Addigy provides many options for installing third-party software including Webroot security software. To install Webroot silently, you must have access to valid Webroot license keys.
This method of deployment has been configured by referencing the following Webroot documentation:
Installing Webroot
To install Webroot, create a new Smart Software item within Addigy. For more information on how to set up Smart Software, see our support article: Creating Smart Software.
Two installation files are necessary to deploy Webroot via Addigy - a .pkg and a .sh file. If you don't have them already, the files can be downloaded from the following links:
After uploading these Installation Files to your Webroot Smart Software item, the script attached below can be used as the Installation Command:
- Replace XXXX-XXXX-XXXX-XXXX with your valid license key and YourSoftwareName with the name of your Webroot Smart Software item.
- Note: It is also possible to deploy Webroot remotely without providing a license key (by omitting the keycode flag and its value from the command), however the end user will then receive a popup to enter a license key upon installation.
- Ensure the correct file names, paths, and version number are used.
- The silent and suppress_auto_launch keys are set to true by default to allow for a silent installation, but they can be modified as desired. Webroot also offers the ability to configure proxy settings by using additional flags, referenced in the following documentation (optional): Webroot Command Parameters
chmod +x "/Library/Addigy/ansible/packages/YourSoftwareName (1.0)/installMacWSA.sh"
/bin/bash -c "/Library/Addigy/ansible/packages/YourSoftwareName\\ \\(1.0\\)/installMacWSA.sh --pkg=/Library/Addigy/ansible/packages/YourSoftwareName\\ \\(1.0\\)/WSAMACSME.pkg -silent=true -suppress_auto_launch=true -keycode=XXXX-XXXX-XXXX-XXXX"
Adding MDM Whitelisting
Many apps on macOS, especially antiviruses/antimalware like Webroot, require specific whitelisting in order to fully function.
Webroot requires the following MDM Profiles for a completely automated/silent remote deployment:
-
Full Disk Access (PPPC)
- Bundle ID: com.webroot.Webroot-SecureAnywhere
- Code Requirement: identifier "com.webroot.Webroot-SecureAnywhere" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6Q6RVXVYC2"
- Web Content Filter
- Filter Name: This must be named to match what the agent would name it when installing interactively so that it does not try to install it again. The name to use is: Webroot SecureAnywhere
- Identifier: This must match the identifier for the filter plug-in: com.webroot.Webroot-SecureAnywhere
- Filter Order: Set to Inspector.
- Enable Socket Filter:
- Socket Filter Bundle Identifier: com.webroot.WSDaemon.WSANetworkExtension
- Socket Filter Designated Requirement: anchor apple generic and identifier "com.webroot.WSDaemon.WSANetworkExtension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6Q6RVXVYC2")[A screenshot of a computer Description automatically generated]
-
System Extensions
- Display Name: Set to “Webroot SecureAnywhere”
- Team Identifier: 6Q6RVXVYC2
- Allowed System Extensions: com.webroot.WSDaemon.WSANetworkExtension
- Additional System Extensions payload for devices on macOS 15 (Sequoia) and later - Without this additional payload, users on macOS 15 and later would be able to manually remove the allowance for the operating system to manage the system extension.
- Display Name: Set to “Webroot SecureAnywhere”
- Team Identifier: 6Q6RVXVYC2
- Non-removable system extensions: com.webroot.WSDaemon.WSANetworkExtension
Note: Webroot has an issue where it may still ask for Full Disk Access within the app even when it is granted, but this can be ignored assuming a scan can be successfully performed.
Adding a Custom Conditional Command
Additionally, a Custom Conditional Command can be added so that this software is enforced on a recurring basis as part of an Addigy policy.
Here is a simple Condition script that checks for the Webroot application on the device:
if [ -d "/Applications/Webroot SecureAnywhere.app" ]; then echo "Webroot already installed. Skipping installation." exit 1 else echo "Webroot not found. Installing..." exit 0 fi
Note: This Custom Conditional Command assumes that the Install on Success setting is toggled ON.
If you have any questions, please do not hesitate to reach out to us by contacting support@addigy.com