Capture Client PPPC, System Extensions, & Content Filter via MDM

Hey All,

I know as part of the Capture Client install the end user is prompted to approve PPPC permissions, System Extensions, and the Web Content Filter. I'm really hoping to pre-approve these via MDM, however I cannot find any documentation on the system extension that needs approval, or the app for the web content filter. Once I can deploy these via MDM, then I can silently deploy Capture Client without the end user having to approve any prompts. Our environment is full of Mac standard users.

Thank you,

Russell


Answers

  • SuroopMC SonicWall Employee
  • Syzygy Newbie ✭

    Suroop:

    There is (still) missing/incorrect information. Going back to a separate thread, "Capture Client 3.6 - Release Status and Availability", you said back on May 25 that the KB article that you cited above would be fixed, but it does not seem to be fixed.

    Is there a corrected KB article?

  • SuroopMCSuroopMC SonicWall Employee

    @Syzygy - sorry about that. Not sure why that KB hasn't been updated yet. We'll get that fixed.

    But while we do that - what info are you looking for? We'll try to grab that as well from Engg to add to this KB.

  • @SuroopMC When Capture Client is installed, it prompts you to approve system extensions and a web content filter.

    System Extension Information Needed:

    1. Team Identifier
    2. Bundle Identifier

    Web Content Filter Requirements:

    1. Bundle Identifier
    2. Bundle Requirement

    Pre-deploying these along with the Sentinel PPPC prompts will stop the need of the user having to manually approve the PPPC, System Extension, and Web Content Filter settings.

    Russell

  • @Syzygy

    So I think I've come a little closer to completely getting this working. Here are some of the things you will need to do for your MDM configs:

    1. PPPC Permissions
      1. SentinelOne Extension
        1. Bundle ID: com.sentinelone.extensions-wrapper
        2. Signature: anchor apple generic and identifier "com.sentinelone.extensions-wrapper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      2. SentinelOne Shell
        1. Bundle ID: com.sentinelone.sentinel-shell
        2. Signature: anchor apple generic and identifier "com.sentinelone.sentinel-shell" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      3. SentinelD
        1. Bundle ID: com.sentinelone.sentineld
        2. Signature: anchor apple generic and identifier "com.sentinelone.sentineld" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
      4. SentinelD Helper
        1. Bundle ID: com.sentinelone.sentineld-helper
        2. Signature: anchor apple generic and identifier "com.sentinelone.sentineld-helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4AYE5J54KN")
    2. System Extension
      1. Team ID: 3KRRBEHHYE
      2. Bundle ID: com.sonicwall.SonicWall-Capture-Client.ext
    3. Content Filter
      1. Filter Name: Sonicwall Capture Client
      2. Identifier: com.sonicwall.SonicWall-Capture-Client
      3. Filter Socket Traffic
      4. Bundle Identifier: com.sonicwall.SonicWall-Capture-Client.ext
      5. Designated Requirement: anchor apple generic and identifier "com.sonicwall.SonicWall-Capture-Client.ext" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3KRRBEHHYE")


    Hopefully this helps you. I'm still getting one prompt. I'm testing out kernel extensions right now to see if I can get this completely silent.
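
The System Extension and Content Filter values from the reply above, assembled into a configuration profile. This is an added example, not part of the thread and not SonicWall's own profile. The mapping of the reply's field labels to Apple's payload keys and the `example.captureclient` identifier prefix are assumptions; the script refuses to build the profile if the designated requirement does not pin the same bundle ID and Team ID that the system extension payload allows.

```python
import plistlib
import re
import uuid

# Values quoted from the reply above.
TEAM_ID = "3KRRBEHHYE"
APP_ID = "com.sonicwall.SonicWall-Capture-Client"
EXT_ID = "com.sonicwall.SonicWall-Capture-Client.ext"
EXT_REQ = ('anchor apple generic and identifier "com.sonicwall.SonicWall-Capture-Client.ext" '
           'and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
           'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
           'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
           'certificate leaf[subject.OU] = "3KRRBEHHYE")')

def requirement_matches(req, bundle_id, team_id):
    """True only if the requirement pins this bundle ID and this team (subject.OU)."""
    ident = re.search(r'identifier "([^"]+)"', req)
    ou = re.search(r'certificate leaf\[subject\.OU\] = "([^"]+)"', req)
    return bool(ident and ou) and ident.group(1) == bundle_id and ou.group(1) == team_id

def payload(ptype, name, **keys):
    """Common payload keys; the identifier prefix is a hypothetical placeholder."""
    ident = "example.captureclient." + name
    return dict(PayloadType=ptype, PayloadVersion=1, PayloadIdentifier=ident,
                PayloadUUID=str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
                PayloadDisplayName=name, **keys)

def build_profile():
    # Catch a copy-paste mix-up between the SentinelOne and SonicWall team IDs.
    if not requirement_matches(EXT_REQ, EXT_ID, TEAM_ID):
        raise ValueError("designated requirement does not pin the expected bundle/team")
    sysext = payload("com.apple.system-extension-policy", "sysext",
                     AllowedSystemExtensions={TEAM_ID: [EXT_ID]})
    # Assumed mapping: Filter Name -> UserDefinedName, Identifier -> PluginBundleID,
    # Filter Socket Traffic -> FilterSockets, Bundle Identifier / Designated
    # Requirement -> the FilterDataProvider* keys.
    cfilter = payload("com.apple.webcontent-filter", "filter",
                      FilterType="Plugin", UserDefinedName="Sonicwall Capture Client",
                      PluginBundleID=APP_ID, FilterSockets=True,
                      FilterDataProviderBundleIdentifier=EXT_ID,
                      FilterDataProviderDesignatedRequirement=EXT_REQ)
    profile = payload("Configuration", "profile", PayloadScope="System",
                      PayloadContent=[sysext, cfilter])
    return plistlib.dumps(profile)

if __name__ == "__main__":
    with open("captureclient-sysext-filter.mobileconfig", "wb") as fh:
        fh.write(build_profile())
```

The PPPC entries are left out because the reply does not say which privacy services each binary needs.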

  • Well, I found out that the last prompt that I'm still getting is due to a legacy system extension that Capture Client still uses, and the last prompt is inevitable currently, until Sonicwall updates their software. I haven't pinpointed what kernel extension it is, but I'm assuming it's the CFDriver.kext file that I found. Sending a kext config doesn't fix this. If you're working with non-admin users, you can enforce the legacy system extension to install by:

    1. Pushing a restart of the device from your MDM provider
    2. Allow User Overrides, which allows a non-admin user to approve the legacy system extension