Our normal method for deployment will be by an MDM solution, for which we have created a profile intended to pre-approve the system extension and content filter.
This works correctly for the system extension but we are unable to get the content filter pre-approval to work. We have scoured this and other forums and docs but there is no clear reason why our web content filter profile doesn't work.
Our payload for the web content filter looks like this:
```xml
<dict>
    <key>FilterDataProviderBundleIdentifier</key>
    <string>com.example.ourapp.net</string>
    <key>FilterDataProviderDesignatedRequirement</key>
    <string>identifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
    <key>FilterPacketProviderBundleIdentifier</key>
    <string>com.example.ourapp.net</string>
    <key>FilterPacketProviderDesignatedRequirement</key>
    <string>identifier "com.example.ourapp.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
    <key>FilterPackets</key>
    <true/>
    <key>FilterSockets</key>
    <true/>
    <key>FilterType</key>
    <string>Plugin</string>
    <key>FilterGrade</key>
    <string>firewall</string>
    <key>PayloadDescription</key>
    <string>Web Content Filter Payload</string>
    <key>PayloadDisplayName</key>
    <string>Web Content Filters</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>com.apple.webcontent-filter.8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
    <key>PayloadType</key>
    <string>com.apple.webcontent-filter</string>
    <key>PayloadUUID</key>
    <string>8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PluginBundleID</key>
    <string>com.example.ourapp</string>
    <key>UserDefinedName</key>
    <string>Example OurApp</string>
</dict>
```
For the Filter[Data|Packet]ProviderBundleIdentifier and the Filter[Data|Packet]ProviderDesignatedRequirement fields, the values are derived using codesign -dr- <path to system extension bundle>.
For the PluginBundleID, the value is the identifier of the enclosing app. This requirement is mentioned in this post.
The rest of the fields are derived from the various examples online.
Beyond this, I can't see any reason this should not work. There are reports from some users saying they have got their profiles to work, but we can't confirm that.
Is there something wrong in the payload above?
Are we missing some fields?
Are there any specific requirements for some of these fields I have missed?
I can't find detailed documentation for this payload for content filters.
We're testing mainly on Catalina. Is pre-approval of the content filter actually working on Catalina? Big Sur?
Any pointers would be appreciated. Thanks.
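A cross-check of the field relationships described in the post above, as an added example that is not part of the original post and not an Apple tool: it parses a payload dict and verifies that each enabled provider has an identifier and a designated requirement that name the same bundle, and that PluginBundleID is not the extension's own identifier. The function name, the constructed sample payload, and the rule that an enabled provider needs both fields are assumptions.

```python
import plistlib
import re

# Constructed payload using the post's placeholder values; the packet provider's
# designated requirement is left out on purpose so the checker reports a finding.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>FilterDataProviderBundleIdentifier</key><string>com.example.ourapp.net</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.example.ourapp.net" and anchor apple generic and certificate leaf[subject.OU] = TEAMIDXXXX</string>
<key>FilterPacketProviderBundleIdentifier</key><string>com.example.ourapp.net</string>
<key>FilterPackets</key><true/>
<key>FilterSockets</key><true/>
<key>PayloadType</key><string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key><string>com.example.ourapp</string>
</dict></plist>"""

# The identifier clause as it appears in the requirement string from codesign.
DR_IDENTIFIER = re.compile(r'identifier\s+"([^"]+)"')

def check_filter_payload(raw: bytes) -> list[str]:
    """Return inconsistencies between the related fields of one payload dict."""
    payload = plistlib.loads(raw)
    problems = []
    if payload.get("PayloadType") != "com.apple.webcontent-filter":
        problems.append("PayloadType is not com.apple.webcontent-filter")
    for flag, kind in (("FilterSockets", "Data"), ("FilterPackets", "Packet")):
        if not payload.get(flag):
            continue  # provider not enabled, nothing to cross-check
        bundle_id = payload.get(f"Filter{kind}ProviderBundleIdentifier")
        requirement = payload.get(f"Filter{kind}ProviderDesignatedRequirement")
        if not bundle_id or not requirement:
            problems.append(f"{flag} is true but the {kind} provider identifier or requirement is missing")
            continue
        match = DR_IDENTIFIER.search(requirement)
        if match is None or match.group(1) != bundle_id:
            problems.append(f"{kind} provider requirement does not name identifier {bundle_id}")
        if payload.get("PluginBundleID") == bundle_id:
            problems.append(f"PluginBundleID equals the {kind} provider identifier, not the enclosing app")
    return problems

if __name__ == "__main__":
    for problem in check_filter_payload(SAMPLE):
        print("FINDING:", problem)
```

A clean result only means the fields agree with each other; it does not compare them against the signed extension on disk.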