Deploying MacOS App with Web Content Filter via MDM without requiring user authorising the Content Filter

We have a MacOS app that includes a system extension with a content filter using both socket and packet providers.

Our normal method for deployment will be by an MDM solution, for which we have created a profile intended to pre-approve the system extension and content filter.

This works correctly for the system extension but we are unable to get the content filter pre-approval to work. We have scoured this and other forums and docs but there is no clear reason why our web content filter profile doesn't work.

Our payload for the web content filter looks like this:

<dict>
    <key>FilterDataProviderBundleIdentifier</key>
    <string>com.example.ourapp.net</string>
    <key>FilterDataProviderDesignatedRequirement</key>
    <string>identifier &quot;com.example.ourapp.net&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
    <key>FilterPacketProviderBundleIdentifier</key>
    <string>com.example.ourapp.net</string>
    <key>FilterPacketProviderDesignatedRequirement</key>
    <string>identifier &quot;com.example.ourapp.net&quot; and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TEAMIDXXXX</string>
    <key>FilterPackets</key>
    <true/>
    <key>FilterSockets</key>
    <true/>
    <key>FilterType</key>
    <string>Plugin</string>
    <key>FilterGrade</key>
    <string>firewall</string>
    <key>PayloadDescription</key>
    <string>Web Content Filter Payload</string>
    <key>PayloadDisplayName</key>
    <string>Web Content Filters</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>com.apple.webcontent-filter.8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
    <key>PayloadType</key>
    <string>com.apple.webcontent-filter</string>
    <key>PayloadUUID</key>
    <string>8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PluginBundleID</key>
    <string>com.example.ourapp</string>
    <key>UserDefinedName</key>
    <string>Example OurApp</string>
</dict>


For the Filter[Data|Packet]ProviderBundleIdentifier and Filter[Data|Packet]ProviderDesignatedRequirement fields, the values are derived from the output of codesign -dr - <path to system extension bundle>.

For the PluginBundleID the value is the identifier of the enclosing app. This requirement is mentioned in this post.

The rest of the fields are derived from the various examples online.

Beyond this, I can't see any reason this should not work. There are reports from some users saying they have got their profiles to work but can't confirm that.

Is there something wrong in the payload above?
Are we missing some fields?
Are there any specific requirements for some of these fields I have missed?
I can't find detailed documentation for this payload for content filters.
We're testing mainly on Catalina. Is pre-approval of the content filter actually working for Catalina? Big Sur?

Any pointers would be appreciated. Thanks.


This works correctly for the system extension but we are unable to get the content filter pre-approval to work
is pre-approval of content filter actually working for Catalina? Big Sur?

Last I knew, a Network System Extension could be pre-approved but the actual Network Configuration to start the Content Filter still had to be allowed by the user and this is an Enhancement Request.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I want to follow up on my previous post regarding:

but the actual Network Configuration to start the Content Filter still had to be allowed by the user and this is an Enhancement Request.

Using the com.apple.webcontent-filter payload, this should be possible by setting the FilterType to "Plugin" and setting PluginBundleID to the bundle identifier of the app. Both of which it looks like you have done, so you may want to double check your profile again or contact Apple Support as they specialize in helping with configuration profile deployments. If you contact Apple Support and everything is confirmed there to be setup correctly you may want to get a bug report down for this and in that case please follow up with a Feedback ID.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Thanks for the feedback, Matt. I'll get in touch with support and update this thread when I know more.


Having exactly the same issue - cannot install com.apple.webcontent-filter from a .mobileconfig file (the system throws an error "Profile installation failed." "The ‘VPN Service’ payload could not be installed. The VPN service could not be created."). The config is essentially identical to the OP's. In the console I get this:

CPProfileManager.installProfile returning error -319 (The ‘VPN Service’ payload could not be installed. The VPN service could not be created.)
CPProfileManager.installProfile for user 'zandrey' returning = -319 (INSTALL FAILED)

I'll answer my own question. The profile needs the system scope defined like this. It's at the same level as the PayloadContent key.

        <key>PayloadScope</key>
        <string>System</string>
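To tie the OP's payload and the PayloadScope fix together, here is an added example (not code from the thread, Apple, or any MDM vendor) that generates a complete .mobileconfig with the top-level PayloadScope set to System and runs a few consistency checks an admin would want before pushing it: the filter type is Plugin, PluginBundleID is set, and each enabled provider's designated requirement actually names the same bundle identifier as its Filter*ProviderBundleIdentifier. The bundle IDs, Team ID, names and UUIDs are constructed placeholders; the designated_requirement helper only reproduces the shape of the string in the thread, and in practice the requirement must be pasted from codesign -dr - on the real extension bundle.

```python
"""Build and sanity-check a .mobileconfig that pre-approves a Network
Extension content filter via MDM.

Added example, not code from the thread. Bundle IDs, Team ID, names and UUIDs
are constructed placeholders; the designated requirement must come from
`codesign -dr - <path to the .systemextension bundle>` on the real extension.
"""
import plistlib
import re
import uuid

FILTER_PAYLOAD_TYPE = "com.apple.webcontent-filter"


def designated_requirement(ext_bundle_id: str, team_id: str) -> str:
    """Requirement string in the same shape as the one in the thread.
    Assumption: a Developer ID-signed extension (OID ...6.2.6 marks the
    Developer ID intermediate, ...6.1.13 the Developer ID Application leaf).
    Paste the real `codesign -dr -` output instead of relying on this."""
    return (
        f'identifier "{ext_bundle_id}" and anchor apple generic '
        "and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ "
        "and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ "
        f"and certificate leaf[subject.OU] = {team_id}"
    )


def webcontent_filter_payload(app_bundle_id, ext_bundle_id, team_id, user_name):
    """One com.apple.webcontent-filter payload, mirroring the OP's keys."""
    requirement = designated_requirement(ext_bundle_id, team_id)
    payload_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": FILTER_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{FILTER_PAYLOAD_TYPE}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        "PayloadDisplayName": "Web Content Filters",
        "PayloadDescription": "Web Content Filter Payload",
        "UserDefinedName": user_name,
        # FilterType "Plugin" plus PluginBundleID = the enclosing app's bundle ID
        "FilterType": "Plugin",
        "FilterGrade": "firewall",
        "PluginBundleID": app_bundle_id,
        # Provider IDs and requirements both refer to the system extension
        "FilterDataProviderBundleIdentifier": ext_bundle_id,
        "FilterDataProviderDesignatedRequirement": requirement,
        "FilterPacketProviderBundleIdentifier": ext_bundle_id,
        "FilterPacketProviderDesignatedRequirement": requirement,
        "FilterSockets": True,
        "FilterPackets": True,
    }


def build_profile(app_bundle_id, ext_bundle_id, team_id, user_name):
    """Top-level profile dict. PayloadScope must be System (the fix from the
    thread); without it installation fails with error -319."""
    profile_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": f"{app_bundle_id}.contentfilter.{profile_uuid}",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": f"{user_name} Content Filter",
        "PayloadContent": [
            webcontent_filter_payload(app_bundle_id, ext_bundle_id, team_id, user_name)
        ],
    }


_IDENT_RE = re.compile(r'identifier\s+"([^"]+)"')


def check_profile(profile: dict) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("top-level PayloadScope must be 'System'")
    filters = [p for p in profile.get("PayloadContent", [])
               if p.get("PayloadType") == FILTER_PAYLOAD_TYPE]
    if not filters:
        problems.append("no com.apple.webcontent-filter payload found")
    for p in filters:
        if p.get("FilterType") != "Plugin":
            problems.append("FilterType must be 'Plugin' for a NetworkExtension filter")
        if not p.get("PluginBundleID"):
            problems.append("PluginBundleID (the app's bundle ID) is missing")
        for kind in ("Data", "Packet"):
            if not p.get("FilterSockets" if kind == "Data" else "FilterPackets"):
                continue  # provider not enabled, nothing to check
            ext_id = p.get(f"Filter{kind}ProviderBundleIdentifier")
            req = p.get(f"Filter{kind}ProviderDesignatedRequirement", "")
            if not ext_id:
                problems.append(f"Filter{kind}ProviderBundleIdentifier is missing")
                continue
            m = _IDENT_RE.search(req)
            if m is None or m.group(1) != ext_id:
                problems.append(
                    f"Filter{kind}ProviderDesignatedRequirement does not name "
                    f'identifier "{ext_id}"; paste the codesign -dr - output')
    return problems


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as an XML plist, the format MDMs and `profiles` accept."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_profile("com.example.ourapp", "com.example.ourapp.net",
                         "TEAMIDXXXX", "Example OurApp")
    print(check_profile(prof) or "profile checks passed")
    print(to_mobileconfig(prof).decode())
```

Run it as-is to print the generated profile; the checks are deliberately separate from generation so they can also be run over a profile exported from an MDM console (load it with plistlib.load and pass the dict to check_profile). Signing the profile and the MDM-side delivery are outside what the thread covers and are not handled here.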
