Important
For macOS Sequoia devices, follow the Deploy Linewize Connect for managed macOS Sequoia devices guide.
You can use this guide to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect silently on managed macOS v3+ (non-macOS Sequoia) devices without any end-user intervention.
Danger
Do not install the Connect for macOS v3 agent on user devices before creating and deploying a Configuration Profile and Mobile Config.
There are five steps to deploying Linewize Connect on macOS v3+ devices:
- Install a Rosetta policy on any M1 or later MacBooks.
- (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
- Configure your MDM.
- Upload the latest version of Connect for macOS and Authentication agent pkg files to your MDM.
- Deploy Connect for macOS to your devices.
1. Install a Rosetta policy on M1 or later MacBooks
For M1 or later MacBooks, you must install the Rosetta policy before installing or upgrading Linewize Connect for macOS.
If you don’t install the Rosetta policy first, you will see:
Image 1: Rosetta policy not installed message.
2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users
Important
The Connect app installer cannot detect your school's configuration. Standard users must grant permissions for each feature on devices without Privacy Preferences Policy Control (PPPC).
To use Classwize features, you must apply the PPPC MDM configurations to user devices that allow standard users to approve screen recordings of their devices.
Configure PPPC Profile
Fc-system-service_darwin-amd64
Warning
If a Standard user receives a notification to approve the fc-system-service_darwin-amd64 application, you must correct the PPPC MDM configuration.
Identifier | /Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64 |
Code Requirement | identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH" |
App or Service | ScreenCapture |
Access | Allow Standard Users to Allow Access |
If the PPPC is deployed successfully, the permissions should show as below:
Image 2: Screen Recording permissions after the PPPC is deployed
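The rule in the table above expressed as a profile payload, as an added example (not Linewize's own profile or code): it builds the `com.apple.TCC.configuration-profile-policy` payload with Python's `plistlib` and audits an unsigned .mobileconfig against the table's values. The function names, the `com.example.*` payload identifiers and the display name are assumptions.

```python
import plistlib
import uuid

# Values copied from the PPPC table on this page.
IDENTIFIER = "/Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64"
EXPECTED = {
    "IdentifierType": "path",  # the identifier is a file path, not a bundle ID
    # Profile value behind "Allow Standard Users to Allow Access"
    "Authorization": "AllowStandardUserToSetSystemService",
    "CodeRequirement": (
        'identifier "fc-system-service_darwin-amd64" and anchor apple generic and '
        "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
        "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
        'certificate leaf[subject.OU] = "5S77G864UH"'
    ),
}
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"


def build_pppc_profile():
    """Return an unsigned profile dict carrying the table's ScreenCapture rule."""
    payload = {
        "PayloadType": TCC_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.linewize.pppc.tcc",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "Services": {"ScreenCapture": [{"Identifier": IDENTIFIER, **EXPECTED}]},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Linewize Connect PPPC (example)",
        "PayloadIdentifier": "com.example.linewize.pppc",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [payload],
    }


def audit_pppc(profile_bytes):
    """List where an unsigned .mobileconfig deviates from the table's rule."""
    profile = plistlib.loads(profile_bytes)
    rules = [r for p in profile.get("PayloadContent", [])
             if p.get("PayloadType") == TCC_TYPE
             for r in p.get("Services", {}).get("ScreenCapture", [])
             if r.get("Identifier") == IDENTIFIER]
    if not rules:
        return ["no ScreenCapture rule for the agent path"]
    return [f"{key} differs from the published value"
            for r in rules for key, want in EXPECTED.items() if r.get(key) != want]
```

`plistlib.dumps(build_pppc_profile())` gives the bytes to save as a .mobileconfig; `audit_pppc()` returns an empty list when a profile matches the table.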
For instructions on how to configure a PPPC profile, check your MDM’s documentation:
- Jamf Pro - Privacy Preferences Policy Control
- FileWave - macOS Privacy Preferences Payload
- Microsoft Intune - macOS device settings in Microsoft Intune
- Mosyle - Contact for vendor documentation
Apply PPPC Profile
For instructions on how to apply PPPC MDM configuration, see your MDM’s documentation:
- Jamf Pro - Privacy Preferences Policy Control
- FileWave - macOS Privacy Preferences Payload
- Microsoft Intune - Assign device profiles in Microsoft Intune
- Mosyle - Contact for vendor documentation
3. Configure MDM
Before you start
Download the Linewize Configuration profile file.
Important
If the Linewize generic configuration profile doesn’t work with your MDM type, you must manually configure the profile.
Using Jamf Pro
- In Jamf Pro, select Computers > Configuration Profiles, then select Upload.
- In the Upload window, select Choose File, select the Linewize Configuration Profile file, then select Upload.
Important
Jamf will show an error after the file is uploaded. You must follow all the steps to remove this error.
- In the Options list, go to App-To-Per-App VPN Mapping and, in the Display Name field, enter Linewize VPN.
- In the Options list, go to VPN > VPN Type, then select the VPN Type dropdown menu and select Per-app VPN.
- Select the Automatically start Per-App VPN connection checkbox.
- Return to App-To-Per-App VPN Mapping, select the Per-App VPN dropdown menu and select Family Zone Proxy.
- Go to Restrictions > Preferences, then select Restrict items in System Preferences.
- Select Disable selected items.
- Select Network.
- Select Save.
- Deploy the Configuration Profile to your devices.
Manual Configuration profile settings:
Danger
Only manually configure the Configuration Profile if you can’t use the Linewize generic Configuration profile.
You must follow all the steps to manually configure the Configuration Profile.
1. VPN
Info
Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.
Field | Entry |
---|---|
Identifier: | com.familyzone.macappproxy |
Server: | Family Zone Proxy |
Provider Bundle Identifier: | com.familyzone.macappproxy |
User Authentication: | Password |
Password: | opendoor |
Provider Type: | App Proxy |
Designated Requirement: | anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH") |
Connection Name: | Family Zone Proxy |
VPN Type: | Per-App VPN |
Connection Type: | Custom SSL |
2. System Extension
Info
You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.
Allowed System Extension Types | Allowed System Extensions |
---|---|
Display Name: Network Extension | Display Name: Network Extension |
Team Identifier: 5S77G864UH | Team Identifier: 5S77G864UH |
Network Extension: Tick the checkbox | Bundle ID: |
3. Family Zone Root CA
Download the Family Zone Root CA certificate and upload it into your MDM.
4. Save and Deploy the Configuration profile
Follow your MDM’s instructions to save and deploy the Configuration Profile.
4. Upload the Connect and Authentication agent pkg files to your MDM
- Sign in to your MDM.
- In School Manager, go to Configuration > Agent Downloads and download the Connect for macOS pkg file.
- Download the Linewize Authentication agent pkg file sent to you by your Linewize Deployment Engineer.
- Upload both pkg files to your MDM.
5. Deploy the Connect for macOS v3 agent
- Deploy the Connect for macOS v3 agent to your MacBook(s).
- Deploy the Linewize Authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
- Verify that the agent has been correctly installed by going to Settings > Network. Ensure the following:
  - FZ DNS Proxy is Running
  - FZ App Proxy is Connected
  - Family Zone Proxy is Not Connected
- If the agent did not correctly install, ensure the following:
  - Connect tray app is running
  - A “FamilyZone” folder is on the device. If no folder exists, install Connect again.