This KB article serves as a guide on installing Bitdefender via Addigy, along with profiles for PPPC permissions, Kernel Extensions (KEXT), and System Extensions.
Table of Contents
- Configuring the Custom Software
- Configuring the PPPC Profile
- Configuring the Kernel Extension and/or System Extension Profile
Configuring the Custom Software
The Bitdefender installer will normally be a DMG file. To make things as simple as possible, we recommend getting the PKG and XML files that are inside of the DMG and uploading them into Addigy. If you open the Bitdefender DMG, you'll see the two files that you will need:
- Upload the .pkg and .xml files into the Custom Software. Once the files are added, your custom software should look like this:
- Addigy will automatically generate the installation script for the .pkg file. By clicking the Add button, the installation script will be filled in for you.
- Add a condition script and/or a removal script if desired.
- Save & Review your custom software, and confirm the changes.
Configuring the PPPC Profile
To prevent prompts for Full Disk Access and additional permissions, a PPPC payload can be deployed which automatically sets these permissions. The known Identifiers and code requirements for Bitdefender are listed below; they can be pasted into a PPPC Profile:
Identifier | Identifier Type | Code Requirement |
/Library/Bitdefender/AVP/BDLDaemon | Path | identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y |
com.bitdefender.EndpointSecurityforMac | Bundle ID | identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y |
com.bitdefender.epsecurity.BDLDaemonApp | Bundle ID | anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y) |
com.bitdefender.cst.net.dci.dci-network-extension | Bundle ID | anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y) |
Please note below the sections where these Identifiers & Code Requirements need to be added in the Payload:
Access to Protected Files
Access to System Admin Files
Access to File Provider
Access to Desktop Folder
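The PPPC payload described in this section can also be built programmatically, which makes it easy to check that every grant is pinned to Bitdefender's signature before it is deployed. The following Python is an added example, not Addigy's or Bitdefender's own tooling. The mapping of the four section names to TCC service keys and the `com.example.bitdefender` payload identifier prefix are assumptions; the identifiers and code requirements are the ones from the table above.

```python
import plistlib
import uuid

TEAM_ID = "GUNFMW623Y"  # Bitdefender Team ID, as given in the article
# Developer ID clause shared by all four code requirements in the table
DEV_ID = ("certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
          "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
          f"certificate leaf[subject.OU] = {TEAM_ID}")

def req_a(token):  # form of the first two table rows; token used verbatim
    return f"identifier {token} and anchor apple generic and {DEV_ID}"

def req_b(bundle_id):  # form of the last two table rows
    return (f'anchor apple generic and identifier "{bundle_id}" and (certificate '
            f"leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or {DEV_ID})")

NETEXT = "com.bitdefender.cst.net.dci.dci-network-extension"
# (Identifier, IdentifierType, CodeRequirement) rows from the article's table
ENTRIES = [
    ("/Library/Bitdefender/AVP/BDLDaemon", "path", req_a("BDLDaemon")),
    ("com.bitdefender.EndpointSecurityforMac", "bundleID",
     req_a('"com.bitdefender.EndpointSecurityforMac"')),
    ("com.bitdefender.epsecurity.BDLDaemonApp", "bundleID",
     req_b("com.bitdefender.epsecurity.BDLDaemonApp")),
    (NETEXT, "bundleID", req_b(NETEXT)),
]
# Assumption: TCC service keys matching the four section names listed above
SERVICES = ["SystemPolicyAllFiles", "SystemPolicySysAdminFiles",
            "FileProviderPresence", "SystemPolicyDesktopFolder"]

def check_entry(ident, req):  # reject a grant that does not pin its signer
    name = ident.rsplit("/", 1)[-1]  # bundle ID, or binary name for a path
    if not all(s in req for s in ("anchor apple generic", TEAM_ID, name)):
        raise ValueError(f"unpinned code requirement for {ident}")

def build_profile(prefix="com.example.bitdefender"):  # prefix is a placeholder
    grants = []
    for ident, id_type, req in ENTRIES:
        check_entry(ident, req)
        grants.append({"Identifier": ident, "IdentifierType": id_type,
                       "CodeRequirement": req, "Allowed": True})
    def meta(ptype, suffix):  # keys every payload dictionary carries
        return {"PayloadType": ptype, "PayloadVersion": 1,
                "PayloadIdentifier": f"{prefix}.{suffix}",
                "PayloadUUID": str(uuid.uuid4()).upper()}
    tcc = {**meta("com.apple.TCC.configuration-profile-policy", "pppc"),
           "Services": {s: [dict(g) for g in grants] for s in SERVICES}}
    return plistlib.dumps({**meta("Configuration", "profile"), "PayloadScope": "System",
                           "PayloadDisplayName": "Bitdefender PPPC", "PayloadContent": [tcc]})
```

`build_profile()` returns the profile as XML plist bytes that can be written to a `.mobileconfig` file. The example uses the older `Allowed` key; on macOS 11 and later the `Authorization` key with the value `Allow` is the equivalent.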
Configuring the Kernel Extension and/or System Extension Profile
The Team ID for Bitdefender is currently GUNFMW623Y. Adding this Team ID to the Allowed Team Identifiers section of the Kernel/System Extension MDM profile will whitelist all extensions under that Team ID.
Kernel Extension
System Extension
SSL Certificate
To properly deploy this SSL certificate, you must add it to the keychain on a device with Bitdefender and ensure it is approved. The SSL certificate in Keychain Access can be exported by right-clicking the certificate in System and selecting "Export (name of cert)..."
After that, add it to Apple Configurator (if you are using Windows, you may need to use an alternative profile creation tool like iMazing).
Note: See How To: Configure and Deploy a Custom MDM Profile for details on how to bring this custom profile into Addigy.
The last piece of our puzzle is to set up a Web Content Filter MDM profile, which can be configured in Catalog > MDM Profiles > New.
You will want to set it up like this:
Plugin Bundle ID:
com.bitdefender.epsecurity.BDLDaemonApp
Filter Socket Traffic:
Bundle Identifier:
com.bitdefender.cst.net.dci.dci-network-extension
Designated Requirement:
anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)
After adding the Bitdefender custom software and MDM profiles to a policy, you should be able to successfully deploy Bitdefender to the devices in that policy.
We recommend deploying your Custom Software items to test devices and virtual machines to verify their accuracy and robustness before pushing them out to your devices in production.