Applies to Mac Agents
Article No: 28115273343767
If you use Jamf for Mac endpoint management, you can deploy the Veriato Mac Agent to endpoints via your Jamf console.
Note: For the account-driven device enrollment method, Jamf requires endpoints to have macOS 14 (Sonoma) or later.
Set up the Jamf server and enroll devices
If you haven't already done so, set up your Jamf cloud server and enroll your Mac devices. For more help, see https://learn.jamf.com.
- Log into your Jamf cloud account.
Change the computer check-in time to a 5-minute interval to match the agent check-in interval. This ensures that Mac activity data is received as soon as possible.
- Use "Device Enrollment for Computers" to enroll Mac devices.
Click Settings in the sidebar.
In the Global section, click Edit and select the Devices tab.
Check Enable for personally owned devices.
- Enroll a new computer.
You can invite the user to initiate enrollment or log into the endpoint Mac with Admin credentials.
Access the enrollment link yourself. For example:
https://myaccount.jamfcloud.com/enroll
a. Log in to your Jamf account.
b. Leave "Assign to User" empty and press Enroll.
c. To enroll a Mac in Jamf, install your MDM profile on the device. Press Continue.
d. Select Allow to allow downloads from your account.
e. Finally, run the downloaded package. A popup prompts you to continue in System Settings.
- Open System Settings on the Mac to finish the profile installation.
Open System Settings, select Privacy & Security in the left sidebar and Profiles on the right.
a. Double click the MDM profile.
b. Verify the signing certificate and press Install. You are prompted for the local admin password.
c. Enter the local admin password to complete the installation.
- The MDM Profile now appears in the endpoint's profile lists.
Eventually other installed Jamf profiles will appear.
- Log into your Jamf cloud platform.
For example: mycompany.jamfcloud.com
The Mac device is now enrolled in Jamf and should appear in your Devices section.
Create a Configuration Profile for the Veriato Agent
The configuration profile will be used to install the Agent on devices. In your Jamf console:
- Navigate to Computers > Configuration Profiles. Press the New button.
- Add a name in the General options.
- Select Privacy Preferences Policy Control from the left menu.
- Click Configure.
Identify, configure, and set the Mac Privacy permissions for each of the three following agent apps.
a. Helpdesk.app
i. Identifier: com.spsecure.Viewer
ii. Code Requirement:
identifier "com.spsecure.Viewer" and anchor apple generic and
certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = "94L7REHXB6"
iii. Local System Permissions needed to run
1. Accessibility
2. Full Disk Access (System Policy All Files)
3. Screen Recording
4. Open at Login
5. Allow in the Background
b. Agent.app
i. Identifier: com.spsecure.useragent
ii. Code Requirement:
identifier "com.spsecure.useragent" and anchor apple generic and
certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = "94L7REHXB6"
iii. Local System Permissions needed to run:
1. Accessibility
2. Full Disk Access (System Policy All Files)
3. Screen Recording
4. Open at Login
5. Allow in the Background
c. spsecure
i. Identifier: com.spectorsoft.Recorder
ii. Code Requirement:
anchor apple generic and identifier "com.spectorsoft.Recorder" and
(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or
certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and
certificate leaf[subject.OU] = "94L7REHXB6")
iii. Local System Permissions needed to run
1. Full Disk Access (System Policy All Files)
Configuration for the spsecure app
- Add the Team Identifier with the security certificate: 94L7REHXB6.
Note: Open at Login/Allow in the Background is beyond the scope of this document.
Create a New Smart Group
Make the Configuration Profiles known to other Jamf components.
Note: Screen Recording permissions need to be granted for the Agent and Helpdesk.
- Assign the Configuration Profile to a Mac computer.
Click the Scope tab and configure the scope of the Profile. To distribute the profile during enrollment using a computer PreStage enrollment, ensure the scope of the profile contains the computers that are in the scope of the PreStage enrollment. Ensure the profile has been installed on the device by checking the device's System Settings > Privacy & Security > Profiles.
- Create and name a new Smart Computer Group.
In the Jamf console, under Computers, select Smart Computer Groups.
- Assign the agent Configuration Profiles to the group.
In Criteria, click Show Advanced Criteria.
Select either Profile Name or Profile Identifier.
Enter the agent's profile Name (e.g., spsecure) or its Identifier (com.spectorsoft.Recorder).
Note: This automatically adds computers to the group when they report that they have the policy.
Set up Distribution Point
- Settings > Global > Cloud Services Connection.
- Select Enable.
- Settings -> Server -> Cloud distribution point.
- Select Edit.
- Select Jamf Cloud.
- Save.
Create a package (PKG) to deliver the agent
To deliver the Veriato Mac Agent, you will need to create and run a script. You can use Jamf Composer to do this. Refer to this article for more help:
https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Scripts.html
Note: During the download process, popups appear stating that an application was downloaded from the internet and that Managed Login Items were added.
- Download the Mac Agent from your Veriato app:
a. Log on to the Veriato access Admin.
b. Select the Download Agents section and then the Mac Platform icon.
c. Follow the wizard steps to choose whether the installer reboots automatically or does not reboot (No Reboot) after installation.
Note: The auto-reboot is recommended, because whenever the installer runs the system reboots.
d. Press Next and Download the installer zip file.
- Unzip the download containing two files:
a. A1InstallerDataMac.zip
b. Install.sh
- Download Jamf Composer.
Install it on a Mac.
- In /private/tmp create a new folder, such as ClientInstall.
- Unzip the Zip folder downloaded from the server, and copy the contents into the folder /private/tmp/ClientInstall.
- Launch Jamf Composer.
- Drag the folder ClientInstall into the sidebar of Composer:
- Expand the folders to display ClientInstall and its contents.
- For all three (the folder, Install.sh, and A1InstallDataMac.zip):
a. Change the Owner to root.
b. Check the boxes under X (execute) for Owner and Group.
- Expand the ClientInstall Source on the left.
- Right Click on Scripts.
- Select Add Shell Script -> postinstall.
- Add a call to the .sh file in the postinstall script.
- Save.
- Click the ClientInstall Source.
- Click Build as PKG.
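One possible postinstall script for the step above, added here as an example (it is not Veriato's or Jamf's own script). It assumes the /private/tmp/ClientInstall folder from this article; the PAYLOAD_DIR and EXPECTED_UID variables, the function names, and the owner and write-permission checks made before Install.sh runs as root are assumptions of the example.

```shell
#!/bin/sh
# postinstall: added example, not vendor code. The installer runs it as root
# after Composer's payload has been written to /private/tmp/ClientInstall.

PAYLOAD_DIR="${PAYLOAD_DIR:-/private/tmp/ClientInstall}"  # folder from the article
EXPECTED_UID="${EXPECTED_UID:-0}"  # root, matching the Owner set in Composer

# Succeeds when $1 is not a symlink, is owned by EXPECTED_UID, and is not
# group- or world-writable. /private/tmp is shared, so anything that another
# local user could have replaced must not be executed as root.
is_trusted() {
    [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$EXPECTED_UID" \
            ! -perm -020 ! -perm -002 -print)" ]
}

# Returns 2 if Install.sh is missing or not executable, 3 if the folder or any
# file in it fails is_trusted, otherwise the exit status of Install.sh.
run_installer() {
    [ -x "$PAYLOAD_DIR/Install.sh" ] || {
        echo "postinstall: $PAYLOAD_DIR/Install.sh missing or not executable" >&2
        return 2
    }
    for item in "$PAYLOAD_DIR" "$PAYLOAD_DIR"/*; do
        is_trusted "$item" || {
            echo "postinstall: unexpected owner or mode on $item" >&2
            return 3
        }
    done
    # Run from the payload folder so Install.sh can find the zip shipped with
    # it (assumed; the article does not say how Install.sh locates its data).
    ( cd "$PAYLOAD_DIR" && ./Install.sh )
}

# The installer invokes this file under the name "postinstall".
case "$0" in
    *postinstall) run_installer; exit $? ;;
esac
```

A non-zero exit status from postinstall causes the package installation to be reported as failed.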
Add the PKG file to Jamf
- Settings -> Computer Management -> Packages.
- Click the + New button.
- Name the Package.
- Drag and drop the File into Filename.
- Save.
Create an Install Policy
- Navigate to Computers -> Policies.
- Click + New.
- Name the policy.
- Set your Triggers and other General options.
- Open Packages in the options section.
- Select the package you created.
- Select the appropriate Distribution Point (e.g., Cloud distribution point), based on the setup above.
- Ensure Install is selected.
- Choose the Scope tab.
- Click Edit.
- With Specific Computers selected, click the + Add button.
- Click Computer Groups.
- Add the new smart group.