FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint across Windows, macOS and Linux.
Anthony_E
Community Manager
Article Id 353670
Description This article describes how to deploy macOS agents using Mobile Device Management (MDM) solutions.
Scope FortiDLP.
Solution

The Reveal Agent for macOS is provided as a .pkg file that can be installed with a fleet management/MDM solution in much the same way as any other macOS application. There are, however, some additional steps required to ensure maximum visibility and to minimize the user interaction required.

 

All MDM profiles can be found within the agent-accessory.zip bundle file on the Agent Downloads page.

 

Installation considerations

  • System extension support (Big Sur or later), including:
    • MDM extension approval.
    • Network extension (web filtering) approval.
    • Endpoint Security extension (file access) approval.
  • Kernel extension approval (Catalina or earlier).
  • MDM profiles for browser extension support and optional configuration:
    • Private browsing support.
    • DNS-over-HTTPS functionality.
  • Primary application (.pkg) installation.
  • Agent enrollment after installation.
  • macOS Privacy and Security prompts.

 

The purpose of this article is to outline these considerations in a tool-agnostic manner so that customers can configure their existing fleet management tools in line with their MDM vendor's documentation.

 

System Extension settings (Big Sur or later):

Before installing the .pkg file, approve the macOS System Extensions and their associated settings by pushing the attached MDM profile, systemExtensions.mobileconfig. If the profile is not in place first, the extensions are not loaded silently and the user is prompted to allow them.

 

Kernel Extension settings (Catalina or earlier):

Fortinet does not currently provide an MDM profile for approving legacy kernel extensions, but most MDM tools can build one from the existing team and bundle identifiers:

 

Team Identifier: JE7N8449S9

Bundle Identifier: uk.ava.reveal.Reveal-Agent
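The following is an added example, not a Fortinet-supplied profile: a shell script that builds a kernel-extension approval profile from the two identifiers above using Apple's kernel-extension policy payload (PayloadType com.apple.syspolicy.kernel-extension-policy with the AllowedTeamIdentifiers and AllowedKernelExtensions keys). The display name, the com.example payload identifiers and the UUID generation are assumptions. One caveat applies regardless of MDM tool: macOS only honours this payload when it arrives through a user-approved MDM enrollment; a profile installed by hand does not approve kernel extensions.

```shell
#!/bin/sh
# Added example (not from Fortinet): generate a kernel-extension policy
# .mobileconfig that pre-approves the Reveal Agent kext on Catalina or earlier.
# Assumed placeholders: the com.example identifiers and the display name.
set -eu

# Random UUID for the PayloadUUID fields; falls back to the kernel's generator.
new_uuid() {
    uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

# Emit a profile that allows kext bundle $2 from Apple team $1 without a user
# override prompt. Usage: kext_policy_profile TEAM BUNDLE > out.mobileconfig
kext_policy_profile() {
    team="$1"; bundle="$2"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>PayloadIdentifier</key>
      <string>com.example.reveal.kext-policy.payload</string>
      <key>PayloadUUID</key>
      <string>$(new_uuid)</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>AllowUserOverrides</key>
      <false/>
      <key>AllowedTeamIdentifiers</key>
      <array>
        <string>$team</string>
      </array>
      <key>AllowedKernelExtensions</key>
      <dict>
        <key>$team</key>
        <array>
          <string>$bundle</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Reveal Agent kernel extension approval</string>
  <key>PayloadIdentifier</key>
  <string>com.example.reveal.kext-policy</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>$(new_uuid)</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# Syntax-check the result with whichever plist/XML linter is available
# (plutil on macOS; xmllint elsewhere). Malformed profiles fail silently in MDM.
lint_profile() {
    if command -v plutil >/dev/null 2>&1; then plutil -lint "$1"
    elif command -v xmllint >/dev/null 2>&1; then xmllint --noout "$1"
    fi
}

case "${1:-}" in
    build)
        # Identifiers from the article: Team ID JE7N8449S9, kext bundle ID uk.ava.reveal.Reveal-Agent
        kext_policy_profile JE7N8449S9 uk.ava.reveal.Reveal-Agent > reveal-kext.mobileconfig
        lint_profile reveal-kext.mobileconfig
        ;;
esac
```

Run it as `sh build-kext-profile.sh build` and upload the resulting reveal-kext.mobileconfig to the MDM tool as a device-level (System scope) profile, pushed before the .pkg is installed.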

 

Browser Extension settings:

All browser extension installation profiles can be found within the agent-accessory.zip bundle file on the Agent Downloads page.

The relevant included files are:

  • browserInstall.mobileconfig: Used to install all browser extensions on all supported browsers.
  • dnsOverHttps.mobileconfig: Used to disable DNS-over-HTTPS settings (Optional).
  • privateBrowsing.mobileconfig: Used to disable private browsing (Optional).
  • uninstallFirefoxExtension.mobileconfig: See below.

 

Extension installation:

Installing the browserInstall.mobileconfig MDM profile adds the Reveal browser extension to the force-installed extension list for all supported browsers. To exclude specific browsers, edit this file before uploading it to the MDM tool.

 

For customers who already use an MDM profile to manage other browser settings, such as extension installation or block lists, we recommend taking the relevant settings from browserInstall.mobileconfig and incorporating them into the existing profiles. The important parts to include are:

 

Firefox:

PayloadType =

  • org.mozilla.firefox

<key>EnterprisePoliciesEnabled</key>
<true/>
<key>ExtensionSettings</key>
<dict>
  <key>browser-extension@jazznetworks.com</key>
  <dict>
    <key>installation_mode</key>
    <string>force_installed</string>
    <key>install_url</key>
    <string>file:///Library/Application%20Support/Ava/Reveal/browser-extension@jazznetworks.com.xpi</string>
  </dict>
</dict>

 

Chrome, Chrome Canary, Brave, Vivaldi:

Payload Types =

  • com.google.Chrome
  • com.google.Chrome.canary
  • com.brave.Browser
  • com.vivaldi.Vivaldi

<key>ExtensionInstallForcelist</key>
<array>
  <string>gbojkjpincgojijodbnliimgeggnomai</string>
</array>
<key>NativeMessagingUserLevelHosts</key>
<false/>

 

Edge:

PayloadType =

  • com.microsoft.Edge

<key>ExtensionInstallForcelist</key>
<array>
  <string>ngpldaehnklbpdkphcjafbhajnklkiki</string>
</array>
<key>NativeMessagingUserLevelHosts</key>
<false/>

 

For further details of the full settings and Identifiers, please see browserInstall.mobileconfig in the Agent Accessory Bundle.

 

DNS-over-HTTPS support:

By default, installing the browser extension(s) does not modify DNS-over-HTTPS settings. Installing this profile explicitly disables DNS-over-HTTPS support in the supported browsers.

 

Private Browsing:

By default, installing the Reveal extension does not disable private browsing modes. As the Reveal extension cannot monitor events in these modes, customers may choose to install this profile, which explicitly disables private browsing.

 

Firefox Extension removal:

Required when removing the Reveal Agent after the Firefox extension has been installed. Extensions in the other browsers can be removed simply by removing the browserInstall.mobileconfig profile.

 

PKG installation:

After all appropriate MDM profiles have been pushed to a machine, the Reveal Agent can be installed via the existing "Application install" mechanism of the fleet management tool. In some cases, for example Microsoft Endpoint Manager, it may be necessary to use a shell script to invoke the macOS installer directly with the .pkg file, as the target root folder (/) is not always supported.

 

Example shell script:

 

# Fetch the package from an internal web server (-f fails on an HTTP error instead of saving the error page as the .pkg), then run the macOS installer against the root volume.
curl -fsSL -o /tmp/reveal-agent.pkg 'https://<local-web-server>/jazznetworks.pkg'
sudo installer -pkg /tmp/reveal-agent.pkg -target /

 

Enrollment after installation:

Once the Reveal Agent has been installed, the final step is to enroll the agent using a one-line shell command that contains either an enrollment code or a bundle file. This can be combined with the installation script above if desired.
 

sudo /Library/Application\ Support/Ava/Reveal/agent/agent enroll <enroll-code>
