This KB article serves as a guide on installing Bitdefender via Addigy, along with profiles for PPPC permissions, Kernel Extensions (KEXT), and System Extensions.
Table of Contents
- Configuring the Custom Software
- Configuring the PPPC Profile
- Configuring the Kernel Extension and/or System Extension Profile
Configuring the Custom Software
Before getting started, download the relevant DMG from the Bitdefender GravityZone portal. On the Network > Packages page, use the "Download" button at the top of that page to download the Intel and/or Silicon (Apple M Series) macOS kit. Make sure to check what
Once downloaded, copy the .pkg and installer.xml files out of the DMG, as these will be needed later on.
Once done pasting the files, continue below:
- Navigate to Catalog > Smart Software > New
- Upload the .pkg and .xml files into the Smart Software. Once the files are added, it should look like this:
- Next, select the "Add" button under the "Add installation script" column in the above screenshot. This will automatically generate the install command for the Bitdefender pkg.
- Add a Condition For Install script of your choosing (recommended)
- Save & Review your custom software, and confirm the changes.
Configuring the PPPC Profile
To prevent prompts for Full Disk Access and additional permissions, a PPPC payload can be deployed which automatically sets these permissions. The known Identifiers and code requirements for Bitdefender are listed below:
Identifier | Identifier Type | Code Requirement |
--- | --- | --- |
/Library/Bitdefender/AVP/BDLDaemon | Path | identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y |
com.bitdefender.EndpointSecurityforMac | Bundle ID | identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y |
com.bitdefender.epsecurity.BDLDaemonApp | Bundle ID | anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y) |
com.bitdefender.cst.net.dci.dci-network-extension | Bundle ID | anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y) |
When pasted into the profile, it should look like this:
Access to Protected Files
Access to System Admin Files
Access to File Provider
Access to Desktop Folder
Configuring the Kernel Extension and/or System Extension Profile
The Team ID for Bitdefender is currently GUNFMW623Y. Adding this Team ID to the Allowed Team Identifiers section of the Kernel/System Extension MDM profile will whitelist all extensions under that Team ID.
Kernel Extension (not recommended for macOS 11+)
System Extension (recommended for macOS 11+)
SSL Certificate
To properly deploy this SSL certificate, you must add it to the keychain on a device with Bitdefender and ensure it is approved. The SSL certificate can be exported from Keychain Access by right-clicking the certificate in System and selecting "Export (name of cert)...". You will have to retrieve this from a device that has Bitdefender installed.
After that, add it to Apple Configurator (if you are using Windows, you may need to use an alternative profile creation tool like iMazing).
Note: See How To: Configure and Deploy a Custom MDM Profile for details on how to bring this custom profile into Addigy.
Configuring the Web Content Filter (aka Network Filter)
The last piece of our puzzle is to set up a Web Content Filter MDM profile, which can be configured in Catalog > MDM Profiles > New.
You will want to set it up as shown in this screenshot by using the content below:
Plugin Bundle ID:
com.bitdefender.epsecurity.BDLDaemonApp
Filter Socket Traffic:
Bundle Identifier:
com.bitdefender.cst.net.dci.dci-network-extension
Designated Requirement:
anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)
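A pre-deployment check for the profiles described above (PPPC, Kernel/System Extension allowlist, Web Content Filter), as an added example that is not Addigy's or Bitdefender's code: it confirms that each code requirement names the identifier it is attached to and pins Team ID GUNFMW623Y. The payload keys are Apple's MDM keys; the sample profile is constructed, and its service placement and `FilterSockets` value are assumptions because the page shows them only in screenshots.

```python
import posixpath
import re

TEAM_ID = "GUNFMW623Y"  # Team ID and both requirement strings are copied from this page
REQ_DAEMON = 'identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y'
REQ_NETEXT = 'anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)'
# Constructed sample profile. Assumptions: BDLDaemon under SystemPolicyAllFiles, FilterSockets on.
PROFILE = {"PayloadContent": [
    {"PayloadType": "com.apple.TCC.configuration-profile-policy", "Services": {"SystemPolicyAllFiles": [
        {"Identifier": "/Library/Bitdefender/AVP/BDLDaemon", "IdentifierType": "path",
         "CodeRequirement": REQ_DAEMON, "Authorization": "Allow"}]}},
    {"PayloadType": "com.apple.system-extension-policy", "AllowedTeamIdentifiers": [TEAM_ID]},
    {"PayloadType": "com.apple.webcontent-filter", "FilterType": "Plugin",
     "PluginBundleID": "com.bitdefender.epsecurity.BDLDaemonApp", "FilterSockets": True,
     "FilterDataProviderBundleIdentifier": "com.bitdefender.cst.net.dci.dci-network-extension",
     "FilterDataProviderDesignatedRequirement": REQ_NETEXT}]}
TEAM_POLICIES = ("com.apple.system-extension-policy", "com.apple.syspolicy.kernel-extension-policy")

def lint_requirement(identifier, id_type, req):
    """Textual lint of one code requirement (not a requirement-language parser)."""
    problems = []
    expected = posixpath.basename(identifier) if id_type == "path" else identifier
    named = re.search(r'\bidentifier\s+"?([\w.-]+)"?', req)
    if not named or named.group(1) != expected:
        problems.append(f"does not name identifier {expected}")
    if re.findall(r'leaf\[subject\.OU\]\s*=\s*"?(\w+)"?', req) != [TEAM_ID]:
        problems.append(f"does not pin Team ID {TEAM_ID}")
    if "anchor apple generic" not in req:
        problems.append("is not anchored to Apple's CA")
    return problems

def audit(profile):
    """Return findings for the TCC, extension-policy and content-filter payloads."""
    findings = []
    for p in profile.get("PayloadContent", []):
        kind = p.get("PayloadType", "")
        if kind == "com.apple.TCC.configuration-profile-policy":
            for service, entries in p.get("Services", {}).items():
                for e in entries:
                    msgs = lint_requirement(e["Identifier"], e["IdentifierType"], e["CodeRequirement"])
                    findings += [f"{service} {e['Identifier']}: requirement {m}" for m in msgs]
        elif kind in TEAM_POLICIES and p.get("AllowedTeamIdentifiers") != [TEAM_ID]:
            findings.append(f"{kind}: allowed Team IDs are not exactly [{TEAM_ID}]")
        elif kind == "com.apple.webcontent-filter":
            msgs = lint_requirement(p.get("FilterDataProviderBundleIdentifier", ""), "bundleID", p.get("FilterDataProviderDesignatedRequirement", ""))
            findings += [f"content filter: requirement {m}" for m in msgs]
    return findings

if __name__ == "__main__":
    print(audit(PROFILE) or "profile matches the values on this page")
```

On a Mac with the agent installed, `codesign -d -r- <path>` prints a binary's actual designated requirement for comparison with the strings in the profile.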
After adding the Bitdefender custom software and MDM profiles to a policy, you should be able to deploy Bitdefender to the devices in that policy successfully.
We recommend deploying your Smart Software items to test devices and virtual machines to verify their accuracy and robustness before pushing them out to your devices in production.