How To: Pre-configure the User Agent for macOS and sign the application bundle

Applies To:

Venafi Enterprise Mobility Protect Agent 18.2+ for macOS

Summary:

Before pushing the User Agent for macOS to your organization, you may want to minimize end-user input by pre-configuring the registration data, or to disable some functionality.

To pre-configure the User Agent for macOS, an Apple code-signing certificate is required to sign the application after customer-specific changes are applied. The User Agent's configuration is stored in the application bundle, in the DefaultPreferences.plist file.

Pre-configure User Agent for macOS:

Open <Venafi Enterprise Mobility Protect Agent.app>/Contents/Resources/Mac/DefaultPreferences.plist in your favorite text editor.

You can modify the following properties:

| Property | Type | Default value | Introduced in version | Description | Example |
|---|---|---|---|---|---|
| Client API URL | String | (empty string) | 16.4 | Server URL. The URL of the Trust Protection Platform VEDClient. | https://tpp.example.com/vedclient |
| Disallow Modify Server Url | Boolean | false | 18.2 | Allow/disallow the end user to modify the Server URL. | false |
| Enrollment Password | String | (empty string) | 16.4 | The password needed to register the User Agent to Trust Protection Platform. | MyRegistrationPassword |
| Disallow Modify Password Or Secret | Boolean | false | 18.2 | Allow/disallow the end user to modify the enrollment password. | false |
| Automatic Update Check | Boolean | false | 18.2 | Enable or disable automatic software update for the User Agent. For more information go to Publishing User Agent software updates. | false |
| SUFeedURL | String | (empty string) | 18.2 | The URL of the software update server pointing to the AppCast XML file. If automatic software update is enabled this URL must be specified. | https://updates.example.com/macOS/release.xml |
| Update Check Interval | Integer (Seconds) | 604800 (7 days) | 16.4 | How often the User Agent will check for software updates. | 604800 |
| SUPublicDSAKeyFile | String | SUPublicDSAKey.pem | 18.2 | Relative or full path to the public key used for verification of the software update integrity. | SUPublicDSAKey.pem |
| Hide Update Preference | Boolean | false | 18.2 | Display or hide the "Update" tab in "Preferences" window. If automatic software update is disabled, you can hide the "Update" tab. | true |
| Retry Interval | Integer (Seconds) | 86400 (1 day) | 16.4 | The User Agent retry time interval for failed check-in operation. | 86400 |
| Check-In Interval | Integer (Minutes) | 1440 (1 day) | 16.4 | How often the User Agent will perform check-in operation. | 1440 |
| LogLevel | Enumerate (Disabled, Error, Warning, and Information) | Warning | 16.4 | The logging level of the User Agent. | Information |
| Start At Login | Boolean | true | 18.2 | Whether or not to start the User Agent after successful OS login. | true |
| BW Status Icon | Boolean | true | 18.2 | Whether or not to use Black & White Venafi icon. | true |
| EULAAccepted | Boolean | false | 18.2 | Applicable only for User Agent for macOS. Whether or not the End User License Agreement is accepted. | false |
| Notifications Disabled | Boolean | false | 18.2 | Whether or not the notifications for newly installed certificates are enabled. | false |
| Hide Account Preference | Boolean | false | 18.2 | Applicable only for User Agent for Windows. Display or hide the "Account" tab in "Preferences" window. If the User Agent will be deployed on domain-joined Windows device, you can hide the "Account" tab. | true |
| Client Id | String | (empty string) | 16.4 | Read only property. The unique ID of the client installation. | Client+Default:11:162 |
| Initial Setup Complete | Boolean | false | 18.2 | Applicable only in case of non-domain joined Windows and macOS devices. Whether or not the initial configuration is completed. | true |
| Send Status As Notifications | Boolean | false | 18.2 | All messages sent to the log are also displayed as Notifications. Use only for troubleshooting. | true |
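A pre-deployment check of the edited file, added here as an example (it is not Venafi's code). It assumes DefaultPreferences.plist is a flat dictionary keyed by the property names above and that LogLevel is stored as a string; the function names, finding codes and the HTTPS check are this example's own. Because an embedded Enrollment Password can be read by anyone who can read the bundle or its zip, the check reports that as well.

```python
import plistlib
from urllib.parse import urlparse

LOG_LEVELS = {"Disabled", "Error", "Warning", "Information"}
# Constructed sample; assumes a flat dictionary keyed by property name.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Client API URL</key><string>http://tpp.example.com/vedclient</string>
  <key>Enrollment Password</key><string>MyRegistrationPassword</string>
  <key>Automatic Update Check</key><true/>
  <key>SUFeedURL</key><string></string>
  <key>LogLevel</key><string>Verbose</string>
  <key>Send Status As Notifications</key><true/>
  <key>Client Id</key><string>Client+Default:11:162</string>
</dict></plist>"""


def lint_preferences(prefs):
    """Return a sorted list of finding codes for one preferences dictionary."""
    findings = set()
    # From the page: SUFeedURL must be set when automatic update is enabled.
    if prefs.get("Automatic Update Check") is True and not prefs.get("SUFeedURL"):
        findings.add("update-enabled-without-feed-url")
    # Added check (assumption): both URLs use HTTPS, as the page's examples do.
    for key in ("Client API URL", "SUFeedURL"):
        url = prefs.get(key, "")
        if url and urlparse(url).scheme.lower() != "https":
            findings.add("non-https:" + key)
    # From the page: LogLevel is one of four enumerated values.
    if prefs.get("LogLevel", "Warning") not in LOG_LEVELS:
        findings.add("invalid-loglevel")
    # From the page: this switch is for troubleshooting only.
    if prefs.get("Send Status As Notifications") is True:
        findings.add("troubleshooting-notifications-enabled")
    # From the page: Client Id is read-only and unique per installation.
    if prefs.get("Client Id"):
        findings.add("client-id-preset")
    # Anyone who can read the bundle or its zip can read an embedded password.
    if prefs.get("Enrollment Password"):
        findings.add("enrollment-password-in-bundle")
    return sorted(findings)


def lint_plist_bytes(data):
    """Parse plist bytes (XML or binary) and lint the resulting dictionary."""
    return lint_preferences(plistlib.loads(data))


if __name__ == "__main__":
    print("\n".join(lint_plist_bytes(SAMPLE_PLIST)))
```

Run it against the edited file before signing, since any later change to the plist invalidates the signature and requires signing again.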

 

Signing the application bundle after making changes to DefaultPreferences.plist

After making changes to the DefaultPreferences.plist file the application bundle must be signed. An Apple code-signing certificate is required to sign the application.

Assuming that $VenafiEMPAgentPath is the location of the altered User Agent application bundle, and $DevCertHash is the SHA1 fingerprint of the code-signing certificate, execute the following commands in the terminal of a Mac device:

DevCertHash="1398F1C31E1967742F9B006DFE09679F61AA6BA4" # Replace with the SHA1 hash of your Apple code-signing certificate.
VenafiEMPAgentPath="/Applications/Venafi Enterprise Mobility Protect Agent.app" # Replace with the full path to the modified application bundle.

# Sign the nested frameworks and the login helper first, then the outer bundle last.
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath/Contents/Frameworks/OSLog.framework"
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath/Contents/Frameworks/LetsMove.framework"
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath/Contents/Frameworks/Sparkle.framework"
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath/Contents/Library/LoginItems/MacAJLoginHelper.app"
/usr/bin/codesign --force --sign "$DevCertHash" "$VenafiEMPAgentPath"

 

If the signing operation is successful you should see the following output:

/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/LetsMove.framework: replacing existing signature
/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/Sparkle.framework: replacing existing signature
/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Library/LoginItems/MacAJLoginHelper.app: replacing existing signature
/Applications/Venafi Enterprise Mobility Protect Agent.app: replacing existing signature

 

To verify that the application bundle is signed correctly you can execute:

/usr/bin/codesign --verify -vvvv --deep "$VenafiEMPAgentPath"

 

The application bundle is successfully signed if the output is similar to:

--prepared:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--validated:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--prepared:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/LetsMove.framework/Versions/Current/.
--validated:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/LetsMove.framework/Versions/Current/.
--prepared:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/OSLog.framework/Versions/Current/.
--validated:/Applications/Venafi Enterprise Mobility Protect Agent.app/Contents/Frameworks/OSLog.framework/Versions/Current/.
/Applications/Venafi Enterprise Mobility Protect Agent.app: valid on disk
/Applications/Venafi Enterprise Mobility Protect Agent.app: satisfies its Designated Requirement

 

Once you have confirmed that the application bundle is signed correctly, compress it for distribution. Use the command below:

ditto -c -k --sequesterRsrc --keepParent "$VenafiEMPAgentPath" "Pre-configured Venafi Enterprise Mobility Protect Agent.zip" 
