MDM Deployment
Note: MDM deployment requires the Enterprise Edition.
Automated deployment of Aquilon DLP via Mobile Device Management (MDM) for enterprise macOS fleets.
Overview
MDM deployment enables:
- Zero-touch provisioning of Full Disk Access permissions
- Automated app installation across hundreds/thousands of Macs
- Centralized configuration and compliance enforcement
- Silent deployment without user interaction
Why MDM?
Aquilon DLP uses the macOS Endpoint Security framework. An ES client must carry the endpoint-security entitlement and be granted Full Disk Access (FDA), and FDA is never obtained through a user prompt: it is granted either by hand in System Settings or by an MDM-delivered PPPC profile. In enterprise environments:
- Manual FDA grants don’t scale
- Users may skip or misconfigure permissions
- Compliance requires consistent deployment
MDM solves this by deploying PPPC (Privacy Preferences Policy Control) profiles that grant FDA to the app’s bundle ID and code requirement with no user interaction, before the app is ever launched.
Prerequisites
- MDM Platform: Jamf Pro, Microsoft Intune, Kandji, SimpleMDM, or compatible
- macOS Version: 11.0 (Big Sur) or later
- Signed App Bundle: Developer ID-signed, with the Endpoint Security entitlement (com.apple.developer.endpoint-security.client), a restricted entitlement that Apple must grant to your team before it can be included in a provisioning profile
- Admin Access: MDM console with profile deployment permissions
- Enrolled Devices: Target Macs enrolled in your MDM
Before You Begin
- Verify that your signed app bundle has the expected code requirement. Run this against the exact bundle you will ship: the designated requirement embeds the signing identity, so a bundle signed with a different certificate (for example a local debug build) will not match the profile.
  ```bash
  ./scripts/extract_code_requirement.sh target/debug/aquilon-dlp.app
  ```
- Create a pilot group (10-50 devices) for initial testing
- Document your rollback plan in case of issues
Deployment Process
The deployment follows three phases, always in this order:
- Deploy PPPC Profile - Grants Full Disk Access permission
- Wait for Confirmation - Verify profile installation
- Deploy App - Install after FDA is granted
Critical: Deploy the profile BEFORE the app. TCC evaluates a PPPC grant at access time against the bundle ID and code requirement in the profile, so installing the app first does not break anything permanently, but the app will fail to create its Endpoint Security client on every launch until the profile lands. Deploying the profile first means the first launch succeeds and no remediation is needed.
Jamf Pro
Step 1: Upload PPPC Profile
- Navigate to: Computers > Configuration Profiles > + New
- Configure:
  - Display Name: Aquilon DLP - Full Disk Access
  - Category: Security
  - Distribution Method: Install Automatically
- Click the Privacy Preferences Policy Control payload
- Click Upload and select deployment/mdm/pppc-jamf.mobileconfig
- Verify the imported settings:
  - Identifier: dev.aquilon.dlp-plugin
  - Identifier Type: Bundle ID
  - Code Requirement: the designated requirement of your signed bundle (the output of codesign -dr -)
  - System Policy All Files: Allow
Step 2: Scope and Deploy
- Click Scope tab
- Add target computer groups (start with pilot group)
- Click Save
Jamf pushes configuration profiles through an MDM command (APNs) as soon as the device is online, usually within minutes; allow 15-30 minutes for devices that are asleep or offline. The app policy in Step 4 runs at the next check-in instead (15 minutes by default).
Step 3: Verify Installation
On target Mac:
```bash
sudo profiles list | grep -i aquilon
# Expected: com.aquilonsecurity.dlp.pppc.jamf
```
Step 4: Package and Deploy App
- Create a PKG installer. The upload step below expects a signed package, so pass --sign with your Developer ID Installer identity (the identity name shown is a placeholder):
  ```bash
  pkgbuild --root /path/to/aquilon-dlp.app \
    --identifier dev.aquilon.dlp-plugin \
    --version 0.1.0 \
    --install-location "/Library/Application Support/aquilon-dlp.app" \
    --sign "Developer ID Installer: Your Org (TEAMID)" \
    aquilon-dlp-0.1.0.pkg
  ```
- Upload to Jamf:
  - Settings > Computer Management > Packages > + New
  - Upload the signed package
- Create an installation policy:
  - Computers > Policies > + New
  - Add the package with the Install action
  - Scope to the same groups as the PPPC profile
Timeline
| Event | Timing |
|---|---|
| Profile propagates | Minutes via APNs push; up to 15-30 minutes for offline devices |
| App installs | Next check-in after the profile (15 minutes by default; allow 15-30) |
| Total | ~30-60 minutes typical; allow up to 90 for devices that miss a check-in |
Microsoft Intune
Step 1: Upload PPPC Profile
- Navigate to: Devices > macOS > Configuration profiles > + Create profile
- Select:
  - Platform: macOS
  - Profile type: Templates > Custom
- Configure:
  - Name: Aquilon DLP - Full Disk Access
  - Configuration profile file: upload deployment/mdm/pppc-intune.mobileconfig
  - Deployment channel: Device channel (PPPC payloads are not applied on the user channel)
Step 2: Assign to Devices
- Click the Assignments tab
- Add target Microsoft Entra ID (formerly Azure AD) device groups
- Optionally add a filter for macOS 11.0+
Step 3: Package App for Intune
Line-of-business apps are uploaded as .intunemac files, produced from the signed .pkg (not the .app) by the Intune App Wrapping Tool. -c is the source package, -o is an output directory, and -v turns on verbose logging; it is not a version flag. Newer tenants can instead upload the signed .pkg directly with the macOS app (PKG) app type, which skips the wrapper.
```bash
# Download the Intune App Wrapping Tool from:
# https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac
./IntuneAppUtil -c aquilon-dlp-0.1.0.pkg \
  -o ./intune-out \
  -v
# Output: a .intunemac file in ./intune-out
```
Step 4: Deploy App
- Navigate to: Apps > macOS > + Add
- App type: Line-of-business app
- Upload the .intunemac file
- Configure app information
- Assign to the same device groups as the profile
Note: Wait 24 hours after profile deployment before deploying the app, or use dynamic groups so the app is assigned only to devices that already report the profile.
Timeline
| Event | Timing |
|---|---|
| Profile propagates | 1-8 hours |
| App installs | 1-8 hours after profile |
| Total | ~2-16 hours |
Tip: Force sync via Company Portal > Settings > Sync to speed up check-ins.
Kandji
Step 1: Create Custom Profile
- Navigate to: Library > Custom Profiles > + Add Profile
- Configure:
  - Name: Aquilon DLP - Full Disk Access
  - Upload deployment/mdm/pppc-kandji.mobileconfig
  - Enforcement: Deploy Always
- Assign to target blueprints
Step 2: Create Custom App
- Navigate to: Library > Custom Apps > + Add App
- Upload the PKG installer
- Configure:
  - Install Type: Package
  - Run as: System
- Set the PPPC profile as a dependency (optional but recommended)
- Assign to the same blueprints
Timeline
| Event | Timing |
|---|---|
| Profile propagates | 15-60 minutes |
| App installs | 15-60 minutes after profile |
| Total | ~30-120 minutes |
Generic MDM
For SimpleMDM, FileWave, Mosyle, or other platforms:
Profile Deployment
- Download deployment/mdm/pppc-generic.mobileconfig
- Upload it to your MDM’s configuration profile section. The PPPC payload only takes effect when the MDM delivers it; installing the same file locally with profiles install does not grant FDA.
- Assign to target devices/groups
App Deployment
- Package the app as a .pkg installer
- Upload to your MDM’s app distribution
- Deploy after confirming profile installation
Key Configuration
The profile must contain:
- Bundle ID: dev.aquilon.dlp-plugin
- Service: SystemPolicyAllFiles (Full Disk Access)
- Code Requirement: the designated requirement of your signed app, matched exactly
Verification
After deployment, verify on the target Mac:
Check Profile Installation
```bash
sudo profiles list | grep -i aquilon
# Expected: com.aquilonsecurity.dlp.pppc.<mdm>
# Where <mdm> is: jamf, intune, or kandji
```
Check FDA Grant
TCC.db is protected by SIP: sqlite3 can open it only if the terminal (or SSH session or MDM agent) running the query has Full Disk Access itself; root alone is not enough. An "unable to open database file" error means the querying process lacks FDA, not that the grant is missing.
```bash
sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" \
  "SELECT auth_value FROM access
   WHERE service = 'kTCCServiceSystemPolicyAllFiles'
   AND client = 'dev.aquilon.dlp-plugin';"
# Expected: 2 (allowed); no row at all means no grant was applied
```
Check App Function
```bash
sudo "/Library/Application Support/aquilon-dlp.app/Contents/MacOS/aquilon-dlp" \
  --socket /tmp/osquery.sock
```
Expected output:
```
Attempting to initialize Endpoint Security monitoring...
Full Disk Access verified
Endpoint Security client created successfully
Endpoint Security monitoring active
```
Troubleshooting
FDA Not Granted After Installation
Cause: The app launched before the PPPC profile was applied, or the profile never arrived. TCC does not revoke anything based on install order; ES client creation simply fails until a matching grant exists.
Solution:
```bash
# 1. Verify the profile is installed
sudo profiles list | grep aquilon
# 2. If it is present, relaunching the app is enough; for a clean slate, remove the app
sudo rm -rf "/Library/Application Support/aquilon-dlp.app"
# 3. Reinstall via MDM (triggers on next check-in)
```
System Settings Shows FDA Unchecked
Cause: The Full Disk Access list in System Settings can lag behind the TCC database, and an MDM-managed entry is displayed locked (not user-editable).
Solution: Trust the TCC database query. If auth_value = 2, FDA IS granted.
Warning: Do not toggle or remove the entry by hand in System Settings; the MDM-managed grant is authoritative.
“Failed to create ES client” Error
Causes and solutions:
- FDA not granted: check the TCC database (see above)
- Not running as root: run with sudo
- ES entitlement missing: the binary must carry com.apple.developer.endpoint-security.client. Check the code signature:
  ```bash
  codesign -d --entitlements - "/Library/Application Support/aquilon-dlp.app"
  ```
Code Requirement Mismatch
Symptom: Profile installed but TCC has no entry
Solution:
- Extract the app’s actual designated requirement (codesign prints it on stderr):
  ```bash
  codesign -dr - "/Library/Application Support/aquilon-dlp.app"
  # designated => <requirement string>
  ```
- Update the profile’s CodeRequirement to match it exactly
- Redeploy the profile and reinstall the app
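The check and fix above, and the Key Configuration list in the Generic MDM section, can be automated. The script below is an added example for this page, not the project’s own tooling and not its deployment/mdm/*.mobileconfig files: it builds a PPPC profile that grants Full Disk Access to dev.aquilon.dlp-plugin from a supplied designated requirement, and it checks an existing profile for the things that must be right (system scope, the bundle ID, an exact CodeRequirement match, and an actual grant). The bundle ID and the com.aquilonsecurity.dlp.pppc identifier prefix come from this page; the organization name and the app_code_requirement helper that shells out to codesign are assumptions. Even a correct profile only takes effect when the MDM delivers it.

```python
#!/usr/bin/env python3
"""Build and check a PPPC profile granting Full Disk Access to Aquilon DLP.

Added example for this page, not the project's deployment/mdm/*.mobileconfig.
Assumptions: bundle ID and profile identifier prefix come from the page; the
organization name and the codesign helper are illustrative.
"""
import plistlib
import subprocess
import sys
import uuid

BUNDLE_ID = "dev.aquilon.dlp-plugin"
PROFILE_PREFIX = "com.aquilonsecurity.dlp.pppc"
PPPC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
SERVICE = "SystemPolicyAllFiles"  # PPPC service name for Full Disk Access


def build_pppc_profile(code_requirement, mdm="generic", org="Aquilon Security"):
    """Return the profile as a dict in Apple's configuration-profile layout."""
    entry = {
        "Identifier": BUNDLE_ID,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement.strip(),
        "Allowed": True,      # grant; FDA is never prompted for, only granted
        "StaticCode": False,  # validate the running code, not just the on-disk bundle
    }
    payload = {
        "PayloadType": PPPC_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_PREFIX}.{mdm}.tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Aquilon DLP - Full Disk Access",
        "PayloadOrganization": org,
        "Services": {SERVICE: [entry]},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # PPPC is honoured only at system scope
        "PayloadIdentifier": f"{PROFILE_PREFIX}.{mdm}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Aquilon DLP - Full Disk Access",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def profile_to_bytes(profile):
    """Serialize to the XML plist that MDMs accept as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_pppc_profile(profile_bytes, code_requirement):
    """Return a list of problems; an empty list means the profile grants FDA
    to exactly the expected bundle ID and code requirement."""
    problems = []
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System")
    entries = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PPPC_PAYLOAD:
            entries.extend(payload.get("Services", {}).get(SERVICE, []))
    if not entries:
        problems.append(f"no {SERVICE} entry in any PPPC payload")
    for e in entries:
        if e.get("IdentifierType") != "bundleID" or e.get("Identifier") != BUNDLE_ID:
            problems.append(f"entry targets {e.get('Identifier')!r}, expected {BUNDLE_ID!r}")
        if e.get("CodeRequirement", "").strip() != code_requirement.strip():
            problems.append("CodeRequirement does not match the signed app (TCC will write no entry)")
        if not (e.get("Allowed") is True or e.get("Authorization") == "Allow"):
            problems.append("entry does not grant access")
    return problems


def app_code_requirement(app_path):
    """Designated requirement of a signed bundle via codesign (macOS only);
    codesign reports it on stderr as 'designated => ...'."""
    out = subprocess.run(["codesign", "-dr", "-", app_path],
                         capture_output=True, text=True, check=True)
    for line in (out.stdout + out.stderr).splitlines():
        if line.startswith("designated => "):
            return line[len("designated => "):].strip()
    raise ValueError(f"no designated requirement reported for {app_path}")


if __name__ == "__main__":
    # Usage on a Mac with the app installed: python3 gen_pppc.py jamf
    mdm = sys.argv[1] if len(sys.argv) > 1 else "generic"
    req = app_code_requirement("/Library/Application Support/aquilon-dlp.app")
    data = profile_to_bytes(build_pppc_profile(req, mdm=mdm))
    problems = check_pppc_profile(data, req)
    if problems:
        sys.exit("\n".join(problems))
    with open(f"pppc-{mdm}.mobileconfig", "wb") as f:
        f.write(data)
    print(f"wrote pppc-{mdm}.mobileconfig for requirement: {req}")
```

Run it on a Mac that has the shipping bundle installed to regenerate the profile for a given MDM, or call check_pppc_profile against the bytes of an existing .mobileconfig before uploading it; a CodeRequirement finding is exactly the mismatch this troubleshooting item describes.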
Profile Won’t Install
Solutions:
- Validate the profile:
  ```bash
  plutil -lint deployment/mdm/pppc-*.mobileconfig
  ```
- Check device enrollment status (sudo profiles status -type enrollment)
- Remove conflicting profiles. A profile that came from the MDM has to be removed from the MDM console; profiles remove only works for locally installed copies:
  ```bash
  # Replace <mdm> with: jamf, intune, or kandji
  sudo profiles remove -identifier com.aquilonsecurity.dlp.pppc.<mdm>
  ```
Diagnostic Script
Save this script and run it with sudo on the target Mac, from a terminal that itself has Full Disk Access (otherwise the TCC.db read fails even as root):
```bash
#!/bin/bash
# FDA Troubleshooting Diagnostic
APP="/Library/Application Support/aquilon-dlp.app"
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"

# Listing device profiles and reading TCC.db both need root
if [ "$(id -u)" -ne 0 ]; then
  echo "Run as root: sudo $0" >&2
  exit 1
fi

echo "=== Aquilon DLP FDA Diagnostic ==="
echo
echo "1. Profile Installation:"
profiles list 2>/dev/null | grep -q "com.aquilonsecurity.dlp.pppc" && \
  echo "✓ Profile installed" || echo "✗ Profile NOT installed (check for .jamf/.intune/.kandji suffix)"

echo "2. TCC Database Entry:"
AUTH=$(sqlite3 "$TCC_DB" \
  "SELECT auth_value FROM access WHERE service = 'kTCCServiceSystemPolicyAllFiles'
   AND client = 'dev.aquilon.dlp-plugin';" 2>/dev/null)
if [ "$AUTH" = "2" ]; then
  echo "✓ FDA granted"
elif [ -z "$AUTH" ]; then
  echo "✗ No TCC entry (profile not applied, code requirement mismatch, or this terminal lacks FDA to read TCC.db)"
else
  echo "✗ FDA NOT granted (auth_value=$AUTH)"
fi

echo "3. App Bundle:"
[ -d "$APP" ] && echo "✓ App installed" || echo "✗ App NOT installed"

echo "4. Code Signature:"
codesign --verify --deep --strict "$APP" 2>/dev/null && \
  echo "✓ Valid signature" || echo "✗ Invalid signature"

echo "5. ES Entitlement:"
codesign -d --entitlements - "$APP" 2>&1 | \
  grep -q "com.apple.developer.endpoint-security.client" && \
  echo "✓ ES entitlement present" || echo "✗ ES entitlement missing"

echo "=== End Diagnostic ==="
```
Best Practices
Staged Rollout
- Pilot (Week 1): Deploy to IT/security team (10-50 devices)
- Early Adopters (Week 2): Expand to 100-500 devices
- Production (Week 3+): Roll out to all devices
Smart Groups
Create groups to track deployment status:
- Profile Installed: Devices with PPPC profile
- App Installed: Devices with app bundle
- Needs Remediation: App installed but FDA not granted
Remediation Policy
Create automated remediation for FDA issues:
- Detect: App installed but FDA not in TCC
- Action: Remove app, trigger reinstall
- Monitor: Alert on repeated failures
Next Steps
- Fleet monitoring: See Enterprise Deployment for large-scale management
- Troubleshooting: Refer to Troubleshooting for detailed solutions
- Support: Contact support@aquilonsecurity.com for deployment assistance