Reply To: Add Umbrella roaming agent on Mac devices

#12600
Catherine George
Moderator
1 pt

Indeed, you can install the Umbrella Roaming client on the macOS devices silently from the Hexnode console. The automatic installation is straightforward, where you can distribute it like any other enterprise app.

It involves a series of steps:

  1. Push the configurations for the roaming client using scripts.
  2. Upload the PKG file for the roaming client to the Hexnode app inventory.
  3. Install the application on the target macOS devices.
  4. Distribute root certificate to the devices.

Let’s discuss each of the steps in detail.

1. Push the configurations for the roaming client using scripts.

Initially, you have to download the roaming client zip file for Mac OS X from the Cisco Umbrella dashboard.

  1. Go to Deployments > Core Identities > Roaming Computers.
  2. Select Roaming Client.
  3. Click on Download.
  4. Choose Download macOS Client.
  5. Next, extract the .zip file.

Since you have begun the installation manually on some devices, you may omit the above step to download the roaming client zip file. However, for users who are about to install the roaming client on a macOS device for the first time, they will have to download and extract the Umbrella roaming client onto it.

For mass deployments, you can push specific configuration settings unique to your organizational environment. The configuration file (OrgInfo.plist) downloaded along with the roaming client zip file contains the necessary configuration settings. You can make use of these configurations to create a custom shell script.

For instance,

```bash
#!/bin/bash

#### Push the configurations ####

### 1. Create a folder on the device (-p: no error if it already exists)
mkdir -p "/Library/Application Support/OpenDNS Roaming Client/"

### 2. Add the OrgInfo.plist to the above location
# The delimiter is quoted so the shell expands nothing inside the plist, and
# the XML declaration has to be the very first line of the file.
cat <<'EOF' > "/Library/Application Support/OpenDNS Roaming Client/OrgInfo.plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>APIFingerprint</key>
	<string>xxxxxx</string>
	<key>APIOrganizationID</key>
	<string>xxxxxx</string>
	<key>APIUserID</key>
	<string>xxxxxxx</string>
	<key>InstallMenubar</key>
	<false/>
</dict>
</plist>
EOF
```

The following parameters, APIFingerprint, APIOrganizationID, and the APIUserID, will be auto-populated with the relevant data in the OrgInfo.plist file. While you create a custom script, retrieve these values directly from the plist file. After customizing the shell script, you can push the configurations to the macOS device directly from the Hexnode console using the Execute Custom Script action.

2. Uploading the app to the app inventory

Next, add the PKG file for the roaming client to the Hexnode app inventory. The zip file includes the PKG file for the Umbrella roaming client already.

  1. Log in to the Hexnode console.
  2. Navigate to the Apps tab.
  3. Go to +Add Apps > Enterprise App.
  4. Choose the app platform as macOS.
  5. Provide a suitable App Name.
  6. Specify a Category and Description for the app.
  7. Choose the PKG file.
  8. Click on Add.

3. Install the application on the target devices.

After uploading the app to the Hexnode app inventory, you can distribute it to the devices by configuring a Mandatory Apps policy. It automatically installs the roaming client on the macOS endpoints.

  1. From the Hexnode console, go to the Policies tab.
  2. Provide a Policy name and Description.
  3. Navigate to macOS > App Management > Mandatory Apps.
  4. Click on Configure.
  5. Move to the +Add drop-down displayed on top.
  6. Select Add App.
  7. Choose the app which was uploaded and click Done.
  8. Now, navigate to the Policy Targets tab.
  9. Select Device Groups and add the macOS device group if you want to associate the policy with a group of macOS devices. You may also associate the policy with devices separately.
  10. Save the policy.

4. Distribute root certificate to the devices.

The advanced Cisco Umbrella features such as Block Page, Block Page Bypass, etc., require the installation of Cisco Umbrella root certificates on the devices. To distribute the root certificate:

  1. Log in to Cisco Umbrella.
  2. Navigate to Deployments > Configuration > Root Certificate and click Download Certificate.
  3. Next, log in to the Hexnode portal.
  4. Move to Policies > New Policy. Specify a policy name and description. You may also use the same Mandatory Apps policy configured for the app installation.
  5. Go to macOS > Security > Certificates.
  6. Click on Add Certificate.
  7. Upload the certificate obtained in step 2.
  8. Add Policy Targets.
  9. Save the policy.

The root certificates installed on the devices avoid specific certificate warnings or related error pages. Though the error pages are expected during browsing, the messages might be ambiguous if the certificate is not installed.

I hope this helps you,

Catherine George,
Hexnode UEM
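
Added example, not part of the original reply and not Hexnode or Cisco code: a Python helper that reads the downloaded OrgInfo.plist and generates the step 1 deployment script, so the three API values are copied by machine and a leftover `xxxxxx` placeholder is rejected before the script is pushed. The sample plist values are constructed, and the "printable ASCII, no whitespace" rule for the values is an assumption.

```python
import plistlib
import re

REQUIRED = ("APIFingerprint", "APIOrganizationID", "APIUserID")
DEST_DIR = "/Library/Application Support/OpenDNS Roaming Client"

# Constructed sample standing in for the OrgInfo.plist from the Umbrella zip.
SAMPLE_ORGINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>APIFingerprint</key><string>0123456789abcdef0123456789abcdef</string>
<key>APIOrganizationID</key><string>1234567</string>
<key>APIUserID</key><string>7654321</string>
</dict></plist>"""


def load_org_info(data: bytes) -> dict:
    """Parse OrgInfo.plist bytes and return the settings the script writes."""
    info = plistlib.loads(data)
    cfg = {}
    for key in REQUIRED:
        value = info.get(key)
        # Assumption: values are printable ASCII without whitespace. This also
        # keeps a value from injecting a line that ends the heredoc early.
        if not isinstance(value, str) or not re.fullmatch(r"[\x21-\x7e]+", value):
            raise ValueError(f"{key} is missing or malformed")
        if set(value.lower()) == {"x"}:
            raise ValueError(f"{key} is still a placeholder")
        cfg[key] = value
    cfg["InstallMenubar"] = False  # same setting as the script in the post
    return cfg


def build_script(cfg: dict) -> str:
    """Return the bash script that writes OrgInfo.plist on the target Mac."""
    plist_xml = plistlib.dumps(cfg, fmt=plistlib.FMT_XML).decode("utf-8")
    return (
        "#!/bin/bash\n"
        "set -euo pipefail\n"
        f'mkdir -p "{DEST_DIR}"\n'
        # Quoted delimiter: the shell expands nothing inside the plist body.
        f"cat <<'EOF' > \"{DEST_DIR}/OrgInfo.plist\"\n"
        f"{plist_xml}"
        "EOF\n"
    )


if __name__ == "__main__":
    print(build_script(load_org_info(SAMPLE_ORGINFO)), end="")
```

The generated script carries your organization's API values, so handle it like the plist itself when storing or sharing it.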