Upload the new CA to a new configuration profile in Jamf for deployment.Using the create_deploy script on the SmartAgent 2.0 dmg, generate the deployment files (new CA certificate, ETC files, and deployment plists).This is the most complicated part of the process.Updating the certificate used by Relay for filtering.Ensure that your current Relay certificate, corresponding ETC files, and 2 new configuration profiles are installed on the device before installing 2.0.Fresh install of Smart Agent 2.0 on a device.After successful tests, set 2.0 as default install in Relay portal.Manually install Relay 2.0 on a test device with the profiles to make sure the prompts don't show and that the filtering works as expected.Socket Filter Designated Requirement: anchor apple generic and identifier "-extension" and (certificate leaf /* exists */ or certificate 1 /* exists */ and certificate leaf /* exists */ and certificate leaf = ZAGTUU2342) Socket Filter Bundle Identifier: -extension ![]() When adding, select Socket Filter and use the following values: Use the settings below when setting this up.įilter Name (found at System Preferences > Network): Lightspeed Agent Identifier: -agentįilter Order: Firewall (Give this the highest priority setting available) Jamf will want to configure a content filter payload to pre-approve the security prompts when the Network Extension asks to filter the device.System Extension Bundle IDs: -agentĬom.-extension Use the same information below to also approve these System Extensions with Network as the type. Jamf also has you approve specific System Extension types. Jamf will require that the following Team ID and Bundle IDs are added as approved System Extensions.Before upgrading, create two configuration profiles in Jamf and deploy to your target devices.Automated upgrade to 2.0 using the Relay portal from version 1.7.7.There are 3 main scenarios that need to be planned for: Test, test, test, and test some more to make sure everything works as intended before deploying anything to entire fleet. This will create the support files needed by the new CA, copy them to the ETC folder (overwriting the existing files), then restart the services to use the new files. Once the profile is on the device, have a policy to install the LightSpeed utility agent. Upload the deployment_ist to a configuration profile, deploy to fleet. Upload the new certificate to Jamf and deploy to fleet (this can be in a new profile deployed alongside your existing Relay certificate, the old one will be used until the other files are replaced and the services restarted). Please look at the Generate Certificate section of the documentation you linked for the steps on this.Īgain, basically, you will use the create_deploy to generate the certificate and deployment files needed. This can be done automatically with Lightspeed's new utility agent, also included on the. By doing this, you will also need to re-deploy the necessary ETC files needed by the root CA. You would use the create_deploy utility included on the SmartAgent.dmg that you can download from Relay to generate a new root CA and deploy to your fleet. ![]() The autoupdate will NOT renew the CA certificate used by Relay for filtering, so you will need to renew this certificate manually before the expiration date. There is another consideration, however, that you will need to check on: the certificate utilized by Relay for filtering. That's it for what's needed for the autoupdate to work successfully. Socket Filter Bundle Identifier: -extensionĪnchor apple generic and identifier "-extension" and (certificate leaf /* exists */ or certificate 1 /* exists */ and certificate leaf /* exists */ and certificate leaf = ZAGTUU2342).When adding, select Socket Filter and use the following values:.Filter Order: Firewall (Give this the highest priority setting available).Filter Name (found at System Preferences > Network): Lightspeed Agent.Use the settings below when setting this up. ![]() Jamf will want to configure a content filter payload to pre-approve the security prompts when the Network Extension asks to filter the device. If this is the case, use the same information below to also approve these System Extensions with Network as the type. Jamf will also have you approve specific System Extension types. Jamf requires that the following Team ID and Bundle IDs are added as approved System Extensions. The process is not complicated, but there are a lot of pieces to making it work properly that have to be done in a certain order.īasically, you need to create some new profiles that will pre-approve the network extension and socket filtering to suppress the permission prompts on devices, as outlined in steps 5 & 6 under MDM deployment in the guide that you linked.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |