With Mobile Device Management (MDM), administrators can configure the permissions that
macOS agents require so that the agents work without further action from the end user.
In addition to setting up permissions, the following sections explain how to deploy
MDM profiles correctly so that Zero Trust Secure Access for macOS agents works without
pop-ups (for example, permission requests) being shown to the end user.
Note
This documentation provides detailed configuration instructions for Microsoft Intune.
For other MDM platforms such as Jamf, AirWatch (Workspace ONE), or other solutions,
see Creating and Configuring MDM Profiles for Trend Micro Security Agent for Mac.
Deploying Mobile Device Management Profiles with Microsoft Intune
To deploy a Mobile Device Management profile with Microsoft Intune:
- Sign in to Microsoft Intune.
- Click Devices > macOS to open the settings page for macOS devices.
- Go to Configuration profiles > Create profile and select Templates.
- Select Custom. (With this method you can upload .mobileconfig files that you created yourself
to deploy all types of profiles, including System Extension, Web Content Filter,
Full Disk Access, and Service Management profiles.)
- In the Basics section, specify the Name and Description of the macOS profile.
- In the Configuration settings section, add the Configuration profile name and upload your .mobileconfig Configuration profile file (for example, SystemExtension.mobileconfig).
- In the Assignments section, set Included groups or Excluded groups according to your requirements to control which devices receive the profile.
- In the Review + create section, review your configuration and then create the profile.
- If the deployment is not updated for an extended period, click
Assignments to run it again.

Tip
You can monitor the progress of the deployment on the profile overview page. Once it is complete, the distribution status shows "Successful".
- On the managed Mac computer, verify that the profile is installed by checking System Settings > Privacy & Security > Profiles.
- Repeat steps 3-6 for each required .mobileconfig profile (System Extension,
Web Content Filter, Full Disk Access, and Service Management - Managed Login Items).

Note
For alternative deployment methods or other MDM platforms, see Installing the Endpoint and Workload Security Agent for Mac using AirWatch (Workspace
ONE) and Microsoft Intune.
Configuring System Extensions
To comply with changes in Apple's guidelines for software developers, kernel extensions
are no longer loaded by the system starting with macOS Big Sur 11.0. The Zero Trust
Secure Access for macOS agent uses system extensions with the Network Extension framework
to provide secure access functions.
The Network Extension framework lets you customize and extend the core networking
features. For more information, see: https://developer.apple.com/documentation/networkextension.
The following system extension fields are required:
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>com.trendmicro.ztnasase.tunnel</string>
</array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>
The following is an example of an MDM configuration profile that allows
system extensions:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>E8P47U2H32</key>
<array>
<string>com.trendmicro.ztnasase.tunnel</string>
</array>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.yourorg.systemextension</string>
<key>PayloadOrganization</key>
<string>Your Org.</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadUUID</key>
<string>170970B2-F040-49C1-9325-05E27BB63C6A</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>System Extension</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.system-extension-policy.EB63187C-EDAB-4CEE-9311-4DDB40587CED</string>
<key>PayloadOrganization</key>
<string>Your Org.</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>com.apple.system-extension-policy.EB63187C-EDAB-4CEE-9311-4DDB40587CED</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Configuring the Web Content Filter
An on-device content filter examines the user's network content as it passes through
the network stack and decides whether that content should be blocked or allowed to
pass on to its final destination. For more information, see
Content Filter Providers.
When creating an MDM profile, the following content filter fields are required:
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.ztnasase.tunnel</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<true/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.ztnasase</string>
The following is an example configuration of a Web Content Filter profile
to facilitate the internal VPN setup:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.ztnasase.tunnel</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<true/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadDescription</key>
<string>Adds a Web Content Filter</string>
<key>PayloadDisplayName</key>
<string>ZTSA Web Content Filter</string>
<key>PayloadIdentifier</key>
<string>D738AB74-9848-4097-9429-137DB1C9ZTSA</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>D738AB74-9848-4097-9429-137DB1C9ZTSA</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PluginBundleID</key>
<string>com.trendmicro.ztnasase</string>
<key>UserDefinedName</key>
<string>Trend Micro - ZTSA</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>YourOrg</string>
<key>PayloadDisplayName</key>
<string>YourOrg</string>
<key>PayloadIdentifier</key>
<string>66CE283B-CA7E-49E3-BA51-A396ACE2ZTSA</string>
<key>PayloadOrganization</key>
<string>YourOrg</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A19134F2-F9C3-4F35-B10B-1E75613BZTSA</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
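The System Extension profile and the Web Content Filter profile above name the same team ID (E8P47U2H32) and the same extension bundle ID (com.trendmicro.ztnasase.tunnel). The following check is an added example, not Trend Micro's code: it parses both .mobileconfig files before upload and reports a filter provider that is missing from the system extension allowlist. The sample profiles are constructed and trimmed to the keys the check reads, and the function names are hypothetical.

```python
import plistlib
import re

# Extracts the team ID that a designated requirement pins via subject.OU.
OU_RE = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?(\w+)"?')


def inner_payloads(profile_bytes, payload_type):
    """Return the payload dicts of one PayloadType from a .mobileconfig file."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def allowlist(sysext_bytes):
    """Map each team ID to the set of system extension bundle IDs it approves."""
    allowed = {}
    for p in inner_payloads(sysext_bytes, "com.apple.system-extension-policy"):
        for team, bundles in p.get("AllowedSystemExtensions", {}).items():
            allowed.setdefault(team, set()).update(bundles)
    return allowed


def cross_check(sysext_bytes, filter_bytes):
    """Return findings where the filter profile disagrees with the allowlist."""
    allowed = allowlist(sysext_bytes)
    filters = inner_payloads(filter_bytes, "com.apple.webcontent-filter")
    findings = [] if filters else ["no com.apple.webcontent-filter payload found"]
    for p in filters:
        provider = p.get("FilterDataProviderBundleIdentifier")
        match = OU_RE.search(p.get("FilterDataProviderDesignatedRequirement", ""))
        if not provider:
            findings.append("FilterDataProviderBundleIdentifier is missing")
        elif not match:
            findings.append("designated requirement does not pin a team ID")
        elif provider not in allowed.get(match.group(1), set()):
            findings.append(f"{provider} is not in AllowedSystemExtensions "
                            f"for team {match.group(1)}")
    return findings


def filter_profile(provider):
    """Constructed sample: trimmed Web Content Filter profile from this page."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.webcontent-filter",
            "FilterType": "Plugin",
            "PluginBundleID": "com.trendmicro.ztnasase",
            "FilterDataProviderBundleIdentifier": provider,
            "FilterDataProviderDesignatedRequirement": (
                'identifier "com.trendmicro.ztnasase" and anchor apple generic and '
                'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
                'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
                'certificate leaf[subject.OU] = E8P47U2H32'),
        }],
    })


# Constructed sample: trimmed System Extension profile from this page.
SYSEXT = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.system-extension-policy",
        "AllowUserOverrides": True,
        "AllowedSystemExtensions": {"E8P47U2H32": ["com.trendmicro.ztnasase.tunnel"]},
    }],
})
FILTER_OK = filter_profile("com.trendmicro.ztnasase.tunnel")
FILTER_TYPO = filter_profile("com.trendmicro.ztnasase.tunel")  # constructed typo

if __name__ == "__main__":
    print("page values:", cross_check(SYSEXT, FILTER_OK) or "consistent")
    print("typo variant:", cross_check(SYSEXT, FILTER_TYPO))
```

To check real files, read them with `open(path, "rb").read()` and pass the bytes to `cross_check`.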
Configuring Full Disk Access
Note
For specific configuration instructions, see https://success.trendmicro.com/dcx/s/solution/000277823?language=en_US.
The Full Disk Access permission is a privacy feature introduced in macOS Mojave (10.14).
It prevents some applications from accessing your important data in your Mail,
Messages, Time Machine, and Safari files. You must grant the permission manually so that
certain applications can access these protected areas of your macOS endpoint.
Note
In earlier versions of macOS (10.13 and lower), this permission is granted automatically
during the installation of your product.
Warning
If Full Disk Access is not enabled, Zero Trust Secure Access might not work properly
for certain network access scenarios and configuration management tasks.
When creating the Mobile Device Management profile for Full Disk Access, using the
Privacy Preferences Policy Control (PPPC) Utility is recommended.
The required paths and permissions are listed below:
- Installation paths:
  - /Applications/Zero Trust Secure Access.app
  - /Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp
  - /Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access
- Required access rights:
  - Properties: Accessibility → Allow
  - Properties: All Files → Allow
  - Apple Events: System Events → Allow
The following is an example of a PPPC configuration profile that suppresses user
prompts while the application is running:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string> Your Org.- ZTSA PPPC</string>
<key>PayloadDisplayName</key>
<string> Your Org.- ZTSA PPPC</string>
<key>PayloadIdentifier</key>
<string>0AC7C2F2-B3E7-4B5F-8B92-A1F905501BAF</string>
<key>PayloadOrganization</key>
<string> Your Org.- ZTSA PPPC</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>C47E2D8A-3A91-4E35-8027-1EABFEB50D9A</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>Accessibility</key>
<array>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase.openvpn</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
<key>AppleEvents</key>
<array>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>AEReceiverIdentifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>AEReceiverIdentifierType</key>
<string>path</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>AEReceiverIdentifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>AEReceiverIdentifierType</key>
<string>path</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>AEReceiverIdentifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>AEReceiverIdentifierType</key>
<string>path</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>AEReceiverIdentifier</key>
<string>com.trendmicro.ztnasase</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>AEReceiverIdentifier</key>
<string>com.trendmicro.ztnasase</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>AEReceiverIdentifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>AEReceiverIdentifierType</key>
<string>path</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>AEReceiverIdentifier</key>
<string>com.trendmicro.ztnasase</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase.openvpn</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase.openvpn</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase.openvpn</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
<key>SystemPolicyDesktopFolder</key>
<array>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase.openvpn</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
<key>SystemPolicyDocumentsFolder</key>
<array>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase.openvpn</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
<key>SystemPolicyDownloadsFolder</key>
<array>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Authorization</key>
<string>Allow</string>
<key>CodeRequirement</key>
<string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.trendmicro.ztnasase.openvpn</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Your Org</string>
<key>PayloadDisplayName</key>
<string>Your Org</string>
<key>PayloadIdentifier</key>
<string>0AC7C2F2-B3E7-4B5F-8B92-A1F905501BAF</string>
<key>PayloadOrganization</key>
<string>Your Org</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>FEE78DB2-FAAC-4A56-9503-9ECFB7A0E419</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
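Every grant in the PPPC profile above is tied to a code requirement that ends in `certificate leaf[subject.OU] = E8P47U2H32`, so a review of the file before upload comes down to listing what each service grants and confirming that each requirement still pins that team ID. The following audit is an added example, not Trend Micro's code; the function names are hypothetical and the sample profiles are constructed, trimmed versions of the profile on this page.

```python
import plistlib
import re

TEAM_ID = "E8P47U2H32"  # team identifier used throughout this page
ZTNP = "/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp"
OU_RE = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?(\w+)"?')
ID_RE = re.compile(r'^\s*identifier\s+"?([^"\s]+)"?')
APPLE_ONLY_RE = re.compile(r'\banchor apple(?! generic)')  # Apple's own code


def page_requirement(identifier, team=TEAM_ID):
    """Code requirement in the form this page uses for the agent's binaries."""
    return (f'identifier "{identifier}" and anchor apple generic and '
            'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
            'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
            f'certificate leaf[subject.OU] = {team}')


def team_pinned(requirement, team):
    match = OU_RE.search(requirement or "")
    return bool(match) and match.group(1) == team


def tcc_entries(profile_bytes):
    """Yield (service, entry) for every PPPC grant in a .mobileconfig file."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.TCC.configuration-profile-policy":
            for service, entries in payload.get("Services", {}).items():
                for entry in entries:
                    yield service, entry


def grants(profile_bytes):
    """Service -> sorted client identifiers with Authorization = Allow."""
    out = {}
    for service, e in tcc_entries(profile_bytes):
        if e.get("Authorization") == "Allow":
            out.setdefault(service, set()).add(e.get("Identifier"))
    return {service: sorted(clients) for service, clients in out.items()}


def audit(profile_bytes, team=TEAM_ID):
    """Return findings for grants whose code requirements are not pinned."""
    findings = []
    for service, e in tcc_entries(profile_bytes):
        client, req = e.get("Identifier"), e.get("CodeRequirement", "")
        where = f"{service}/{client}"
        if not team_pinned(req, team):
            findings.append(f"{where}: CodeRequirement not pinned to team {team}")
        if e.get("IdentifierType") == "bundleID":
            match = ID_RE.match(req)
            if not match or match.group(1) != client:
                findings.append(f"{where}: requirement identifier differs from Identifier")
        if service == "AppleEvents":
            rreq = e.get("AEReceiverCodeRequirement", "")
            if not (team_pinned(rreq, team) or APPLE_ONLY_RE.search(rreq)):
                findings.append(f"{where}: receiver requirement is neither "
                                "team-pinned nor Apple-anchored")
    return findings


def entry(identifier, id_type, requirement, **extra):
    return {"Identifier": identifier, "IdentifierType": id_type,
            "Authorization": "Allow", "CodeRequirement": requirement, **extra}


def sample_profile(all_files_requirement):
    """Constructed sample: one grant per service named as required on this page."""
    app = "com.trendmicro.ztnasase"
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.TCC.configuration-profile-policy",
            "Services": {
                "Accessibility": [entry(app, "bundleID", page_requirement(app))],
                "SystemPolicyAllFiles": [entry(ZTNP, "path", all_files_requirement)],
                "AppleEvents": [entry(
                    app, "bundleID", page_requirement(app),
                    AEReceiverIdentifier="com.apple.systemevents",
                    AEReceiverIdentifierType="bundleID",
                    AEReceiverCodeRequirement=(
                        'identifier "com.apple.systemevents" and anchor apple'))],
            },
        }],
    })


GOOD = sample_profile(page_requirement("ztnp"))
# Constructed weak variant: the team ID clause has been dropped from one grant.
WEAK = sample_profile("identifier ztnp and anchor apple generic")

if __name__ == "__main__":
    print(grants(GOOD))
    print(audit(GOOD) or "all grants pinned")
    print(audit(WEAK))
```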
Configuring Service Management - Managed Login Items (macOS 13.0 Ventura and later)
Starting with macOS 13.0 Ventura, LaunchAgents and LaunchDaemons (in both /Library and
~/Library) are managed through the System Settings > General > Login Items pane. They are the items listed under "Allow in the Background".
The following configuration is required:
<key>Rules</key>
<array>
<dict>
<key>Comment</key>
<string>Trend Micro</string>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>E8P47U2H32</string>
</dict>
<dict>
<key>RuleType</key>
<string>LabelPrefix</string>
<key>RuleValue</key>
<string>com.trendmicro.ztnasase</string>
</dict>
</array>
The following is an example of a Service Management configuration profile
that manages login items and background processes:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Service Management - Managed Login Items</string>
<key>PayloadIdentifier</key>
<string>com.apple.servicemanagement.EE60CA62-F2C3-4E0D-A5EE-0B48CAADF5DB</string>
<key>PayloadType</key>
<string>com.apple.servicemanagement</string>
<key>PayloadUUID</key>
<string>EE60CA62-F2C3-4E0D-A5EE-0B48CAADF5DB</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Rules</key>
<array>
<dict>
<key>Comment</key>
<string>Trend Micro</string>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>E8P47U2H32</string>
</dict>
<dict>
<key>RuleType</key>
<string>LabelPrefix</string>
<key>RuleValue</key>
<string>com.trendmicro</string>
</dict>
<dict>
<key>RuleType</key>
<string>LabelPrefix</string>
<key>RuleValue</key>
<string>com.trendmicro.ztnasase</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Trend Micro - Login Items</string>
<key>PayloadIdentifier</key>
<string>B631E20B-CC84-4E45-991D-11258DA55B39</string>
<key>PayloadOrganization</key>
<string>Trend Micro, Inc.</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>B631E20B-CC84-4E45-991D-11258DA55B39</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
