Team: Huntress EDR
Product: macOS agent
Environment: Huntress Portal, your macOS MDM system
Summary: The following instructions apply specifically to Addigy, but can hopefully be followed in spirit for other MDMs. Configuring MDM can help expedite the install of the macOS System Extension.
Important! Upload these mobileconfig files to your MDM to skip all of the below steps and automatically create all of the necessary profiles the Huntress macOS agent needs to function!
A Technical Note on Bundle IDs
With the release of agent version 0.13.72+, the bundle IDs for our new agent are changing. You can find them in the following articles and below:
Huntress PPPC Payload for Full Disk Access in Addigy
Generic Deployment and PPPC Payload for Full Disk Access
Creating an MDM Policy in Addigy
Create a new policy or edit an existing policy, and open the “MDM Profiles” section of the policy.
To bypass both the extension installation prompt and the network filter prompt, create a System Extensions profile and a Web Content Filter profile, as described below.
System Extensions profile
To permit the Huntress Agent to automatically install and remove the system extension without prompting the user, enter the following settings:
- Allowed Team Identifiers:
  - 7W6HQ9J9XA [this is Huntress’s Team ID]
- Removable System Extensions:
  - Team Identifier: 7W6HQ9J9XA
  - Bundle Identifier: com.huntress.sysext
Web Content Filter profile
To permit the Huntress Agent to isolate and release this endpoint without prompting the user for approval, enter the following settings:
- Filter Type: Plug-In
- User Defined Name: Huntress
  - This is the value that will be shown to the user when describing the filter (for example, in the Network settings panel)
- Plugin Bundle ID: com.huntress.app
  - This is specifically the bundle ID of the application installing the network extension, not the extension itself.
- Enable Filter Socket Traffic
  - Bundle Identifier: com.huntress.sysext
    - This is the bundle ID of the network extension.
  - Designated Requirement: Copy and paste the following:
    - identifier "com.huntress.sysext" and anchor apple generic and certificate leaf[subject.OU] = "7W6HQ9J9XA" and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13]
    - This is used to verify that the Huntress app is genuine and not an imitation, and should be pasted in as presented above.
- Enable Filter Network Packets
  - Bundle Identifier: com.huntress.sysext
    - This is the bundle ID of the network extension.
  - Designated Requirement: Copy and paste the following:
    - identifier "com.huntress.sysext" and anchor apple generic and certificate leaf[subject.OU] = "7W6HQ9J9XA" and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13]
    - This is used to verify that the Huntress app is genuine and not an imitation, and should be pasted in as presented above.
- Filter Grade: Firewall
After creating these two MDM profiles, add them to your policy of choice and deploy them to one or more devices.
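A pre-deployment check for mistyped values, added here as an example (it is not Huntress's code and not one of the Huntress-supplied mobileconfig files): it parses an unsigned profile exported from the MDM and compares it with the settings listed above. The Apple payload key names are the assumed mapping of the Addigy field labels, and the sample profile is constructed.

```python
import plistlib

TEAM_ID = "7W6HQ9J9XA"
SYSEXT = "com.huntress.sysext"
DR = ('identifier "com.huntress.sysext" and anchor apple generic and '
      'certificate leaf[subject.OU] = "7W6HQ9J9XA" and '
      'certificate 1[field.1.2.840.113635.100.6.2.6] and '
      'certificate leaf[field.1.2.840.113635.100.6.1.13]')

# Values from this page; the Apple payload keys are an assumed mapping of the Addigy fields.
EXPECTED = {
    "com.apple.system-extension-policy": {
        "AllowedTeamIdentifiers": [TEAM_ID],
        "RemovableSystemExtensions": {TEAM_ID: [SYSEXT]},
    },
    "com.apple.webcontent-filter": {
        "FilterType": "Plugin",
        "UserDefinedName": "Huntress",
        "PluginBundleID": "com.huntress.app",
        "FilterSockets": True,
        "FilterDataProviderBundleIdentifier": SYSEXT,
        "FilterDataProviderDesignatedRequirement": DR,
        "FilterPackets": True,
        "FilterPacketProviderBundleIdentifier": SYSEXT,
        "FilterPacketProviderDesignatedRequirement": DR,
        "FilterGrade": "firewall",
    },
}

def audit(profile_bytes):
    """Return a list of mismatches between a .mobileconfig and EXPECTED."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in payloads}
    problems = []
    for ptype, fields in EXPECTED.items():
        payload = by_type.get(ptype)
        if payload is None:
            problems.append(f"{ptype}: payload missing")
            continue
        for key, want in fields.items():
            if payload.get(key) != want:
                problems.append(f"{ptype}: {key} = {payload.get(key)!r}")
    return problems

def sample_profile(**filter_overrides):
    """Constructed sample profile (not an export from a real MDM)."""
    content = [dict(v, PayloadType=k) for k, v in EXPECTED.items()]
    content[1].update(filter_overrides)  # content[1] is the web content filter
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})
```

This catches mistyped values only; whether the prompts are actually suppressed still has to be confirmed on an endpoint, as described under Verifying the Configuration.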
Verifying the Configuration
Due to the nature of MDM policies, there is no surefire way to verify that a policy is correctly configured for the Huntress agent without actually installing the extension; thus, you must simply install it on an endpoint and see whether you are prompted for permissions.
As described here, the extension can be installed either from the endpoint via the command line or from the Huntress portal. Regardless of which method you employ, with a properly configured MDM policy, the extension should install silently, without prompting the user for approval. If you are asked to approve the extension or allow control of network traffic, double-check that you have entered everything correctly for the System Extension and Web Content Filter profiles described above and deployed the MDM policy to the endpoint.
To verify that the extension has been installed properly, you can check its status from the agent details page on the Huntress portal (see other article), or run the following command on the endpoint as an administrator account:
sudo /Applications/Huntress.app/Contents/MacOS/Huntress extensionctl status
If the extension has been properly installed and network filter authorization granted, the first two lines of the output should look like this:
Extension Status: installed
Preauthorization Status: granted