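With mobile device management (MDM), administrators can configure the required permissions so that the macOS agent runs without additional action from end users. In addition to setting permissions, the sections below give guidance on deploying MDM correctly so that the Zero Trust Secure Access agent for macOS runs on the end-user side without pop-up windows (for example, permission requests).
Note
This document provides detailed configuration instructions for Microsoft Intune. For other MDM platforms such as Jamf, AirWatch (Workspace One), or other solutions, see "Creating and configuring MDM profiles for TrendAI™ Security Agent on Mac".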

Deploying MDM profiles with Microsoft Intune

To deploy MDM profiles with Microsoft Intune:
  1. Sign in to Microsoft Intune.
  2. Click "Devices" > "macOS" to open the macOS device settings page.
  3. Go to "Configuration profiles" > "Create profile", then select "Templates".
  4. Select "Custom". (This method lets you upload .mobileconfig files that you create yourself, to deploy all profile types, including system extension, web content filter, Full Disk Access, and service management profiles.)
    1. In the "Basics" section, provide a "Name" and "Description" for the macOS profile.
    2. In the "Configuration settings" section, add a "Configuration profile name" and upload your .mobileconfig as the "Configuration profile file" (for example, SystemExtension.mobileconfig).
    3. In the "Assignments" section, set "Included groups" and "Excluded groups" as needed to control which devices receive the profile.
    4. In the "Review + create" section, review your configuration, then create the profile.
  5. If the deployment has not updated for a long time, click "Assignments" to run it again.
    Tip
    You can monitor deployment progress on the profile overview page. When it completes, "Deployment status" shows "Succeeded".
  6. On the managed Mac, confirm the installed profiles by checking "System Settings > Privacy & Security > Profiles".
  7. Repeat steps 3-6 for each required .mobileconfig profile (including System Extension, Web Content Filter, Full Disk Access, and Service Management - Managed Login Items).

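Configuring system extensions

To follow Apple's changed guidelines for software developers, starting with macOS Big Sur 11.0 the system no longer loads kernel extensions. The Zero Trust Secure Access agent for macOS uses system extensions and the Network Extension framework to provide secure access features.
The Network Extension framework lets you customize and extend core networking features. Reference: https://developer.apple.com/documentation/networkextension
The following system extension fields are required: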
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
	<key>E8P47U2H32</key>
	<array>
		<string>com.trendmicro.ztnasase.tunnel</string>
	</array>
</dict>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadDisplayName</key>
<string>System Extension</string>
The following is a sample MDM configuration profile that allows the system extension:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
       <key>PayloadContent</key>
       <array>
              <dict>
                     <key>AllowUserOverrides</key>
                     <true/>
                     <key>AllowedSystemExtensions</key>
                     <dict>
                           <key>E8P47U2H32</key>
                           <array>
                             <string>com.trendmicro.ztnasase.tunnel</string>
                           </array>
                     </dict>
                     <key>PayloadDescription</key>
                     <string></string>
                     <key>PayloadDisplayName</key>
                     <string>System Extensions</string>
                     <key>PayloadEnabled</key>
                     <true/>
                     <key>PayloadIdentifier</key>
                     <string>com.yourorg.systemextension</string>
                     <key>PayloadOrganization</key>
                     <string>Your Org.</string>
                     <key>PayloadType</key>
                     <string>com.apple.system-extension-policy</string>
                     <key>PayloadUUID</key>
                     <string>170970B2-F040-49C1-9325-05E27BB63C6A</string>
                     <key>PayloadVersion</key>
                     <integer>1</integer>
              </dict>
       </array>
       <key>PayloadDescription</key>
       <string></string>
       <key>PayloadDisplayName</key>
       <string>System Extension</string>
       <key>PayloadEnabled</key>
       <true/>
       <key>PayloadIdentifier</key>
       <string>com.apple.system-extension-policy.EB63187C-EDAB-4CEE-9311-4DDB40587CED</string>
       <key>PayloadOrganization</key>
       <string>Your Org.</string>
       <key>PayloadRemovalDisallowed</key>
       <true/>
       <key>PayloadScope</key>
       <string>System</string>
       <key>PayloadType</key>
       <string>Configuration</string>
       <key>PayloadUUID</key>
       <string>com.apple.system-extension-policy.EB63187C-EDAB-4CEE-9311-4DDB40587CED</string>
       <key>PayloadVersion</key>
       <integer>1</integer>
</dict>
</plist>

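Configuring the web content filter

An on-device network content filter examines user network content as it passes through the network stack and determines whether that content should be blocked or allowed to pass on to its final destination. For more details, see Content Filter Providers.
When creating the MDM profile, the following web content filter fields are required: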
<key>FilterBrowsers</key>
<true/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.trendmicro.ztnasase.tunnel</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
<key>FilterGrade</key>
<string>firewall</string>
<key>FilterPackets</key>
<true/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PluginBundleID</key>
<string>com.trendmicro.ztnasase</string>
The following is a sample web content filter profile configuration to assist with internal VPN setup:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
       <key>PayloadContent</key>
       <array>
              <dict>
                     <key>FilterBrowsers</key>
                     <true/>
                     <key>FilterDataProviderBundleIdentifier</key>
                     <string>com.trendmicro.ztnasase.tunnel</string>
                     <key>FilterDataProviderDesignatedRequirement</key>
                     <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                     <key>FilterGrade</key>
                     <string>firewall</string>
                     <key>FilterPackets</key>
                     <true/>
                     <key>FilterSockets</key>
                     <true/>
                     <key>FilterType</key>
                     <string>Plugin</string>
                     <key>PayloadDescription</key>
                     <string>Adds a Web Content Filter</string>
                     <key>PayloadDisplayName</key>
                     <string>ZTSA Web Content Filter</string>
                     <key>PayloadIdentifier</key>
                     <string>D738AB74-9848-4097-9429-137DB1C9ZTSA</string>
                     <key>PayloadOrganization</key>
                     <string></string>
                     <key>PayloadType</key>
                     <string>com.apple.webcontent-filter</string>
                     <key>PayloadUUID</key>
                     <string>D738AB74-9848-4097-9429-137DB1C9ZTSA</string>
                     <key>PayloadVersion</key>
                     <integer>1</integer>
                     <key>PluginBundleID</key>
                     <string>com.trendmicro.ztnasase</string>
                     <key>UserDefinedName</key>
                     <string>TrendAI™ - ZTSA</string>
              </dict>
       </array>
       <key>PayloadDescription</key>
       <string>YourOrg</string>
       <key>PayloadDisplayName</key>
       <string>YourOrg</string>
       <key>PayloadIdentifier</key>
       <string>66CE283B-CA7E-49E3-BA51-A396ACE2ZTSA</string>
       <key>PayloadOrganization</key>
       <string>YourOrg</string>
       <key>PayloadScope</key>
       <string>System</string>
       <key>PayloadType</key>
       <string>Configuration</string>
       <key>PayloadUUID</key>
       <string>A19134F2-F9C3-4F35-B10B-1E75613BZTSA</string>
       <key>PayloadVersion</key>
       <integer>1</integer>
</dict>
</plist>
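
Added example (not Trend Micro's code): a Python check to run before uploading a .mobileconfig to Intune, which compares the system extension and web content filter payloads against the required fields listed in the two sections above. The function names and sample profiles are constructed for illustration, and the "extra allow-list entry" warning is an added least-privilege check that goes beyond what this page states.

```python
"""Lint a .mobileconfig against the required fields listed on this page."""
import plistlib
from xml.parsers.expat import ExpatError

TEAM_ID = "E8P47U2H32"
TUNNEL = "com.trendmicro.ztnasase.tunnel"
SYSEXT = "com.apple.system-extension-policy"
WEBFILTER = "com.apple.webcontent-filter"
# Designated requirement copied from the page's web content filter fields.
FILTER_DR = (
    'identifier "com.trendmicro.ztnasase" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = " + TEAM_ID
)
# Key/value pairs the page lists as required, per payload type.
REQUIRED = {
    SYSEXT: {"AllowUserOverrides": True},
    WEBFILTER: {
        "FilterBrowsers": True,
        "FilterDataProviderBundleIdentifier": TUNNEL,
        "FilterDataProviderDesignatedRequirement": FILTER_DR,
        "FilterGrade": "firewall",
        "FilterPackets": True,
        "FilterSockets": True,
        "FilterType": "Plugin",
        "PluginBundleID": "com.trendmicro.ztnasase",
    },
}


def _norm(value):
    """Collapse whitespace in strings so line wrapping causes no false alarms."""
    return " ".join(value.split()) if isinstance(value, str) else value


def _check_extensions(payload):
    """The allow-list must hold the page's team ID and bundle; flag anything else."""
    allowed = payload.get("AllowedSystemExtensions")
    if not isinstance(allowed, dict):
        return ["AllowedSystemExtensions is missing or not a dict"]
    findings = []
    for team, bundles in allowed.items():
        if not isinstance(bundles, list):
            findings.append(f"AllowedSystemExtensions[{team}] is not an array")
            allowed = dict(allowed, **{team: []})
    if TUNNEL not in allowed.get(TEAM_ID, []):
        findings.append(f"AllowedSystemExtensions[{TEAM_ID}] lacks {TUNNEL}")
    for team, bundles in allowed.items():
        for bundle in bundles:
            if (team, bundle) != (TEAM_ID, TUNNEL):
                findings.append(
                    f"extra allow-list entry {team}/{bundle}: confirm it is intended")
    return findings


def lint_profile(data):
    """Return findings for one .mobileconfig (bytes); an empty list means it passed."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [f"not a valid plist: {exc}"]
    payloads = profile.get("PayloadContent") if isinstance(profile, dict) else None
    if not isinstance(payloads, list):
        return ["top-level PayloadContent array is missing"]
    findings, covered = [], 0
    for payload in payloads:
        ptype = payload.get("PayloadType") if isinstance(payload, dict) else None
        if ptype not in REQUIRED:
            continue
        covered += 1
        for key, want in REQUIRED[ptype].items():
            got = _norm(payload.get(key))
            # Compare type as well, so integer 1 does not pass for <true/>.
            if got != want or type(got) is not type(want):
                findings.append(f"{ptype}: {key} is {got!r}, expected {want!r}")
        if ptype == SYSEXT:
            findings += [f"{ptype}: {msg}" for msg in _check_extensions(payload)]
    if covered == 0:
        findings.append("no system extension or web content filter payload found")
    return findings


def _sample(payload):
    """Constructed sample: wrap one payload the way the page's profiles do."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": [payload]})


# Constructed test profiles (not taken from a real deployment).
GOOD_EXT = _sample({"PayloadType": SYSEXT, "AllowUserOverrides": True,
                    "AllowedSystemExtensions": {TEAM_ID: [TUNNEL]}})
BAD_EXT = _sample({"PayloadType": SYSEXT, "AllowUserOverrides": True,
                   "AllowedSystemExtensions": {TEAM_ID: [TUNNEL[:-2] + "l"]}})
GOOD_FILTER = _sample(dict(REQUIRED[WEBFILTER], PayloadType=WEBFILTER))
BAD_FILTER = _sample(dict(REQUIRED[WEBFILTER], PayloadType=WEBFILTER,
                          FilterGrade="inspector"))

if __name__ == "__main__":
    for name, blob in [("good-ext", GOOD_EXT), ("bad-ext", BAD_EXT),
                       ("good-filter", GOOD_FILTER), ("bad-filter", BAD_FILTER)]:
        print(name, lint_profile(blob) or "OK")
```

A signed profile is CMS-wrapped and is reported as not a valid plist, so run the check on the unsigned file.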

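Configuring Full Disk Access

Note
Full Disk Access, introduced in macOS Mojave (10.14), is a privacy and security feature that prevents some applications from accessing your important data in Mail, Messages, Time Machine, and Safari files. This means that you need to manually grant certain applications permission to access these protected areas before they can be used on your macOS endpoint.
Note
In earlier versions of macOS (10.13 and earlier), this permission is granted automatically when the product is installed.
Warning
If Full Disk Access is not enabled, Zero Trust Secure Access may not function properly in certain network access scenarios and configuration management tasks.
When creating the MDM profile for Full Disk Access, using the Privacy Preferences Policy Control Utility (PPPC Utility) app is recommended.
The required paths and permissions are as follows:
  • Installation paths:
    • /Applications/Zero Trust Secure Access.app
    • /Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp
    • /Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access
  • Required permissions:
    • Property: Accessibility → Allow
    • Property: All Files → Allow
    • Apple Events: System Events → Allow
The following is a sample PPPC configuration profile used to suppress user prompts while the application is running: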
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
       <key>PayloadContent</key>
       <array>
              <dict>
                     <key>PayloadDescription</key>
                     <string> Your Org.- ZTSA PPPC</string>
                     <key>PayloadDisplayName</key>
                     <string> Your Org.- ZTSA PPPC</string>
                     <key>PayloadIdentifier</key>
                     <string>0AC7C2F2-B3E7-4B5F-8B92-A1F905501BAF</string>
                     <key>PayloadOrganization</key>
                     <string> Your Org.- ZTSA PPPC</string>
                     <key>PayloadType</key>
                     <string>com.apple.TCC.configuration-profile-policy</string>
                     <key>PayloadUUID</key>
                     <string>C47E2D8A-3A91-4E35-8027-1EABFEB50D9A</string>
                     <key>PayloadVersion</key>
                     <integer>1</integer>
                     <key>Services</key>
                     <dict>
                           <key>Accessibility</key>
                           <array>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase.openvpn</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                           </array>
                           <key>AppleEvents</key>
                           <array>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>path</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>path</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.apple.systemevents" and anchor apple</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>com.apple.systemevents</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>bundleID</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.apple.systemevents" and anchor apple</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>com.apple.systemevents</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>bundleID</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>path</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>bundleID</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.apple.systemevents" and anchor apple</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>com.apple.systemevents</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>bundleID</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>bundleID</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>path</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>bundleID</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase.openvpn</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>AEReceiverCodeRequirement</key>
                                         <string>identifier "com.apple.systemevents" and anchor apple</string>
                                         <key>AEReceiverIdentifier</key>
                                         <string>com.apple.systemevents</string>
                                         <key>AEReceiverIdentifierType</key>
                                         <string>bundleID</string>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase.openvpn</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                           </array>
                           <key>SystemPolicyAllFiles</key>
                           <array>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase.openvpn</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                           </array>
                           <key>SystemPolicyDesktopFolder</key>
                           <array>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase.openvpn</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                           </array>
                           <key>SystemPolicyDocumentsFolder</key>
                           <array>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase.openvpn</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                           </array>
                           <key>SystemPolicyDownloadsFolder</key>
                           <array>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier ztnp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/ztnp</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>/Applications/Zero Trust Secure Access.app/Contents/MacOS/Zero Trust Secure Access</string>
                                         <key>IdentifierType</key>
                                         <string>path</string>
                                  </dict>
                                  <dict>
                                         <key>Authorization</key>
                                         <string>Allow</string>
                                         <key>CodeRequirement</key>
                                         <string>identifier "com.trendmicro.ztnasase.openvpn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                                         <key>Comment</key>
                                         <string></string>
                                         <key>Identifier</key>
                                         <string>com.trendmicro.ztnasase.openvpn</string>
                                         <key>IdentifierType</key>
                                         <string>bundleID</string>
                                  </dict>
                           </array>
                     </dict>
              </dict>
       </array>
       <key>PayloadDescription</key>
       <string>Your Org</string>
       <key>PayloadDisplayName</key>
       <string>Your Org</string>
       <key>PayloadIdentifier</key>
       <string>0AC7C2F2-B3E7-4B5F-8B92-A1F905501BAF</string>
       <key>PayloadOrganization</key>
       <string>Your Org</string>
       <key>PayloadScope</key>
       <string>System</string>
       <key>PayloadType</key>
       <string>Configuration</string>
       <key>PayloadUUID</key>
       <string>FEE78DB2-FAAC-4A56-9503-9ECFB7A0E419</string>
       <key>PayloadVersion</key>
       <integer>1</integer>
</dict>
</plist>
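The privacy preferences profile above grants access per `Identifier`, and each grant is only as strong as its `CodeRequirement`. The following is an added example, not part of the vendor's documentation: a lint that checks every entry pins the Team ID and that a `bundleID` entry names the same signing identifier in its requirement. The function name, finding labels and the second sample entry (`com.example.*`) are constructed for illustration.

```python
import plistlib
import re

TEAM_ID = "E8P47U2H32"  # Team ID used throughout the page's profiles

# Requirement string copied from the page's com.trendmicro.ztnasase entries.
GOOD_REQ = ('identifier "com.trendmicro.ztnasase" and anchor apple generic and '
            'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
            'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
            'certificate leaf[subject.OU] = E8P47U2H32')

# Constructed sample: one entry as on the page, one deliberately weak entry.
SAMPLE = plistlib.dumps({"PayloadContent": [{"Services": {"SystemPolicyAllFiles": [
    {"Authorization": "Allow", "CodeRequirement": GOOD_REQ,
     "Identifier": "com.trendmicro.ztnasase", "IdentifierType": "bundleID"},
    {"Authorization": "Allow",
     "CodeRequirement": 'identifier "com.example.other" and anchor apple generic',
     "Identifier": "com.example.helper", "IdentifierType": "bundleID"},
]}}]})


def audit_pppc(profile_bytes, team_id=TEAM_ID):
    """Return (service:identifier, finding) tuples for weak privacy grants."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    # The requirement must tie the leaf certificate's OU to the expected Team ID.
    pin = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?'
                     + re.escape(team_id) + r'"?(?!\w)')
    for payload in profile.get("PayloadContent", []):
        # Only payloads that carry a Services dictionary are inspected.
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                ident = entry.get("Identifier", "")
                req = entry.get("CodeRequirement", "")
                where = f"{service}:{ident}"
                if not pin.search(req):
                    findings.append((where, "no-team-pin"))
                # Signing identifier named inside the requirement, quoted or bare.
                m = re.search(r'\bidentifier\s+"?([^"\s]+)"?', req)
                signing_id = m.group(1) if m else None
                kind = entry.get("IdentifierType")
                if kind == "bundleID" and signing_id != ident:
                    findings.append((where, "identifier-mismatch"))
                if kind == "path" and not ident.startswith("/"):
                    findings.append((where, "relative-path"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_pppc(SAMPLE):
        print(f"{where}: {finding}")
```

To audit a real file, pass `open("profile.mobileconfig", "rb").read()` instead of `SAMPLE`.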

Configuring Service Management - Managed Login Items (macOS 13.0 Ventura and later)

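Starting with macOS 13.0 Ventura, LaunchAgents and LaunchDaemons (located in /Library and ~/Library) are managed from the "System Settings" > "General" > "Login Items" panel. They appear as the items under "Allow in the Background".
The following settings are required: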
<key>Rules</key>
<array>
	<dict>
		<key>Comment</key>
		<string>TrendAI™</string>
		<key>RuleType</key>
		<string>TeamIdentifier</string>
		<key>RuleValue</key>
		<string>E8P47U2H32</string>
	</dict>
	<dict>
		<key>RuleType</key>
		<string>LabelPrefix</string>
		<key>RuleValue</key>
		<string>com.trendmicro.ztnasase</string>
	</dict>
</array>
The following is an example Service Management configuration profile for managing login items and background processes:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
                <key>PayloadContent</key>
                <array>
                                <dict>
                                                <key>PayloadDisplayName</key>
                                                <string>Service Management - Managed Login Items</string>
                                                <key>PayloadIdentifier</key>
                                                <string>com.apple.servicemanagement.EE60CA62-F2C3-4E0D-A5EE-0B48CAADF5DB</string>
                                                <key>PayloadType</key>
                                                <string>com.apple.servicemanagement</string>
                                                <key>PayloadUUID</key>
                                                <string>EE60CA62-F2C3-4E0D-A5EE-0B48CAADF5DB</string>
                                                <key>PayloadVersion</key>
                                                <integer>1</integer>
                                                <key>Rules</key>
                                                <array>
                                                                <dict>
                                                                                <key>Comment</key>
                                                                                <string>TrendAI™</string>
                                                                                <key>RuleType</key>
                                                                                <string>TeamIdentifier</string>
                                                                                <key>RuleValue</key>
                                                                                <string>E8P47U2H32</string>
                                                                </dict>
                                                                <dict>
                                                                                <key>RuleType</key>
                                                                                <string>LabelPrefix</string>
                                                                                <key>RuleValue</key>
                                                                                <string>com.trendmicro</string>
                                                                </dict>
                                                                <dict>
                                                                                <key>RuleType</key>
                                                                                <string>LabelPrefix</string>
                                                                                <key>RuleValue</key>
                                                                                <string>com.trendmicro.ztnasase</string>
                                                                </dict>
                                                </array>
                                </dict>
                </array>
                <key>PayloadDisplayName</key>
                <string>TrendAI™ - Login Items</string>
                <key>PayloadIdentifier</key>
                <string>B631E20B-CC84-4E45-991D-11258DA55B39</string>
                <key>PayloadOrganization</key>
                <string>TrendAI™, Inc.</string>
                <key>PayloadType</key>
                <string>Configuration</string>
                <key>PayloadUUID</key>
                <string>B631E20B-CC84-4E45-991D-11258DA55B39</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
</dict>
</plist>
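The required snippet lists two rules, while the full example profile carries a third, `LabelPrefix` `com.trendmicro`. The following added example (not the vendor's code) reads the `Rules` array, reports required rules that are missing and prefixes that cover more than the required one, and shows which launchd labels the rules match. The sample labels are constructed, and the matching logic assumes an item is covered when any single rule matches it.

```python
import plistlib

# Rules the page lists as required for the macOS agent.
REQUIRED = {("TeamIdentifier", "E8P47U2H32"),
            ("LabelPrefix", "com.trendmicro.ztnasase")}

# Constructed sample carrying the same three rules as the page's full example.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.servicemanagement",
        "Rules": [
            {"Comment": "TrendAI™", "RuleType": "TeamIdentifier",
             "RuleValue": "E8P47U2H32"},
            {"RuleType": "LabelPrefix", "RuleValue": "com.trendmicro"},
            {"RuleType": "LabelPrefix", "RuleValue": "com.trendmicro.ztnasase"},
        ],
    }],
})


def load_rules(profile_bytes):
    """Collect (RuleType, RuleValue) pairs from every servicemanagement payload."""
    profile = plistlib.loads(profile_bytes)
    rules = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.servicemanagement":
            rules += [(r.get("RuleType"), r.get("RuleValue"))
                      for r in payload.get("Rules", [])]
    return rules


def audit_rules(rules):
    """Report required rules that are absent and prefixes wider than required."""
    missing = sorted(REQUIRED - set(rules))
    required_prefixes = [v for t, v in REQUIRED if t == "LabelPrefix"]
    broader = sorted({v for t, v in rules if t == "LabelPrefix"
                      for req in required_prefixes
                      if req.startswith(v) and v != req})
    return {"missing": missing, "broader_than_required": broader}


def is_covered(rules, label, team_id=None):
    """Assumption: an item is covered when any single rule matches it."""
    for rule_type, value in rules:
        if rule_type == "TeamIdentifier" and team_id == value:
            return True
        if rule_type == "LabelPrefix" and label.startswith(value):
            return True
        if rule_type == "Label" and label == value:
            return True
    return False


if __name__ == "__main__":
    rules = load_rules(SAMPLE_PROFILE)
    print(audit_rules(rules))
    # Constructed launchd labels and Team IDs, for illustration only.
    for label, team in [("com.trendmicro.ztnasase.daemon", "E8P47U2H32"),
                        ("com.trendmicro.other.agent", None),
                        ("com.example.agent", "ABCDE12345")]:
        print(label, is_covered(rules, label, team))
```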