This guide explains how to configure your Mobile Device Management (MDM) tool to deploy Linewize Connect to all your macOS devices. MDM software allows IT administrators to give the Connect agent the necessary permissions to install silently on managed devices without any end-user intervention.
There are five steps to deploying Linewize Connect on macOS v3+ devices:
- Install a Rosetta policy on any M1 or later MacBooks.
- (Classwize only) Apply Privacy Preferences Policy Control (PPPC) for Standard Users.
- Upload the Connect pkg to your MDM.
- Create and deploy a configuration profile.
- Deploy the agent.
Warning: Do not install the Connect for macOS v3 agent on user devices before you have completed step 4 by uploading or creating a configuration profile. If you install Connect before installing the Profile, the user will see a System Extension Blocked pop-up.
1. Install a Rosetta policy on M1 or later MacBooks
For M1 or later MacBooks, you must install a Rosetta policy before installing or upgrading Connect for macOS.
The installation may fail if the Rosetta policy is not installed first. You will also see the following error:
2. Apply Privacy Preferences Policy Control (PPPC) for Standard Users
With macOS 11 Big Sur (2020), Apple introduced changes that stop standard users from approving applications’ requests for Screen Recording access, including Classwize Live View. For Live View to work, you must apply a PPPC MDM configuration to user devices that allows standard users to approve screen recording of their devices.
Configure PPPC Profile
For the ScreenCapture PPPC to work correctly, it must be configured with the following settings:
|Code Requirement||identifier "fc-system-service_darwin-amd64" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH"|
|App or Service||ScreenCapture|
|Access||Allow Standard Users to Allow Access|
For instructions on how to configure a PPPC profile, see your MDM’s documentation:
- Jamf Pro - Privacy Preferences Policy Control (PPPC) Utility
- FileWave - macOS Privacy Preferences Payload
- Microsoft Intune - macOS device settings in Microsoft Intune
In this example, the system service path, the code requirement for Linewize Connect, and the ScreenCapture service have been configured to allow standard users to allow requests for access to Screen Capture. This access allows the user to approve Screen Capture for the Linewize Connect application.
System Preference Behaviour
Once the PPPC configuration is successfully applied to a device, a Standard user does not need to approve the application.
Note: If a Standard user receives a notification to approve an application, the PPPC MDM configuration has not been configured correctly.
In the example, the fc-system-service_darwin-amd64 payload was deployed to the device allowing the user to approve Screen Recording for this application.
For instructions on how to apply PPPC MDM configuration, see your MDM’s documentation:
- Jamf Pro - Privacy Preferences Policy Control
- FileWave - macOS Privacy Preferences Payload
- Microsoft Intune - Assign device profiles in Microsoft Intune
3. Upload the Connect pkg to your MDM
- Sign in to your MDM.
- Download the new Connect for macOS pkg file.
- Upload the pkg to your MDM.
4. Create and deploy a configuration profile
- Upload the [generic configuration profile] to your MDM, or manually create your own with the settings below.
  Note: You will encounter an error when uploading the generic configuration profile in Jamf Pro as the system extension settings do not load. This issue is a known Jamf issue.
  “There is a known issue with 'System Extensions payload is missing data when uploading a computer Configuration Profile' (PI-008562) our team is aware of and working on this issue.” - Jamf Support
- Save the configuration profile in your MDM.
- Deploy the configuration profile to your MacBook(s).
Manual Configuration profile settings:
Note: Some MDM providers (e.g. Jamf Pro) require an additional App-To-Per-App VPN Mapping profile. Use the settings below to fill in the App-To-Per-App VPN Mapping details.
|Connection Name:||Family Zone Proxy|
|VPN Type:||Per-App VPN|
|Connection Type:||Custom SSL|
|Server:||Family Zone Proxy|
|Provider Bundle Identifier:||com.familyzone.macappproxy.fzmacappproxy|
|Provider Type:||App Proxy|
|Designated Requirement:||anchor apple generic and identifier "com.familyzone.macappproxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5S77G864UH")|
2. System Extension
Note: You must manually create the System Extension profile. Most MDM providers do not support the ability to upload system extension profiles.
|Allowed System Extension Types||Allowed System Extensions|
|Display Name: Network Extension||Display Name: Network Extension|
|Team Identifier: 5S77G864UH||Team Identifier: 5S77G864UH|
|Network Extension: Tick the checkbox||Bundle ID:|
3. Family Zone Root CA
Download the latest certificate and upload Family Zone Root CA.
4. Save and Deploy the Configuration profile
Save the configuration profile in your MDM.
Deploy the configuration profile to your MacBook(s).
5. Deploy the Connect for macOS v3 agent
- Deploy the Connect for macOS v3 agent to your MacBook(s).
- Deploy the Linewize authentication agent to your MacBook(s) (if it hasn’t already been installed on your MacBook(s) previously).
- Verify that the agent has been correctly installed by going to Settings > Network. Ensure the following:
  - FZ DNS Proxy is Running
  - FZ App Proxy is Connected
  - Family Zone Proxy is Not Connected
- If the agent did not correctly install, ensure the following:
  - Connect tray app is running
  - A “FamilyZone” folder is on the device. If no folder exists, install Connect again.
Generic Configuration profile
Below is a generic MDM configuration profile that can be uploaded into your MDM:
Note: Most MDMs do not upload system extension settings. If there are issues with uploading the generic profile, you can open the .mobileconfig file using a PropertyListEditor and copy the payload information into the profile via your MDM GUI.
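A pre-upload check for the settings in this guide, as an added example (not Linewize's or any MDM vendor's code): it parses exported .mobileconfig files and confirms that the System Extension, Per-App VPN and ScreenCapture PPPC payloads carry the team identifier, provider bundle identifier and authorization listed above. The payload types and key names are Apple's configuration profile keys; the function names, the sample profiles, the shortened code requirement and the placeholder path are constructed for the demo.

```python
import plistlib

TEAM_ID = "5S77G864UH"  # Team Identifier from the page
PROXY_ID = "com.familyzone.macappproxy.fzmacappproxy"  # Provider Bundle Identifier
SERVICE_ID = "fc-system-service_darwin-amd64"  # identifier in the PPPC requirement

def lint_profiles(*raw_profiles: bytes) -> list[str]:
    """Check exported .mobileconfig files; return problems (empty list = OK)."""
    by_type = {}
    for raw in raw_profiles:
        for p in plistlib.loads(raw).get("PayloadContent", []):
            by_type.setdefault(p.get("PayloadType"), []).append(p)
    problems = []
    # System Extension: the team must be allowed to load a Network Extension.
    sysext = by_type.get("com.apple.system-extension-policy", [])
    if not any("NetworkExtension" in
               p.get("AllowedSystemExtensionTypes", {}).get(TEAM_ID, [])
               for p in sysext):
        problems.append("sysext: NetworkExtension not allowed for " + TEAM_ID)
    # Per-App VPN: the provider must be the Connect app proxy.
    vpns = [p.get("VPN", {}) for p in by_type.get("com.apple.vpn.managed.applayer", [])]
    if not any(v.get("ProviderBundleIdentifier") == PROXY_ID
               and v.get("ProviderType") == "app-proxy" for v in vpns):
        problems.append("vpn: app-proxy provider " + PROXY_ID + " missing")
    # PPPC: ScreenCapture delegated to standard users and pinned to the team.
    rules = [r for p in by_type.get("com.apple.TCC.configuration-profile-policy", [])
             for r in p.get("Services", {}).get("ScreenCapture", [])]
    if not any(r.get("Authorization") == "AllowStandardUserToSetSystemService"
               and f'identifier "{SERVICE_ID}"' in r.get("CodeRequirement", "")
               and f'subject.OU] = "{TEAM_ID}"' in r.get("CodeRequirement", "")
               for r in rules):
        problems.append("pppc: no standard-user ScreenCapture rule for " + SERVICE_ID)
    return problems

def sample_profiles(authorization: str) -> tuple[bytes, bytes]:
    """Constructed inputs for the demo; not the vendor's generic profile."""
    req = (f'identifier "{SERVICE_ID}" and anchor apple generic '
           f'and certificate leaf[subject.OU] = "{TEAM_ID}"')  # shortened
    pppc = {"PayloadContent": [{
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "Services": {"ScreenCapture": [{
            "Identifier": "/placeholder/path", "IdentifierType": "path",
            "CodeRequirement": req, "Authorization": authorization}]}}]}
    conf = {"PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensionTypes": {TEAM_ID: ["NetworkExtension"]}},
        {"PayloadType": "com.apple.vpn.managed.applayer",
         "VPN": {"ProviderBundleIdentifier": PROXY_ID, "ProviderType": "app-proxy"}}]}
    return plistlib.dumps(pppc), plistlib.dumps(conf)
```

Pass the raw bytes of each exported profile to `lint_profiles`; the PPPC profile and the configuration profile can be supplied together because they are deployed as separate profiles.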
Uploading Configuration profile
Using Jamf Pro
You will encounter an error when uploading the generic configuration profile in Jamf Pro as the system extension settings do not load. This issue is a known Jamf issue.
“There is a known issue with 'System Extensions payload is missing data when uploading a computer Configuration Profile' (PI-008562) our team is aware of and working on this issue.” - Jamf Support
- In Jamf Pro, select Computers at the top of the page, and then go to Configuration Profiles > Upload.
- Upload the generic Configuration profile
- Add the System Extension:
  - Display Name: Network Extension
  - System Extension Types: Allowed System Extension Types
  - Team Identifier: 5S77G864UH
  - Network Extension: Tick the checkbox
  - Allowed System Extensions:
- Select Save
Using FileWave
- In FileWave, go to New Desktop Fileset > Profile
- Select Load Profile. Select the Generic Configuration profile and select Open
- Verify the configuration and select Save
Using Microsoft Intune
- In Microsoft Intune, go to Devices > macOS
- Go to Configuration profiles > Create profile, then select Templates on the Create a profile panel.
- Select Custom, and upload the Generic Configuration profile.
- Configure the "Custom" settings of the macOS Profile:
  - Provide the name and description of the macOS Profile
  - Add the Configuration profile name and upload the "SystemExtension.mobileconfig" file
- Set the Included groups or Excluded groups according to your needs.
- Once finished, the Deployment Status will show "Deploy succeeded".
- Check the MacBook, and verify that the profile has been installed.