Deploying and Upgrading macOS Clients with an MDM

This article discusses how to configure a Mobile Device Management (MDM) to deploy and update macOS Clients for SDP users in your account.

This feature is supported for macOS Client v5.0 and higher.

Overview

Starting with macOS Client v5.0, you can configure the Cato Management Application to use an MDM to manage the deployment and updates for macOS Clients in your organization. All Client updates are controlled using the MDM and end users don't receive notifications of new Client versions.

High Level Workflow of Managed Deployments and Upgrades for macOS Clients

This is an overview of the workflow to implement an MDM solution for macOS Clients in your account.

  1. From the navigation menu, click Access > Client Rollout.

  2. Click the Upgrade Policy tab.

  3. For the macOS Client, choose Managed by Admin.

  4. Import the macOS package.

  5. Configure the MDM to create a policy that allows the DMG extension and VPN profiles for end users.

    Otherwise, end users need to manually approve and allow the above items in the macOS.

  6. In the MDM, distribute the new macOS Client version to the end users in your account.

Importing the macOS Package

To use the Managed Upgrade for the macOS Client in your account, first you need to import the package to the MDM.

Sample JAMF Procedure to Import the macOS Package

  1. From the navigation menu, select Settings > Computer Management.

  2. Select Packages and click New.

  3. Enter the Display Name.

  4. Click Choose File and select the macOS Client package.

  5. Click Save.

    The macOS Client package is imported to JAMF.

Automatically Allowing macOS Permissions for the Client with the MDM

Starting with the macOS Client v5.0, the following permissions are required to install the Client on a macOS host:

  • Allow the Cato Client to create a VPN profile

  • Allow system extensions for the Cato Client

You can configure the MDM to automatically allow these permissions for end user as part of the installation process for the new Client version. Otherwise, the end user must manually configure the macOS settings as part of the installation process.

Allowing Permissions for the VPN Profile

In the MDM, create a VPN Payload that contains the settings to automatically set the macOS to allow permissions for the Cato Client VPN profile. When the Client is installed, the VPN Profile permissions are set correctly and the macOS doesn't request the end user to manually configure them.

Setting

Value

Connection Name

Cato Networks VPN

Connection Type

Custom SSL (from the drop-down menu)

Identifier

com.catonetworks.mac.CatoClient

Server

vpn.catonetworks.net

Account

CatoClientVPN

Provider Bundle Identifier

com.catonetworks.mac.CatoClient.CatoClientSysExtension

User Authentication

  1. Choose the Password option.

  2. Clear the Send all traffic through VPN option.

Provider Type

Packet Tunnel

Provider Designated Requirement

anchor apple generic and identifier "com.catonetworks.mac.CatoClient" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CKGSB8CH43)

Sample JAMF Procedure to Set Permissions for the VPN Settings

Create the new profile and then configure the VPN settings for that profile.

  1. Create the profile for the macOS Client:

    1. From the navigation pane, select Computers > Configuration Profiles.

    2. Click New and create a new profile for the Cato Client.

      General.png

  2. Edit the VPN settings to allow the VPN permissions for the profile (based on the data in the table above):

    1. In Configuration Profiles, edit the profile you created in the previous step and select VPN.

    2. Enter the settings for the VPN Type, Connection Type, Identifier, Server, Account, and Provider Bundle Identifier.

      VPN_provider_Bundle_Identifier.png

    3. Configure the settings for the User Authentication, Provider Type, and Provider Designated Requirement.

      VPN_Provider_Designated_Requirement.png

Allowing System Extensions

In the MDM, configure the policy to allow the system extensions that are used by the macOS Client. When the Client is installed, the system extension permissions are set correctly and the macOS doesn't request the end user to manually configure them.

Setting

Value

Display Name

CatoClient System Extension

System Extension Types

Allowed System Extensions

Team Identifier

CKGSB8CH43

Allowed System Extensions

  • com.catonetworks.mac.CatoClient

  • com.catonetworks.mac.CatoClient.CatoClientSysExtension

Sample JAMF Procedure to Set Permissions for the System Extensions

Edit the System Extensions settings to allow the system permissions for the profile (based on the data in the table above).

  1. Select Allow users to approve system extensions.

  2. Enter the Display Name.

  3. Select the System Extension Types.

  4. Enter the Team Identifier.

  5. Make sure that the values for the Approved System Extensions are correct.

  6. Save the changes to the macOS Client profile.

Distributing the macOS Client

In the MDM, select the users and groups that are receiving the Cato VPN profile. Then create a new policy with the macOS package and push the policy to the users.

Suppressing the EULA Screen during Deployment

Starting with macOS v5.10.6, you can deploy a silent installation that suppresses the EULA screen.

To suppress the EULA screen during deployment:

  1. Open the profile file in a text editor.

  2. In the PayloadContent section of the file, under mcx_preference_settings, include the following:

    <dict>
      <key>suppressEULAScreen</key>
      <integer>1</integer>
</dict>

  3. Save the file.

A sample profile for JAMF is attached to this document.

Sample JAMF Procedure to Distribute the macOS Client

  1. In Computers > Configuration Profiles, select the group or specific users that are receiving the Cato VPN profile.

  2. Create a new policy and add the macOS package to it.

    1. In Computers > Policy, create a new policy.

    2. From the General section, configure these settings:

      1. Enter the Display Name.

      2. Configure the other policy settings based on the requirements for your organization.

    3. In the Packages section, add the macOS Client package.

  3. Click Save. The profile is ready to distribute the Client to the macOS devices.

Known Limitations

  • If you upgrade the Client with an MDM, pop ups are sometimes displayed requesting permission to allow the installation of system extensions and the VPN configuration.

    To prevent this issue, you can first distribute the permissions for DMG extension and the VPN payload, then distribute the Clients to the macOS hosts.

Was this article helpful?

2 out of 4 found this helpful

20 comments

Date Votes
  • Comment author
    Yaakov Simon

    Updated article and added examples for configuring JAMF to distribute the macOS Client

  • Comment author
    Orlando Rodriguez

    The Team ID shows as Ch33 but the Kernel screenshot shows CH43. Which one is it?

  • Comment author
    Ed Tan

    Team ID  on the documentations says CKGSB8Ch33, but screenshot says CKGSB8ch34.

  • Comment author
    Yaakov Simon
    • Edited

    Orlando and Ed,

    Sorry for the confusion! Indeed CH43 is correct, and I updated the article to show the Team ID as CKGSB8CH43

    Yaakov

  • Comment author
    Peschä

    Are there plans to support other MDMs in the future?

  • Comment author
    Yaakov Simon

    Peter,

    Many MDMs are supported for the macOS Client. This article includes examples for JAMF.

    If you have a question about a specific vendor, please contact Support.

    Thanks!

    Yaakov

  • Comment author
    Christopher Moynier

    Can we get an example with Microsoft Intune?

  • Comment author
    David Panodishvili

    Hi, Do we need to adjust the JamF policy for computers with an Apple processor and a MacOS Monterey operating system?
    Because the new operating systems are not supporting "Approved Kernel Extensions ".

  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded. They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager

    Hello David!

    My apologies that your comment has gone unnoticed for so long!  I believe you are correct.  I will ask the author of the document to update it appropriately.

    Kind Regards,

    Dermot Doran

  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded. They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager
    • Edited

    Hello David!

    The article has been updated to reflect the changes to macOS that resulted in "Approved Kernel Extensions" going out of support.  Thank you again from bringing this to our attention.

    Kind Regards,

    Dermot Doran

  • Comment author
    Kohji Tomita

    At the initial launch of the Cato Client, permissions for downloading, accessing the desktop and documents folders, accessing reminders, and obtaining full disk access are required. If using Jamf Pro, you should be able to distribute access permissions for these through the Privacy Preferences Policy Control settings. Please consider adding this information to the article.

  • Comment author
    dgornakov

    When deploying Cato Client PKG on MacOS with Microsoft Intune, or any other possible MDM solution, or installing it manually from PKG file, there is a pop-up window to accept terms of services.

    Is there any possible way to hide this pop-up for Cato Client users while deploying the package? 

  • Comment author
    Kohji Tomita

    It would be difficult to skip the consent of the users themselves, given the privacy laws, since the content of their communications can be monitored.

  • Comment author
    dgornakov

    It is a corporate devices and corporate data, we accepted terms of service as a customers.

  • Comment author
    Thomas Capacci

    Hi, version 5.10.6 introduces support for silent install to skip EULA. What do we need to do/change in our deployment to not see the EULA? Thanks

  • Comment author
    Yaron Libman

    Hi Thomas,

    The KB has been updated to include instructions for the silent install, and I've also attached a sample profile file, too.

    Regards

    Yaron

  • Comment author
    Loic Yannou

    Hello Yaron Libman 

    Regarding the suppression of the EULA screen, I can't see mcx_preference_settings in the sample_profile.mobileconfig
    Could you please let us know where we're supposed to add the following lines?

    <dict>
      <key>suppressEULAScreen</key>
      <integer>1</integer>
</dict>

    Best

  • Comment author
    Yaron Libman

    Hi Loic,

    There are 2 separate sample profiles - please see the one for the EULA suppression 

    Regards,

    Yaron

  • Comment author
    Ed Tan

    Supressing the EULA and App after initial install would be best. When using Jamf's Setup Manager during zero touch onboarding process, EULA is supressed but CatoClient still launches over the Setup Manager window. 

  • Comment author
    Michael Yorke

    The provided sample profiles are working as expected in my environment. But is there a way to automatically allow system notifications via mobileconfig profiles? When deploying Cato and these profiles, this is the last step to fully automate the experience for end users. At the moment, they see an exclamation triangle in the Cato app (next to Settings) and shown a prompt to allow notifications via Notification Centre. They need to click through this, click into CatoClient app, and toggle ‘Allow Notifications’. It would be great to be able to roll this into the existing mobileconfig policy.