Category filter
How to deploy Bitdefender to your Macs using Hexnode UEM?
Bitdefender is a cybersecurity solution that protects devices from risks such as viruses, malicious software, ransomware, and phishing attacks. The device management capabilities provided by the Bitdefender GravityZone enable IT administrators to efficiently manage security policies and monitor threats across the organization’s devices. Hexnode UEM allows you to remotely install and deploy the Bitdefender app to provide threat protection to your Macs. The following sections give a detailed explanation of how to deploy Bitdefender to your Macs using Hexnode UEM.
Steps to deploy Bitdefender
Custom script for app installation
- Create an installation package on your Bitdefender GravityZone portal. Navigate to Network > Installation Packages > Create, where you can create your package according to your requirements and click Save.
- Now select the package you have created and click on the option Send Download Links.
- Copy the macOS downloader link provided in the subsequent window. Paste this link into the designated Download URL section within the following Bitdefender installation script:
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374# Get the download URL for the Mac installer from your GravityZone server and put it hereDownloadUrl="Download URL"# Locate DMG Download Link From URLregex='^https.*.dmg$'if [[ $DownloadUrl =~ $regex ]]; thenecho "URL points to direct DMG download"validLink="True"elseecho "Searching headers for download links"urlHead=$(curl -s --head $DownloadUrl)locationSearch=$(echo "$urlHead" | grep https:)if [ -n "$locationSearch" ]; thenlocationRaw=$(echo "$locationSearch" | cut -d' ' -f2)locationFormatted="$(echo "${locationRaw}" | tr -d '[:space:]')"regex='^https.*'if [[ $locationFormatted =~ $regex ]]; thenecho "Download link found"DownloadUrl=$(echo "$locationFormatted")elseecho "No https location download link found in headers"exit 1fielseecho "No location download link found in headers"exit 1fifi# Create Temp FolderDATE=$(date '+%Y-%m-%d-%H-%M-%S')TempFolder="Download-$DATE"mkdir /tmp/$TempFolder# Navigate to Temp Foldercd /tmp/$TempFolder# Download File into Temp Foldercurl -s -O "$DownloadUrl"# Capture name of Download FileDownloadFile="$(ls)"echo "Downloaded $DownloadFile to /tmp/$TempFolder"# Verifies DMG Fileregex='\.dmg$'if [[ $DownloadFile =~ $regex ]]; thenDMGFile="$(echo "$DownloadFile")"echo "DMG File Found: $DMGFile"elseecho "File: $DownloadFile is not a DMG"rm -r /tmp/$TempFolderecho "Deleted /tmp/$TempFolder"exit 1fihdiutilAttach=$(hdiutil attach /tmp/$TempFolder/$DMGFile -nobrowse)echo "Used hdiutil to mount $DMGFile "err=$?if [ ${err} -ne 0 ]; thenecho "Could not mount $DMGFile Error: ${err}"rm -r /tmp/$TempFolderecho "Deleted /tmp/$TempFolder"exit 1firegex='\/Volumes\/.*'if [[ $hdiutilAttach =~ $regex ]]; thenDMGVolume="${BASH_REMATCH[@]}"echo "Located DMG Volume: $DMGVolume"elseecho "DMG Volume not found"rm -r /tmp/$TempFolderecho "Deleted /tmp/$TempFolder"exit 1fi# Identify the mount point for the DMG fileDMGMountPoint="$(hdiutil info | grep "$DMGVolume" | awk '{ print $1 }')"echo "Located DMG Mount Point: $DMGMountPoint"# Capture name of App filecd "$DMGVolume/SetupDownloader.app/Contents/MacOS/"./SetupDownloader
- After installing Bitdefender Endpoint Security on a Mac, an SSL certificate is required for its proper functionality. The Bitdefender agent will prompt the local user to install the certificate to enable SSL protection. You can include the SSL certificate in this configuration profile to simplify this process.
- To create an SSL Certificate,
- In the GravityZone portal, set an uninstall password for the endpoints to which you wish to deploy the certificate.
- In Terminal, create a PEM certificate with the associated private key. Example of command line to create the PEM certificate:
1/usr/bin/openssl req -new -days 1825 -nodes -x509 -subj '/C=RO/ST=Bucharest/L=Bucharest/O=Endpoint/CN=YourCertName CA SSL' -keyout rootCA.key -out rootCA.pem
- In Terminal, create the PFX certificate named certificate.pfx using the PEM and KEY files from the previous step.
Example of command line to create the certificate.pfx file:1openssl pkcs12 -inkey rootCA.key -in rootCA.pem -export -out certificate.pfx - Now you will be prompted in Terminal for a password. Make sure you enter the MD5 hash of the uninstall password set in the Bitdefender GravityZone portal.
- Navigate to the directory where the generated certificate is located. You can use the “cd” command to do this. For instance, if the certificate is on the Desktop, you would enter the following command in the terminal:
1cd \Users\YourUserName\Desktop
- Now execute the following command to encode your .pfx certificate.
1openssl base64 -in CertificateName.pfx -out CertificateName_base64.txt
- A .txt file containing the encoded certificate will now be saved in the same location as the .pfx file. Open this file, copy the 64-bit code, and paste it into the EncodedCertificateValue field in the configuration profile provided below:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>PayloadContent</key><array><dict><key>NotificationSettings</key><array><dict><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.bitdefender.networkinstaller</string><key>CriticalAlertEnabled</key><true/><key>NotificationsEnabled</key><true/><key>ShowInCarPlay</key><false/><key>ShowInLockScreen</key><true/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict><dict><key>BadgesEnabled</key><false/><key>BundleIdentifier</key><string>com.bitdefender.epsecurity.BDLDaemonApp</string><key>CriticalAlertEnabled</key><true/><key>NotificationsEnabled</key><true/><key>ShowInCarPlay</key><false/><key>ShowInLockScreen</key><true/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict><dict><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.bitdefender.EndpointSecurityforMac</string><key>CriticalAlertEnabled</key><true/><key>NotificationsEnabled</key><true/><key>ShowInCarPlay</key><false/><key>ShowInLockScreen</key><true/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict></array><key>PayloadDescription</key><string>Configures Notification settings for macOS apps</string><key>PayloadDisplayName</key><string>Notifications</string><key>PayloadIdentifier</key><string>BECF8B62-FD02-4910-87B5-2693621515EC</string><key>PayloadOrganization</key><string></string><key>PayloadType</key><string>com.apple.notificationsettings</string><key>PayloadUUID</key><string>DAF3AE76-A56B-4B5C-8694-28D2FA954BC3</string><key>PayloadVersion</key><integer>1</integer></dict><dict><key>AllowUserOverrides</key><true/><key>AllowedTeamIdentifiers</key><array><string>GUNFMW623Y</string></array><key>PayloadDescription</key><string></string><key>PayloadDisplayName</key><string>System Extensions</string><key>PayloadIdentifier</key><string>8B5B11F3-A0D9-4622-8831-AC32814651CD</string><key>PayloadOrganization</key><string>Bitdefender </string><key>PayloadType</key><string>com.apple.system-extension-policy</string><key>PayloadUUID</key><string>F0CC9D5B-6997-4A22-95E7-54E6415C30A2</string><key>PayloadVersion</key><integer>1</integer></dict><dict><key>PayloadDescription</key><string></string><key>PayloadDisplayName</key><string>Privacy Preferences Policy Control</string><key>PayloadIdentifier</key><string>DBD2AA99-C3DF-420F-98A8-3332651328AE</string><key>PayloadOrganization</key><string>Bitdefender</string><key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string><key>PayloadUUID</key><string>DBD2AA99-C3DF-420F-98A8-3332651328AE</string><key>PayloadVersion</key><integer>1</integer><key>Services</key><dict><key>SystemPolicyAllFiles</key><array><dict><key>Allowed</key><integer>1</integer><key>CodeRequirement</key><string>anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)</string><key>Identifier</key><string>com.bitdefender.epsecurity.BDLDaemonApp</string><key>IdentifierType</key><string>bundleID</string><key>StaticCode</key><integer>0</integer></dict><dict><key>Allowed</key><integer>1</integer><key>CodeRequirement</key><string>identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y</string><key>Identifier</key><string>com.bitdefender.EndpointSecurityforMac</string><key>IdentifierType</key><string>bundleID</string><key>StaticCode</key><integer>0</integer></dict><dict><key>Allowed</key><integer>1</integer><key>CodeRequirement</key><string>identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y</string><key>Identifier</key><string>/Library/Bitdefender/AVP/BDLDaemon</string><key>IdentifierType</key><string>path</string><key>StaticCode</key><integer>0</integer></dict></array></dict></dict><dict><key>PayloadCertificateFileName</key><string>CertificateName</string><key>PayloadContent</key><data>EncodedCertificateValue</data><key>PayloadDescription</key><string></string><key>PayloadDisplayName</key><string>Bitdefender CA SSL</string><key>PayloadIdentifier</key><string>89BA401A-8EFD-40F2-BAD1-45B8A87B3708</string><key>PayloadOrganization</key><string>Bitdefender</string><key>PayloadType</key><string>com.apple.security.root</string><key>PayloadUUID</key><string>89BA401A-8EFD-40F2-BAD1-45B8A87B3708</string><key>PayloadVersion</key><integer>1</integer></dict><dict><key>FilterPacketProviderBundleIdentifier</key><string>com.bitdefender.cst.net.dci.dci-network-extension</string><key>FilterPacketProviderDesignatedRequirement</key><string>anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)</string><key>FilterPackets</key><true/><key>FilterSockets</key><false/><key>FilterType</key><string>Plugin</string><key>PayloadDisplayName</key><string>Web Content Filter Payload</string><key>PayloadIdentifier</key><string>76F7300E-896D-4403-B073-4AC31E2A1E61</string><key>PayloadOrganization</key><string>Bitdefender</string><key>PayloadType</key><string>com.apple.webcontent-filter</string><key>PayloadUUID</key><string>171C736A-CA59-4EBB-B411-3035422499BF</string><key>PayloadVersion</key><integer>1</integer><key>PluginBundleID</key><string>com.bitdefender.epsecurity.BDLDaemonApp</string><key>UserDefinedName</key><string>Bitdefender</string></dict></array><key>PayloadDescription</key><string>Bitdefender System Extensions, PPPC, Certificate, Notifications, and Network content filter</string><key>PayloadDisplayName</key><string>Bitdefender Settings</string><key>PayloadIdentifier</key><string></string><key>PayloadOrganization</key><string>Bitdefender</string><key>PayloadRemovalDisallowed</key><true/><key>PayloadScope</key><string>System</string><key>PayloadType</key><string>Configuration</string><key>PayloadUUID</key><string>9110F93F-5C45-43A7-B9C9-426A624D7B92</string><key>PayloadVersion</key><integer>1</integer></dict></plist>
- In the Hexnode portal, navigate to Policies > New Policy > macOS.
- Under the macOS tab, navigate to Configurations > Deploy Custom Configuration.
- Click Configure.
- Click on Choose File and upload the configuration file.
- First deploy the app installation script through Hexnode’s Execute Custom Script remote action.
- Once the installation script has been successfully executed, proceed to the Associate Policies tab within the device management section. From there, locate and select the policy that includes the configuration profile you set up earlier.
- Click on Associate.
- The Bitdefender PKG gets installed on the device, consisting of two apps: the Bitdefender installer app and the Bitdefender Endpoint Security for Mac app.
- The System Extensions, Privacy Preferences Policy Control (PPPC), Notification Permissions, and SSL certificates allocate the necessary permissions to applications accordingly.
Required configurations
To ensure seamless operation of the Bitdefender app on your devices, it is essential to configure System Extensions, Privacy Preferences Policy Control (PPPC), Notification Permissions, and an SSL certificate. Use the following configuration profile that contains all these settings configured together.
Associate target devices
What happens at the device end?
After applying the installation script and configurations to the device, the following processes are initiated.