Deploy the Cato Client with Intune (macOS)

This article discusses how to configure Azure Intune to deploy and update macOS Clients for SDP users in your account.

This feature is supported for macOS Client v5.0 and higher.

Overview

Starting with macOS Client v5.0, you can configure the Cato Management Application to use an MDM to manage the deployment and updates for macOS Clients in your organization. All Client updates are controlled using the MDM and end users don't receive notifications of new Client versions.

High Level Workflow of Managed Deployments and Upgrades for macOS Clients

This is an overview of the workflow to implement an MDM solution for macOS Clients in your account.

  1. From the navigation menu, click Access > Client Rollout.

  2. Click the Upgrade Policy tab.

  3. For the macOS Client, choose Managed by Admin.

  4. Import the macOS package.

  5. Configure Azure Intune to create a policy that allows the DMG extension and VPN profiles for end users.

    Otherwise, end users need to manually approve and allow the above items in the macOS.

  6. In Azure Intune, distribute the new macOS Client version to the end users in your account.

Importing the macOS Package

Use the Microsoft Intune Admin Center to add the Client package you want to distribute.

Import the macOS package to Intune

  1. From the navigation menu, select Apps > macOS.

  2. Click Add and under App type, select macOS app (PKG).

  3. Click Select and select the Cato Client package you want to upload. You will have to provide the following information:

    • Name

    • Description

    • Publisher Name

  4. Under Category, select the Business and Computer management checkboxes, respectively.

  5. Click Next and in the Program page, click Next again.

  6. In the Requirements page, select the minimum required macOS operating system as required for the Cato Client version you are deploying.

  7. In the Detection rules page, make sure you set Ignore app version to No, and click Next.

  8. On the Assignments page, determine who will receive this package (for example, All Users), and click Next.

  9. Click Create.

    The macOS Client package is imported to Intune and is available in the Apps page for macOS packages.

Automatically Allowing macOS Permissions for the Client with Intune

Starting with the macOS Client v5.0, the following permissions are required to install the Client on a macOS host:

  • Allow the Cato Client to create a VPN profile

  • Allow system extensions for the Cato Client

You can configure Intune to automatically allow these permissions for end user as part of the installation process for the new Client version. Otherwise, the end user must manually configure the macOS settings as part of the installation process.

Deploy a Custom VPN Profile

Create a custom VPN profile.

  1. Download the custom profile attached to this article, or create your own custom profile.

  2. From the Microsoft Intune Admin Center, navigate to Devices > macOS > Configuration to create a policy for the macOS Client

  3. Click Create and select New Policy. (based on the data in the table above):

    1. In Create a profile, under Profile type select Custom.

    2. Click Create.

  4. In the Basics page, enter a Name and optional Description for the profile, and click Next.

  5. In the Configuration settings page, enter the following:

    1. Provide a descriptive name for the custom profile

    2. Under Configuration profile file, upload the custom profile you downloaded above

    3. Click Next

  6. In the Assignments page, click Add all devices and click Next.

  7. Click Create.

Creating a Custom VPN Profile

This article comes with a preconfigured, customized VPN profile that you can upload to Intune. If you want to create a custom VPN profile, you will need to download the Apple Configurator tool, and create a profile using the information in the table, below.

Setting

Value

Connection Name

Cato Networks VPN

Connection Type

Custom SSL (from the drop-down menu)

Identifier

com.catonetworks.mac.CatoClient

Server

vpn.catonetworks.net

Account

CatoClientVPN

Provider Bundle Identifier

com.catonetworks.mac.CatoClient.CatoClientSysExtension

User Authentication

  1. Choose the Password option.

  2. Clear the Send all traffic through VPN option.

Provider Type

Packet Tunnel

Provider Designated Requirement

anchor apple generic and identifier "com.catonetworks.mac.CatoClient" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CKGSB8CH43)

Create a Profile for Deploying the macOS Package

Create the new profile and then configure the VPN settings for that profile.

  1. From the Microsoft Intune Admin Center, navigate to Devices > macOS > Configuration to create a policy for the macOS Client:

  2. Click Create and select New Policy. (based on the data in the table above):

    1. In Create a profile, under Profile type select Settings catalog.

    2. Click Create.

  3. In the Basics page, enter a Name and Description for the profile, and click Next.

  4. In the Configuration settings page, click Add settings.

    1. Using the Search box, enter managed login items and verify that the Rules setting is selected

    2. Using the search box, enter system extensions and verify that Allowed System Extensions is selected

    3. Using the search box, enter notifications and under User Experience > Notifications, verify that Notification Settings is selected

    4. Close the Add settings pane

  5. In the Configuration page, under Rules, click Edit ins.

    1. In the Comment field enter an optional comment describing the instance

    2. In the Rule Value field, enter the following value from the allowed system extensions:

      com.catonetworks.mac.CatoClient

    3. Click Save.

  6. In the Configuration page, under Allowed System Extensions, click Edit instance.

    1. Enter the values listed in the Allowed System Extensions, below:

      • com.catonetworks.mac.CatoClient

      • com.catonetworks.mac.CatoClient.CatoClientSysExtension

    2. Under Team Identifier, enter the value as listed below, CKGSB8CH43

    3. Click Save

  7. In the Configuration page, under Notification Settings, click Edit instance.

    1. Under Bundle Identifier, enter com.catonetworks.mac.CatoClient

    2. Verify that Critical Alert Enabled is set to True

    3. Click Save

  8. Click Next, and on the Scope tags page, click Next again.

  9. In the Assignments page, determine who should receive this package, for example, click Add all devices or select a specific group of users, and click Next.

  10. Click Create.

Was this article helpful?

0 out of 0 found this helpful

0 comments