Deploying Coro to macOS devices with Microsoft Intune

This guide describes how to deploy the Coro Agent to your macOS endpoints through the Microsoft Intune endpoint management platform.

To successfully deploy Coro to macOS endpoints via Intune, you need to:

  1. Deploy a configuration profile for full disk access permissions
  2. Deploy a configuration profile to automatically enable Coro notifications
  3. Deploy a configuration profile to automatically approve Coro system extensions
  4. Deploy a configuration profile to automatically approve Coro Network Filter extension
  5. Prepare a shell script for deploying the Coro Agent
  6. Create the deployment in Intune

Important

Steps 1 to 4 are optional and designed to minimize user intervention for a silent deployment. If your organizational policies limit such configuration settings, skip straight to steps 5 and 6.

If you do proceed with steps 1 to 4, make sure you force-synchronize the profiles to your macOS endpoint devices after each step.

Deploying a configuration profile for full disk access permissions

Perform the following steps:

  1. Sign into the Microsoft Intune admin center at https://intune.microsoft.com.
  2. Go to Devices > Configuration profiles:

    Selecting Devices > Configuration profiles

  3. In the Policies tab, select Create > New Policy:

    Creating a new policy

    The Create a profile dialog appears:

    Create a profile dialog

  4. In the Platform dropdown, select macOS. Then, for Profile type, select Templates.
  5. From the list of templates, select Device restrictions, then select Create:

    Selecting the Device restrictions template

    The Device restrictions profile dialog appears, starting at the Basics step:

    Device restrictions dialog - Basics

  6. Enter the following details for the new profile:
    • Name: Enter a suitable name. For example, "Coro Full Disk Access".
    • Description: (Optional) Enter a suitable short description.
  7. Select Next to continue to the Configuration settings step:

    Device restrictions dialog - Configuration settings

  8. Expand the Privacy preferences section, then select Add:

    Privacy preferences

    The Add Row dialog appears:

    Add row dialog

  9. Enter the following details:
    Field | Value
    Name | Coro Endpoint Protection
    Identifier type | Select Bundle ID
    Identifier | net.coro.endsec.Coro
    Code requirement | anchor apple generic and identifier "net.coro.endsec.Coro" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E3P52EVK39)
    Reminders | Select Allow
    Full disk access | Select Allow
    System admin files | Select Allow

    Note

    Leave all remaining settings as their default values.

  10. Select Save.
  11. In the Privacy preferences section, select Add again to add a second row with the following new settings:
    Field | Value
    Name | Coro Endpoint Protection
    Identifier type | Select Bundle ID
    Identifier | net.coro.endsec.CoroService
    Code requirement | anchor apple generic and identifier "net.coro.endsec.CoroService" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E3P52EVK39)
    Reminders | Select Allow
    Full disk access | Select Allow
    System admin files | Select Allow

    Note

    Leave all remaining settings as their default values.

  12. Select Save.

    Your Privacy preferences section should now resemble the following:

    Completed Privacy preferences

  13. Select Next to continue to the Assignments step:

    Device restrictions dialog - Assignments

  14. Use the available options to select your required macOS devices.
  15. Select Next to continue to the Review + create step.
  16. Review your settings, then select Create:

    Device restrictions dialog - Review and Create

Note

On your macOS devices, the Coro Agent software might not show as having full disk access in System Preferences > Security and Privacy. However, the agent shows correctly in System Preferences > Profiles.

Deploying a configuration profile to automatically enable Coro notifications

Perform the following steps:

  1. Sign into the Microsoft Intune admin center at https://intune.microsoft.com.
  2. Go to Devices > Configuration profiles:

    Selecting Devices > Configuration profiles

  3. In the Policies tab, select Create > New Policy:

    Create a new policy

    The Create a profile dialog appears:

    Create a profile

  4. In the Platform dropdown, select macOS. Then, for Profile type, select Settings catalog.
  5. Select Create.

    The Create profile dialog appears, starting at the Basics step:

    Create profile dialog - Basics

  6. Enter the following details for the new profile:
    • Name: Enter a suitable name. For example, "Auto enable Coro notifications".
    • Description: (Optional) Enter a suitable short description.
  7. Select Next to continue to the Configuration settings step:

    Create profile dialog - Configuration settings

  8. Select + Add settings.

    The Settings picker dialog appears:

    Settings picker dialog

  9. From the category list, select User Experience > Notifications. Then select Select all these settings:

    Select all settings

  10. Select X at the top-right to close the Settings picker dialog.
  11. In the Notification Settings section, select + Edit instance:

    Select Edit instance

    The Configure instance dialog appears:

    Create profile dialog - Assignments

  12. In Bundle Identifier, enter "net.coro.endsec.Coro". Leave all other settings as their default values.
  13. Select Save to save your changes and close the Configure instance dialog.
  14. In the Create profile dialog, select Next to continue to the Scope tags step.

    Leave all settings in this step as their default values.

  15. Select Next to continue to the Assignments step:

    Create profile dialog - Assignments

  16. Use the available options to select your required macOS devices.
  17. Select Next to continue to the Review + create step.
  18. Review your settings, then select Create:

    Create profile dialog - Review and Create

Deploying a configuration profile to automatically approve Coro system extension

Perform the following steps:

  1. Sign into the Microsoft Intune admin center at https://intune.microsoft.com.
  2. Go to Devices > Configuration profiles:

    Selecting Devices > Configuration profiles

  3. In the Policies tab, select Create > New Policy:

    Create a new policy

    The Create a profile dialog appears:

    Create a profile

  4. In the Platform dropdown, select macOS. Then, for Profile type, select Settings catalog.
  5. Select Create.

    The Create profile dialog appears, starting at the Basics step:

    Create profile dialog - Basics

  6. Enter the following details for the new profile:
    • Name: Enter a suitable name. For example, "Auto approve Coro extensions".
    • Description: (Optional) Enter a suitable short description.
  7. Select Next to continue to the Configuration settings step:

    Create profile dialog - Configuration settings

  8. Select + Add settings.

    The Settings picker dialog appears:

    Settings picker dialog

  9. From the category list, select System Configurations > System Extensions. Then, select Allow User Overrides and Allowed Team Identifiers:

    Select System Extension settings

  10. Select X at the top-right to close the Settings picker dialog.
  11. In the System Extensions section, enter "E3P52EVK39" in the textbox under Allowed Team Identifiers, then set Allow User Overrides to False:

    Enter a team identifier

  12. Select Next to continue to the Scope tags step.

    Leave all settings in this step as their default values.

  13. Select Next to continue to the Assignments step:

    Create profile dialog - Assignments

  14. Use the available options to select your required macOS devices.
  15. Select Next to continue to the Review + create step.
  16. Review your settings, then select Create:

    Create profile dialog - Review and Create
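
To confirm on an endpoint that the profile took effect, the following added example (not part of Coro's documentation) parses the output of systemextensionsctl list and reports any extension signed by team E3P52EVK39 that is not in the [activated enabled] state. The function names and the sample rows are constructed for illustration, and the row layout of the command output is an assumption.

```shell
#!/bin/sh
# Added example, not from Coro's documentation. It assumes the row layout that
# `systemextensionsctl list` prints: teamID, bundleID (version), name, [state].
TEAM_ID="E3P52EVK39"   # the Allowed Team Identifier entered in step 11

# Read the command output on stdin and print "<bundle id><TAB><state>" for
# every extension row whose team ID column equals $1.
team_extensions() {
    awk -v team="$1" '{
        for (i = 1; i < NF; i++) if ($i == team) {
            state = "[unknown]"
            if (match($0, /\[[^]]*\][ \t]*$/)) state = substr($0, RSTART, RLENGTH)
            sub(/[ \t]+$/, "", state)
            print $(i + 1) "\t" state
            break
        }
    }'
}

# Read team_extensions output on stdin and print the rows that are not fully
# active. Succeeds only if at least one row was seen and none was printed.
pending_extensions() {
    awk -F'\t' '{ seen = 1 }
        $2 != "[activated enabled]" { bad = 1; print }
        END { exit !(seen && !bad) }'
}

# Run on an endpoint after the profile has synchronized.
check_endpoint() {
    systemextensionsctl list | team_extensions "$TEAM_ID" | pending_extensions
}

# Constructed sample output for trying the functions offline. Bundle IDs,
# versions and names are made up; the real command separates columns with tabs.
SAMPLE='2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * E3P52EVK39 net.example.agent.es (1.0/1) Example ES [activated enabled]
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
  E3P52EVK39 net.example.agent.filter (1.0/1) Example Filter [activated waiting for user]'
```

A row left in a state such as [activated waiting for user] means the endpoint is still asking the user to approve the extension, which usually indicates the profile has not synchronized to that device yet.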

Deploying a configuration profile to automatically approve Coro Network Filter extension

Perform the following steps:

  1. Sign into the Microsoft Intune admin center at https://intune.microsoft.com.
  2. Go to Devices > Configuration profiles:

    Selecting Devices > Configuration profiles

  3. In the Policies tab, select Create > New Policy:

    Create a new policy

    The Create a profile dialog appears:

    Create a profile

  4. In the Platform dropdown, select macOS. Then, for Profile type, select Settings catalog.
  5. Select Create.

    The Create profile dialog appears, starting at the Basics step:

    Create profile dialog - Basics

  6. Enter the following details for the new profile:
    • Name: Enter a suitable name. For example, "Auto approve Coro network extension".
    • Description: (Optional) Enter a suitable short description.
  7. Select Next to continue to the Configuration settings step:

    Create profile dialog - Configuration settings

  8. Select + Add settings.

    The Settings picker dialog appears:

    Settings picker dialog

  9. From the category list, select Web Content Filter. Then, select the following settings:
    • Filter Data Provider Bundle Identifier
    • Filter Data Provider Designated Requirement
    • Filter Grade
    • Filter Packets
    • Filter Sockets
    • Plugin Bundle ID
    • User Defined Name

    Select Web Content Filter settings

  10. Select X at the top-right to close the Settings picker dialog.
  11. In the Web Content Filter section, enter the following settings:
    Setting | Value
    Filter Data Provider Bundle Identifier | net.coro.endsec.TrafficService
    Filter Data Provider Designated Requirement | anchor apple generic and identifier "net.coro.endsec.Coro" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E3P52EVK39)
    Filter Grade | firewall
    Filter Packets | False
    Filter Sockets | True
    Plugin Bundle ID | net.coro.endsec.Coro
    User Defined Name | Coro Network Protector

    Enter Web Content Filter settings

  12. Select Next to continue to the Scope tags step.

    Leave all settings in this step as their default values.

  13. Select Next to continue to the Assignments step:

    Create profile dialog - Assignments

  14. Use the available options to select your required macOS devices.
  15. Select Next to continue to the Review + create step.
  16. Review your settings, then select Create:

    Create profile dialog - Review and Create

Preparing a shell script for deploying the Coro Agent

To silently deploy the Coro Agent to macOS devices via Intune, Coro recommends using a shell script rather than the native app deployment process. This is because Coro Agent installer filenames contain activation codes. Microsoft Intune modifies installer filenames during app deployment, causing macOS devices to fail to register with a Coro workspace.

Coro provides a predefined script template and guidance in this article: Using a shell script to deploy Coro to macOS devices.

Make sure you modify the template script with your workspace-specific Agent download URL and installer filename. Save the personalized script as a text file to your local workstation, then proceed to the next step.

Note

Coro recommends testing the script first by manually running it against a single device prior to activating it for mass deployment.
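
Because the deployment below runs the script with "Run script as signed-in user" set to No, the installer executes with elevated privileges, so it is worth checking who signed it first. The following added example is not Coro's template: it keeps the installer filename unchanged, verifies that the package is signed by team E3P52EVK39 and only then installs it. The URL and filename are placeholders, a .pkg installer is assumed, and the parsing assumes the report layout that pkgutil --check-signature prints.

```shell
#!/bin/sh
# Added example, not Coro's template. The URL and filename are placeholders,
# a .pkg installer is assumed, and the parsing assumes the report layout that
# `pkgutil --check-signature` prints for Developer ID-signed packages.
PKG_URL="https://example.invalid/REPLACE-WITH-WORKSPACE-DOWNLOAD-URL"
PKG_NAME="REPLACE-WITH-EXACT-INSTALLER-FILENAME.pkg"  # do not rename: carries the activation code
EXPECTED_TEAM_ID="E3P52EVK39"                         # team identifier used on this page

# Read a pkgutil signature report on stdin and print the Team ID of the leaf
# certificate, i.e. the line "1. Developer ID Installer: <name> (<TEAMID>)".
leaf_team_id() {
    sed -n 's/^[ ]*1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))[ ]*$/\1/p' | head -n 1
}

# $1 = signature report, $2 = expected Team ID. Succeeds only for a package
# signed with an Apple-issued developer certificate belonging to that team.
signature_ok() {
    case "$1" in
        *"Status: signed by a developer certificate issued by Apple"*) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$1" | leaf_team_id)" = "$2" ]
}

install_agent() {
    workdir=$(mktemp -d) || return 1
    pkg="$workdir/$PKG_NAME"
    status=1
    if curl --fail --silent --show-error --location --proto '=https' \
            --output "$pkg" "$PKG_URL" &&
       report=$(pkgutil --check-signature "$pkg") &&
       signature_ok "$report" "$EXPECTED_TEAM_ID"; then
        installer -pkg "$pkg" -target / && status=0
    else
        echo "download failed or signer is not $EXPECTED_TEAM_ID; not installing" >&2
    fi
    rm -rf "$workdir"
    return "$status"
}

# Intune runs the script without arguments; act only on macOS endpoints.
if [ "$(uname -s)" = "Darwin" ]; then
    install_agent
fi
```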

Creating the deployment in Intune

Perform the following steps:

  1. Sign into the Microsoft Intune admin center at https://intune.microsoft.com.
  2. Go to Devices > Scripts:

    Selecting Devices > Scripts

  3. Select + Add > macOS:

    Add a new script

    The Add script dialog appears, on the Basics step:

    Add script dialog - Basics

  4. Enter the following details for the new script:
    • Name: Enter a suitable name. For example, "Coro Agent macOS deployment".
    • Description: (Optional) Enter a suitable short description.
  5. Select Next to continue to the Script settings step.
  6. Select Select a file:

    Add script dialog - Script settings

  7. Browse to and select your prepared script (see Preparing a shell script for deploying the Coro Agent).

    Intune displays the script contents in the read-only editor pane:

    Add script dialog - Script loaded

  8. Configure the following settings:
    Setting | Value
    Run script as signed-in user | No
    Hide script notifications on devices | Yes
    Script frequency | Every 15 minutes
    Max number of times to retry if script fails | 2 times

    Note

    Script frequency and Max number of times to retry if script fails are optional settings. The values provided here are suggested by Coro, but should be adjusted to meet your organization's needs.

  9. Select Next to continue to the Assignments step:

    Add script dialog - Assignments

  10. Use the available options to select your required macOS devices.
  11. Select Next to continue to the Review + add step.
  12. Review your settings, then select Add:

    Add script dialog - Review and add