Using MDM Profiles for your Agent
If you utilize an MDM solution, you can create configuration profiles to make management of the agent silent on macOS deployments. We recommend deploying the relevant SYSEX or KEXT profiles prior to the agent deployment.
It is recommended to use the System Extension version, as Apple has deprecated the use of Kernel Extensions. Refer to Software Downloads
Best practice is to have one payload per configuration profile.
System Extension (SYSEX)
System Extension Allow Payload
Inside your MDM, create a System Extension Allow profile based on the below information:
- Team Identifier: UJDHBB2D6Q
- Allowed System Extensions: com.thycotic.acsd
SYSEX Privacy Preferences Policy Control (PPPC) Full Disk Access Payload
Inside your MDM, create a PPPC profile based on below:
- Identifier: com.thycotic.acsd
- Identifier Type: Bundle ID
- Code Requirement:
anchor apple generic and identifier "com.thycotic.acsd" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UJDHBB2D6Q)
- Service and Key Value: SystemPolicyAllFiles: Allow
(PPPC) Allow Notifications Payload
Refer to: Manage Verify Privilege Manager Notifications on macOS
(PPPC) Allow AppleEvents and Accessibility Payload
Refer to the bottom of the page: macOS Approval Process.
Kernel Extension (KEXT)
Apple has deprecated the use of Kernel Extensions. The KEXT version is still available but macOS version dependent. Refer to Software Downloads: macOS Endpoints
Kernel Extension Allow Payload
Inside your MDM, create a Kernel Extension Allow profile based on the below information:
- Team ID: UJDHBB2D6Q
- Kernel Extension Bundle ID: com.thycotic.ThycoticACS
KEXT Privacy Preferences Policy Control (PPPC) Full Disk Access Payload
Inside your MDM, create a PPPC profile based on below:
- Identifier: com.thycotic.ThycoticACS
- Identifier Type: Bundle ID
- Code Requirement:
anchor apple generic and identifier "com.thycotic.ThycoticACS" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UJDHBB2D6Q)
- Service and Key Value: SystemPolicyAllFiles: Allow