Topic
This article explains how to deploy a pre-built macOS mobile configuration profile. These instructions are specific to macOS devices using the NinjaOne agent while enrolled in a third-party mobile device management (MDM) solution.
Environment
- NinjaOne Agent
- Apple macOS
Description
Use these instructions in scenarios where a technician wants to deploy the NinjaOne agent to macOS devices that are enrolled in an MDM solution outside of NinjaOne.
The following steps describe the process to deploy the NinjaOne agent at a high level:
- Generate and download the NinjaOne agent installer in the NinjaOne console.
- Upload the .pkg (package) installer to the MDM solution and deploy it to your managed macOS devices.
- Configure the required permissions and settings for the NinjaOne agent, and deploy them as an MDM profile to your managed macOS devices.
Defining the NinjaOne Configuration Settings
You can define the following NinjaOne permissions and configurations via MDM:
- Grant the NinjaOne agent permission to access all files.
- Grant NinjaOne Remote permission to access all files and the necessary Accessibility application programming interfaces (APIs). Additionally, local standard user accounts can enable the Screen Recording permissions.
- Grant NinjaOne Backup permission to access all files.
- Prevent the device's user from disabling background processing of the NinjaOne agent.
Generally, MDM services offer two options for configuring MDM profiles to deploy to devices:
- Directly upload or paste the contents of a mobileconfig file, which contains all required settings.
- Manually define the appropriate settings in the MDM service console.
The next sections will explain each of these approaches.
Index
- Configure NinjaOne with a Configuration File
- Manually configure NinjaOne MDM profile settings
- Additional Resources
Configure NinjaOne with a Configuration File
To configure NinjaOne with a configuration file, perform the following steps:
- Download the NinjaOne_Agent.mobileconfig file attached to the bottom of this article. You can upload this file directly into an MDM service and deploy to managed devices.
- Alternatively, paste the full contents of the file, as shown in the following pre-formatted text field, into a supported MDM service profile to send to managed devices:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>NinjaOne Agent Privacy Preferences</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>F90E3D0E-AD13-486C-84D4-A495C460354B</string>
<key>PayloadOrganization</key>
<string>NinjaOne</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>F90E3D0E-AD13-486C-84D4-A495C460354A</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>Accessibility</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.ninjarmm.ncstreamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E</string>
<key>Identifier</key>
<string>com.ninjarmm.ncstreamer</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
</array>
<key>ScreenCapture</key>
<array>
<dict>
<key>Authorization</key>
<string>AllowStandardUserToSetSystemService</string>
<key>CodeRequirement</key>
<string>identifier "com.ninjarmm.ncstreamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E</string>
<key>Identifier</key>
<string>com.ninjarmm.ncstreamer</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
</array>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.ninjarmm.ncstreamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E</string>
<key>Identifier</key>
<string>com.ninjarmm.ncstreamer</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "ninjarmm-macagent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E</string>
<key>Identifier</key>
<string>/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent</string>
<key>IdentifierType</key>
<string>path</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier lockhart and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E</string>
<key>Identifier</key>
<string>/Applications/NinjaRMMAgent/programfiles/lockhart/bin/lockhart</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
</array>
</dict>
</dict>
<dict>
<key>PayloadDescription</key>
<string>Permissions for NinjaOne Agent and Remote</string>
<key>PayloadDisplayName</key>
<string>NinjaOne Agent Service Management</string>
<key>PayloadIdentifier</key>
<string>com.ninjaone.NinjaOneAgentServiceManagement</string>
<key>PayloadUUID</key>
<string>0d8e2ece-dfa7-4103-97ff-e91a9f842a1e</string>
<key>PayloadType</key>
<string>com.apple.servicemanagement</string>
<key>Rules</key>
<array>
<dict>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>EBNT3ZX97E</string>
<key>Comment</key>
<string>NinjaOne Agent</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Permissions for NinjaOne Agent and Remote</string>
<key>PayloadDisplayName</key>
<string>NinjaOne Agent and Remote</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>5239630D-0350-4236-B4E8-8A0AC610C88B</string>
<key>PayloadOrganization</key>
<string>NinjaOne</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5239630D-0350-4236-B4E8-8A0AC610C88B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Manually configure NinjaOne MDM profile settings
When manually configuring MDM profiles, you may notice that the precise names of the payloads and keys vary from one MDM service to another. The payload and key names used in this section match those defined by Apple. If you find any discrepancies between the names listed here and those listed in the MDM server, contact your MDM service to confirm the appropriate key names.
You must configure Privacy Preferences Policy Control payloads for the following, including one Service Management configuration:
NinjaOne Agent
Use the following table to configure the NinjaOne agent payload in your supported MDM service profile:
| Key | Value |
|---|---|
| Identifier | /Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent |
| IdentifierType | path |
| Code Requirement | identifier "ninjarmm-macagent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E |
| StaticCode | 0 |
| Permissions | |
NinjaOne Remote
Use the following table to configure the NinjaOne agent payload in your supported MDM service profile:
| Key | Value |
|---|---|
| Identifier | com.ninjarmm.ncstreamer |
| IdentifierType | bundleID |
| Code Requirement | identifier "com.ninjarmm.ncstreamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E |
| StaticCode | 0 |
| Permissions | |
NinjaOne Backup
Use the following table to configure the NinjaOne agent payload in your supported MDM service profile:
| Key | Value |
|---|---|
| Identifier | /Applications/NinjaRMMAgent/programfiles/lockhart/bin/lockhart |
| IdentifierType | path |
| Code Requirement | identifier lockhart and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E |
| StaticCode | 0 |
| Permissions | |
Service Management Configuration
Use the following table to add the configuration in your supported MDM service profile:
| Key | Value |
|---|---|
| RuleType | TeamIdentifier |
| RuleValue | EBNT3ZX97E |
| Comment | NinjaOne Agent |
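Whether the profile is uploaded as a file or assembled by hand, it is worth checking before deployment that every privacy grant is pinned to the expected Team ID and that each bundleID grant names the same identifier as its code requirement. The following Python sketch is an added example, not NinjaOne's code; the embedded profile is constructed and trimmed for the demo, `/opt/example/tool` is a hypothetical unpinned entry, and `audit_profile` is a hypothetical helper name.

```python
import plistlib
import re

# Constructed, trimmed profile (not the article's file): one grant pinned to
# the Team ID from the article and one hypothetical grant without the pin.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
<key>Services</key><dict><key>SystemPolicyAllFiles</key><array>
<dict><key>Allowed</key><true/><key>IdentifierType</key><string>bundleID</string>
<key>Identifier</key><string>com.ninjarmm.ncstreamer</string><key>CodeRequirement</key>
<string>identifier "com.ninjarmm.ncstreamer" and anchor apple generic and certificate leaf[subject.OU] = EBNT3ZX97E</string></dict>
<dict><key>Allowed</key><true/><key>IdentifierType</key><string>path</string>
<key>Identifier</key><string>/opt/example/tool</string><key>CodeRequirement</key>
<string>identifier "example-tool" and anchor apple generic</string></dict>
</array></dict></dict>
<dict><key>PayloadType</key><string>com.apple.servicemanagement</string>
<key>Rules</key><array><dict><key>RuleType</key><string>TeamIdentifier</string>
<key>RuleValue</key><string>EBNT3ZX97E</string></dict></array></dict>
</array></dict></plist>"""

TEAM_PIN = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})\b')
REQ_IDENT = re.compile(r'^\s*identifier\s+"?([^"\s]+)')

def audit_profile(data, expected_team):
    """Return (grants, findings) for the TCC and Service Management payloads."""
    grants, findings = [], []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.TCC.configuration-profile-policy":
            for service, entries in payload.get("Services", {}).items():
                for e in entries:
                    ident, req = e.get("Identifier"), e.get("CodeRequirement", "")
                    pin, rid = TEAM_PIN.search(req), REQ_IDENT.search(req)
                    auth = e.get("Authorization") or ("Allow" if e.get("Allowed") else "Deny")
                    grants.append((service, ident, auth))
                    if not pin or pin.group(1) != expected_team:
                        findings.append(f"{service}: {ident} not pinned to team {expected_team}")
                    if e.get("IdentifierType") == "bundleID" and (not rid or rid.group(1) != ident):
                        findings.append(f"{service}: {ident} differs from requirement identifier")
        elif ptype == "com.apple.servicemanagement":
            for rule in payload.get("Rules", []):
                if rule.get("RuleType") == "TeamIdentifier" and rule.get("RuleValue") != expected_team:
                    findings.append(f"servicemanagement: unexpected team {rule.get('RuleValue')}")
    return grants, findings

if __name__ == "__main__":
    print(*audit_profile(SAMPLE, "EBNT3ZX97E")[1], sep="\n")
```

To audit a real profile, pass the bytes of the downloaded .mobileconfig file in place of `SAMPLE`; an empty findings list means every grant and rule matched the expected Team ID.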
Additional Resources
Refer to the following resources to learn more about MDM services for macOS: