This article explains how to deploy Deep Instinct using Addigy, including how to deploy the Full Disk Access configuration.
Warning: Please deploy your Full Disk Access MDM configuration before deploying the software.
Creating the Custom Software Item
First, upload the Deep Instinct DMG into Addigy as seen below:
Here is an example of how your script would look. There are a few things to look out for, which are noted after the script.
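# Create the Deep Instinct support directory if it does not already exist
[ -d "/Library/Application Support/Deep Instinct" ] || mkdir "/Library/Application Support/Deep Instinct"
# Keep a copy of the DMG in the support directory
cp -R "3.1.0.104_Deepinstinct (1).dmg" "/Library/Application Support/Deep Instinct/"
# Mount the DMG from the Addigy package directory without showing it in Finder
hdiutil attach -nobrowse "/Library/Addigy/ansible/packages/Deep Instinct (1.0)/3.1.0.104_Deepinstinct (1).dmg"
# Run the installer with your Deep Instinct link and token
sudo "/Volumes/Deep Instinct/installer.sh" YOUR_LINK_HERE.deepinstinctweb.com -token YOUR_TOKEN_HERE
# Unmount the DMG once the installer has finished
hdiutil detach "/Volumes/Deep Instinct/"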
A few things to note:
1. Be sure that you're using the correct paths in your custom software. For example, the name of my Deep Instinct file is "3.1.0.104_Deepinstinct (1).dmg", but yours might be different. Substitute the correct file name and version as needed.
2. Please replace "YOUR_LINK_HERE.deepinstinctweb.com" with your Deep Instinct link. It should end in deepinstinctweb.com.
3. Please replace "YOUR_TOKEN_HERE" with the token that you get from Deep Instinct.
Configuring Full Disk Access
In order to configure Full Disk Access, you need a few items to be whitelisted.
First, create an MDM configuration by going to Policies>Catalog>MDM configurations>Privacy Preferences Policy Control.
Next, you'll be configuring the "Access to Protected Files" and "Access to System Admin Files" fields. Below you will find the information to paste into both fields.
Identifier | Identifier Type | Code Requirement | Static Code | Allowed |
com.deepinstinct.InstallerPermissionsPlugIn | BundleID | identifier "com.deepinstinct.InstallerPermissionsPlugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.InstallerSettingsPugIn | BundleID | identifier "com.deepinstinct.InstallerSettingsPugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.UIService | BundleID | identifier "com.deepinstinct.UIService" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.DeepInstinctUtility | BundleID | identifier "com.deepinstinct.DeepInstinctUtility" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
/Library/DeepInstinct/Executables/DeepInstinctClassifier | Path | anchor apple generic and identifier DeepInstinctClassifier and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MV9BR98H24) | n/a | Yes |
com.DeepInstinct.DeepInstinctAgent | BundleID | identifier "com.DeepInstinct.DeepInstinctAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.mng | BundleID | anchor apple generic and identifier "com.deepinstinct.mng" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24") | n/a | Yes |
com.deepinstinct.InstallerSystemExtPermissionPlugIn | BundleID | identifier "com.deepinstinct.InstallerSystemExtPermissionPlugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" | n/a | Yes |
com.deepinstinct.at | BundleID | anchor apple generic and identifier "com.deepinstinct.at" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24") | n/a | Yes |
com.deepinstinct.DeepInstinctUtility.Extension |
identifier "com.deepinstinct.DeepInstinctUtility.Extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MV9BR98H24 |
When all is configured, it should look like this:
Creating the System Extension
Deep Instinct will also need to have System Extension whitelisting.
You can make this by navigating to Policies>MDM configurations>System Extension.
Here is what you'll enter: MV9BR98H24
When you're done, it should look like the below:
After adding and deploying this configuration to your policies, you may proceed with deploying the software!
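Once the software is deployed, you can confirm on a device that the installed classifier satisfies the code requirement that was granted Full Disk Access above, and that it is signed under the same Team ID entered for the System Extension. The script below is an added example, not Addigy or Deep Instinct code; the function names and the sample codesign output are constructed for illustration.

```shell
#!/bin/bash
# Added example: post-install signature check for the Deep Instinct classifier.
EXPECTED_TEAM_ID="MV9BR98H24"   # Team ID used in the PPPC table and System Extension config
CLASSIFIER="/Library/DeepInstinct/Executables/DeepInstinctClassifier"   # path from the PPPC table
# Code requirement for the classifier, copied from the PPPC table on this page.
CLASSIFIER_REQ='anchor apple generic and identifier DeepInstinctClassifier and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MV9BR98H24)'

# Constructed sample of `codesign -dvv` output, so the parser can be tried off a Mac.
SAMPLE_CODESIGN_OUTPUT='Executable=/Library/DeepInstinct/Executables/DeepInstinctClassifier
Identifier=DeepInstinctClassifier
TeamIdentifier=MV9BR98H24'

# Print the TeamIdentifier found in codesign output on stdin.
# Prints nothing for ad hoc signed code ("TeamIdentifier=not set").
team_id_from_codesign() {
  awk -F= '$1 == "TeamIdentifier" && $2 != "not set" { print $2; exit }'
}

# Return 0 only if the codesign output on stdin names the expected Team ID.
team_id_matches() {
  local found
  found="$(team_id_from_codesign)"
  [ -n "$found" ] && [ "$found" = "$EXPECTED_TEAM_ID" ]
}

# Check one installed file against the requirement it was allowed under.
verify_component() {
  local path="$1" req="$2"
  [ -e "$path" ] || { echo "MISSING    $path"; return 2; }
  # -R="..." tests the signature against the given requirement text.
  codesign --verify --strict -R="$req" "$path" 2>/dev/null \
    || { echo "REQ FAILED $path"; return 1; }
  # codesign -d writes its report to stderr, hence 2>&1.
  codesign -dvv "$path" 2>&1 | team_id_matches \
    || { echo "WRONG TEAM $path"; return 1; }
  echo "OK         $path"
}

if command -v codesign >/dev/null 2>&1; then
  verify_component "$CLASSIFIER" "$CLASSIFIER_REQ"
else
  # Not on macOS: exercise the parser against the constructed sample only.
  printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | team_id_matches && echo "sample parses to $EXPECTED_TEAM_ID"
fi
```

A REQ FAILED or WRONG TEAM result means the file at that path is not the binary your Full Disk Access entry was written for, and should be investigated before the device is trusted.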
If you have any questions about this, please contact us at support@addigy.com