Using Mobile Device Management (MDM), administrators can configure the necessary permissions for macOS agents to work without additional operations required from the end-user. In addition to setting permissions, the sections below provide instructions to properly deploy MDM so that Server & Workload Protection for macOS agents operates for the end-user without pop-ups (asking for permission, for example).

Configure required permissions

Before creating MDM profiles for Server & Workload Protection for macOS agents, the following items must be configured to ensure no pop-ups will show on the macOS endpoint after the initial installation of Server & Workload Protection for macOS agents.

Configure kernel extensions

macOS 10.15 requires user approval before loading new third-party kernel extensions. The Server & Workload Protection for macOS agent uses kernel extensions for the Core Shields real-time protection features. To ensure that the product can fully protect the system, you need to explicitly allow the extensions.
The following kernel extension MDM profile creation fields are required:
<key>AllowedKernelExtensions</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>com.trendmicro.kext.KERedirect</string>
		<string>com.trendmicro.kext.filehook</string>
	</array>
</dict>
<key>AllowedTeamIdentifiers</key>
<array>
	<string>E8P47U2H32</string>
</array>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>

Configure system extensions

To comply with changes to Apple's guidelines for software developers, starting from macOS Big Sur 11.0 the system no longer loads kernel extensions. Accordingly, the Server & Workload Protection for macOS agent has been updated to use the Endpoint Security and Network Extension frameworks instead.
The following system extension fields are required:
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensionTypes</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>EndpointSecurityExtension</string>
		<string>NetworkExtension</string>
	</array>
</dict>
<key>AllowedSystemExtensions</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>com.trendmicro.icore.es</string>
		<string>com.trendmicro.icore.netfilter</string>
	</array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>

Configure web content filter

An on-device network content filter examines user network content as it passes through the network stack and determines if that content should be blocked or allowed to pass on to its final destination. For more details, see Content Filter Providers.
When creating an MDM profile, the following web content filter fields are required:
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.icore.netfilter</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.icore.netfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.icore</string>
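The three fragments above (kernel extension policy, system extension policy and web content filter) are payload bodies, not a complete profile. The following Python script is an added example, not code from this page or from Trend Micro: it assembles those bodies into one .mobileconfig with the standard library's plistlib, adding the common payload keys every profile needs, and then runs a consistency check a practitioner would want before pushing the profile (required keys present, the team ID that lists extensions is also in the allow lists, the filter provider is one of the allowed system extensions, and the designated requirement names that bundle ID and team ID). The PayloadIdentifier prefix, the UUIDs and the UserDefinedName value are assumptions; the team ID, bundle identifiers and designated requirement are taken verbatim from the fragments.

```python
import plistlib
import uuid

# Identifiers exactly as given in the profile fragments on this page.
TEAM_ID = "E8P47U2H32"
KEXT_IDS = ["com.trendmicro.kext.KERedirect", "com.trendmicro.kext.filehook"]
SYSEXT_IDS = ["com.trendmicro.icore.es", "com.trendmicro.icore.netfilter"]
NETFILTER_ID = "com.trendmicro.icore.netfilter"
DESIGNATED_REQ = (
    'identifier "com.trendmicro.icore.netfilter" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = E8P47U2H32"
)
# Assumption: replace with your organization's reverse-DNS prefix.
ORG_PREFIX = "com.example.mdm.swp"

# Keys the page lists as required for each payload type.
REQUIRED_KEYS = {
    "com.apple.syspolicy.kernel-extension-policy": {
        "AllowedKernelExtensions", "AllowedTeamIdentifiers"},
    "com.apple.system-extension-policy": {
        "AllowUserOverrides", "AllowedSystemExtensionTypes", "AllowedSystemExtensions"},
    "com.apple.webcontent-filter": {
        "FilterBrowsers", "FilterDataProviderBundleIdentifier",
        "FilterDataProviderDesignatedRequirement", "FilterGrade", "FilterPackets",
        "FilterSockets", "FilterType", "PluginBundleID"},
}


def _payload(ptype, display_name, body):
    """Wrap a payload body with the common keys an MDM expects on every payload."""
    payload = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{ptype}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(body)
    return payload


def build_profile():
    """Return the complete configuration profile as a plist-compatible dict."""
    kext = _payload("com.apple.syspolicy.kernel-extension-policy", "Kernel Extension", {
        "AllowedKernelExtensions": {TEAM_ID: KEXT_IDS},
        "AllowedTeamIdentifiers": [TEAM_ID],
    })
    sysext = _payload("com.apple.system-extension-policy", "System Extension", {
        "AllowUserOverrides": True,
        "AllowedSystemExtensionTypes": {TEAM_ID: ["EndpointSecurityExtension", "NetworkExtension"]},
        "AllowedSystemExtensions": {TEAM_ID: SYSEXT_IDS},
    })
    webfilter = _payload("com.apple.webcontent-filter", "Web Content Filter", {
        "FilterBrowsers": True,
        "FilterDataProviderBundleIdentifier": NETFILTER_ID,
        "FilterDataProviderDesignatedRequirement": DESIGNATED_REQ,
        "FilterGrade": "firewall",
        "FilterPackets": False,
        "FilterSockets": True,
        "FilterType": "Plugin",
        "PluginBundleID": "com.trendmicro.icore",
        "UserDefinedName": "Server & Workload Protection",  # assumed display name
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # device-level profile, not per-user
        "PayloadIdentifier": ORG_PREFIX,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Server & Workload Protection for macOS",
        "PayloadContent": [kext, sysext, webfilter],
    }


def check_profile(profile):
    """Return a list of consistency problems; an empty list means the profile is coherent."""
    problems = []
    payloads = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    for ptype, keys in REQUIRED_KEYS.items():
        payload = payloads.get(ptype)
        if payload is None:
            problems.append(f"missing payload {ptype}")
            continue
        for key in sorted(keys - set(payload)):
            problems.append(f"{ptype}: missing key {key}")
    kext = payloads.get("com.apple.syspolicy.kernel-extension-policy", {})
    for team in kext.get("AllowedKernelExtensions", {}):
        if team not in kext.get("AllowedTeamIdentifiers", []):
            problems.append(f"kext policy: team {team} not in AllowedTeamIdentifiers")
    sysext = payloads.get("com.apple.system-extension-policy", {})
    allowed = sysext.get("AllowedSystemExtensions", {})
    allowed_bundles = {b for ids in allowed.values() for b in ids}
    for team in allowed:
        if team not in sysext.get("AllowedSystemExtensionTypes", {}):
            problems.append(f"sysext policy: team {team} has no AllowedSystemExtensionTypes entry")
    webfilter = payloads.get("com.apple.webcontent-filter", {})
    bundle = webfilter.get("FilterDataProviderBundleIdentifier")
    req = webfilter.get("FilterDataProviderDesignatedRequirement", "")
    if bundle and bundle not in allowed_bundles:
        problems.append(f"web filter: provider {bundle} is not an allowed system extension")
    if bundle and f'identifier "{bundle}"' not in req:
        problems.append("web filter: designated requirement does not name the provider bundle")
    for team in allowed:
        if f"subject.OU] = {team}" not in req:
            problems.append(f"web filter: designated requirement does not pin team {team}")
    return problems


def to_mobileconfig(profile):
    """Serialize the profile as the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def roundtrip(profile):
    """Parse the serialized profile back, as an MDM or the profiles tool would."""
    return plistlib.loads(to_mobileconfig(profile))


if __name__ == "__main__":
    prof = build_profile()
    print(check_profile(prof) or "profile consistent")
    with open("swp-macos.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(prof))
```

The check is deliberately stricter than what an MDM validates on upload: an MDM accepts a web content filter whose provider bundle is not in the system extension allow list, and the user then sees exactly the approval pop-up this page aims to avoid. Keeping the designated requirement pinned to both the bundle identifier and the team ID is what prevents a differently signed binary from being accepted as the filter provider.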

Configure full disk access

Note
For specific configuration instructions, see https://success.trendmicro.com/dcx/s/solution/000277823?language=en_US.
Full disk access permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your important data, for example in your Mail, Messages, Time Machine, and Safari files. You'll need to manually grant permission for certain applications to access these protected areas of your macOS endpoint.
Note
In earlier versions of macOS (10.13 and lower), this permission is automatically granted during installation of your product.
WARNING
If full disk access is not enabled, Server & Workload Protection is unable to scan all areas of your macOS endpoint. This means it cannot fully protect your endpoint against malware and other network security threats, and can only scan a limited portion of your system folders and hard drive.

Configure browser plugin extension

(Optional) Add the profile settings below into MDM and deploy them to the managed macOS computer to enable Chrome or Firefox extensions automatically and avoid pop-up messages:
After installing the "Google Chrome Extension" profile, Chrome downloads and installs "Trend Micro Toolbar for Mac" from the Chrome Web Store, even if the Server & Workload Protection agent for macOS has not been installed yet. In that state "Trend Micro Toolbar for Mac" does not function yet, and the uninstaller cannot remove it.
After installing the "Mozilla Firefox Extension" profile, a pop-up may still prompt you to install the Firefox extension even though MDM has been configured. This is a timing issue: the Firefox extension has in fact already been installed successfully, and you can ignore the pop-up.
Note
For the Safari browser, it is impossible to automate browser extension deployment via MDM due to Apple restrictions.

Deploy agents from Mobile Device Management (MDM)

After you configure Mobile Device Management on Server & Workload Protection for the macOS agent, you can import deployment scripts in your MDM solution to install the agent.