Contents x
    Deployment with Jamf
      • Print
      • Dark
        Light
      • PDF
      Contents

      Deployment with Jamf

        • Print
        • Dark
          Light
        • PDF
        Article summary

        This article describes how to deploy and configure ControlUp for Desktops onto macOS devices using Jamf.

        Download the Agent Manager package

        1. Sign into app.controlup.com and go to the Devices tab.
          AccessDevicesTab.png

        2. Click on the settings icon at the top-right of the screen.
          SettingsIcon.png

        3. Go to Downloads > macOS Agent and click Download to download the Mac Agent Manager. Save the Agent Manager to a location from which you can upload to Jamf Pro.
          DownloadMacAgentManager.png

        Take note of the your tenant name and device registration code on the Downloads page, because you'll need these in a later step.

        Upload the Agent Manager to Jamf Pro

        1. Login to your Jamf Pro environment.
        2. Go to Settings > Computer Management > Packages
        3. Click + New
        4. Choose a display name and then drag and drop the Agent Manager package you download or browse to it in the Filename section.
          Jamf1.png
        5. No other settings are required, so click the Save button.

        Agent configuration script

        The script is needed to configure the Agent Manager so it can communicate with the correct DEX environment and if needed add the device to a device group.

        1. In your Jamf Pro environment, go to Settings > Computer Management > Scripts.
        2. Click New.
        3. Give the script a name.
          Jamf2.png
        4. Click on the Script tab.
        5. Set the Mode to Shell / Bash.
        6. Copy and Paste this script. You must edit the tenant and deviceregcode to match the ones you took note of earlier. Optionally, if you want to automatically add devices to a device group, add the name of the group to the group parameter.
        #!/bin/zsh 
sudo mkdir -p /usr/local/com.controlup.edgedx 
# take the values for tenant and deviceregcode from the download page. 
tenant="YourTenantNameHere.sip.controlup.com" 
deviceregcode="YourDeviceRgistrationsCodeHere" 
group="" 
echo "{ \"Tenant\": \"$tenant\",\"Device Registration Code\": \"$deviceregcode\",\"Device Group\": \"$group\"}" > /tmp/TenantInfo.json 
sudo cp /tmp/TenantInfo.json /usr/local/com.controlup.edgedx

        1. Click the Options tab and select Priority to Before.
          Jamf3.png

        2. Click Save.

        Policies

        Next you need to create a policy to install the Agent Manager and deploy the configuration script.

        1. Click Computers > Policies.
        2. Click New to add a policy.
        3. Give the policy a name.
        4. Make sure the policy is enabled, and choose the trigger you want to use.
          Jamf4.png
        5. Go to Packages and click Configure.
          Jamf5.png
        6. Click Add to the right of the package you added earlier.
          Jamf6.png
        7. Go to Scripts and click Configure.
          Jamf7.png
        8. Click Add next to the script you added earlier.
          Jamf8.png
        9. Set the scope for the computers / users you want to target.
        10. Click Save.

        Configuration profiles

        Configuration profiles are necessary to limit the number of prompts for the end user to grant the Agent the necessary permissions on the device.

        1. Click on each link to download the following profiles:
        1. Login to your Jamf Pro console
        2. Go to Computers > Configuration Profiles.
        3. Click Upload in the top-right and then you can upload the profiles one at a time.
        4. After the profiles are uploaded, edit each profile to add the scope of devices you want to deploy them to.

        (Optional) How to manually create each configuration profile

        If you don't want to download and import the configuration profiles above, you can follow the steps in this section to manually create each configuration profile. To create each profile, go to Computers > Configuration Profiles.

        Allow ControlUp Network Filtering

        1. Click Add to add a new configuration profile.
        2. Name the profile something like "Allow ControlUp Network Filtering".
        3. Click on Content Filter
        4. Name the filter something like "ControlUp Network Filter", and make sure the include switch on the right is enabled.
        5. For the identifier, use com.controlup.edgedx.WW-NetworkFilter, and make sure the switch is enabled.
        6. Scroll down to the Network Filter section and select Enable.
          • For Network Filter Bundle Identifier, use com.controlup.edgedx.WW-NetworkFilter
          • For the Network Filter Designated Requirement, use identifier "com.controlup.edgedx.WW-NetworkFilter" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CMTXZP5HFN).
        7. Make sure the switch is enabled.
        8. Click Save.

        Allow ControlUp Network Filtering Extension

        1. Click Add to add a new configuration profile.
        2. Name the profile something like "Allow ControlUp Network Filtering Extension".
        3. Click on Content Filter
        4. Name the filter something like "ControlUp Network Filtering Extension", and make sure the include switch on the right is enabled.
        5. For the identifier, use com.controlup.edgedx.WW-NetworkFilterExtension, and make sure the switch is enabled.
        6. Scroll down to the Socket Filter section and select Enable.
          • For Socket Filter Bundle Identifier use com.controlup.edgedx.WW-NetworkFilterExtension
          • For the Socket Filter Designated Requirement, use identifier "com.controlup.edgedx.WW-NetworkFilterExtension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CMTXZP5HFN)
        7. Make sure the switch is enabled.
        8. Set the scope for the computers/users you want to target.
        9. Click Save.

        Deploy ControlUp Network Filtering

        1. Click Add to add a new configuration profile.
        2. Name the profile something like "Deploy ControlUp Network Filter".
        3. Click on System Extensions.
        4. Check Allow users to approve system extensions.
        5. Give it a display name like "ControlUp Network Extension".
        6. For System Extension Types, select Allowed team identifiers.
        7. For Team Identifier, use CMTXZP5HFN.
        8. Set the scope for the computers/users you want to target.
        9. Click Save.

        Deploy ControlUp Survey Toaster

        1. Click Add to add a new configuration profile.
        2. Name the profile something like "Deploy ControlUp Survey Toaster".
        3. Click on Notifications.
        4. Name the app something like "ControlUp Survey Toaster".
        5. Enable Notifications.
        6. Set Banner Type to Temporary.
        7. Set Notifications on Lock Screen to Hide.
        8. Set Notifications in Notification Center to Display.
        9. Set Badge app icon to hide.
        10. Set Play sound for notifications to Enable.
          Jamf9.png
        11. Set the scope for the computers/users you want to target.
        12. Click Save.

        Deploy ControlUp WebWatcher

        1. Click Add to add a new configuration profile.
        2. Name the profile something like "Deploy ControlUp WebWatcher".
        3. Click on Privacy Preferences Policy Control.
        4. Click Configure.

        You must add three App Access items:

        App Access 1

        1. Set the identifier to com.controlup.edgedx.UserAgent.
        2. Set the Identifier Type to Bundle ID.
        3. Set Code Requirement to anchor apple generic and identifier "com.controlup.edgedx.UserAgent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CMTXZP5HFN).
        4. Click Add to add an App / Service.
        5. Set App or Service to AppleEvents, and set Access to Allow.
        6. Set Receiver Identifier to com.apple.Safari.
        7. Set Receiver Identifier Type to Bundle ID.
        8. Set Receiver Code Requirement to identifier "com.apple.Safari" and anchor apple.
        9. Click Save to the right.
        10. Optionally, if your users are using Google Chrome, perform these additional steps:
          1. Click Add to add an App / Service.
          2. Set App or Service to AppleEvents, and set Access to Allow.
          3. Set Receiver Identifier to com.google.Chrome.
          4. Set Receiver Code Requirement to (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV.
          5. Click Save to the right.

        Jamf10.png

        App Access 2

        1. At the top, to the right side of the App access Header, click the plus button.
        2. Set the identifier to /usr/local/com.controlup.edgedx.agent/Data\ Collector/WebWatcher.
        3. Set the Identifier Type to Path.
        4. Set the Code Requirement to anchor apple generic and identifier "com.controlup.edgedx.WebWatcher" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CMTXZP5HFN)
        5. Click Add to add an App / Service.
        6. Set App or Service to AppleEvents, and set Access to Allow.
        7. Set Receiver Identifier to com.apple.Safari.
        8. Set Receiver Code Requirement to identifier "com.apple.Safari" and anchor apple.
        9. Click Save on the right side of the section.
        10. Optionally, if your users are using Google Chrome, perform these additional steps:
          1. Click Add to add an App / Service
          2. Choose AppleEvents, Allow for Access.
          3. Set Receiver Identifier to com.google.Chrome.
          4. Set Receiver Code Requirement (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV.
          5. Click Save to the right.

        Jamf11.png

        App Access 3

        1. At the top, to the right side of the App access Header, click the plus button.
        2. Set the identifier to com.controlup.edgedx.WebWatcher.
        3. Set the Identifier Type to Bundle ID.
        4. Set the Code Requirement to anchor apple generic and identifier "com.controlup.edgedx.WebWatcher" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CMTXZP5HFN)
        5. Click Add to add an App / Service.
        6. Set App or Service to AppleEvents, and set Access to Allow.
        7. Set Receiver Identifier to com.apple.Safari.
        8. Set Receiver Code Requirement to identifier "com.apple.Safari" and anchor apple.
        9. Click Save on the right side of the section.
        10. Optionally, if your users are using Google Chrome, perform these additional steps:
          1. Click Add to add an App / Service
          2. Set App or Service to AppleEvents, and set Access to Allow.
          3. Set Receiver Identifier to com.google.Chrome.
          4. Set Receiver Code Requirement (identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV.
          5. Click Save to the right.

        Jamf12.png

        After adding all App Access items above, set the scope for the computers/users you want to target and save your changes.

        ScreenRecording Privacy Preferences Configuration Profile

        1. Click Add to add a new configuration profile.
        2. Name the profile something like "ScreenRecording Privacy Preferences Configuration Profile.
        3. Click on Privacy Preferences Policy Control.
        4. Click Configure.

        You must add two App Access items:

        App Access 1

        1. Set the identifier to com.controlup.edgedx.UserAgent.
        2. Set the Identifier Type to Bundle ID.
        3. Set Receiver Code Requirement to anchor apple generic and identifier "com.controlup.edgedx.UserAgent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CMTXZP5HFN).
        4. Click Add to add an App / Service.
        5. Set App or Service to ListenEvent, and set Access to Allow Standard Users to Allow Access.
        6. Click Save to the right.
        7. Click Add to add an App / Service.
        8. Set App or Service to ScreenCapture, and set Access to Allow Standard Users to Allow Access.
        9. Click Save to the right.
        10. Click Add to add an App / Service.
        11. Set App or Service to Accessibility, and set Access to Allow.
        12. Click Save to the right.

        App Access 2

        1. At the top, to the right side of the App access Header, click the plus button.
        2. Set the identifier to com.controlup.edgedx.ScreenCapture.
        3. Set the Identifier Type to Bundle ID.
        4. Set Receiver Code Requirement to anchor apple generic and identifier "com.controlup.edgedx.ScreenCapture" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CMTXZP5HFN).
        5. Click Add to add an App / Service.
        6. Set App or Service to ScreenCapture, and set Access to Allow Standard Users to Allow Access.
        7. Click Save to the right.

        After adding all App Access items above, set the scope for the computers/users you want to target and save your changes.

        Was this article helpful?
        What's Next