Applies To:
Venafi Enterprise Mobility Protect Agent 18.2+ for macOS
Summary:
Before pushing the User Agent for macOS to your organization, you may want to minimize end-user input by pre-configuring the registration data, or disable some functionality.
To pre-configure the User Agent for macOS, an Apple code-signing certificate is required to sign the application after customer-specific changes are applied. The User Agent's configuration is stored in the application bundle, in the DefaultPreferences.plist file.
Pre-configure User Agent for macOS:
Open <Venafi Enterprise Mobility Protect Agent.app>/Contents/Resources/Mac/DefaultPreferences.plist in your favorite text editor.
You can modify the following properties:
Property | Type | Default value | Introduced in version | Description | Example |
Client API URL | String | (empty string) | 16.4 | Server URL. The URL of the Trust Protection Platform VEDClient. | https://tpp.example.com/vedclient |
Disallow Modify Server Url | Boolean | false | 18.2 | Allow/disallow the end user to modify the Server URL. | false |
Enrollment Password | String | (empty string) | 16.4 | The password needed to register the User Agent to Trust Protection Platform. | MyRegistrationPassword |
Disallow Modify Password Or Secret | Boolean | false | 18.2 | Allow/disallow the end user to modify the enrollment password. | false |
Automatic Update Check | Boolean | false | 18.2 | Enable or disable automatic software update for the User Agent. For more information go to Publishing User Agent software updates. | false |
SUFeedURL | String | (empty string) | 18.2 | The URL of the software update server pointing to the AppCast XML file. If automatic software update is enabled this URL must be specified. | https://updates.example.com/macOS/release.xml |
Update Check Interval | Integer (Seconds) | 604800 (7 days) | 16.4 | How often the User Agent will check for software updates. | 604800 |
SUPublicDSAKeyFile | String | SUPublicDSAKey.pem | 18.2 | Relative or full path to the public key used for verification of the software update integrity. | SUPublicDSAKey.pem |
Hide Update Preference | Boolean | false | 18.2 | Display or hide the "Update" tab in "Preferences" window. If automatic software update is disabled, you can hide the "Update" tab. | true |
Retry Interval | Integer (Seconds) | 86400 (1 day) | 16.4 | The User Agent retry time interval for failed check-in operation. | 86400 |
Check-In Interval | Integer (Minutes) | 1440 (1 day) | 16.4 | How often the User Agent will perform check-in operation. | 1440 |
LogLevel | Enumerate (Disabled, Error, Warning, and Information) | Warning | 16.4 | The logging level of the User Agent. | Information |
Start At Login | Boolean | true | 18.2 | Whether or not to start the User Agent after successful OS login. | true |
BW Status Icon | Boolean | true | 18.2 | Whether or not to use Black & White Venafi icon. | true |
EULAAccepted | Boolean | false | 18.2 | Applicable only for User Agent for macOS. Whether or not the End User License Agreement is accepted. | false |
Notifications Disabled | Boolean | false | 18.2 | Whether or not the notifications for newly installed certificates are enabled. | false |
Hide Account Preference | Boolean | false | 18.2 | Applicable only for User Agent for Windows. Display or hide the "Account" tab in "Preferences" window. If the User Agent will be deployed on domain-joined Windows device, you can hide the "Account" tab. | true |
Client Id | String | (empty string) | 16.4 | Read only property. The unique ID of the client installation. | Client+Default:11:162 |
Initial Setup Complete | Boolean | false | 18.2 | Applicable only in case of non-domain joined Windows and macOS devices. Whether or not the initial configuration is completed. | true |
Send Status As Notifications | Boolean | false | 18.2 | All messages sent to the log are also displayed as Notifications. Use only for troubleshooting. | true |
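A pre-signing check of the constraints in the table above, as an added example (not Venafi's code). It assumes the plist key names are identical to the property names listed and that LogLevel is stored as a string; the https-only rule is a policy choice of this example, and the sample plist is constructed.

```python
import plistlib
from urllib.parse import urlparse

# Types from the property table; key names are ASSUMED to equal property names.
TYPES = {
    "Client API URL": str, "SUFeedURL": str, "Enrollment Password": str,
    "LogLevel": str, "Automatic Update Check": bool,
    "Send Status As Notifications": bool, "Update Check Interval": int,
    "Retry Interval": int, "Check-In Interval": int,
}
LOG_LEVELS = {"Disabled", "Error", "Warning", "Information"}
READ_ONLY = {"Client Id"}  # documented as a read-only property

def apply_overrides(plist_bytes, overrides):
    """Return new plist bytes with overrides applied; refuse read-only keys."""
    blocked = READ_ONLY & set(overrides)
    if blocked:
        raise ValueError(f"read-only properties: {sorted(blocked)}")
    prefs = plistlib.loads(plist_bytes)
    prefs.update(overrides)
    return plistlib.dumps(prefs)

def lint(plist_bytes):
    """Return a list of problems to resolve before signing the bundle."""
    prefs = plistlib.loads(plist_bytes)
    problems = []
    for key, typ in TYPES.items():
        # type() rather than isinstance(): bool is a subclass of int in Python
        if key in prefs and type(prefs[key]) is not typ:
            problems.append(f"{key}: expected {typ.__name__}")
    level = prefs.get("LogLevel")
    if isinstance(level, str) and level not in LOG_LEVELS:
        problems.append("LogLevel: not a documented level")
    if prefs.get("Automatic Update Check") is True and not prefs.get("SUFeedURL"):
        problems.append("SUFeedURL: required when Automatic Update Check is true")
    for key in ("Client API URL", "SUFeedURL"):
        url = prefs.get(key)
        # https-only is this example's policy, not a rule stated in the table
        if isinstance(url, str) and url and urlparse(url).scheme != "https":
            problems.append(f"{key}: not an https URL")
    if prefs.get("Send Status As Notifications") is True:
        problems.append("Send Status As Notifications: troubleshooting only")
    return problems

# Constructed sample standing in for the bundled DefaultPreferences.plist.
SAMPLE = plistlib.dumps({"Client API URL": "", "Automatic Update Check": False,
                         "SUFeedURL": "", "LogLevel": "Warning",
                         "Check-In Interval": 1440})
```

Run lint() on the edited file's bytes and sign the bundle only when it returns an empty list.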
Signing the application bundle after making changes to DefaultPreferences.plist
After making changes to the DefaultPreferences.plist file, the application bundle must be signed again. An Apple code-signing certificate is required to sign the application.
Assuming that $VenafiEMPAgentPath is the location of the altered User Agent application bundle, and $DevCertHash is the SHA1 fingerprint of the code-signing certificate, execute the following commands in the terminal of a Mac device:
DevCertHash="1398F1C31E1967742F9B006DFE09679F61AA6BA4" # Replace with the SHA1 hash of your Apple code-signing certificate.
VenafiEMPAgentPath="/Applications/Venafi Enterprise Mobility Protect Agent.app" # Replace with the full path to the modified application bundle.
# Sign the nested frameworks and the login helper first, then the outer bundle last.
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath/Contents/Frameworks/OSLog.framework"
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath/Contents/Frameworks/LetsMove.framework"
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath/Contents/Frameworks/Sparkle.framework"
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath/Contents/Library/LoginItems/MacAJLoginHelper.app"
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath"
If the signing operation is successful, you should see the following output:
/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/LetsMove.framework: replacing existing signature
/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/Sparkle.framework: replacing existing signature
/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Library/LoginItems/MacAJLoginHelper.app: replacing existing signature
/Applications/Venafi Enterprise Mobility Protect Agent.app: replacing existing signature
To verify that the application bundle is signed correctly, you can execute:
/usr/bin/codesign --verify -vvvv --deep "$VenafiEMPAgentPath"
The application bundle is successfully signed if the output is similar to:
--prepared:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--validated:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--prepared:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/LetsMove.framework/Versions/Current/.
--validated:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/LetsMove.framework/Versions/Current/.
--prepared:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/OSLog.framework/Versions/Current/.
--validated:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/OSLog.framework/Versions/Current/.
/Applications/Venafi Enterprise Mobility Protect Agent.app: valid on disk
/Applications/Venafi Enterprise Mobility Protect Agent.app: satisfies its Designated Requirement
Once you have confirmed that the application bundle is signed correctly, you need to compress it. Use the command below:
ditto -c -k --sequesterRsrc --keepParent "$VenafiEMPAgentPath" "Pre-configured Venafi Enterprise Mobility Protect Agent.zip"