
Deploying Linewize Connect for macOS v3+

This guide explains how to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect to all your macOS devices. MDM software allows IT administrators to give the Connect agent the necessary permissions to install silently on managed devices without any end-user intervention.

There are five steps to deploying Linewize Connect on macOS v3+ devices:

  1. Install a Rosetta policy on any M1 or later MacBooks.
  2. (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
  3. Upload the Connect pkg to your MDM.
  4. Create and deploy a configuration profile.
  5. Deploy the agent.

Warning: Do not install the Connect for macOS v3 agent on user devices before you have completed step 4 by uploading or creating a configuration profile. If you install Connect before installing the Profile, the user will see a System Extension Blocked pop-up.

1. Install a Rosetta policy on M1 or later MacBooks

For M1 or later MacBooks, you must install a Rosetta policy before installing or upgrading Connect for macOS. 

The installation may fail if the Rosetta policy is not installed first. You will also see the following error:


2. Apply Privacy Preferences Policy Control (PPPC) for Standard Users

With macOS 11 Big Sur (2020), Apple introduced changes that stop standard users from approving applications’ requests for Screen Recording access, including Classwize Live View. For Live View to work, you must apply a PPPC MDM configuration to user devices that allows standard users to approve screen recording of their devices.

Configure PPPC Profile

For the ScreenCapture PPPC to work correctly, it must be configured with the following settings:

Identifier: /Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64
Code Requirement: identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH"
App or Service: ScreenCapture
Access: Allow Standard Users to Allow Access

For instructions on how to configure a PPPC profile, see your MDM’s documentation:

Example
In this example, the system service path, the code requirement for Linewize Connect, and the ScreenCapture service have been configured to allow standard users to allow requests for access to Screen Capture. This access allows the user to approve Screen Capture for the Linewize Connect application.

System Preference Behaviour

Once the PPPC configuration is successfully applied to a device, a Standard user does not need to approve the application. 

Note: If a Standard user receives a notification to approve an application, the PPPC MDM configuration has not been configured correctly.

Example 

In the example, the fc-system-service_darwin-amd64 payload was deployed to the device allowing the user to approve Screen Recording for this application.

For instructions on how to apply PPPC MDM configuration, see your MDM’s documentation:

3. Upload the Connect pkg to your MDM

  1. Sign in to your MDM.
  2. Download the new Connect for macOS pkg file
  3. Upload the pkg to your MDM.


4. Create and deploy a configuration profile

  1. Upload the [generic configuration profile] to your MDM, or manually create your own with the below settings.
    Note: You will encounter an error when uploading the generic configuration profile in Jamf Pro as the system extension settings do not load. This issue is a known Jamf issue.
    “There is a known issue with 'System Extensions payload is missing data when uploading a computer Configuration Profile' (PI-008562) our team is aware of and working on this issue.” - Jamf Support
  2. Save the configuration profile in your MDM. 
  3. Deploy the configuration profile to your MacBook(s).

Manual Configuration profile settings:

1. VPN

Note: Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.

Connection Name: Family Zone Proxy
VPN Type: Per-App VPN
Connection Type: Custom SSL
Identifier: com.familyzone.macappproxy
Server: Family Zone Proxy
Provider Bundle Identifier: com.familyzone.macappproxy.fzmacappproxy
User Authentication: Password
Password: opendoor
Provider Type: App Proxy
Designated Requirement: anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH")

2. System Extension

Note: You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.

Allowed System Extension Types
Display Name: Network Extension
Team Identifier: 5S77G864UH
Network Extension: Tick the checkbox

Allowed System Extensions
Display Name: Network Extension
Team Identifier: 5S77G864UH
Bundle ID:
  • com.familyzone.macappproxy.fzmacappproxy
  • com.familyzone.macappproxy.fzmacdnsproxy

3. Family Zone Root CA

Download the latest certificate and upload Family Zone Root CA.

4. Save and Deploy the Configuration profile

Save the configuration profile in your MDM. 

Deploy the configuration profile to your MacBook(s).


5. Deploy the Connect for macOS v3 agent

  1. Deploy the Connect for macOS v3 agent to your MacBook(s).
  2. Deploy the Linewize authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
  3. Verify that the agent has been correctly installed by going to Settings > Network.
    Ensure the following:
    • FZ DNS Proxy is Running
    • FZ App Proxy is Connected
    • Family Zone Proxy is Not Connected
  4. If the agent did not correctly install, ensure the following:
    • Connect tray app is running
    • A “FamilyZone” folder is on the device. If no folder exists, install Connect again.


Generic Configuration profile

Below is a generic MDM configuration profile that can be uploaded into your MDM:

Note: Most MDMs do not upload system extension settings. If there are issues with uploading the generic profile, you can open the .mobileconfig file using a PropertyListEditor and copy the payload information into the profile via your MDM GUI.

See: Linewize Connect by Family Zone Proxy v3.mobileconfig
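The PPPC settings from step 2 and the System Extension settings from step 4 can be checked in an exported, unsigned .mobileconfig before it is deployed. The following Python check is an added example, not Linewize or Jamf code: the function name audit_profile and both sample profiles are constructed for illustration, while the payload types and key names are Apple's configuration profile keys and the identifiers are the ones given on this page.

```python
import plistlib

# Values from this page; payload types and key names are Apple's profile keys.
TEAM_ID = "5S77G864UH"
EXTENSIONS = {"com.familyzone.macappproxy.fzmacappproxy",
              "com.familyzone.macappproxy.fzmacdnsproxy"}
AGENT_PATH = "/Applications/FamilyZone/MobileZoneAgent/bin/fc-system-service_darwin-amd64"
SYSEXT = "com.apple.system-extension-policy"
PPPC = "com.apple.TCC.configuration-profile-policy"

def audit_profile(raw: bytes) -> list:
    """Return problems in the System Extension / PPPC payloads of an unsigned profile."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    problems = []
    for p in payloads:
        if p.get("PayloadType") == SYSEXT:
            allowed = set(p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
            types = p.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID, [])
            problems += [f"extension not allowed: {b}" for b in sorted(EXTENSIONS - allowed)]
            if "NetworkExtension" not in types:
                problems.append("NetworkExtension type not allowed")
        elif p.get("PayloadType") == PPPC:
            rules = p.get("Services", {}).get("ScreenCapture", [])
            rule = next((r for r in rules if r.get("Identifier") == AGENT_PATH), None)
            if rule is None:
                problems.append("no ScreenCapture rule for the agent path")
                continue
            if rule.get("IdentifierType") != "path":
                problems.append("IdentifierType must be 'path'")
            if rule.get("Authorization") != "AllowStandardUserToSetSystemService":
                problems.append("standard users cannot approve Screen Recording")
            if f'subject.OU] = "{TEAM_ID}"' not in rule.get("CodeRequirement", ""):
                problems.append("code requirement does not pin the team identifier")
    if not any(p.get("PayloadType") in (SYSEXT, PPPC) for p in payloads):
        problems.append("no System Extension or PPPC payload present")
    return problems

# Constructed samples: a complete profile, and one whose System Extension
# payload lost its data on upload (code requirement shortened for the sample).
GOOD = plistlib.dumps({"PayloadContent": [
    {"PayloadType": SYSEXT,
     "AllowedSystemExtensions": {TEAM_ID: sorted(EXTENSIONS)},
     "AllowedSystemExtensionTypes": {TEAM_ID: ["NetworkExtension"]}},
    {"PayloadType": PPPC, "Services": {"ScreenCapture": [{
        "Identifier": AGENT_PATH, "IdentifierType": "path",
        "CodeRequirement": f'anchor apple generic and certificate leaf[subject.OU] = "{TEAM_ID}"',
        "Authorization": "AllowStandardUserToSetSystemService"}]}}]})
STRIPPED = plistlib.dumps({"PayloadContent": [{"PayloadType": SYSEXT}]})

if __name__ == "__main__":
    for name, raw in (("complete", GOOD), ("stripped", STRIPPED)):
        print(name, audit_profile(raw) or "OK")
```

A signed .mobileconfig is wrapped in a CMS envelope and has to be unwrapped before plistlib can read it.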


Uploading Configuration profile

Using Jamf Pro

You will encounter an error when uploading the generic configuration profile in Jamf Pro as the system extension settings do not load. This issue is a known Jamf issue.

“There is a known issue with 'System Extensions payload is missing data when uploading a computer Configuration Profile' (PI-008562) our team is aware of and working on this issue.” - Jamf Support

  1. In Jamf Pro, select Computers at the top of the page, and then go to Configuration Profiles > Upload.
  2. Upload the generic Configuration profile
  3. Add the System Extension:
    • Display Name: Network Extension
    • System Extension Types: Allowed System Extension Types
    • Team Identifier: 5S77G864UH
    • Network Extension: Tick the checkbox
    • Allowed System Extensions:
      • com.familyzone.macappproxy.fzmacappproxy
      • com.familyzone.macappproxy.fzmacdnsproxy
  4. Select Save


Using Filewave

  1. In FileWave, go to New Desktop Fileset > Profile
  2. Select Load Profile. Select the Generic Configuration profile and select Open
  3. Verify the configuration and select Save


Using Microsoft Intune

  1. In Microsoft Intune, go to Devices > macOS
  2. Go to Configuration profiles > Create profile, then select Templates on the Create a profile panel.
  3. Select Custom, and upload the Generic Configuration profile.
  4. Configure the "Custom" settings of the macOS Profile:
    • Provide the name and description of the macOS Profile
    • Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file
    • Set the Included groups or Excluded groups according to your needs.
    • Once finished, the Deployment Status will show "Deploy succeeded".
    • Check the MacBook, and verify that the profile has been installed.