This article discusses how to configure a Mobile Device Management (MDM) to deploy and update macOS Clients for SDP users in your account.
This feature is supported for macOS Client v5.0 and higher.
Starting with macOS Client v5.0, you can configure the Cato Management Application to use an MDM to manage the deployment and updates for macOS Clients in your organization. All Client updates are controlled using the MDM and end users don't receive notifications of new Client versions.
This is an overview of the workflow to implement an MDM solution for macOS Clients in your account.
From the navigation menu, click Access > Client Rollout.
Click the Upgrade Policy tab.
For the macOS Client, choose Managed by Admin.
Import the macOS package.
Configure the MDM to create a policy that allows the DMG extension and VPN profiles for end users.
Otherwise, end users need to manually approve and allow the above items in the macOS.
In the MDM, distribute the new macOS Client version to the end users in your account.
To use the Managed Upgrade for the macOS Client in your account, first you need to import the package to the MDM.
From the navigation menu, select Settings > Computer Management.
Select Packages and click New.
Enter the Display Name.
Click Choose File and select the macOS Client package.
Click Save.
The macOS Client package is imported to JAMF.
Starting with the macOS Client v5.0, the following permissions are required to install the Client on a macOS host:
Allow the Cato Client to create a VPN profile
Allow system extensions for the Cato Client
You can configure the MDM to automatically allow these permissions for end user as part of the installation process for the new Client version. Otherwise, the end user must manually configure the macOS settings as part of the installation process.
In the MDM, create a VPN Payload that contains the settings to automatically set the macOS to allow permissions for the Cato Client VPN profile. When the Client is installed, the VPN Profile permissions are set correctly and the macOS doesn't request the end user to manually configure them.
Setting | Value |
|---|---|
Connection Name | Cato Networks VPN |
Connection Type | Custom SSL (from the drop-down menu) |
Identifier | com.catonetworks.mac.CatoClient |
Server | vpn.catonetworks.net |
Account | CatoClientVPN |
Provider Bundle Identifier | com.catonetworks.mac.CatoClient.CatoClientSysExtension |
User Authentication |
|
Provider Type | Packet Tunnel |
Provider Designated Requirement | anchor apple generic and identifier "com.catonetworks.mac.CatoClient" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CKGSB8CH43) |
Create the new profile and then configure the VPN settings for that profile.
Create the profile for the macOS Client:
From the navigation pane, select Computers > Configuration Profiles.
Click New and create a new profile for the Cato Client.
Edit the VPN settings to allow the VPN permissions for the profile (based on the data in the table above):
In Configuration Profiles, edit the profile you created in the previous step and select VPN.
Enter the settings for the VPN Type, Connection Type, Identifier, Server, Account, and Provider Bundle Identifier.
Configure the settings for the User Authentication, Provider Type, and Provider Designated Requirement.
In the MDM, configure the policy to allow the system extensions that are used by the macOS Client. When the Client is installed, the system extension permissions are set correctly and the macOS doesn't request the end user to manually configure them.
Setting | Value |
|---|---|
Display Name | CatoClient System Extension |
System Extension Types | Allowed System Extensions |
Team Identifier | CKGSB8CH43 |
Allowed System Extensions |
|
Edit the System Extensions settings to allow the system permissions for the profile (based on the data in the table above).
In the MDM, select the users and groups that are receiving the Cato VPN profile. Then create a new policy with the macOS package and push the policy to the users.
Starting with macOS v5.10.6, you can deploy a silent installation that suppresses the EULA screen.
To suppress the EULA screen during deployment:
Open the profile file in a text editor.
In the PayloadContent section of the file, under mcx_preference_settings, include the following:
<dict> <key>suppressEULAScreen</key> <integer>1</integer> </dict>Save the file.
A sample profile for JAMF is attached to this page.
In Computers > Configuration Profiles, select the group or specific users that are receiving the Cato VPN profile.
Create a new policy and add the macOS package to it.
In Computers > Policy, create a new policy.
From the General section, configure these settings:
Enter the Display Name.
Configure the other policy settings based on the requirements for your organization.
In the Packages section, add the macOS Client package.
Click Save. The profile is ready to distribute the Client to the macOS devices.
If you upgrade the Client with an MDM, pop ups are sometimes displayed requesting permission to allow the installation of system extensions and the VPN configuration.
To prevent this issue, you can first distribute the permissions for DMG extension and the VPN payload, then distribute the Clients to the macOS hosts.