Microsoft Intune MDM macOS Deployment

Install Filtering Profile on your macOS using Microsoft Intune

Approach

To deploy Zorus Filtering on macOS devices, we combine several Intune features.

All the necessary configuration files are located in the Zorus Public GitHub Repository, under Configuration Profiles and Shell Scripts.

  1. Assigned Membership Group (Zorus Filtering): This group is created to gather all managed devices under a single category for deploying a standard configuration.
  2. Dynamic Membership Groups (Zorus macOS Filtering - Customer Name): These dynamic groups are set up to categorize all managed macOS devices under specific Zorus Customers. They are essential for deploying customized configurations on a per-customer basis.
  3. Configuration Profiles (6-8): These profiles are employed to deploy standardized settings and configurations to all devices categorized under the Zorus macOS Filtering static group.
  4. Shell Scripts (2): These scripts are used to distribute the deployment token and the installer to each endpoint that belongs to the Zorus macOS Filtering static group.

Zorus Filtering (Assigned Membership) Group

This central filtering group is used to assign Zorus Filtering to every computer that should receive it. It simplifies management by letting us target common scripts and configurations at a single static group instead of adding each customer group individually.

Creating the Zorus Filtering Group
  1. Browse to the Groups Tab on the right-hand side of your Intune Portal.

  2. Click New Group on the top of the grid.

  3. Set the Group Type to Security.

  4. Set the Group Name and optionally the Group Description to something descriptive.

    1. Group name: Zorus Filtering

    2. Group description: Contains all devices that will have Zorus Filtering deployed.

  5. Set the Membership type to Assigned.

  6. Click Create to finish creating the group.

Configuration Profiles

MSP Filtering (System Extensions)

Allowed System Extensions are available on macOS 10.15 (Catalina) and higher, but Removable System Extensions are only available on macOS 12.0 (Monterey) and higher.

Creating the MSP Filtering (System Extensions) Configuration Profile

The MSP Filtering (System Extensions) configuration profile enables us to whitelist the Zorus System/Network Extension, allowing automatic installation and removal without necessitating user authorization or interaction.

  1. Browse to the Devices > By platform > macOS > macOS policies > Configuration profiles section on the right-hand side of your Intune Portal.

  2. Click on the Create profile button on top of the grid.

  3. Select the Settings Catalog Profile type on the right-side pane that will pop up and click Create.

  4. Give the profile a descriptive name and optional description.

    1. Name: MSP Filtering (System Extensions)

    2. Description: Allows all Zorus-Signed system extensions to be added or removed from an endpoint.

  5. Click Next to continue to the configuration settings section.

  6. Click on Add settings.

  7. On the Settings picker pane that opens up, type System Extensions into the Search Bar, then click on the System Configuration > System Extensions category. This will enable the setting picker at the bottom of the pane.

  8. Expand and select the Allowed System Extensions > Allowed System Extensions > Allowed System Extensions and Removable System Extensions > Removable System Extensions > Removable System Extensions settings.

  9. Close the Settings picker pane and click on Edit instance on the Removable System Extensions grid. Fill out the required fields below:

    1. Team Identifier: X2G78PSXBN

    2. Removable System Extensions:

      1. com.ZorusTech.Filtering.Redirectors.macOS.Extension

  10. Click on Save at the bottom of the Edit instance pane.

  11. Repeat steps 9-10 above for Allowed System Extensions.

  12. Click Next to continue to the Scope tags section. Fill it out as needed according to your environmental needs.

  13. Click Next to continue to the Assignments section. Add the Zorus Filtering group as an included group.

  14. Click Next to continue to the Review + Create section. Review the information and click Create to finish the process.

MSP Filtering (Login Items)

Managed Login Items is only available on macOS 13.0 (Ventura) and higher.

Creating the MSP Filtering (Login Items) Configuration Profile

The MSP Filtering (Login Items) configuration profile allows us to whitelist Zorus-signed applications in order to allow automatic launches at the system level without requiring user authorization or interaction.

  1. Browse to the Devices > By platform > macOS > macOS policies > Configuration profiles section on the right-hand side of your Intune Portal.

  2. Click on the Create profile button on top of the grid.

  3. Select the Settings Catalog Profile type on the right-side pane that will pop up and click Create.

  4. Give the profile a descriptive name and optional description.

    1. Name: MSP Filtering (Login Items)

    2. Description: Allows all Zorus-Signed applications to be registered as launch daemons.

  5. Click Next to continue to the configuration settings section.

  6. Click on Add settings.

  7. On the Settings picker pane that opens up, type Login Items into the Search Bar, then click on the Login > Service Management > Managed Login Items category. This will enable the setting picker at the bottom of the pane.

  8. Select the top-level Rules settings.

  9. Close the Settings picker pane and click on Edit instance on the Rules grid. Fill out the required fields below:

    1. Rule Type: Team Identifier

    2. Rule Value: X2G78PSXBN

    3. Comment (feel free to customize): Allows Zorus Team Identifier Managed Login Items.

  10. Click on the remove icon next to the Team Identifier text entry. This is redundant with the Rule Type and Value and is thus not needed.

  11. Click on Save at the bottom of the Edit instance pane.

  12. Click Next to continue to the Scope tags section. Fill it out as needed according to your environmental needs.

  13. Click Next to continue to the Assignments section. Add the Zorus Filtering group as an included group.

  14. Click Next to continue to the Review + Create section. Review the information and click Create to finish the process.

MSP Filtering (TP)

Transparent Proxy management is only available on macOS 14.0 (Sonoma) and higher.

Creating the MSP Filtering (TP) Configuration Profile

The MSP Filtering (Transparent Proxy) configuration profile allows us to whitelist the Transparent Proxy / Network Filter created by the Zorus System / Network Extension and pre-create it via MDM in order to avoid authorization prompts.

  1. Browse to the Devices > By platform > macOS > macOS policies > Configuration profiles section on the right-hand side of your Intune Portal.

  2. Click on the Create profile button on top of the grid.

  3. Select the Templates Profile type on the right-side pane that will pop up and select the Custom template name. Click Create to continue.

  4. Give the profile a descriptive name and optional description.

    1. Name: MSP Filtering (Transparent Proxy)

    2. Description: Authorizes and pre-installs a Transparent Proxy used by Zorus to inspect, filter and redirect network traffic on non-DNS ports.

  5. Click Next to continue to the configuration settings section.

  6. Set the following fields to their required values:

    1. Custom configuration profile name (feel free to customize): MSP Filtering (TP)

    2. Deployment channel: Device channel

  7. Add the MSP FIltering (TP).mobileconfig file as the Configuration profile file.

  8. Click Next to continue to the Assignments section. Add the Zorus Filtering group as an included group.

  9. Click Next to continue to the Review + Create section. Review the information and click Create to finish the process.

MSP Filtering (Chrome Settings)

Chrome Settings are intended to disable DoH/DoT on Chromium-based browsers. Note that DoH/DoT support on the Zorus Filtering agent is being evaluated and this configuration policy may not be required in the future.

Creating the MSP Filtering (Chrome Settings) Configuration Profile

The MSP Filtering (Chrome Settings) configuration profile allows us to disable DoH/DoT on Chromium-based browsers. This is required while DoH/DoT support is still being evaluated for the Zorus Filtering agent.

  1. Browse to the Devices > By platform > macOS > macOS policies > Configuration profiles section on the right-hand side of your Intune Portal.

  2. Click on the Create profile button on top of the grid.

  3. Select the Templates Profile type on the right-side pane that will pop up and select the Custom template name. Click Create to continue.

  4. Give the profile a descriptive name and optional description.

    1. Name: MSP Filtering (Chrome Settings)

    2. Description: Disables DNS-over-HTTPS and DNS-over-TLS on Chrome browsers.

  5. Click Next to continue to the configuration settings section.

  6. Set the following fields to their required values:

    1. Custom configuration profile name (feel free to customize): MSP Filtering (Chrome Settings)

    2. Deployment channel: Device channel

  7. Add the MSP FIltering (Chrome Settings).mobileconfig file as the Configuration profile file.

  8. Click Next to continue to the Assignments section. Add the Zorus Filtering group as an included group.

  9. Click Next to continue to the Review + Create section. Review the information and click Create to finish the process.

MSP Filtering (Firefox Settings)

Firefox Settings are intended to disable DoH/DoT and enable the use of enterprise roots on the Firefox browser. Note that DoH/DoT support on the Zorus Filtering agent is being evaluated and disabling DoH/DoT may not always be a requirement. However, enterprise roots are required to avoid certificate errors when serving the block page, so this profile may always be required.

Creating the MSP Filtering (Firefox Settings) Configuration Profile

The MSP Filtering (Firefox Settings) configuration profile allows us to disable DoH/DoT on the Firefox browser and additionally enables the use of enterprise roots (aka Local Computer Trusted Certificate Authorities). This is required while DoH/DoT support is still being evaluated for the Zorus Filtering agent.

  1. Browse to the Devices > By platform > macOS > macOS policies > Configuration profiles section on the right-hand side of your Intune Portal.

  2. Click on the Create profile button on top of the grid.

  3. Select the Templates Profile type on the right-side pane that will pop up and select the Custom template name. Click Create to continue.

  4. Give the profile a descriptive name and optional description.

    1. Name: MSP Filtering (Firefox Settings)

    2. Description: Disables DNS-over-HTTPS and DNS-over-TLS and enables the use of enterprise roots on Firefox browsers.

  5. Click Next to continue to the configuration settings section.

  6. Set the following fields to their required values:

    1. Custom configuration profile name (feel free to customize): MSP Filtering (Firefox Settings)

    2. Deployment channel: Device channel

  7. Add the MSP Filtering (Firefox Settings).mobileconfig file as the Configuration profile file.

  8. Click Next to continue to the Assignments section. Add the Zorus Filtering group as an included group.

  9. Click Next to continue to the Review + Create section. Review the information and click Create to finish the process.

Installer Shell Script

In order to download a Zorus Filtering installer, a Deployment Token from the Partner Portal is required. You can either hardcode a Deployment Token in an installer script, or you can read the Deployment Token from the User Defaults system, assuming another mechanism (such as the per-customer Deployment Token shell script described below) writes the token there. We strongly recommend using the Customer Groups section below to deploy unique Deployment Tokens per Customer, but this script can be customized to avoid Customer-level groups.

This script waits until a deployment token is available before actually installing. This is deliberate: it prevents Intune from installing the application while Configuration Profiles may still be missing. The Configuration Profiles specified above are what stop the end-user from receiving prompts that would require administrator oversight. It’s recommended that you leave this protection in.
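The gating logic described above, as an added example that is not the repository's GenericMacOSScriptedInstall_NSUserDefaults.zsh script; it goes one step beyond the page by also checking that the System Extensions profile has actually landed before installing. The preference file path, key name, installer URL and the header used to pass the token are assumptions, not Zorus values.

```shell
#!/bin/bash
# Added example of the install gate described above; not the Zorus repository script.
# Assumed (not from the page): the per-customer script wrote the token with
# `defaults write /Library/Preferences/com.example.mspfiltering DeploymentToken -string ...`
# and the installer is fetched from INSTALLER_URL with the token in a request header.
set -u
PREF_PATH="/Library/Preferences/com.example.mspfiltering"  # assumed preference file (no .plist)
PREF_KEY="DeploymentToken"                                 # assumed key name
INSTALLER_URL="https://example.invalid/msp-filtering.pkg"  # placeholder, not a Zorus URL

# A usable token is non-empty and contains no whitespace; anything else is treated as absent.
validate_token() {
  case "$1" in
    '' | *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Turn the observed state into an action. Intune re-runs a script that exits non-zero
# (per "Script frequency" and "Max number of times to retry"), so "wait" is the idle loop.
#   $1 = token value (may be empty)   $2 = 1 if the System Extensions profile is installed
decide() {
  if ! validate_token "$1"; then echo wait      # token not delivered yet
  elif [ "$2" != 1 ]; then echo wait            # profile missing: the user would see prompts
  else echo install; fi
}

# Read the token as root from the system preference file; empty if not set yet.
read_token() {
  defaults read "$PREF_PATH" "$PREF_KEY" 2>/dev/null || true
}

# 1 if an installed configuration profile carries a system-extension policy payload,
# which is what the MSP Filtering (System Extensions) profile delivers.
sysext_profile_installed() {
  if profiles -C -o stdout-xml 2>/dev/null | grep -q 'com.apple.system-extension-policy'; then echo 1; else echo 0; fi
}

install_agent() {
  pkg="$(mktemp -d)/installer.pkg"
  # Token goes in a header rather than the URL so it stays out of proxy and URL logs.
  curl -fsSL -H "X-Deployment-Token: $1" -o "$pkg" "$INSTALLER_URL" || return 1
  installer -pkg "$pkg" -target / || return 1
  rm -rf "$(dirname "$pkg")"
}

main() {
  token="$(read_token)"
  case "$(decide "$token" "$(sysext_profile_installed)")" in
    install) install_agent "$token" ;;
    *) echo "Token or profile not present yet; exiting 1 so Intune retries." >&2; return 1 ;;
  esac
}

# Run only on macOS, where defaults/installer exist; elsewhere only the functions are defined.
if command -v installer >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
  main; exit $?
fi
```

With the script frequency and retry count from the steps below, a non-zero exit simply means Intune tries again on the next cycle once the token and profile are present.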

Creating the MSP Filtering Installer Shell Script

The MSP Filtering Installer Shell Script allows Intune to deploy both the MSP Filtering and MSP Maintenance applications to a remote managed endpoint.

  1. Browse to the Devices > By platform > macOS > macOS policies > Shell scripts section on the right-hand side of your Intune Portal.

  2. Click on the Add button on top of the grid.

  3. Give the script a descriptive name and optional description.

    1. Name: MSP Filtering Installer

    2. Description: Deploys the Zorus MSP Filtering application and updater on a macOS endpoint.

  4. Click Next to continue to the Script settings section.

  5. Add the GenericMacOSScriptedInstall_NSUserDefaults.zsh file under the Upload script field.

  6. Set the following fields to their required values:

    1. Run script as signed-in user: No

    2. Hide script notifications on devices: Yes

    3. Script frequency: 15 minutes

    4. Max number of times to retry if script fails: 3

  7. Click Next to continue to the Assignments section. Add the Zorus Filtering group as an included group.

  8. Click Next to continue to the Review + add section. Review the information and click Add to finish the process.

Per-Customer Deployment Tokens

This is an approach that Zorus tested and found to work for deploying a unique deployment token per customer from the Zorus portal. Note that this is only one approach, and it may not work for your specific use cases or environments. Zorus is also not an Intune-using organization, so there may be approaches that work better. We gladly welcome recommendations and suggestions for the benefit of all of our partners.

Customer Enrollment Profile

We used manual enrollment profiles, but feel free to customize this with Apple Configurator or Automated Enrollment as needed. As this is just one example, your environment may require a different implementation of this section. Our example simply uses a manual profile so that a dynamic group can be tied to the enrollment profile name. Feel free to use manual assignments or other dynamic approaches as desired.

Creating the K. O. Kangaroo Factory Enrollment Profile

We use a per-customer Enrollment Profile so that all devices belonging to a specific Customer can be associated with one another.

  1. Browse to the Devices > By platform > macOS > macOS enrollment section on the right-hand side of your Intune Portal.

  2. Click on the Apple Configurator button.

  3. Click on Manage > Profiles.

  4. Click on Create on top of the profiles grid.

  5. Give the profile a descriptive name and optional description.

    1. Name (customize as desired): <<Customer Name>>

    2. Description (customize as desired): Enrollment Profile for all <<Customer Name>> devices.

  6. Click Next to continue to the Settings section.

  7. Select Enroll without user affinity under the User affinity field and click Next to continue to the Review + create section.

  8. Review the information for the profile and click Create to complete the process.

Customer Group

Creating the Zorus Filtering - K. O. Kangaroo Factory Group

We use a per-customer Dynamic Group so that devices associated with the Enrollment Profile created above are added to the group automatically. This group is also a member of the common Zorus Filtering group, which means it receives all of the common configuration while still allowing per-customer settings.

  1. Browse to the Groups Tab on the right-hand side of your Intune Portal.

  2. Click New Group on the top of the grid.

  3. Set the Group Type to Security.

  4. Set the Group Name and optionally the Group Description to something descriptive.

    1. Group name: Zorus Filtering - <<Customer Name>>

    2. Group description: Contains all <<Customer Name>> devices that will have Zorus Filtering deployed.

  5. Set the Membership type to Dynamic Device.

  6. Click the Add dynamic query button.

  7. Under the first row, set the following fields:

    1. Property: enrollmentProfileName

    2. Operator: Equals

    3. Value: <<Customer Name Enrollment Profile>>

  8. Click Save to save the dynamic query changes to the group.

  9. Click Create to finish creating the group.

  10. Wait a few moments for the group to be created and available.

  11. Click on the Zorus Filtering - <<Customer Name>> group in order to open it.

  12. Click on the Manage > Group memberships tab.

  13. Click on Add membership at the top of the Group membership grid.

  14. Select the Zorus Filtering group to associate the Zorus Filtering - <<Customer Name>> group as a sub-group of Zorus Filtering.

  15. Click the Select button to add the membership and complete the process.

Customer Deployment Token Shell Script

Creating the MSP Filtering - K. O. Kangaroo Factory Deployment Token Shell Script
  1. Write a description of what this does

  2. Write the instructions

  3. Write any extra information or warnings as an info panel