Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

Capture Client PPPC, System Extensions, & Content Filter via MDM

russell_feagleyrussell_feagley Newbie ✭
in Capture Security Center

Hey All,

I know as part of the Capture Client install the end user is prompted to approve PPPC permissions, System Extensions, and the Web Content Filter. I'm really hoping to pre-approve these via MDM, however I cannot find any documentation on the system extension that needs approval, or the app for the web content filter. Once I can deploy these via MDM, then I can silently deploy Capture Client without the end user having to approve any prompts. Our environment is full of Mac standard users.

Thank you,

Russell

Category: Capture Security Center
Reply
Tagged:

Answers

  • SuroopMCSuroopMC SonicWall Employee

    @russell_feagley - have you seen this KB article? Please let us know if you see any missing info:

    https://www.sonicwall.com/support/knowledge-base/cc-3-6-mac-installation-s1-not-enforcing-security/210406061503130/


  • SyzygySyzygy Newbie ✭
    https://community.sonicwall.com/technology-and-support/discussion/comment/9955#Comment_9955

    Suroop:

    There is (still) missing/incorrect information. Going back to a separate thread "Capture Client 3.6 - Release Status and Availability"

    https://community.sonicwall.com/technology-and-support/discussion/comment/9088#Comment_9088

    you said back on May 25 that the KB article that you cited above would be fixed, but it does not seem to be fixed.

    Is there a corrected KB article?

  • SuroopMCSuroopMC SonicWall Employee

    @Syzygy - sorry about that. Not sure why that KB hasnt been updated yet. We'll get that fixed that.

    But while we do that - what info are you looking for? We'll try to grab that as well from Engg to add to this KB.

  • russell_feagleyrussell_feagley Newbie ✭

    @SuroopMC When capture client is installed it prompts you to approve system extensions and a web content filter.

    System Extension Information Needed:

    1. Team Identifier
    2. Bundle Identifier

    Web Content Filter Requirements:

    1. Bundle Identifier
    2. Bundle Requirement

    Pre-deploying these along with the Sentinel PPPC prompts will stop the need of the user having to manually approve the PPPC, System Extension, and Web Content Filter settings.

    Russell

  • russell_feagleyrussell_feagley Newbie ✭

    @Syzygy

    So I think I've come a little closer to completely getting this working. Here are some of the things you will need to do for your MDM configs:

    1. PPPC Permissions
      1. SentinelOne Extension
        1. Bundle ID: com.sentinelone.extensions-wrapper
        2. Signature: anchor apple generic and identifier "com.sentinelone.extensions-wrapper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      2. SentinelOne Shell
        1. Bundle ID: com.sentinelone.sentinel-shell
        2. Signature: anchor apple generic and identifier "com.sentinelone.sentinel-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      3. SentinelD
        1. Bundle ID: com.sentinelone.sentineld
        2. Signature: anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      4. SentinelD Helper
        1. Bundle ID: com.sentinelone.sentineld-helper
        2. Signature: anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
    2. System Extension
      1. Team ID: 3KRRBEHHYE
      2. Bundle ID: com.sonicwall.SonicWall-Capture-Client.ext
    3. Content Filter
      1. Filter Name: Sonicwall Capture Client
      2. Identifier: com.sonicwall.SonicWall-Capture-Client
      3. Filter Socket Traffic
      4. Bundle Identifier: com.sonicwall.SonicWall-Capture-Client.ext
      5. Designated Requirement: anchor apple generic and identifier "com.sonicwall.SonicWall-Capture-Client.ext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3KRRBEHHYE")


    Hopefully this helps you. I'm still getting one prompt, I'm testing out Kernel extensions right now to see if I can get this completely silent

  • russell_feagleyrussell_feagley Newbie ✭

    Well I found out that the last prompt that I'm still getting is due to a legacy system extension that Capture Client still uses, and the last prompt is inevitable currently, until Sonicwall updates their software. I haven't pinpoint what kernel extension it is, but I'm assuming it's the CFDriver.kext file that I found. Sending a kext config doesn't fix this. If you're working with non-admin users, you can enforce the legacy system extension to install by:

    1. Pushing a restart of the device from your MDM provider
    2. Allow User Overrides, which allows a non-admin user to approve the legacy system extension
Sign In or Register to comment.