MFGJ Placeholder Mac OS



This advisory describes the changes and steps administrators can take to deploy Mac Connector 1.14.


Mac Connector version 1.14 introduces a number of changes that require user attention. Most notably, this Connector release includes changes to full disk access approvals and adds support for macOS 11 (Big Sur) System Extensions.
Since the initial 1.14 launch, compatibility issues have been discovered with third-party applications on macOS 10.15 Catalina when system extensions are in use. Apple will be addressing these issues in future releases of macOS 11 but will not be fixing these issues in macOS 10.15. Consequently, starting with version 1.14.1, the Mac Connector will use legacy kernel extensions instead of system extensions on all versions of macOS 10.15.
Mac Connector 1.14 is required to ensure endpoint protection on macOS 11. Older Mac Connectors will not work on this version of macOS.
It is highly recommended to deploy the Mac Connector with an MDM profile that grants the required approvals. MDM profiles must be installed before installing or upgrading the Mac Connector to ensure the needed permissions are recognized. Refer to the Known Issues section later in this document if MDM cannot be used.

Minimum OS Requirements

AMP for Endpoints Mac Connector 1.14.0 supports the following macOS versions:

  • macOS 11, using macOS system extensions.
  • macOS 10.15.5 and later, using macOS system extensions.
  • macOS 10.15.0 through macOS 10.15.4, using macOS kernel extensions.
  • macOS 10.14, using macOS kernel extensions.

AMP for Endpoints Mac Connector 1.14.1 supports the following macOS versions:

  • macOS 11, using macOS system extensions.
  • macOS 10.15, using macOS kernel extensions.
  • macOS 10.14, using macOS kernel extensions.

For deployments that include endpoints running older macOS versions, consult the OS Compatibility Table for compatible Mac Connector versions.

Important Changes

Mac Connector 1.14 introduces important changes in three areas:

  1. Approving AMP macOS Extensions to load
  2. Full Disk Access
  3. New Directory Structure

Approving Mac Connector macOS Extensions

The Mac Connector uses either System Extensions or legacy Kernel Extensions to monitor system activities, depending on the macOS version. On macOS 11, System Extensions replace the legacy Kernel Extensions that are unsupported in macOS 11. User approval is required on all versions of macOS before either type of extension is allowed to run. Without approval, certain Connector functions such as on-access file scan and network access monitoring will be unavailable.

Mac Connector 1.14 introduces two new macOS system extensions:

  1. An Endpoint Security extension, named AMP Security Extension, to monitor system events
  2. A Network Content Filter extension, named AMP Network Extension, to monitor network access

The two legacy Kernel Extensions, ampfileop.kext and ampnetworkflow.kext, are included for backwards compatibility on older macOS versions that don't support the new macOS System Extensions.

The following approvals are required for macOS 11** and later:

  • Approve AMP Security Extension to load
  • Approve AMP Network Extension to load
  • Allow AMP Network Extension to filter network content

** Mac Connector version 1.14.0 also required these approvals on macOS 10.15. These approvals are no longer required on macOS 10.15 when running Mac Connector 1.14.1 or later.

The following approvals are required for macOS 10.14 and macOS 10.15:

  • Approve AMP Kernel Extensions to load

These approvals can be granted using the macOS Security & Privacy Preferences on the endpoint, or by using Mobile Device Management (MDM) profiles.

Approving Mac Connector macOS Extensions at the Endpoint

System and Kernel extensions can be approved manually from the macOS Security & Privacy Preferences pane.

Approving Mac Connector macOS Extensions using MDM

NOTE: macOS Extensions cannot be retroactively approved via MDM. If the MDM profile is not deployed prior to installing the Connector then the approvals will not be granted and additional intervention will be required in one of the following forms:

1. Manual approval of the macOS Extensions on endpoints that had the management profile deployed retroactively.
2. Upgrading the Mac Connector to a newer version than the one currently deployed. Endpoints that had the management profile deployed retroactively will recognize the management profile after upgrade and gain approval once the upgrade completes.

AMP extensions can be approved using a management profile with the following payloads and properties:

| Payload | Property | Value |
|---|---|---|
| SystemExtensions | AllowedSystemExtensions | com.cisco.endpoint.svc.securityextension, com.cisco.endpoint.svc.networkextension |
| | AllowedSystemExtensionTypes | EndpointSecurityExtension, NetworkExtension |
| | AllowedTeamIdentifiers | DE8Y96K9QP |
| SystemPolicyKernelExtensions | AllowedKernelExtensions | com.cisco.amp.fileop, com.cisco.amp.nke |
| | AllowedTeamIdentifiers | TDNYQP7VRK |
| WebContentFilter | AutoFilterEnabled | false |
| | FilterDataProviderBundleIdentifier | com.cisco.endpoint.svc.networkextension |
| | FilterDataProviderDesignatedRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc.networkextension' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) |
| | FilterGrade | firewall |
| | FilterBrowsers | false |
| | FilterPackets | false |
| | FilterSockets | true |
| | PluginBundleID | com.cisco.endpoint.svc |
| | UserDefinedName | AMP Network Extension |

Full Disk Access

macOS 10.14 and later require approval before an application can access parts of the filesystem that contain personal user data (e.g. Contacts, Photos, Calendar, and other applications). Without approval, Connector functions such as on-access file scan cannot scan these files for threats.

Previous Mac Connector versions required the user to grant Full Disk Access to the ampdaemon program. Mac Connector 1.14 requires Full Disk Access for:

  • 'AMP for Endpoints Service' and
  • 'AMP Security Extension'

The ampdaemon program no longer requires Full Disk Access starting with this new Mac Connector version.

Full Disk Access approvals can be granted using the macOS Security & Privacy Preferences on the endpoint, or by using Mobile Device Management (MDM) profiles.

Approving Full Disk Access at the Endpoint

Full Disk Access can be approved manually from the macOS Security & Privacy Preferences pane.

Approving Full Disk Access Using MDM

NOTE: macOS Extensions cannot be retroactively approved via MDM. If the MDM profile is not deployed prior to installing the Connector then the approvals will not be granted and additional intervention will be required in one of the following forms:

1. Manual approval of the macOS Extensions on endpoints that had the management profile deployed retroactively.
2. Upgrading the Mac Connector to a newer version than the one currently deployed. Endpoints that had the management profile deployed retroactively will recognize the management profile after upgrade and gain approval once the upgrade completes.

Full Disk Access can be approved using a management profile's Privacy Preferences Policy Control payload with a SystemPolicyAllFiles property with the following two entries, one for the AMP for Endpoints Service and one for the AMP Security Extension:

| Description | Property | Value |
|---|---|---|
| AMP for Endpoints Service | Allowed | true |
| | CodeRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) |
| | Identifier | com.cisco.endpoint.svc |
| | IdentifierType | bundleID |
| AMP Security Extension | Allowed | true |
| | CodeRequirement | anchor apple generic and identifier 'com.cisco.endpoint.svc.securityextension' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = DE8Y96K9QP) |
| | Identifier | com.cisco.endpoint.svc.securityextension |
| | IdentifierType | bundleID |
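
Because approvals cannot be granted retroactively, it is worth checking a profile against the values above before it is pushed. The following is an added example, not Cisco's code: it assumes Apple's payload type strings and the team-ID-keyed AllowedSystemExtensions dictionary from the configuration profile schema, and the names check_profile and sample_profile, the shortened CodeRequirement and the sample profile are constructed for illustration.

```python
import plistlib

TEAM_ID = "DE8Y96K9QP"  # team identifier from the advisory's tables
SYSEXTS = {"com.cisco.endpoint.svc.securityextension",
           "com.cisco.endpoint.svc.networkextension"}
FDA_IDS = {"com.cisco.endpoint.svc", "com.cisco.endpoint.svc.securityextension"}

def check_profile(data: bytes) -> list:
    """Return findings for a .mobileconfig; an empty list means nothing is missing."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    findings, allowed, fda_ok = [], set(), set()
    for p in payloads:
        ptype = p.get("PayloadType")
        if ptype == "com.apple.system-extension-policy":
            # Assumption: Apple's schema keys this dictionary by team identifier.
            allowed |= set(p.get("AllowedSystemExtensions", {}).get(TEAM_ID, []))
        elif ptype == "com.apple.TCC.configuration-profile-policy":
            for e in p.get("Services", {}).get("SystemPolicyAllFiles", []):
                ident, req = e.get("Identifier", ""), e.get("CodeRequirement", "")
                if ident not in FDA_IDS:
                    continue
                # The requirement must name the same bundle ID and the vendor team.
                if f"identifier '{ident}'" not in req or TEAM_ID not in req:
                    findings.append(f"CodeRequirement does not match {ident}")
                elif e.get("Allowed") is True and e.get("IdentifierType") == "bundleID":
                    fda_ok.add(ident)
    findings += [f"system extension not allowed: {b}" for b in sorted(SYSEXTS - allowed)]
    findings += [f"no Full Disk Access grant: {b}" for b in sorted(FDA_IDS - fda_ok)]
    return findings

def _req(bundle_id):  # shortened stand-in for the advisory's full CodeRequirement
    return (f"anchor apple generic and identifier '{bundle_id}' "
            f"and certificate leaf[subject.OU] = {TEAM_ID}")

def sample_profile(req_id_for_svc="com.cisco.endpoint.svc"):
    """Constructed profile for the example; not an export from a real MDM."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {TEAM_ID: sorted(SYSEXTS)}},
        {"PayloadType": "com.apple.TCC.configuration-profile-policy",
         "Services": {"SystemPolicyAllFiles": [
             {"Identifier": "com.cisco.endpoint.svc", "IdentifierType": "bundleID",
              "Allowed": True, "CodeRequirement": _req(req_id_for_svc)},
             {"Identifier": "com.cisco.endpoint.svc.securityextension",
              "IdentifierType": "bundleID", "Allowed": True,
              "CodeRequirement": _req("com.cisco.endpoint.svc.securityextension")}]}}]})

if __name__ == "__main__":
    print(check_profile(sample_profile("ampdaemon")))  # wrong bundle ID in requirement
```

A CodeRequirement that names a different bundle ID than its Identifier is reported, since such an entry does not grant Full Disk Access to the intended program.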

If your deployment includes computers running AMP Connector version 1.12.7 or older, the following additional entry is still required to grant full disk access to ampdaemon for those computers:

| Description | Property | Value |
|---|---|---|
| ampdaemon | Allowed | true |
| | CodeRequirement | identifier ampdaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TDNYQP7VRK |
| | Identifier | /opt/cisco/amp/ampdaemon |
| | IdentifierType | path |

New Directory Structure

Mac Connector 1.14 introduces two changes to the directory structure:

  1. The Applications directory has been renamed from Cisco AMP to Cisco AMP for Endpoints.
  2. The command-line utility ampcli has been moved from /opt/cisco/amp to /Applications/Cisco AMP for Endpoints/AMP for Endpoints Connector.app/Contents/MacOS. The directory /opt/cisco/amp contains a symlink to the ampcli program at its new location.

The complete directory structure for the new AMP Connector is as follows:

Known Issues with macOS 11.0 and Mac Connector 1.14.1.

  • Guidance for fault 10, 'Reboot required to load kernel module or system extension,' may be incorrect if four or more Network Content Filters are installed on the computer. Refer to the AMP For Endpoints Mac Connector Faults article for more details.

Known Issues with macOS 10.15/11.0 and Mac Connector 1.14.0.

  • Some faults raised by the Mac Connector may be raised unexpectedly. Refer to the AMP For Endpoints Mac Connector Faults article for more details.
    • Fault 13, Too many Network Content Filter system extensions, may be raised after upgrading. Rebooting the computer will resolve the fault in this situation.
    • Fault 15, System Extension requires Full Disk Access, may be raised after reboot due to a bug in macOS 11.0.0. This issue is fixed in macOS 11.0.1. The fault can be resolved by re-granting full disk access in the Security & Privacy pane in macOS System Preferences.
  • During installation, the Security & Privacy pane may display 'Placeholder Developer' as the application name when granting permission for the Mac Connector system extensions to run. This is due to a bug in macOS 10.15. Check the boxes beside 'Placeholder Developer' to allow the Mac Connector to protect the computer.

    • The systemextensionsctl list command can be used to determine which system extensions are awaiting approval. System extensions with the state [activated waiting for user] in this output are displayed as 'Placeholder Developer' in the macOS preferences page shown above. If more than two 'Placeholder Developer' entries are shown in the above preferences page, uninstall all software that uses system extensions (including the Mac Connector) so that no system extensions are awaiting approval, and then reinstall the Mac Connector.
      The Mac Connector system extensions are identified as follows:
      • The Network Extension is shown as com.cisco.endpoint.svc.networkextension.
      • The Endpoint Security extension is shown as com.cisco.endpoint.svc.securityextension.
  • During install, the prompt to allow the Mac Connector's Content Filter to monitor network traffic may display '(null)' as the application name. This is caused by a bug in macOS 10.15. The user needs to select 'Allow' to ensure protection of the computer.
    If the prompt was dismissed by clicking 'Don't Allow' it can be displayed again by clicking the AMP Agent menulet icon in the menu bar and selecting 'Allow Network Filter.'
    Once enabled, the AMP Network Extension filter will be listed in the Network Preferences page.
  • On macOS 11, when upgrading from Mac Connector 1.12 to Mac Connector 1.14, Fault 4, System Extension Failed to Load, may be raised temporarily while the Connector is transitioning from the kernel extensions to the new system extensions.
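
The 'Placeholder Developer' check described above can be scripted. The following is an added example, not part of the advisory: the tab-separated column layout of the systemextensionsctl list output is an assumption, the sample listing (including the com.example entry, its team ID and all version strings) is constructed, and parse_extensions and triage are hypothetical names.

```python
import re

# Bundle identifiers the advisory gives for the Mac Connector system extensions.
AMP_EXTENSIONS = {"com.cisco.endpoint.svc.networkextension",
                  "com.cisco.endpoint.svc.securityextension"}
PENDING = "activated waiting for user"

# Constructed sample output; the column layout is an assumption about the tool.
SAMPLE = (
    "3 extension(s)\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "\t\tDE8Y96K9QP\tcom.cisco.endpoint.svc.networkextension (1.14.0/1)\t"
    "AMP Network Extension\t[activated waiting for user]\n"
    "*\t*\tABCDE12345\tcom.example.vpn.filter (2.0/7)\tExample Filter\t[activated enabled]\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "\t\tDE8Y96K9QP\tcom.cisco.endpoint.svc.securityextension (1.14.0/1)\t"
    "AMP Security Extension\t[activated waiting for user]\n"
)

# Team ID, bundle ID, parenthesised version, then the bracketed state at end of line.
ROW = re.compile(r"\b([A-Z0-9]{10})\s+(\S+)\s+\([^)]*\).*\[([^\]]+)\]\s*$")

def parse_extensions(output):
    """Return (team_id, bundle_id, state) for every extension row in the listing."""
    rows = []
    for line in output.splitlines():
        m = ROW.search(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows

def triage(output):
    """Apply the advisory's rule to the extensions that are awaiting approval."""
    pending = [b for _, b, state in parse_extensions(output) if state == PENDING]
    if not pending:
        return "nothing pending", pending
    if len(pending) > 2:
        # More than two pending entries: the advisory says uninstall and reinstall.
        return "uninstall software using system extensions, then reinstall", pending
    if set(pending) <= AMP_EXTENSIONS:
        return "approve the pending Mac Connector entries", pending
    return "pending entries include non-Connector extensions", pending

if __name__ == "__main__":
    print(triage(SAMPLE))
```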

Revision History

Dec 1, 2020

  • Mac Connector 1.14.1 no longer uses system extensions on macOS 10.15.
  • Additional guidance on using the terminal to check which 'Placeholder Developer' System Extensions are awaiting approval when using Mac Connector 1.14.0.

Nov 9, 2020

  • Corrected bundle ID in full disk access CodeRequirement MDM payload.

Nov 3, 2020

  • Release date for 1.14.0 Mac Connector is November 2020.
  • The 1.14.0 Mac Connector will use System Extensions starting with macOS 10.15.5. Previously this was 10.15.6.
  • Added Known Issues section.
  • Updated directory structure outline.

When the WatchGuard Mobile VPN client starts for the first time after you install it, it prompts you to manually configure a profile. To skip the manual profile configuration step, click No in the Windows client, or Cancel in the Mac OS X client. Then, you must import the mobile VPN configuration .WGX or .INI file to the WatchGuard Mobile VPN client.

Import the End-User Profile in the Windows Client

To import a Mobile VPN configuration .WGX or .INI file to the WatchGuard Mobile VPN Client for Windows:

  1. From your Windows desktop, select Start > All Programs > WatchGuard Mobile VPN > Mobile VPN Monitor.
  2. Select Configuration > Profiles.
  3. Click Add/Import.
    The Profile Import Wizard starts.
  4. On the Select User Profile screen, browse to the location of the .WGX or .INI configuration file.
  5. Click Next.
  6. For a .WGX file, on the Decrypt User Profile screen, type the passphrase. The passphrase is case-sensitive.
  7. Click Next.
  8. On the Overwrite or add Profile screen, you can select to overwrite a profile of the same name. This is useful if your network administrator gives you a new .WGX file to import.
  9. Click Next.
  10. On the Authentication screen, you can select whether to type the user name and password that you use to authenticate the VPN tunnel.
    If you keep these fields empty, you are prompted to enter your user name and password each time you connect.
    If you type your user name and password, the Firebox stores them and you do not have to enter this information each time you connect. However, this is a security risk. You can also type just your user name and keep the Password text box empty.
  11. Click Next.
  12. Click Finish.
    The computer is now ready to use Mobile VPN with IPSec.

Import the End-User Profile in the Mac OS X Client


To import a Mobile VPN configuration .WGX or .INI file to the WatchGuard Mobile VPN Client for Mac OS X:


  1. Start the WatchGuard Mobile VPN Client.
  2. Select WatchGuard Mobile VPN Client > Profiles.
  3. Click Import.
    The Profile Import Wizard starts.
  4. On the Select User Profile screen, browse to the location of the .WGX or .INI configuration file.
  5. Click Next.
  6. For a .WGX file, on the Decrypt User Profile screen, type the passphrase. The passphrase is case-sensitive.
  7. Click Next.
  8. Select the profile within the imported file to import.
    The imported profile automatically overwrites any existing profile that has the same name.
  9. Click Next.
  10. On the Authentication screen, you can select whether to type the user name and password that you use to authenticate the VPN tunnel.
    If you keep these fields empty, you are prompted to enter your user name and password each time you connect.
    If you type your user name and password, the Firebox stores them and you do not have to enter this information each time you connect. However, this is a security risk. You can also type just your user name and keep the Password text box empty.
  11. Click Next.
  12. Click Finish.
    The computer is now ready to use Mobile VPN with IPSec.