Deploying Linewize Connect for macOS v3+

This article is for IT Support. 

You can use this guide to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect for macOS to all your macOS devices. MDM software allows IT administrators to deploy the Connect agent silently on managed devices without any end-user intervention.

There are five steps to deploying Linewize Connect on macOS v3+ devices:

  1. Install a Rosetta policy on any M1 or later MacBooks.
  2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
  3. Create and deploy a configuration profile.
  4. Upload the Connect pkg to your MDM.
  5. Deploy the Connect for macOS v3 agent.

Warning

Do not install the Connect for macOS v3 agent on user devices before creating and deploying a configuration profile and mobile config. If you install Connect before installing the profile, the user will see a System Extension Blocked pop-up. If the user does not allow the system extension, the Connect agent will not work.

 

1. Install a Rosetta policy on M1 or later MacBooks

For M1 or later MacBooks, you must install the Rosetta policy before installing or upgrading the Connect app for macOS.

If you did not install the Rosetta policy first, you will see the following error:



2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users

Note

The Connect app installer cannot detect your school’s configuration. If you have standard devices without Privacy Preferences Policy Control (PPPC), the device will ask for all necessary permissions for each feature.

With macOS 11 Big Sur (2020) and above, Apple introduced changes that stop standard users from approving applications’ requests to access Screen Recording; this includes Classwize Live View. For Live View to work, you must apply a PPPC MDM configuration to user devices that allows standard users to approve screen recordings of their devices.

Configure PPPC Profile

For the Screen Capture PPPC to work correctly, it must be configured with the following settings:

Identifier: /Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64
Code Requirement: identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH"
App or Service: ScreenCapture
Access: Allow Standard Users to Allow Access
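
The following check is an added example, not part of the original article or Linewize's tooling. It audits an unsigned PPPC profile exported from your MDM against the settings above, including the case where the `/* exists */` comment delimiters in the Code Requirement were damaged in copy/paste. The payload keys are Apple's documented PPPC keys; the function names and sample profiles are constructed for illustration.

```python
import plistlib
import re

# Path, service and requirement are copied from the settings above.
AGENT = "/Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64"
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
GOOD_REQ = ('identifier "fc-system-service_darwin-amd64" and anchor apple generic'
            " and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */"
            " and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */"
            ' and certificate leaf[subject.OU] = "5S77G864UH"')
# Constructed bad input: comment delimiters lost in copy/paste, so one long
# comment now swallows the certificate leaf[field...6.1.13] clause.
MANGLED_REQ = (GOOD_REQ.replace("*/ and certificate leaf[f", "/ and certificate leaf[f")
               .replace("13] /*", "13] /"))

def live_clauses(requirement):
    """Clauses left after removing comments (handles a flat 'and' chain only)."""
    stripped = re.sub(r"/\*.*?\*/", " ", requirement, flags=re.S)
    return {" ".join(c.split()) for c in stripped.split(" and ")}

def audit_pppc(profile_bytes):
    """Return problems found in the agent's ScreenCapture entry ([] = OK)."""
    profile = plistlib.loads(profile_bytes)
    entries = [e for p in profile.get("PayloadContent", [])
               if p.get("PayloadType") == TCC_TYPE
               for e in p.get("Services", {}).get("ScreenCapture", [])
               if e.get("Identifier") == AGENT]
    if not entries:
        return ["no ScreenCapture entry for the agent path"]
    entry, problems = entries[0], []
    if entry.get("IdentifierType") != "path":
        problems.append("IdentifierType is not 'path'")
    if entry.get("Authorization") != "AllowStandardUserToSetSystemService":
        problems.append("standard users are not allowed to approve")
    # Comments are ignored at evaluation time, so compare only live clauses.
    missing = live_clauses(GOOD_REQ) - live_clauses(entry.get("CodeRequirement", ""))
    problems += [f"clause missing or commented out: {c}" for c in sorted(missing)]
    return problems

def make_profile(requirement):
    """Build a constructed test profile (not the vendor's .mobileconfig)."""
    entry = {"Identifier": AGENT, "IdentifierType": "path",
             "CodeRequirement": requirement,
             "Authorization": "AllowStandardUserToSetSystemService"}
    payload = {"PayloadType": TCC_TYPE, "Services": {"ScreenCapture": [entry]}}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})
```

To check a real export, pass the file's bytes to `audit_pppc`; a signed profile must be unwrapped first because `plistlib` only reads plain property lists.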

 

For instructions on how to configure a PPPC profile, check your MDM’s documentation:

Example

In this example, the system service path, the code requirement for Linewize Connect, and the ScreenCapture service have been configured to allow standard users to allow Screen Capture access requests. Standard users can now approve Screen Capture for the Linewize Connect application.

Jamf-Pro-PPPC-Configuration-Screen.png

 

System Preference Behaviour

Warning

If a Standard user receives a notification to approve the fc-system-service_darwin-amd64 application, the PPPC MDM configuration has not been applied correctly and you must configure it correctly.

A Standard user does not need to approve the application once the PPPC configuration is successfully applied to a device.

Example

In the example, the fc-system-service_darwin-amd64 payload was successfully deployed to the device using the PPPC MDM configuration allowing Screen Recording for this application.

macOS-SecurityPrivacy-ScreenRecording.png

 

For instructions on how to apply PPPC MDM configuration, see your MDM’s documentation:

 

3. Create and deploy a configuration profile

Upload the generic configuration profile to your MDM, or manually create your own with the settings below.

Generic Configuration profile

You can upload this generic MDM configuration profile into your MDM:

Note

Most MDMs do not upload system extension settings. If there are issues with uploading the generic profile, you can open the ‘.mobileconfig’ file using a PropertyListEditor and copy the payload information into the profile via your MDM GUI.

See: Linewize Connect by Family Zone Proxy v3.mobileconfig

Uploading Configuration profile

Info

You can turn off Network settings for each MDM to prevent students from attempting to bypass filtering.

Using Jamf Pro

You will encounter an error when uploading the generic configuration profile in Jamf Pro, as the system extension settings do not load. This is a known Jamf issue.

“There is a known issue with 'System Extensions payload is missing data when uploading a computer Configuration Profile' (PI-008562) our team is aware of and working on this issue.” - Jamf Support.

  1. In Jamf Pro, select Computers at the top of the page, and then go to Configuration Profiles > Upload.
  2. Upload the generic Configuration profile.
  3. Add the System Extension:
    1. Display Name: Network Extension
    2. System Extension Types: Allowed System Extension Types
    3. Team Identifier: 5S77G864UH
    4. Network Extension: Tick the checkbox
    5. Allowed System Extensions:
      1. com.familyzone.macappproxy.fzmacappproxy
      2. com.familyzone.macappproxy.fzmacdnsproxy
    6. Go to Restrictions and select Restrict items in System Preferences.
    7. Select Disable selected items.
    8. Select Network.
    9. Select Save.

 

Using FileWave

  1. In FileWave, go to New Desktop Fileset > Profile.
  2. Select Load Profile. Select the Generic Configuration profile and select Open.
  3. Add a Restriction to block access to Wi-Fi Settings.
  4. Verify the configuration and select Save.

 

Using Microsoft Intune

  1. In Microsoft Intune, go to Devices > macOS.
  2. Go to Configuration profiles > Create profile, then select Templates on the Create a profile panel.
  3. Select Custom, and upload the Generic Configuration profile.
  4. Configure the "Custom" settings of the macOS Profile:
    • Provide the name and description of the macOS Profile
    • Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file
    • Set the Included groups or Excluded groups according to your needs.
    • Set the Wi-Fi to Block.
  5. Once finished, the Deployment Status will show "Deploy succeeded".
  6. Check the MacBook device, and verify that the profile has been installed.

  1. Save the configuration profile in your MDM.
  2. Deploy the configuration profile to your MacBook(s).

Manual Configuration profile settings:

Warning

Use only if the generic mobile configuration does not function properly. Do not deploy the generic mobile configuration along with the manual mobile configuration. After uploading, go to step 5. Deploy the Connect for macOS v3 agent.

1. VPN

Note

Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.

Field Entry
Identifier: com.familyzone.macappproxy
Server: Family Zone Proxy
Provider Bundle Identifier: com.familyzone.macappproxy.fzmacappproxy
User Authentication: Password
Password: opendoor
Provider Type: App Proxy
Designated Requirement: anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH")
Connection Name: Family Zone Proxy
VPN Type: Per-App VPN
Connection Type: Custom SSL

2. System Extension

Note

You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.

Allowed System Extension Types
Display Name: Network Extension
Team Identifier: 5S77G864UH
Network Extension: Tick the checkbox

Allowed System Extensions
Display Name: Network Extension
Team Identifier: 5S77G864UH
Bundle ID:
  • com.familyzone.macappproxy.fzmacappproxy
  • com.familyzone.macappproxy.fzmacdnsproxy
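
Because an upload can silently drop the System Extension data (the Jamf Pro issue quoted earlier), it is worth checking the profile your MDM will actually push. The script below is an added example, not Linewize or Jamf code. It assumes the profile has been exported unsigned, uses Apple's documented `com.apple.system-extension-policy` payload keys, and checks for the Team Identifier and bundle IDs listed above; the function names and the sample profiles are constructed.

```python
import plistlib

# Team ID and bundle IDs are the ones listed in the settings above.
TEAM_ID = "5S77G864UH"
EXPECTED = {"com.familyzone.macappproxy.fzmacappproxy",
            "com.familyzone.macappproxy.fzmacdnsproxy"}
SYSEXT_TYPE = "com.apple.system-extension-policy"

def audit_system_extensions(profile_bytes):
    """Return problems with the System Extension payload ([] = OK)."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SYSEXT_TYPE]
    if not payloads:
        return ["profile has no System Extension payload"]
    types, bundles = set(), set()
    for p in payloads:
        # Both keys map a team identifier to a list of strings.
        types.update(p.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID, []))
        bundles.update(p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
    problems = []
    if "NetworkExtension" not in types:
        problems.append(f"NetworkExtension type not listed for team {TEAM_ID}")
    problems += [f"extension not allowed: {b}" for b in sorted(EXPECTED - bundles)]
    return problems

def sample_profile(complete):
    """Constructed profile; complete=False mimics a payload that lost its data."""
    payload = {"PayloadType": SYSEXT_TYPE, "PayloadDisplayName": "Network Extension"}
    if complete:
        payload["AllowedSystemExtensionTypes"] = {TEAM_ID: ["NetworkExtension"]}
        payload["AllowedSystemExtensions"] = {TEAM_ID: sorted(EXPECTED)}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})
```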

3. Family Zone Root CA

Download the latest certificate and upload Family Zone Root CA.

4. Save and Deploy the Configuration profile

Save the configuration profile in your MDM.

Deploy the configuration profile to your MacBook(s).

4. Upload the Connect pkg to your MDM

  1. Sign in to your MDM.
  2. Download the current Connect for macOS pkg file from here or go to School Manager > Configuration > Agent Downloads.
  3. Upload the pkg to your MDM.

 

5. Deploy the Connect for macOS v3 agent

  1. Deploy the Connect for macOS v3 agent to your MacBook(s).
  2. Deploy the Linewize authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
  3. Verify that the agent has been correctly installed by going to Settings > Network.
    Ensure the following:
    • FZ DNS Proxy is Running
    • FZ App Proxy is Connected
    • Family Zone Proxy is Not Connected
  4. If the agent did not correctly install, ensure the following:
    • Connect tray app is running
    • A “FamilyZone” folder is on the device. If no folder exists, install Connect again.
  5. If you have completed the above steps and are still experiencing deployment issues, contact Linewize Support with your findings for further assistance.
