This article is your guide to deploying Deep Instinct with Addigy, including how to deploy Full Disk Access.
Note: Deploy your MDM whitelisting profiles before deploying the software.
Creating the Custom Software Item
First, upload the Deep Instinct DMG into Addigy as seen below:
Here is an example of what your installation script would look like. There are a few things to watch for, noted below.
[ -d "/Library/Application Support/Deep Instinct" ] || mkdir "/Library/Application Support/Deep Instinct"
cp -R "3.1.0.104_Deepinstinct (1).dmg" "/Library/Application Support/Deep Instinct/"
hdiutil attach -nobrowse "/Library/Addigy/ansible/packages/Deep Instinct (1.0)/3.1.0.104_Deepinstinct (1).dmg"
sudo "/Volumes/Deep Instinct/installer.sh" YOUR_LINK_HERE.deepinstinctweb.com -token YOUR_TOKEN_HERE
hdiutil detach "/Volumes/Deep Instinct/"
A few things to note:
- Be sure that you're using the correct paths in your custom software. For example, my Deep Instinct file is named "3.1.0.104_Deepinstinct (1).dmg", but yours might be different. Substitute the correct file name and version as needed.
- Replace "YOUR_LINK_HERE.deepinstinctweb.com" with your Deep Instinct link; it should end in deepinstinctweb.com.
- Replace "YOUR_TOKEN_HERE" with the token that you get from Deep Instinct.
Configuring Full Disk Access
In order to configure Full Disk Access, you need a few items to be whitelisted.
First, create an MDM configuration by going to Catalog>MDM Profiles>New>PPPC.
Next, you'll be configuring the "Access to Protected Files" and "Access to System Admin Files" fields. Below you will find the information to paste into both fields.
Identifier | Identifier Type | Code Requirement | Static Code | Allowed |
com.deepinstinct.InstallerPermissionsPlugIn | BundleID | identifier "com.deepinstinct.InstallerPermissionsPlugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.InstallerSettingsPlugIn | BundleID | identifier "com.deepinstinct.InstallerSettingsPlugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.UIService | BundleID | identifier "com.deepinstinct.UIService" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.DeepInstinctUtility | BundleID | identifier "com.deepinstinct.DeepInstinctUtility" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
/Library/DeepInstinct/Executables/DeepInstinctClassifier | Path | anchor apple generic and identifier DeepInstinctClassifier and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MV9BR98H24) | n/a | Yes |
com.DeepInstinct.DeepInstinctAgent | BundleID | identifier "com.DeepInstinct.DeepInstinctAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.mng | BundleID | anchor apple generic and identifier "com.deepinstinct.mng" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24") | n/a | Yes |
com.deepinstinct.InstallerSystemExtPermissionPlugIn | BundleID | identifier "com.deepinstinct.InstallerSystemExtPermissionPlugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.at | BundleID | anchor apple generic and identifier "com.deepinstinct.at" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24") | n/a | Yes |
com.deepinstinct.DeepInstinctUtility.Extension | BundleID | identifier "com.deepinstinct.DeepInstinctUtility.Extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MV9BR98H24 |
When all is configured, it should look like this:
Creating the System Extension
Deep Instinct will also need System Extension whitelisting. You can create this by navigating to Catalog>MDM Profiles>New>System Extensions.
Here is what you'll enter: MV9BR98H24
When you're done, it should look like the below:
After adding and deploying this configuration to your policies, you may proceed with deploying the software!
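Added example (not Addigy's or Deep Instinct's code): a Python audit of an exported .mobileconfig that checks every PPPC entry is limited to the two Full Disk Access services and textually pins both its identifier and team MV9BR98H24, and that the System Extension payload allows only that team. The payload types and keys are Apple's standard profile keys; the sample profile and the `com.example.tool` entry are constructed, and the check is string matching, not a parse of the code requirement language.

```python
import plistlib
import re

TEAM_ID = "MV9BR98H24"  # team identifier given in the article
FDA_SERVICES = {"SystemPolicyAllFiles", "SystemPolicySysAdminFiles"}

def check_entry(service, entry, team_id=TEAM_ID):
    """Findings for one PPPC entry; an empty list means it is pinned as expected."""
    ident, req = entry.get("Identifier", ""), entry.get("CodeRequirement", "")
    name = ident.rsplit("/", 1)[-1]  # path entries: the table pins the file name
    out = []
    if service not in FDA_SERVICES:
        out.append(f"{ident}: unexpected service {service}")
    if "anchor apple generic" not in req:
        out.append(f"{ident}: not anchored to Apple")
    if not re.search(r'identifier "?' + re.escape(name) + r'"?(?![\w.])', req):
        out.append(f"{ident}: identifier not pinned")
    if not re.search(r'leaf\[subject\.OU\] = "?' + re.escape(team_id) + r'"?(?!\w)', req):
        out.append(f"{ident}: team {team_id} not pinned")
    return out

def audit_profile(data, team_id=TEAM_ID):
    """Audit the PPPC and System Extension payloads of a .mobileconfig (bytes)."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.TCC.configuration-profile-policy":
            for service, entries in payload.get("Services", {}).items():
                for entry in entries:
                    findings += check_entry(service, entry, team_id)
        elif ptype == "com.apple.system-extension-policy":
            for tid in payload.get("AllowedTeamIdentifiers", []):
                if tid != team_id:
                    findings.append(f"system extension: unexpected team {tid}")
    return findings

# Constructed sample profile: one entry copied from the table, one deliberately loose.
REQ = ('identifier "com.deepinstinct.UIService" and anchor apple generic and '
       'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
       'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
       'certificate leaf[subject.OU] = "MV9BR98H24"')
GOOD = {"Identifier": "com.deepinstinct.UIService", "IdentifierType": "bundleID",
        "CodeRequirement": REQ, "Allowed": True}
LOOSE = {"Identifier": "com.example.tool", "IdentifierType": "bundleID",
         "CodeRequirement": "anchor apple generic", "Allowed": True}
SAMPLE = plistlib.dumps({"PayloadContent": [
    {"PayloadType": "com.apple.TCC.configuration-profile-policy",
     "Services": {"SystemPolicyAllFiles": [GOOD, LOOSE]}},
    {"PayloadType": "com.apple.system-extension-policy",
     "AllowedTeamIdentifiers": [TEAM_ID]}]})
```

Call `audit_profile()` on the bytes of the profile exported from your MDM; an empty list means every entry matched.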
If you have any questions about this, please contact us at support@addigy.com