Addigy supports silent, automated deployment of Bitdefender Endpoint Security to managed Mac devices using Smart Software. This guide covers downloading the installer from the GravityZone portal, configuring the Smart Software item, and setting up the required Device Settings (MDM Profiles) for a fully automated deployment.
Prerequisites
Before you begin, make sure you have the following:
- Access to the Bitdefender GravityZone portal
- Familiarity with Smart Software — see Creating Smart Software if you haven't set one up before
How to Deploy Bitdefender
Step 1: Download the Installer from GravityZone
- Log in to the Bitdefender GravityZone portal and navigate to Network > Packages.
- Click the Download button at the top of the page and select the appropriate macOS kit for your fleet:
- macOS kit (Intel x86) — for Intel-based Macs
- macOS kit (Apple M Series) — for Apple Silicon Macs
Note: Check which processor architecture your managed devices use before downloading. If you manage a mixed fleet, you may need to create separate Smart Software items for each architecture.
- Open the downloaded .dmg file and copy the following two files to a location of your choice:
- antivirus_for_mac.pkg
- installer.xml
Step 2: Create the Smart Software Item
- In Addigy, navigate to Catalog > Smart Software > New.
- Upload both the .pkg and .xml files as Installation Files.
- Click the Add button in the Install Command column next to the .pkg file. Addigy will automatically generate the installation command.
- Optionally, add a Condition for Install to auto-remediate devices where Bitdefender is missing or was removed.
- Save the Smart Software item to your Catalog.
Tip: We recommend deploying Smart Software items to test devices or virtual machines first to verify accuracy before pushing to production.
How to Add the Required Device Settings (MDM Profiles)
Bitdefender requires several Device Settings (MDM Profiles) to grant the necessary system permissions for a fully automated deployment. Create each profile in Catalog > Device Settings before deploying the Smart Software item.
Important: Device Settings must be installed on a device before the Smart Software item runs. When added to a policy, this happens automatically based on default Installation Priority. If installing on an individual device via GoLive, deploy the Device Settings first.
1. PPPC Profile (Full Disk Access)
This profile silently grants Bitdefender the permissions it needs to operate without prompting the end user. For instructions on creating a PPPC profile, see How to Create a PPPC Payload for Full Disk Access.
Add the following four entries to the profile, enabling Access to Protected Files, Access to System Admin Files, Access to File Provider, and Access to Desktop Folder for each:
| Identifier | Identifier Type | Code Requirement |
|---|---|---|
| /Library/Bitdefender/AVP/BDLDaemon | Path | identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y |
| com.bitdefender.EndpointSecurityforMac | Bundle ID | identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y |
| com.bitdefender.epsecurity.BDLDaemonApp | Bundle ID | anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y) |
| com.bitdefender.cst.net.dci.dci-networkextension | Bundle ID | anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y) |
2. System Extension Profile
Bitdefender's Team ID is GUNFMW623Y. Adding this Team ID to the Allowed Team Identifiers field of a System Extension profile will whitelist all Bitdefender extensions automatically. See Allow System Extensions with Addigy MDM.
Configure the following:
- Enable Allowed Team Identifiers: Enabled
- Team ID: GUNFMW623Y
3. SSL Certificate Profile
Bitdefender requires a custom SSL certificate to be trusted on managed devices for its network inspection features to function correctly. This certificate must be exported from a Mac that already has Bitdefender installed, then configured as a Certificate Device Setting in Addigy.
- On a Mac with Bitdefender installed, open Keychain Access.
- Locate the Bitdefender SSL certificate in the System keychain and ensure it is set to Always Trust.
- Right-click the certificate and select Export to save it as a .pem file.
- Navigate to Catalog > Device Settings in Addigy and create a new Certificate profile.
- Upload the .pem file to the Certificate Device Setting and save it to your Catalog.
4. Web Content Filter Profile
This profile enables Bitdefender's network filtering extension. Navigate to Catalog > Device Settings, create a new Web Content Filter profile, and configure it with the following settings:
- Filter Type: Plug-In
- User Defined Name: Bitdefender
- Plugin Bundle ID: com.bitdefender.epsecurity.BDLDaemonApp
- Filter WebKit Traffic: Disabled
- Enable Filter Socket Traffic: Enabled
- Bundle Identifier: com.bitdefender.cst.net.dci.dci-networkextension
- Designated Requirement: anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-networkextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)
- Bundle Identifier:
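Each code requirement above is what restricts a permission grant to code signed under Team ID GUNFMW623Y, so a row pasted with a clause missing weakens the profile silently. The Python check below is an added example, not Addigy or Bitdefender code; it tests the four PPPC rows (the last requirement is also the Web Content Filter's Designated Requirement) for the Apple anchor, a matching identifier and the Team ID. The names lint, lint_all and app_req are hypothetical, and the checks are text matches rather than a full parser of the requirement language.

```python
import posixpath
import re

TEAM_ID = "GUNFMW623Y"  # Bitdefender's Team ID, as stated on this page
# Requirement fragments copied from the page: Developer ID branch and Mac App Store marker.
DEV_ID = ("certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
          "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
          "certificate leaf[subject.OU] = GUNFMW623Y")
MAS = "certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */"

def app_req(bundle_id):  # hypothetical helper: rebuilds the page's bundle requirement
    return f'anchor apple generic and identifier "{bundle_id}" and ({MAS} or {DEV_ID})'

# The four PPPC rows; the last requirement is also the Web Content Filter's.
ENTRIES = [
    ("/Library/Bitdefender/AVP/BDLDaemon", "Path",
     "identifier BDLDaemon and anchor apple generic and " + DEV_ID),
    ("com.bitdefender.EndpointSecurityforMac", "Bundle ID",
     'identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and ' + DEV_ID),
    ("com.bitdefender.epsecurity.BDLDaemonApp", "Bundle ID",
     app_req("com.bitdefender.epsecurity.BDLDaemonApp")),
    ("com.bitdefender.cst.net.dci.dci-networkextension", "Bundle ID",
     app_req("com.bitdefender.cst.net.dci.dci-networkextension")),
]

def lint(identifier, id_type, requirement, team_id=TEAM_ID):
    """Return the problems found in one entry; an empty list means it passed."""
    req = re.sub(r"/\*.*?\*/", " ", requirement)  # strip /* exists */ comments
    problems = []
    if "anchor apple generic" not in req:
        problems.append("missing 'anchor apple generic'")
    expected = posixpath.basename(identifier) if id_type == "Path" else identifier
    found = re.findall(r'\bidentifier\s+"?([\w.-]+)"?', req)
    if found != [expected]:
        problems.append(f"identifier clause {found} does not match {expected!r}")
    teams = re.findall(r'certificate leaf\[subject\.OU\]\s*=\s*"?(\w+)"?', req)
    if not teams:
        problems.append("no Team ID (subject.OU) clause")
    elif set(teams) != {team_id}:
        problems.append(f"unexpected Team ID {sorted(set(teams))}")
    return problems

def lint_all(entries):  # maps identifier -> problems for every entry that fails
    return {i: p for i, t, r in entries if (p := lint(i, t, r))}

if __name__ == "__main__":
    cut = ("com.bitdefender.epsecurity.BDLDaemonApp", "Bundle ID",  # constructed faulty row
           'anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp"')
    print(lint_all(ENTRIES) or "page entries OK", lint_all([cut]))
```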
Frequently Asked Questions
Do I need separate Smart Software items for Intel and Apple Silicon devices?
Yes, if you manage a mixed fleet. Bitdefender provides separate macOS kits for Intel and Apple Silicon devices. Create one Smart Software item per architecture and assign each to the appropriate policy.
What's the correct order of operations when deploying to individual devices?
When using GoLive to deploy to a single device, install all Device Settings first, then run the Smart Software item. In a policy, this ordering is handled automatically based on default Installation Priority.
I don't have a Mac with Bitdefender already installed to export the SSL certificate. What do I do?
You'll need to install Bitdefender on at least one test device first to retrieve the certificate. We recommend using a test machine or virtual machine for this purpose before deploying fleet-wide.