devices without any end-user intervention.

Danger

Do not install the Connect for macOS v3 agent on user devices before creating and deploying a Configuration Profile and Mobile Config.

There are five steps to deploying Linewize Connect on macOS v3+ devices:

  1. Install a Rosetta policy on any M1 or later MacBooks.
  2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
  3. Configure your MDM.
  4. Upload the latest version of Connect for macOS and Authentication agent pkg files to your MDM.
  5. Deploy Connect for macOS to your devices.

1. Install a Rosetta policy on M1 or later MacBooks

For M1 or later MacBooks, you must install the Rosetta policy before installing or upgrading Linewize Connect for macOS.

If you don’t install the Rosetta policy first, you will see:


Image 1: Rosetta policy not installed message.

2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users

Important

The Connect app installer cannot detect your school's configuration. Standard users must grant permissions for each feature on devices without Privacy Preferences Policy Control (PPPC).

To use Classwize features, you must apply to user devices the PPPC MDM configuration that allows standard users to approve screen recording of their devices.

Configure PPPC Profile

fc-system-service_darwin-amd64

Warning

If a Standard user receives a notification to approve the fc-system-service_darwin-amd64 application, you must set up the PPPC MDM configuration correctly.

Identifier: /Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64
Code Requirement: identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH"
App or Service: ScreenCapture
Access: Allow Standard Users to Allow Access

If the PPPC is deployed successfully, the permissions should show as below:

Image 2: Screen Recording permissions after the PPPC is deployed

For instructions on how to configure a PPPC profile, check your MDM’s documentation.

Apply PPPC Profile

For instructions on how to apply the PPPC MDM configuration, see your MDM’s documentation.

3. Configure MDM

Before you start

Download the Linewize Configuration profile file.

Important

If the Linewize generic configuration profile doesn’t work with your MDM type, you must manually configure the profile.

Using Jamf Pro

  1. In Jamf Pro, select Computers > Configuration Profiles, then select Upload.
  2. In the Upload window, select Choose File, select the Linewize Configuration Profile file, then select Upload.

    Important

    Jamf will show an error after the file is uploaded. You must follow all the steps to remove this error.

  3. In the Options list, go to App-To-Per-App VPN Mapping and, in the Display Name field, enter Linewize VPN.
  4. In the Options list, go to VPN > VPN Type, select the VPN Type dropdown menu and select Per-app VPN.
  5. Select the Automatically start Per-App VPN connection checkbox.
  6. Return to App-To-Per-App VPN Mapping, select the Per-App VPN dropdown menu and select Family Zone Proxy.
  7. Go to Restrictions > Preferences, then select Restrict items in System Preferences.
  8. Select Disable selected items.
  9. Select Network.
  10. Select Save.
  11. Deploy the Configuration Profile to your devices.

Manual Configuration profile settings:

Danger

Only manually configure the Configuration Profile if you can’t use the Linewize generic Configuration profile.

You must follow all the steps to manually configure the Configuration Profile.

1. VPN

Info

Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.

Field Entry
Identifier: com.familyzone.macappproxy
Server: Family Zone Proxy
Provider Bundle Identifier: com.familyzone.macappproxy
User Authentication: Password
Password: opendoor
Provider Type: App Proxy
Designated Requirement: anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH")
Connection Name: Family Zone Proxy
VPN Type: Per-App VPN
Connection Type: Custom SSL

2. System Extension

Info

You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.

Allowed System Extension Types
Display Name: Network Extension
Team Identifier: 5S77G864UH
Network Extension: Tick the checkbox

Allowed System Extensions
Display Name: Network Extension
Team Identifier: 5S77G864UH
Bundle ID:
  • com.familyzone.macappproxy.fzmacappproxy
  • com.familyzone.macappproxy.fzmacdnsproxy

3. Family Zone Root CA

Download the Family Zone Root CA certificate and upload it into your MDM.

4. Save and Deploy the Configuration profile

Follow your MDM’s instructions to save and deploy the Configuration Profile.
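
A preflight check for the manual settings above, added here as an example and not part of the Linewize article or tooling: it parses an unsigned configuration profile and lists which of the VPN, System Extension and Root CA settings are absent. The payload types and key names are Apple's standard configuration-profile ones rather than values from this article, and the sample profile is constructed.

```python
import plistlib

TEAM_ID = "5S77G864UH"                    # identifiers below are from the article
PROVIDER = "com.familyzone.macappproxy"
EXTENSIONS = {PROVIDER + ".fzmacappproxy", PROVIDER + ".fzmacdnsproxy"}
CERT_TYPES = {"com.apple.security." + t for t in ("root", "pkcs1", "pem")}

def audit_profile(data: bytes) -> list:
    """Return the article's settings that an unsigned profile lacks."""
    by_type = {}
    for p in plistlib.loads(data).get("PayloadContent", []):
        by_type.setdefault(p.get("PayloadType"), []).append(p)
    missing = []
    # 1. VPN: per-app VPN payload bound to the Family Zone provider.
    vpns = [p.get("VPN", {}) for p in by_type.get("com.apple.vpn.managed.applayer", [])]
    vpn = next((v for v in vpns if v.get("ProviderBundleIdentifier") == PROVIDER), None)
    if vpn is None:
        missing.append("per-app VPN for " + PROVIDER)
    elif vpn.get("ProviderType") != "app-proxy":
        missing.append("VPN provider type app-proxy")
    elif TEAM_ID not in vpn.get("ProviderDesignatedRequirement", ""):
        missing.append("designated requirement naming team " + TEAM_ID)
    # 2. System Extension: both bundle IDs and the type allowed for the team.
    allowed, types = set(), set()
    for p in by_type.get("com.apple.system-extension-policy", []):
        allowed |= set(p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
        types |= set(p.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID, []))
    missing += ["system extension " + e for e in sorted(EXTENSIONS - allowed)]
    if "NetworkExtension" not in types:
        missing.append("NetworkExtension type for team " + TEAM_ID)
    # 3. Root CA: a certificate payload must be present (contents not checked).
    if not CERT_TYPES & by_type.keys():
        missing.append("certificate payload for the Family Zone Root CA")
    return missing

def sample_profile(extensions) -> bytes:
    """Constructed sample profile; the certificate bytes are a placeholder."""
    req = 'anchor apple generic and certificate leaf[subject.OU] = "%s"' % TEAM_ID
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed.applayer", "VPNType": "VPN",
         "VPN": {"ProviderBundleIdentifier": PROVIDER, "ProviderType": "app-proxy",
                 "ProviderDesignatedRequirement": req}},
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {TEAM_ID: sorted(extensions)},
         "AllowedSystemExtensionTypes": {TEAM_ID: ["NetworkExtension"]}},
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"placeholder"},
    ]})

if __name__ == "__main__":
    print(audit_profile(sample_profile({PROVIDER + ".fzmacappproxy"})))
```

An empty result means every checked setting is present. A profile exported from an MDM as a signed file must have its signature wrapper removed before plistlib can read it.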

4. Upload the Connect and Authentication agent pkg files to your MDM

  1. Sign in to your MDM.
  2. In School Manager, go to Configuration > Agent Downloads and download the Connect for macOS pkg file.
  3. Download the Linewize Authentication agent pkg file sent to you by your Linewize Deployment Engineer.
  4. Upload both pkg files to your MDM.

5. Deploy the Connect for macOS v3 agent

  1. Deploy the Connect for macOS v3 agent to your MacBook(s).
  2. Deploy the Linewize Authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
  3. Verify that the agent has been correctly installed by going to Settings > Network.
    Ensure the following:
    • FZ DNS Proxy is Running
    • FZ App Proxy is Connected
    • Family Zone Proxy is Not Connected
  4. If the agent did not correctly install, ensure the following:
    • Connect tray app is running
    • A “FamilyZone” folder is on the device. If no folder exists, install Connect again.