NAC Policy Deployment Guide for macOS

How to deploy a NAC policy to endpoints

• Download the provided NetworkAccessControlForMac.zip file and extract it. It will contain a zip file named dcNacFirewall.zip and MacQuarantinePolicyGenerator.exe.
• Use the MacQuarantinePolicyGenerator.exe to generate the policy to be applied to the corresponding Mac machine.
• The policy can be created based on the following checks:
  • Software checks
  • Custom checks
  • Patch checks
  • File path checks
  • Application version checks
• Save the encrypted policy JSON file, which can be used later to import and modify the policy for future use.
• Secondly, the deployable zip generation window will open. Provide "yes" to create the deployable zip file. The zip file will be created in the extracted folder, named TrustAgentMac.zip.
• You can deploy this file to endpoints using custom script configuration.
• On the EC server, navigate to the Configurations -> Script repository -> Templates. Select TrustAgentMacScript.sh and add it to the script repository. Then using the TrustAgentMacScript.sh script, create Computer Configuration. Attach the deployable zip file (TrustAgentMac.zip) as the dependency file.
• Use the --load argument to deploy the configuration. (For initial setup, prerequisite required for NAC in macOS, refer to configure pre-requisites for Network Access Control in Mac).
• When an endpoint is found non-compliant (based on rules defined in the policy), that endpoint will be isolated from the network by the restriction policies defined under quarantine settings.
• To update the quarantine policy, re-execute the configuration with the updated deployable zip file (TrustAgentMac.zip) as the dependency file.

How to configure pre-requisites for Network Access Control in Mac.

Type 1: Configure pre-requisites via MDM

1. To complete the prerequisites, you can utilize an MDM solution. Download the pre-configured profile and deploy it to the Mac endpoints requiring management through Network Access Control.
2. If you encounter any difficulty using the provided pre-configured profile, you can manually enter the details to your MDM solution and deploy it to the Mac endpoints. Below are the necessary details for configuring both prerequisites manually using an MDM solution.

System Extension Policy

• Payload Scope: System
• Target Device Type: Mac
• Allow System Extension:
  1. Team identifier - TZ824L8Y37
  2. Extension bundle identifier - com.manageengine.dc.nac
• Allowed System Extension Type:
  1. Team identifier - TZ824L8Y37
  2. Extension type: NetworkExtension

Allow Web Content Filter

• Filter Type: Plug-In
• User Defined Name: dcNacFirewall
• Plugin Bundle Id: com.manageengine.dc.nac.app
• Enable Socket Filtering: true
• Filter Data Provider System Extension Bundle Id: com.manageengine.dc.nac
• Filter Data Provider Designated Requirement: identifier "com.manageengine.dc.nac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "TZ824L8Y37"

Type 2: Configure pre-requisites manually

During a fresh install, two prompts will be shown to the user seeking permission:

1. The first prompt is for the system extension. A prompt will be displayed for access, and by clicking "Open System Settings," it may directly open the settings page. The user must allow access for the application dcNacFirewall. Allowing it will prompt for user credentials with administrator privileges. If the user ignores the prompt or clicks "OK," they must manually allow the application dcNacFirewallby going to "Settings" -> "Privacy & Security.".

   

2. Once the system extension has been allowed, the second prompt will open to seek access for "Filter Network Content." The user must allow this. If the user neglects or ignores it, the prompt will be shown during the next installation attempt.

   

How to create a compliance policy

IT admins can create a compliance policy according to various standards supported by Endpoint Central. A policy can be defined when:

• A device installs/contains any susceptible software.
• A device is missing some important patches.
• A device is running with system-level customized problems.

Adding Software Checks

Specify the exact installation location of the application on your Mac that needs to be checked. Select the type as 'Software' and status either as 'Exists' or 'NotExists'.

Adding Patch Criteria Checks

In the tool console, specify the patch details, which include PatchType, SeverityType, and the number of patches that violated the rule. Any endpoint falling under this criteria will be quarantined.

Adding PatchID Checks

You can quarantine an endpoint when it is missing important security patches. To do so, define the PatchID in the patch column (In the policy generator tool). An endpoint that is missing the specified patch will be quarantined.

Adding Custom Checks

Custom tags are used to name/identify the conditions that are checked. These tags can be named according to the user's convenience. The custom tags are treated as individual checks, and the system is considered non-compliant even if one of these tags is satisfied. If you wish to run a group check, then specify the various conditions under a single tag.

File Path Check

• Name the custom tag as needed
• Check Type: File path
• Check Path: File path (e.g., "/Library/ManageEngine/UEMS_Agent")
• Applicable Check Mode: Exist / Not Exist

Application Version Check

• Name the custom tag as needed
• Check Type: Application Version
• Check Path: (e.g., "/Applications/Safari.app")
• Applicable Check Mode: Value equals / Value not Equals / Value Lesser Than / Value Greater Than
• Value: Application Version

Quarantine Settings

If the system is found non-compliant, the following quarantine measures can be undertaken:

• You can choose to block all network access (Internet/Intranet) or choose to block the Intranet access in the range that you desire.
• You can also set the domains or IP addresses that you wish to allow the quarantined machine to access.
• Further, you can also set to automatically revoke the quarantine when the quarantined machine loses connectivity to all the heartbeat machines (Machines that establish connectivity and form a network).

How to revoke a deployed quarantine policy?

In macOS, the quarantine policy revocation can be performed in two ways:

Case 1: Disable NAC Without Uninstalling the NAC Agent

Execute the script with the argument --stop alongside the dependency file and apply the configuration to the relevant machine.

Case 2: Uninstall the NAC Agent Completely

Execute the script with the argument --removeNAC along with the dependency file and apply the configuration to the respective machine (Uninstalling will remove the permissions given for Network Access Control for Mac if they are given manually).

Points to Remember

• This feature is supported on macOS Catalina version 10.15 and above.
• System-wide proxy settings are automatically applied.
• Any application-specific proxy that is to be allowed can be either whitelisted fully by giving their team ID and path, or the IPs or hostname, or just the application names that are to be whitelisted.
• Active directory domains must be whitelisted so that the machine can reach them.
• VPN apps that are being used must be whitelisted so that they can make connections. It can be whitelisted in three ways:
• By giving the team ID of the VPN app to be whitelisted. Note: All the apps associated with the team ID will also be whitelisted.
• By giving only the paths of the VPN app.Note: All binaries and apps in that location will also be whitelisted.
• By giving both the team ID and path.Note: Only the apps and binaries for the given team ID will be whitelisted only if they are located in the specified path.
• If any help links are given, the corresponding hostname or IP must be whitelisted.
• Domains must be whitelisted if needed. Additionally, ensure that the DNS server IP address is also whitelisted.
• To check the team ID, use the command codesign -dv <application path> in the terminal. It will list the corresponding team ID of the application.