Deploying Linewize Connect for macOS v3+

This article is for IT support. 

This guide explains how to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect for macOS to all your macOS devices. MDM software allows IT administrators to give the Connect agent the necessary permissions to install silently on managed devices without any end-user intervention.

There are five steps to deploying Linewize Connect on macOS v3+ devices:

  1. Install a Rosetta policy on any M1 or later MacBooks.
  2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
  3. Upload the Connect pkg to your MDM.
  4. Create and deploy a configuration profile.
  5. Deploy the Connect for macOS v3 agent.

Warning

Do not install the Connect for macOS v3 agent on user devices before you have completed step 4 by uploading or creating a configuration profile. If you install Connect before installing the Profile, the user will see a System Extension Blocked pop-up.

 

1. Install a Rosetta policy on M1 or later MacBooks

For M1 or later MacBooks, you must install a Rosetta policy before installing or upgrading Connect for macOS.

The installation may fail if the Rosetta policy is not installed first. You will also see the following error:



2. Apply Privacy Preferences Policy Control (PPPC) for Standard Users

With macOS 11 Big Sur (2020) and above, Apple introduced changes that stop standard users from approving applications’ requests to access Screen Recording; this includes Classwize Live View. For Live View to work, you must apply a PPPC MDM configuration to user devices that allows standard users to approve screen recordings of their devices.

Configure PPPC Profile

For the ScreenCapture PPPC to work correctly, it must be configured with the following settings:

Identifier: /Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64
Code Requirement: identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH"
App or Service: ScreenCapture
Access: Allow Standard Users to Allow Access

 

For instructions on how to configure a PPPC profile, see your MDM’s documentation:

Example

In this example, the system service path, the code requirement for Linewize Connect, and the ScreenCapture service have been configured to enable standard users to allow requests for access to Screen Capture. This access allows users to approve Screen Capture for the Linewize Connect application.

Jamf-Pro-PPPC-Configuration-Screen.png

 

System Preference Behaviour

Once the PPPC configuration is successfully applied to a device, a Standard user does not need to approve the application.

Note

If a Standard user receives a notification to approve an application, the PPPC MDM configuration has not been configured correctly.

Example

In the example, the fc-system-service_darwin-amd64 payload was successfully deployed to the device using the PPPC MDM configuration allowing Screen Recording for this application.

macOS-SecurityPrivacy-ScreenRecording.png

For instructions on how to apply PPPC MDM configuration, see your MDM’s documentation:

 

3. Upload the Connect pkg to your MDM

  1. Sign in to your MDM.
  2. Download the new Connect for macOS pkg file.
  3. Upload the pkg to your MDM.

 

4. Create and deploy a configuration profile

  1. Upload the [generic configuration profile] to your MDM, or manually create your own with the settings below.

Note

You will encounter an error when uploading the generic configuration profile in Jamf Pro as the system extension settings do not load. This issue is a known Jamf issue.

“There is a known issue with 'System Extensions payload is missing data when uploading a computer Configuration Profile' (PI-008562) our team is aware of and working on this issue.” - Jamf Support

  2. Save the configuration profile in your MDM.
  3. Deploy the configuration profile to your MacBook(s).

 

Manual Configuration profile settings:

1. VPN

Note

Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.

Field Entry
Identifier: com.familyzone.macappproxy
Server: Family Zone Proxy
Provider Bundle Identifier: com.familyzone.macappproxy.fzmacappproxy
User Authentication: Password
Password: opendoor
Provider Type: App Proxy
Designated Requirement: anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH")
Connection Name: Family Zone Proxy
VPN Type: Per-App VPN
Connection Type: Custom SSL

 

2. System Extension

Note

You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.

Allowed System Extension Types
Display Name: Network Extension
Team Identifier: 5S77G864UH
Network Extension: Tick the checkbox

Allowed System Extensions
Display Name: Network Extension
Team Identifier: 5S77G864UH
Bundle ID:
  • com.familyzone.macappproxy.fzmacappproxy
  • com.familyzone.macappproxy.fzmacdnsproxy

 

3. Family Zone Root CA

Download the latest certificate and upload Family Zone Root CA.

 

4. Save and Deploy the Configuration profile

Save the configuration profile in your MDM.

Deploy the configuration profile to your MacBook(s).

 

5. Deploy the Connect for macOS v3 agent

  1. Deploy the Connect for macOS v3 agent to your MacBook(s).
  2. Deploy the Linewize authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
  3. Verify that the agent has been correctly installed by going to Settings > Network.
    Ensure the following:
    • FZ DNS Proxy is Running
    • FZ App Proxy is Connected
    • Family Zone Proxy is Not Connected
  4. If the agent did not correctly install, ensure the following:
    • Connect tray app is running
    • A “FamilyZone” folder is on the device. If no folder exists, install Connect again.

 

Generic Configuration profile

Below is a generic MDM configuration profile that can be uploaded into your MDM:

Note

Most MDMs do not upload system extension settings. If there are issues with uploading the generic profile, you can open the .mobileconfig file using a PropertyListEditor and copy the payload information into the profile via your MDM GUI.

See: Linewize Connect by Family Zone Proxy v3.mobileconfig
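
Because an MDM upload can drop the system extension settings, it helps to check the profile the MDM actually holds after export. The script below is an added example, not Linewize or MDM vendor code: it reads an unsigned .mobileconfig and reports whether Apple's com.apple.system-extension-policy payload allows the two bundle IDs and the NetworkExtension type for team 5S77G864UH. The names audit_profile and sample_profile are chosen for this example, and the sample profiles are constructed.

```python
import plistlib
import sys
from xml.parsers.expat import ExpatError

TEAM_ID = "5S77G864UH"  # Team Identifier given on this page
REQUIRED = {"com.familyzone.macappproxy.fzmacappproxy",
            "com.familyzone.macappproxy.fzmacdnsproxy"}
SYSEXT = "com.apple.system-extension-policy"  # Apple's payload type


def audit_profile(data: bytes) -> list:
    """Return the problems found in an unsigned .mobileconfig (empty = OK)."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError):
        return ["not a readable plist (signed profiles must be decoded first)"]
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SYSEXT]
    if not payloads:
        return ["no " + SYSEXT + " payload in profile"]
    allowed, types = set(), set()
    for p in payloads:  # both settings are keyed by team identifier
        allowed.update(p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
        types.update(p.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID, []))
    problems = ["extension not allowed: " + b for b in sorted(REQUIRED - allowed)]
    if "NetworkExtension" not in types:
        problems.append("NetworkExtension type not allowed for " + TEAM_ID)
    return problems


def sample_profile(sysext: dict) -> bytes:
    """Constructed test profile; `sysext` holds the system extension keys."""
    payload = {"PayloadType": SYSEXT, "PayloadIdentifier": "example.sysext",
               **sysext}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    if len(sys.argv) > 1:  # profile exported from the MDM
        with open(sys.argv[1], "rb") as fh:
            found = audit_profile(fh.read())
    else:  # constructed case: payload present but its data missing
        found = audit_profile(sample_profile({}))
    print("\n".join(found) or "system extension settings present")
    sys.exit(1 if found else 0)
```

Run it with the path of the profile exported from your MDM; a non-zero exit status means the system extension settings need to be added by hand in the MDM GUI.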

Uploading Configuration profile

Info

There is a step to disable Network settings for each MDM. This will prevent students from attempting to bypass filtering.

Using Jamf Pro

You will encounter an error when uploading the generic configuration profile in Jamf Pro as the system extension settings do not load. This issue is a known Jamf issue.

“There is a known issue with 'System Extensions payload is missing data when uploading a computer Configuration Profile' (PI-008562) our team is aware of and working on this issue.” - Jamf Support

  1. In Jamf Pro, select Computers at the top of the page, and then go to Configuration Profiles > Upload.
  2. Upload the generic Configuration profile.
  3. Add the System Extension:
    • Display Name: Network Extension
    • System Extension Types: Allowed System Extension Types
    • Team Identifier: 5S77G864UH
    • Network Extension: Tick the checkbox
    • Allowed System Extensions:
      • com.familyzone.macappproxy.fzmacappproxy
      • com.familyzone.macappproxy.fzmacdnsproxy
  4. Go to Restrictions and select Restrict items in System Preferences.
  5. Select Disable selected items.
  6. Select Network.
  7. Select Save.

 

Using Filewave

  1. In FileWave, go to New Desktop Fileset > Profile.
  2. Select Load Profile. Select the Generic Configuration profile and select Open.
  3. Add a Restriction to block access to Wi-Fi Settings.
  4. Verify the configuration and select Save.

 

Using Microsoft Intune

  1. In Microsoft Intune, go to Devices > macOS.
  2. Go to Configuration profiles > Create profile, then select Templates on the Create a profile panel.
  3. Select Custom, and upload the Generic Configuration profile.
  4. Configure the "Custom" settings of the macOS Profile:
    • Provide the name and description of the macOS Profile
    • Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file

  • Set the Included groups or Excluded groups according to your needs.
  • Set the Wi-Fi to Block.
  • Once finished, the Deployment Status will show "Deploy succeeded".
  • Check the MacBook device, and verify that the profile has been installed.

 
