When you deploy the Webroot agent to macOS, Apple mandates that the user grants Webroot Full Disk Access. Additionally, to perform network isolation on macOS devices running Webroot Business Endpoint Protection, Apple mandates that the user grants Webroot Network Filter permission. You can use Jamf to deploy a configuration file that completes these steps prior to the deployment of the Webroot agent.
 
The following page explains what the user experience will be without preconfiguring the user’s machines:

How to give Webroot SecureAnywhere Full Disk Access on macOS
 
Note: In some cases, the first time the user interface is opened, a prompt to approve FDA may still be shown even if it has been pre-configured. If this happens, it can be safely ignored as long as the System Preference’s “Security Privacy” panel shows that FDA has been granted to the Webroot SecureAnywhere app. You can also check that FDA has been successfully granted by verifying that any scan is in progress or has completed.

Deploying a Network Enabled Configuration Profile involves six steps:
  1. Create a Configuration Profile
  2. Configure Full Disk Access (FDA)
  3. Configure Content Filter
  4. Configure System Extensions
  5. Configure Second Payload for macOS 15 (Sequoia) and Later
  6. Deploy the Configuration Profile 


Step 1: Create a Configuration Profile

  1. Log in to your Jamf Pro console.
  2. Navigate to: Computers > Configuration Profiles.
  3. Click the + New button to create a new configuration profile.
  4. In the General payload, provide the following:
    • Display Name: Set to something like “Webroot Configuration”.
    • Description: Briefly explain that this profile manages Webroot’s Full Disk Access and Network/System Extensions.
    • Category: Choose an appropriate category (for example, Security).
    • Level: Set to Computer Level.
    • Distribution Method: Set the profile to Install Automatically (don’t forget to specify a scope of included endpoints or groups).
 

Step 2: Configure Full Disk Access (FDA)

  1. In the left pane, click Privacy Preferences Policy Control (PPPC).
  2. Add the following settings:
    1. Bundle ID: com.webroot.Webroot-SecureAnywhere
    2. Code Requirement:
      identifier "com.webroot.Webroot-SecureAnywhere" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6Q6RVXVYC2"
  3. Set permissions for SystemPolicyAllFiles:
    1. Set Allow for Full Disk Access (FDA).
 

Step 3: Configure Content Filter

  1. In the left pane, click Content Filter, then click Configure.
  2. Set the following:
    • Filter Name: This must be named to match what the agent would name it when installing interactively so that it does not try to install it again. The name to use is: Webroot SecureAnywhere
    • Identifier: This must match the identifier for the filter plug-in: com.webroot.Webroot-SecureAnywhere
    • Filter Order: Set to Inspector.
  3. Enable the Socket Filter option:
    • Socket Filter Bundle Identifier:
      com.webroot.WSDaemon.WSANetworkExtension
    • Socket Filter Designated Requirement:
      anchor apple generic and identifier "com.webroot.WSDaemon.WSANetworkExtension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6Q6RVXVYC2")[A screenshot of a computer Description automatically generated]
 

Step 4: Configure System Extensions

  1. In the left pane, click System Extensions, then click Configure.
  2. Set the following:
    1. Display Name: Set to “Webroot SecureAnywhere”
    2. Team Identifier: 6Q6RVXVYC2
    3. Allowed System Extensions: com.webroot.WSDaemon.WSANetworkExtension



Step 5: Configure Second Payload for macOS 15 (Sequoia) and Later

NOTE: Without this additional payload, users on macOS 15 and later would be able to manually remove the allowance for the operating system to manage the system extension.
 
  1. In the left pane, click System Extensions, then click Configure.
  2. Set the following:
    1. Display Name: Set to “Webroot SecureAnywhere”
    2. Team Identifier: 6Q6RVXVYC2
    3. Non-removable system extensions:
      com.webroot.WSDaemon.WSANetworkExtension
 

Step 6: Deploy the Configuration Profile

  1. Save the profile.
  2. Ensure the scope includes all relevant devices.
  3. Deploy the profile to the endpoints. 
Remember that if the configuration profile is removed from a client, the dialog box for content filtering will appear. Make sure to communicate this behavior to end users.

The information in this article is offered as-is to assist customers. Webroot Support will not be able to answer questions on using Jamf to deploy a configuration profile. For additional resources, you can explore the Jamf Nation Community, and the Webroot SecureAnywhere Installation Guide.

If you are having problems using traditional methods to install the Webroot agent, please contact Support for assistance.
Is this article helpful?
   
Thanks for your feedback!

Powered by noHold, Inc. U.S. Patent No. 10,659,398
All Contents Copyright© 2024