Permissions for Endpoint Central macOS agent via MDM

This article describes the steps to configure, through an MDM, the permissions that the Endpoint Central macOS agent requires. At the macOS level, each third-party vendor's system extension must be approved, which in turn requires the vendor's Team ID (also known as the Apple Developer ID) to be allowed.

  • With macOS 10.14, Apple added a new default behavior that prevents applications from accessing the disk, taking remote control, etc. unless the permission is granted
  • With macOS 13, Apple added an option in System Settings that lets users disable an app's background processes (login items)

Table of contents

  1. Granting Permissions
  2. Whitelisting System Extensions
  3. Background Service/Login Item Management

If ManageEngine MDM is used, the permissions listed below are deployed to macOS machines automatically. Follow the steps below if another MDM vendor is used.

Granting Permissions

Permissions can be granted through an MDM Privacy Preferences Policy Control (PPPC) profile. The permissions to be granted are Full Disk Access, Accessibility, and Screen Capture.

The following details are required for the PPPC profile:

1. Protector System Extension - Process that monitors the agent folder and processes, and prevents users from modifying files or interrupting the processes

   Identifier: com.manageengine.protectord
   Code sign requirement: anchor apple generic and identifier "com.manageengine.protectord" and certificate leaf[subject.OU] = TZ824L8Y37
   Static code validation: No
   Allowed permissions: System Policy All Files
   Other permissions: User controlled

2. Agent service - Process that performs all agent tasks

   Identifier: dcagentservice
   Code sign requirement: identifier dcagentservice and anchor apple generic and certificate leaf[subject.OU] = TZ824L8Y37
   Static code validation: No
   Allowed permissions: System Policy All Files
   Other permissions: User controlled

   Apps for Apple Events (receiver identifier and code requirement):

   1. com.apple.systemevents
      Code requirement: identifier "com.apple.systemevents" and anchor apple
   2. com.apple.systemuiserver
      Code requirement: identifier "com.apple.systemuiserver" and anchor apple
   3. com.apple.finder
      Code requirement: identifier "com.apple.finder" and anchor apple
   4. com.apple.installer
      Code requirement: identifier "com.apple.installer" and anchor apple

3. Remote Access - Process responsible for taking remote control

   Identifier: com.zoho.assist.ManageEngineRemoteAccess
   Code sign requirement: identifier "com.zoho.assist.ManageEngineRemoteAccess" and anchor apple generic and certificate leaf[subject.OU] = TZ824L8Y37
   Static code validation: No
   Allowed permissions: Accessibility, Screen Capture
   Other permissions: User controlled

If the above steps do not help, follow the steps in this link to grant permissions for Remote Access.

4. Application Control System Extension - Process that monitors and controls other processes based on the Application Control policy

   Identifier: com.manageengine.protectord
   Code sign requirement: anchor apple generic and identifier "com.manageengine.appctrl.driver" and certificate leaf[subject.OU] = TZ824L8Y37
   Static code validation: No
   Allowed permissions: System Policy All Files
   Other permissions: User controlled

Whitelisting System Extensions

System extensions can be allowed through an MDM System Extension profile.

The following details are required for the System Extension profile:

1. Protector System Extension

   Team Identifier: TZ824L8Y37
   Allowed extension categories: Security extensions
   Extension bundle identifier(s): com.manageengine.protectord

2. Application Control System Extension

   Team Identifier: TZ824L8Y37
   Allowed extension categories: Security extensions
   Extension bundle identifier(s): com.manageengine.appctrl.driver

Background Service/Login Item Management

Admins can prevent users from disabling the app's background items (login items) on the macOS machine by restricting the app's Team Identifier.

   Team Identifier of the app to be restricted from disabling: TZ824L8Y37
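The three sections above (PPPC grants, system extension allow-list, and the managed login-item rule) each map to one payload type in an Apple configuration profile. The script below is an added example, not ManageEngine's tooling or a profile shipped by the product: it assembles all three payloads into a single .mobileconfig with Python's plistlib, using the identifiers, Team ID and code requirements from this article. Assumed values are marked in the code: the profile identifier prefix (com.example.endpointcentral-agent), the IdentifierType of bundleID for every PPPC entry, the agent service (dcagentservice) as the sender of the Apple Events to the four listed receivers, AllowUserOverrides set to false in the system extension payload, and com.manageengine.appctrl.driver as the PPPC Identifier for the Application Control entry (chosen to match that entry's code requirement and its system extension bundle identifier). One caveat the example encodes: macOS does not let an MDM pre-approve Screen Capture, so the strongest setting for the Remote Access entry is AllowStandardUserToSetSystemService, which lets a standard user approve it without admin credentials; Full Disk Access, Accessibility and Apple Events can be set to Allow.

```python
# Added example: build one .mobileconfig with the PPPC, System Extension and
# managed login-item payloads described in the article. Not ManageEngine code.
import plistlib
import uuid

TEAM_ID = "TZ824L8Y37"                                   # from the article
CERT = f"certificate leaf[subject.OU] = {TEAM_ID}"
ID_PREFIX = "com.example.endpointcentral-agent"          # assumed profile identifier
AGENT_REQ = f"identifier dcagentservice and anchor apple generic and {CERT}"
REMOTE_REQ = f'identifier "com.zoho.assist.ManageEngineRemoteAccess" and anchor apple generic and {CERT}'

def payload(payload_type, body):
    """Wrap a payload body with the keys every profile payload must carry.
    uuid5 keeps the UUID stable when the same profile is regenerated."""
    ident = f"{ID_PREFIX}.{payload_type}"
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
            **body}

def tcc_entry(identifier, requirement, authorization, comment):
    """One PPPC service entry (macOS 11+ 'Authorization' form)."""
    return {"Identifier": identifier,
            "IdentifierType": "bundleID",  # assumption: signing identifier, not a path
            "CodeRequirement": requirement,
            "StaticCode": False,           # 'Static code validation: No'
            "Authorization": authorization,
            "Comment": comment}

def pppc_payload():
    """PayloadType com.apple.TCC.configuration-profile-policy (Granting Permissions)."""
    full_disk = [
        tcc_entry("com.manageengine.protectord",
                  f'anchor apple generic and identifier "com.manageengine.protectord" and {CERT}',
                  "Allow", "Protector system extension"),
        tcc_entry("dcagentservice", AGENT_REQ, "Allow", "Agent service"),
        # Identifier assumed to match the entry's own code requirement.
        tcc_entry("com.manageengine.appctrl.driver",
                  f'anchor apple generic and identifier "com.manageengine.appctrl.driver" and {CERT}',
                  "Allow", "Application Control system extension"),
    ]
    access = [tcc_entry("com.zoho.assist.ManageEngineRemoteAccess", REMOTE_REQ,
                        "Allow", "Remote Access")]
    # ScreenCapture cannot be pre-approved by MDM; letting a standard user
    # approve it without admin credentials is the strongest available grant.
    screen = [tcc_entry("com.zoho.assist.ManageEngineRemoteAccess", REMOTE_REQ,
                        "AllowStandardUserToSetSystemService", "Remote Access")]
    # Apple Events: sender assumed to be the agent service, receivers as listed.
    events = []
    for receiver in ("com.apple.systemevents", "com.apple.systemuiserver",
                     "com.apple.finder", "com.apple.installer"):
        entry = tcc_entry("dcagentservice", AGENT_REQ, "Allow", f"Agent -> {receiver}")
        entry.update({"AEReceiverIdentifier": receiver,
                      "AEReceiverIdentifierType": "bundleID",
                      "AEReceiverCodeRequirement": f'identifier "{receiver}" and anchor apple'})
        events.append(entry)
    return payload("com.apple.TCC.configuration-profile-policy",
                   {"Services": {"SystemPolicyAllFiles": full_disk,
                                 "Accessibility": access,
                                 "ScreenCapture": screen,
                                 "AppleEvents": events}})

def system_extension_payload():
    """PayloadType com.apple.system-extension-policy (Whitelisting System Extensions)."""
    extensions = ["com.manageengine.protectord", "com.manageengine.appctrl.driver"]
    return payload("com.apple.system-extension-policy",
                   {"AllowUserOverrides": False,   # assumption: no user-approved extras
                    "AllowedTeamIdentifiers": [TEAM_ID],
                    "AllowedSystemExtensions": {TEAM_ID: extensions},
                    # 'Security extensions' is the Endpoint Security category
                    "AllowedSystemExtensionTypes": {TEAM_ID: ["EndpointSecurityExtension"]}})

def login_items_payload():
    """PayloadType com.apple.servicemanagement (macOS 13+ managed login items)."""
    return payload("com.apple.servicemanagement",
                   {"Rules": [{"RuleType": "TeamIdentifier", "RuleValue": TEAM_ID,
                               "Comment": "Endpoint Central agent background items"}]})

def build_profile():
    """Top-level, device-scoped profile holding all three payloads."""
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadScope": "System", "PayloadIdentifier": ID_PREFIX,
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ID_PREFIX)).upper(),
            "PayloadDisplayName": "Endpoint Central macOS agent permissions",
            "PayloadContent": [pppc_payload(), system_extension_payload(),
                               login_items_payload()]}

def to_mobileconfig(profile):
    """Serialise to the XML plist that MDMs accept as a .mobileconfig."""
    return plistlib.dumps(profile)

if __name__ == "__main__":
    with open("endpoint-central-agent.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(build_profile()))
```

Run it to produce endpoint-central-agent.mobileconfig, then upload that file to the MDM as a custom profile scoped to devices. Keeping the code requirement on every entry is what ties each grant to the vendor's Team ID rather than to a bundle identifier alone, so a differently signed binary that reuses an identifier does not inherit the permission. After deployment, the grants can be confirmed on a managed Mac with the profiles command (profiles show -type configuration) and in System Settings > Privacy & Security.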