You can use this guide to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect for macOS to all your macOS devices. MDM software allows IT administrators to deploy the Connect agent silently on managed devices without any end-user intervention.
There are five steps to deploying Linewize Connect on macOS v3+ devices:
- Install a Rosetta policy on any M1 or later MacBooks.
- (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
- Create and deploy a configuration profile.
- Upload the Connect and Authentication agent pkg files to your MDM.
- Deploy the Connect for macOS v3 agent.
Warning
Do not install the Connect for macOS v3 agent on user devices before creating and deploying a configuration profile and mobile config. If you install Connect before installing the profile, the user will see a System Extension Blocked pop-up. If the user does not allow the extension, the Connect agent will not work.
1. Install a Rosetta policy on M1 or later MacBooks
For M1 or later MacBooks, you must install the Rosetta policy before installing or upgrading the Connect app for macOS.
If you did not install the Rosetta policy first, you will see the following error:
2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users
Note
The Connect app installer cannot detect your school’s configuration. If you have standard devices without Privacy Preferences Policy Control (PPPC) the device will ask for all necessary permissions for each feature.
With macOS 11 Big Sur (2020) and above, Apple introduced changes that stop standard users from approving applications’ requests to access Screen Recording; this includes Classwize Live View. For Live View to work, you must apply a PPPC MDM configuration to user devices that allows standard users to approve screen recordings of their devices.
Configure PPPC Profile
For the Screen Capture PPPC to work correctly, it must be configured with the following settings:
Field | Entry |
---|---|
Identifier | /Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64 |
Code Requirement | identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH" |
App or Service | ScreenCapture |
Access | Allow Standard Users to Allow Access |
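To confirm that a PPPC profile built in your MDM carries these settings, the following added example (not Linewize or MDM vendor code) parses a profile and reports problems with its ScreenCapture entry. It assumes an unsigned `.mobileconfig` that uses Apple's standard PPPC payload keys; the sample profiles are constructed, and their code requirement is abbreviated.

```python
import plistlib

# Values from the settings table on this page.
SERVICE_PATH = "/Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64"
TEAM_ID = "5S77G864UH"
PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type


def check_screen_capture(profile_bytes):
    """Return a list of problems with the ScreenCapture entry for the Connect service."""
    profile = plistlib.loads(profile_bytes)
    entries = [
        e
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == PPPC_TYPE
        for e in p.get("Services", {}).get("ScreenCapture", [])
        if e.get("Identifier") == SERVICE_PATH
    ]
    if not entries:
        return ["no ScreenCapture entry for the Connect system service"]
    problems = []
    for e in entries:
        if e.get("IdentifierType") != "path":
            problems.append("IdentifierType must be 'path' for a binary path")
        if f'certificate leaf[subject.OU] = "{TEAM_ID}"' not in e.get("CodeRequirement", ""):
            problems.append("CodeRequirement does not pin the team OU")
        # ScreenCapture cannot be pre-approved; only this value (or Deny) is accepted.
        if e.get("Authorization") != "AllowStandardUserToSetSystemService":
            problems.append("Authorization is not AllowStandardUserToSetSystemService")
    return problems


def sample_profile(authorization):
    """Constructed sample profile; not exported from a real MDM."""
    entry = {
        "Identifier": SERVICE_PATH,
        "IdentifierType": "path",
        "CodeRequirement": 'identifier "fc-system-service_darwin-amd64" and anchor apple generic '
        f'and certificate leaf[subject.OU] = "{TEAM_ID}"',  # abbreviated for the sample
        "Authorization": authorization,
    }
    payload = {"PayloadType": PPPC_TYPE, "Services": {"ScreenCapture": [entry]}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})


if __name__ == "__main__":
    print(check_screen_capture(sample_profile("AllowStandardUserToSetSystemService")))
    print(check_screen_capture(sample_profile("Allow")))
```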
For instructions on how to configure a PPPC profile, check your MDM’s documentation:
- Jamf Pro - Privacy Preferences Policy Control (PPPC) Utility
- Filewave - macOS Privacy Preferences Payload
- Microsoft Intune - macOS device settings in Microsoft Intune
- Mosyle - Contact for vendor documentation
Example
In this example, the system service path, the code requirement for Linewize Connect, and the ScreenCapture service have been configured to allow standard users to allow Screen Capture access requests. Standard users can now approve Screen Capture for the Linewize Connect application.
System Preference Behaviour
Warning
If a Standard user receives a notification to approve the fc-system-service_darwin-amd64 application, you must configure the PPPC MDM configuration correctly.
A Standard user does not need to approve the application once the PPPC configuration is successfully applied to a device.
Example
In the example, the fc-system-service_darwin-amd64 payload was successfully deployed to the device using the PPPC MDM configuration allowing Screen Recording for this application.
For instructions on how to apply PPPC MDM configuration, see your MDM’s documentation:
- Jamf Pro - Privacy Preferences Policy Control
- FileWave - macOS Privacy Preferences Payload
- Microsoft Intune - Assign device profiles in Microsoft Intune
- Mosyle - Contact for vendor documentation
3. Create and deploy a configuration profile
Upload the [generic configuration profile] to your MDM, or manually create your own with the settings below.
Generic Configuration profile
You can upload this generic MDM configuration profile into your MDM:
Note
Most MDMs do not upload system extension settings. If there are issues with uploading the generic profile, you can open the ‘.mobileconfig’ file using a PropertyListEditor and copy the payload information into the profile via your MDM GUI.
Uploading Configuration profile
Info
You can turn off Network settings for each MDM to prevent students from attempting to bypass filtering.
Using Jamf Pro
You will encounter an error when uploading the generic configuration profile in Jamf Pro, as the system extension settings do not load. This issue is a known Jamf issue.
“There is a known issue with 'System Extensions payload is missing data when uploading a computer Configuration Profile' (PI-008562) our team is aware of and working on this issue.” - Jamf Support.
- In Jamf Pro, select Computers at the top of the page, and then go to Configuration Profiles > Upload.
- Upload the generic Configuration profile.
- Add the System Extension:
  - Display Name: Network Extension
  - System Extension Types: Allowed System Extension Types
  - Team Identifier: 5S77G864UH
  - Network Extension: Tick the checkbox
  - Allowed System Extensions:
    - com.familyzone.macappproxy
    - com.familyzone.macappproxy.fzmacdnsproxy
- Go to Restrictions and select Restrict items in System Preferences.
- Select Disable selected items.
- Select Network.
- Select Save.
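Because an upload can drop the system extension settings, it is worth checking the saved profile before deploying it. The following added example (not Linewize or Jamf code) reports which of this page's system extension settings a profile lacks. It assumes an unsigned `.mobileconfig` that uses Apple's standard System Extensions payload keys; both sample payloads are constructed.

```python
import plistlib

TEAM_ID = "5S77G864UH"
EXPECTED_EXTENSIONS = {
    "com.familyzone.macappproxy",
    "com.familyzone.macappproxy.fzmacdnsproxy",
}
SYSEXT_TYPE = "com.apple.system-extension-policy"  # Apple's System Extensions payload type


def missing_sysext_settings(profile_bytes):
    """Return the system extension settings from this page that the profile lacks."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SYSEXT_TYPE]
    if not payloads:
        return ["System Extensions payload is absent"]
    allowed, types = set(), set()
    for p in payloads:  # settings may be split across several payloads
        allowed |= set(p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
        types |= set(p.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID, []))
    missing = [f"bundle ID not allowed: {b}" for b in sorted(EXPECTED_EXTENSIONS - allowed)]
    if "NetworkExtension" not in types:
        missing.append("NetworkExtension type not allowed for team " + TEAM_ID)
    return missing


def sample_profile(sysext_payload):
    """Constructed sample; wraps one payload dict in a minimal profile."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [sysext_payload]})


COMPLETE = {
    "PayloadType": SYSEXT_TYPE,
    "AllowedSystemExtensions": {TEAM_ID: sorted(EXPECTED_EXTENSIONS)},
    "AllowedSystemExtensionTypes": {TEAM_ID: ["NetworkExtension"]},
}
# What an upload that dropped the payload data could leave behind (constructed).
STRIPPED = {"PayloadType": SYSEXT_TYPE}

if __name__ == "__main__":
    print(missing_sysext_settings(sample_profile(COMPLETE)))
    print(missing_sysext_settings(sample_profile(STRIPPED)))
```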
Using Filewave
- In FileWave, go to New Desktop Fileset > Profile.
- Select Load Profile. Select the Generic Configuration profile and select Open.
- Add a Restriction to block access to Wifi Settings.
- Verify the configuration and select Save.
Using Microsoft Intune
- In Microsoft Intune, go to Devices > macOS.
- Go to Configuration profiles > Create profile, then select Templates on the Create a profile panel.
- Select Custom, and upload the Generic Configuration profile.
- Configure the "Custom" settings of the macOS Profile:
- Provide the name and description of the macOS Profile
- Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file
- Set the Included groups or Excluded groups according to your needs.
- Set the Wi-Fi to Block.
- Once finished, the Deployment Status will show "Deploy succeeded".
- Check the MacBook device, and verify that the profile has been installed.
Using Mosyle
Contact for vendor documentation.
- Save the configuration profile in your MDM.
- Deploy the configuration profile to your MacBook(s).
Manual Configuration profile settings:
Warning
Use only if the generic mobile configuration does not function properly. Do not deploy the generic mobile configuration along with the manual mobile configuration. After uploading, go to step 5. Deploy the Connect for macOS v3 agent.
1. VPN
Note
Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.
Field | Entry |
---|---|
Identifier: | com.familyzone.macappproxy |
Server: | Family Zone Proxy |
Provider Bundle Identifier: | com.familyzone.macappproxy |
User Authentication: | Password |
Password: | opendoor |
Provider Type: | App Proxy |
Designated Requirement: | anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH") |
Connection Name: | Family Zone Proxy |
VPN Type: | Per-App VPN |
Connection Type: | Custom SSL |
2. System Extension
Note
You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.
Allowed System Extension Types | Allowed System Extensions |
---|---|
Display Name: Network Extension | Display Name: Network Extension |
Team Identifier: 5S77G864UH | Team Identifier: 5S77G864UH |
Network Extension: Tick the checkbox | Bundle ID: |
3. Family Zone Root CA
Download the latest certificate and upload Family Zone Root CA.
4. Save and Deploy the Configuration profile
Save the configuration profile in your MDM.
Deploy the configuration profile to your MacBook(s).
4. Upload the Connect and Authentication agent pkg files to your MDM
- Sign in to your MDM.
- Download the current Connect for macOS pkg file from School Manager > Configuration > Agent Downloads.
- Download the Linewize Authentication agent pkg file supplied by your Linewize Deployment Engineer.
- Upload the pkg files to your MDM.
5. Deploy the Connect for macOS v3 agent
- Deploy the Connect for macOS v3 agent to your MacBook(s).
- Deploy the Linewize Authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
- Verify that the agent has been correctly installed by going to Settings > Network. Ensure the following:
  - FZ DNS Proxy is Running
  - FZ App Proxy is Connected
  - Family Zone Proxy is Not Connected
- If the agent did not correctly install, ensure the following:
  - Connect tray app is running
  - A “FamilyZone” folder is on the device. If no folder exists, install Connect again.
If you have completed the above steps and are still experiencing deployment issues, contact Linewize Support with your findings for further assistance.