Installing Webroot via Addigy

Addigy supports silent, automated deployment of Webroot SecureAnywhere to managed Mac devices using Smart Software. This guide walks you through setting up the installation files, Device Settings (MDM Profiles), and an optional conditional command to keep Webroot enforced across your fleet.

This method of deployment has been configured by referencing the following Webroot documentation:

• Webroot Installation Parameters
• Webroot Config Profiles 

Prerequisites

Before you begin, make sure you have the following:

• A valid Webroot license key
• Familiarity with Smart Software — see Creating Smart Software if you haven't set one up before

How to Install Webroot

Webroot can be deployed using a Smart Software item with two installation files and a custom installation command.

1. Download the two required installation files:
   • WSAMACSME.pkg
   • installMacWSA.sh
2. In Addigy, navigate to Catalog > Software and create a new Smart Software item.
3. Upload both files as Installation Files within the Smart Software item.
4. In the Installation Command field, enter the following script — replacing XXXX-XXXX-XXXX-XXXX with your Webroot license key and YourSoftwareName with the name of your Smart Software item:

chmod +x "/Library/Addigy/ansible/packages/YourSoftwareName (1.0)/installMacWSA.sh"
/bin/bash -c "/Library/Addigy/ansible/packages/YourSoftwareName (1.0)/installMacWSA.sh --keycode=XXXX-XXXX-XXXX-XXXX --silent=true --suppress_auto_launch=true"

Note: The --silent and --suppress_auto_launch flags are set to true by default for a fully silent installation. If you omit --keycode and its value, Webroot will install but prompt the end user to enter a license key. Webroot also supports optional proxy configuration — see Webroot Command Parameters for additional flags.

Tip: Make sure the file names, paths, and version number in your command exactly match what was uploaded.

How to Add the Required Device Settings (MDM Profiles)

A silent, fully automated Webroot deployment requires three Device Settings (MDM Profiles) to grant the necessary system permissions. Create each profile in Catalog > Device Settings before deploying the Smart Software item.

Important: Device Settings must be installed on a device before the Smart Software item runs. When added to a policy, this happens automatically based on default Installation Priority. If installing on an individual device via GoLive, deploy the profiles first.

1. PPPC (Full Disk Access)

This profile grants Webroot access to protected and system admin files. For step-by-step instructions on creating a PPPC profile, see How to Create a PPPC Payload for Full Disk Access (FDA).

Use the following values:

• Bundle ID: com.webroot.Webroot-SecureAnywhere
• Code Requirement: identifier "com.webroot.Webroot-SecureAnywhere" and anchor apple generic
• Access to Protected Files: Enabled
• Access to System Admin Files: Enabled

Note: Webroot may display a Full Disk Access prompt within the app even after the profile is applied. This is a known Webroot behavior — as long as scans complete successfully, the prompt can be safely ignored.

2. Web Content Filter

This profile enables Webroot's network filtering extension. Create a new Web Content Filter Device Setting and configure it with the following settings:

• Filter Type: Plugin
• User Defined Name: Webroot SecureAnywhere
• Plugin Bundle ID: com.webroot.Webroot-SecureAnywhere
• Enable Filter Socket Traffic: Enabled
• Socket Filter Bundle Identifier: com.webroot.WSDaemon.WSANetworkExtension
• Socket Filter Designated Requirement: anchor apple generic and identifier "com.webroot.WSDaemon.WSANetworkExtension"
• Filter Grade: Inspector

3. System Extensions

This profile allows Webroot's system extension to load without prompting the user. For instructions on creating this profile type, see Allow System Extensions with Addigy MDM.

Configure the profile with:

• Enable Allowed System Extensions: Enabled
• Team ID: 6Q6RVXVYC2
• Bundle ID: com.webroot.WSDaemon.WSANetworkExtension

macOS 15 (Sequoia) and later: Add a second entry to prevent users from removing the extension:

• Enable Non-Removable System Extensions: Enabled
• Team ID: 6Q6RVXVYC2
• Bundle ID: com.webroot.WSDaemon.WSANetworkExtension

How to Add a Condition for Install (Optional)

Adding a Custom Conditional Command to your policy ensures Webroot is re-installed automatically if it's ever removed from a device.

1. In your Smart Software item, navigate to the Conditional for Install.
2. Paste the following script into the Advanced: Custom Conditional Commands section:

if [ -d "/Applications/Webroot SecureAnywhere.app" ]; then
    echo "Webroot already installed. Skipping installation."
    exit 1
else
    echo "Webroot not found. Installing..."
    exit 0
fi

Note: This script requires Install if return value is 0 to be enabled in your Smart Software item settings (this setting is enabled by default).

Frequently Asked Questions

Do I need a license key to deploy Webroot?

A license key is required for a fully silent deployment. If you omit the --keycode flag from the installation command, Webroot will still install, but end users will see a popup asking them to enter a license key manually.

Why is Webroot still asking for Full Disk Access even after I deployed the PPPC profile?

This is a known display issue with Webroot. As long as a scan can be completed successfully, the prompt can be ignored — the PPPC profile has granted the necessary permissions.

What's the correct order of operations when deploying to individual devices?

When using GoLive to deploy to a single device, install the three Device Settings (MDM Profiles) first, then run the Smart Software item. In a policy, this ordering is handled automatically.

Related Articles

• Creating Smart Software
• Addigy PPPC Payload Guide
• Allow System Extensions with Addigy MDM