# macOS MDM Deployment

The MyZen macOS installer is distributed as a standard `.pkg` file, which can be deployed through any MDM that supports macOS package distribution. This guide covers deployment steps, PPPC configuration profiles, and background items management for each supported MDM platform.

## App & Team Identifiers

{% hint style="info" %}
**Apple Developer Team ID:** `5KPT5U8WVR` (Zenstack Private Limited)

**Bundle Identifiers:**
{% endhint %}

| Variant  | Bundle ID          | Install Path                |
| -------- | ------------------ | --------------------------- |
| Standard | `ai.we360.MyZenV2` | `/Applications/MyZenV2.app` |
| Stealth  | `ai.zs.zs`         | `/usr/local/zs/zs.app`      |

{% hint style="info" %}
**Code Requirement (Stealth):**

{% code overflow="wrap" fullWidth="true" %}

```
identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5KPT5U8WVR"
```

{% endcode %}

To extract the code requirement yourself, run on a Mac with the app installed:

```bash
codesign -dr - /usr/local/zs/zs.app    # Stealth
codesign -dr - /Applications/MyZenV2.app # Standard
```

{% endhint %}

## Important Points for Stealth App Install

{% hint style="danger" %}
**Do not rename the stealth installer file.** The **stealth** installer filename is tied to your organization's license. Renaming it, or allowing extra characters to be appended (e.g. `(1)` or `(2)` from duplicate downloads), will cause the installation to fail.
{% endhint %}

{% hint style="info" %}
If the Stealth App installation fails, check `/tmp/zs-postinstall.log`. If the **PACKAGE\_PATH** variable in the first few lines does not match the package file name as downloaded from the portal, you will need a pre-install script to run on the machine before the package can be installed, because our unique package name contains your tenant/org's license details.

The following preinstall script should work:

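```bash
#!/bin/sh
# Decode the original package name (base64) into the stealth config file.
# Replace <pkg_file_name> with the filename exactly as downloaded from the portal.
basename "<pkg_file_name>" .pkg | base64 --decode | tee /Library/Preferences/zs.json
```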

> If your MDM does not support pre-install scripts, please contact our support team for a custom installer. (Not all custom installer requests may be approved.)

{% endhint %}
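
A pre-upload check for the filename problem described above, as an added example that is not part of the vendor's tooling. It assumes, based on the preinstall script, that the installer name without `.pkg` is base64 of the JSON written to `/Library/Preferences/zs.json`; the sample name and its `org` field are constructed.

```python
import base64
import json
import re
from pathlib import PurePosixPath

# " (1)", " (2)" ... as appended by browsers and Finder to duplicate downloads.
DUPLICATE_SUFFIX = re.compile(r"\s*\(\d+\)$")


def check_stealth_pkg_name(filename):
    """Return (ok, detail) for a stealth installer filename.

    Assumption: the name without ".pkg" is base64 of the JSON that the
    preinstall script writes to /Library/Preferences/zs.json.
    """
    name = PurePosixPath(filename).name
    if not name.endswith(".pkg"):
        return False, "not a .pkg file"
    stem = name[: -len(".pkg")]
    if DUPLICATE_SUFFIX.search(stem):
        return False, "duplicate-download suffix appended to the name"
    try:
        config = json.loads(base64.b64decode(stem, validate=True))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "name does not decode to JSON (renamed by the MDM?)"
    if not isinstance(config, dict):
        return False, "decoded JSON is not an object"
    # Report key names only, so license values never reach MDM or shell logs.
    return True, "decodes to JSON with keys: " + ", ".join(sorted(config))


# Constructed sample: the field name "org" is hypothetical, not the real schema.
SAMPLE_NAME = base64.b64encode(json.dumps({"org": "example"}).encode()).decode() + ".pkg"

if __name__ == "__main__":
    for candidate in (SAMPLE_NAME, SAMPLE_NAME[:-4] + " (1).pkg", "app.pkg", "zs.pkg"):
        print(candidate, "->", check_stealth_pkg_name(candidate))
```

Run it against the file as it sits in the MDM's staging area, not only the copy you downloaded, since the rename can happen at upload time.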

{% hint style="info" %}
**Restart may be required after MDM install.** When installing via MDM, by default our installer tries to start the apps immediately via `launchctl`. This should not fail unless MDM or OS-level controls block it.\
A **logout/login** or **system restart** may be required to work around such scenarios.
{% endhint %}

## macOS Permissions

MyZen requires several macOS privacy permissions. How they are granted depends on whether you use an MDM with PPPC support.

**With MDM (PPPC profile):**

* **Accessibility** — can be pre-approved via a PPPC configuration profile.
* **Browser URL Reading (AppleEvents/Automation)** — can be pre-approved via PPPC per browser. If not granted via PPPC, the user will be prompted to allow browser URL access the first time a browser is used.
* **Screen Recording** **(Optional)** — **cannot** be approved via any MDM. Apple does not allow Screen Recording to be granted programmatically. The end user must approve this manually.

**Without MDM:**

* All permissions will prompt the user at first use.

{% hint style="info" %}
**After granting Screen Recording permission**, the user must perform a **logout/login** or **restart the MyZen/zs app** for the permission to take effect.
{% endhint %}

## Configuration Profiles

Three `.mobileconfig` profiles are provided for MDM deployment. Deploy these **before** installing the agent PKG.

| Profile                     | Filename                                                                                                                                                                     | Purpose                                                                                                                     |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| PPPC (Privacy Preferences)  | [`zs-pppc.mobileconfig`](https://github.com/zenstack-we360/documentation/blob/main/it-ops/agent-deployment-hub/mass-deployment/zs-pppc.mobileconfig)                         | Pre-approves Accessibility, simplifies Screen Recording prompt, and grants browser Automation (AppleEvents) for URL reading |
| Background Items            | [`zs-background-items.mobileconfig`](https://github.com/zenstack-we360/documentation/blob/main/it-ops/agent-deployment-hub/mass-deployment/zs-background-items.mobileconfig) | Suppresses "Background Items Added" notification and prevents users from disabling ZS services (macOS 13+)                  |
| Screen Capture (standalone) | [`zs-screen-capture.mobileconfig`](https://github.com/zenstack-we360/documentation/blob/main/it-ops/agent-deployment-hub/mass-deployment/zs-screen-capture.mobileconfig)     | Standalone Screen Recording PPPC entry — use if you deploy screen capture permissions separately                            |

{% hint style="warning" %}
**PPPC profiles must be delivered via MDM.** Manually installed `.mobileconfig` files (double-clicked by users) **cannot** grant TCC permissions — macOS may ignore TCC payloads from user-installed profiles for security reasons.
{% endhint %}

### Background Items (macOS 13+)

Starting with macOS 13 Ventura, macOS shows a "Background Items Added" notification when an application installs LaunchAgents or LaunchDaemons. Users can disable these from **System Settings > General > Login Items & Extensions**. The background items profile prevents this.

**Managed background items for MyZen:**

| Mode     | Launch Agent Label | Updater Daemon Label       |
| -------- | ------------------ | -------------------------- |
| Standard | `ai.we360.MyZenV2` | `ai.we360.MyZenV2-updater` |
| Stealth  | `ai.zs.zs`         | `ai.zs.zs-updater`         |

The provided profile uses a `TeamIdentifier` rule (`5KPT5U8WVR`) which covers all current and future LaunchAgents/Daemons signed by Zenstack.

### Install Locations

MDM administrators may need these paths for configuration profiles, detection rules, or post-install scripts.

<table data-header-hidden="false" data-header-sticky><thead><tr><th>Item</th><th>Standard App Path</th><th>Stealth App Path</th></tr></thead><tbody><tr><td>Application</td><td><code>/Applications/MyZenV2.app</code></td><td><code>/usr/local/zs/zs.app</code></td></tr><tr><td>Launch Agent</td><td><code>/Library/LaunchAgents/ai.we360.MyZenV2.plist</code></td><td><code>/Library/LaunchAgents/ai.zs.zs.plist</code></td></tr><tr><td>Updater Daemon</td><td><code>/Library/LaunchDaemons/ai.we360.MyZenV2-updater.plist</code></td><td><code>/Library/LaunchDaemons/ai.zs.zs-updater.plist</code></td></tr><tr><td>Config file</td><td><code>-</code></td><td><code>/Library/Preferences/zs.json</code></td></tr><tr><td>Install logs</td><td><code>/tmp/MyZenV2-*.log</code></td><td><code>/tmp/zs-*.log</code></td></tr></tbody></table>

## General Deployment Sequence

Regardless of which MDM you use, follow this order:

1. **Deploy the PPPC profile** (`zs-pppc.mobileconfig`) to target devices.
2. **Deploy the Background Items profile** (`zs-background-items.mobileconfig`) to target devices.
3. **Upload and deploy** the MyZen `.pkg` installer.
4. **Instruct end users** to grant Screen Recording permission when prompted, then logout/login.
5. **Verify** the agent appears online in the We360.ai dashboard.

> **Note:** The PKG is signed by Zenstack Private Limited (Team ID `5KPT5U8WVR`). You may need to add this to your allowed developers list.

***

## MDM Platform Guides

<details>

<summary>Jamf Pro</summary>

**PKG Upload & Deployment**

1. Log in to **Jamf Pro** (`your-instance.jamfcloud.com`).
2. Navigate to **Settings > Computer Management > Packages**.
3. Click **New** to create a new package entry.
4. Upload the MyZen `.pkg` file.
5. Set a **Display Name** (e.g., "MyZenV2 Stealth").
6. Click **Save**.
7. Navigate to **Computers > Policies** and click **New**.
8. Configure the **General** payload:
   * **Display Name:** e.g., "Deploy MyZenV2"
   * **Trigger:** Recurring Check-in (or Enrollment Complete for new devices)
   * **Execution Frequency:** Once per computer
9. Click the **Packages** payload and click **Configure**.
10. Select the uploaded PKG and set the **Action** to **Install**.
11. Click the **Scope** tab and add target computers or smart/static groups.
12. Click **Save**.

**PPPC Profile Deployment**

**Option A — Built-in PPPC builder:**

1. Navigate to **Computers > Configuration Profiles**.
2. Click **New**.
3. Set a **Name** (e.g., "ZS App Permissions").
4. In the left sidebar, click **Privacy Preferences Policy Control**.
5. Click **Add** (+).
6. Fill in the fields:
   * **Identifier:** `ai.zs.zs`
   * **Identifier Type:** Bundle ID
   * **Code Requirement:** paste from `codesign -dr -` output
   * **Static Code:** No
7. Under **App or Service**, click **Add**:
   * Select **Accessibility** and set to **Allow**.
8. Repeat for additional permissions (AppleEvents for each browser).
9. Scope to target computers and **Save**.

**Option B — Upload pre-built profile:**

1. Navigate to **Computers > Configuration Profiles > Upload**.
2. Upload `zs-pppc.mobileconfig`.
3. Scope to target computers and **Save**.

**Background Items**

1. Navigate to **Computers > Configuration Profiles > New**.
2. Upload `zs-background-items.mobileconfig` (or use **Managed Background Items** payload in Jamf Pro 10.44+).
3. Scope and **Save**.

**Verification**

1. Navigate to **Computers > Search Inventory** and select a target device.
2. Go to the **Configuration Profiles** tab — confirm both PPPC and Background Items profiles are installed.
3. Go to the **Applications** tab — confirm MyZenV2 or zs.app is listed.
4. Ask the end user to **logout/login** or **restart**.
5. Verify the endpoint appears online in the **We360.ai dashboard** at `portal.we360.ai`.

{% hint style="info" %}
Jamf Pro preserves the original PKG filename during distribution. Stealth deployments work without issues.
{% endhint %}

</details>

<details>

<summary>Jamf Now</summary>

**PKG Upload & Deployment**

1. Log in to **Jamf Now** (`your-instance.jamfnow.com`).
2. In the left sidebar, click **Apps**.
3. Click **Add an App** and select the **Upload Your App** tab.
4. Drag and drop the MyZen `.pkg` file, or click **browse** to select it.
5. Jamf Now will process the file and show a **Review Your App** dialog.
6. Verify the **App Name** (e.g., "zs") and the **Bundle ID** are correct.
7. Click **Done** to finish the upload.
8. Navigate to **Blueprints** and select the target Blueprint.
9. Go to the **Apps** section and add the uploaded app.
10. Click **Save Blueprint**.
11. Devices assigned to this Blueprint will receive the app at next check-in.

**PPPC Profile Deployment**

1. Navigate to **Blueprints** > target Blueprint.
2. Go to the **Custom Profiles** section.
3. Click **Upload** and select `zs-pppc.mobileconfig`.
4. Click **Save Blueprint**.

{% hint style="danger" %}
**Jamf Now does not have a built-in PPPC profile builder.** You must upload a pre-built `.mobileconfig` file. The profiles provided in this guide are ready to use.
{% endhint %}

{% hint style="warning" %}
**Filename renaming concern:** Jamf Now may rename the uploaded PKG to `app.pkg` during distribution. This breaks MyZen's **stealth** licensing (which is encoded in the filename). Please request a **custom stealth installer** from our team. If one is unavailable, ask our team for the **stealth config `zs.json`** file, which must be placed at `/Library/Preferences/zs.json`.
{% endhint %}

**Background Items**

Upload `zs-background-items.mobileconfig` via the **Custom Profiles** section (same process as PPPC).

**Verification**

1. Navigate to **Blueprints** and select the target Blueprint.
2. Check the **Devices** section — confirm the device appears and app is installed.
3. Ask the end user to **logout/login** or **restart**.
4. Verify the endpoint appears online in the **We360.ai dashboard** at `portal.we360.ai`.

**Limitations**

* Custom Apps and Custom Profiles require the **Jamf Now Plus** plan.
* No Smart Groups or conditional logic — only static Blueprint assignments.
* Limited troubleshooting and logging compared to Jamf Pro.

</details>

<details>

<summary>Addigy</summary>

**PKG Upload & Deployment**

1. Log in to **Addigy** (`app.addigy.com`).
2. Navigate to **Catalog > Software**.
3. Click **New** to create a new software item.
4. Upload the MyZen `.pkg` file.
5. Addigy auto-generates an `_install.sh` script. Review it — typically no changes are needed.
6. Optionally configure a **Condition** to control when the install runs (e.g., only if the app is not already installed).
7. Click **Save**.
8. Navigate to **Policies** and select the target Policy.
9. Add the software item to the Policy's **Catalog**.
10. Devices in that Policy will receive the software.

**PPPC Profile Deployment**

**Option A — Built-in profile builder:**

1. Navigate to **Catalog > MDM Profiles**.
2. Click **New** to create a new profile.
3. Select **Privacy Preferences Policy Control** payload.
4. Configure the fields as described in the Identifiers section above.
5. Click **Save** and add to target Policy.

**Option B — Upload custom profile:**

1. Navigate to **Catalog > MDM Profiles > Custom Profile**.
2. Upload `zs-pppc.mobileconfig`.
3. Add to target Policy.

**Background Items**

Navigate to **Catalog > MDM Profiles** and use the **Service Management - Managed Background Items** payload, or upload `zs-background-items.mobileconfig` as a custom profile.

{% hint style="info" %}
Addigy uses an agent-based architecture for software installs and MDM for profiles. Profile deployment may be slightly slower than software deployment. Addigy preserves the original PKG filename.
{% endhint %}

</details>

<details>

<summary>Mosyle Business</summary>

**PKG Upload & Deployment**

1. Log in to **Mosyle Business** (`business.mosyle.com`).
2. Navigate to **Management** (bottom navigation).
3. Select **Install App**.
4. Click **Add new profile** (top-right).
5. Choose **macOS** as the platform.
6. Select **Enterprise App** (not App Store).
7. Choose **Upload a PKG file** as the source.
8. Upload the MyZen `.pkg` file.
9. Configure:
   * **Installation type:** "Install and keep" or "Install once"
   * **Assignment:** Scope to specific users, devices, or groups.
10. Click **Save**.

**PPPC Profile Deployment**

**Option A — Built-in builder:**

1. Navigate to **Management**.
2. Select **Privacy & Security > Privacy Preferences**.
3. Click **Add new profile**.
4. Configure with the identifiers and code requirements above.
5. Scope and **Save**.

**Option B — Custom profile upload:**

1. Navigate to **Management > Custom MDM Profiles**.
2. Upload `zs-pppc.mobileconfig`.
3. Scope and **Save**.

**Background Items**

Use the **Managed Background Items** profile under the macOS 13+ management section, or upload `zs-background-items.mobileconfig` as a custom profile.

{% hint style="warning" %}
MyZen is a custom app — use the **Enterprise App** path, not "Auto Apps." Ensure the Package Identifier matches exactly to avoid reinstallation loops.
{% endhint %}

</details>

<details>

<summary>Kandji</summary>

**PKG Upload & Deployment**

1. Log in to **Kandji** (`your-tenant.kandji.io`).
2. Navigate to **Library**.
3. Click **Add New** and select **Custom App**.
4. Upload the MyZen `.pkg` file.
5. Configure:
   * **Install Type:** "Install once per device" or "Continuously enforce"
   * **Audit Script (optional):**

     ```bash
     #!/bin/bash
     if [ -d "/usr/local/zs/zs.app" ]; then
       exit 0  # Installed
     else
       exit 1  # Not installed, trigger reinstall
     fi
     ```
6. Click **Save**.
7. Navigate to **Blueprints** and add the Custom App to the target Blueprint.

**PPPC Profile Deployment**

**Option A — Native PPPC builder:**

1. Navigate to **Library**.
2. Click **Add New** and select **Privacy Preferences**.
3. Configure with identifiers and code requirements above.
4. Toggle Accessibility to **Allow**.
5. Click **Save** and add to target Blueprint.

**Option B — Custom profile upload:**

1. Navigate to **Library > Add New > Custom Profile**.
2. Upload `zs-pppc.mobileconfig`.
3. Add to target Blueprint.

**Background Items**

Use the dedicated **Managed Background Items** library item. Kandji provides a UI to configure rules by label, bundle ID, or team ID. Add Team ID `5KPT5U8WVR`.

{% hint style="info" %}
Kandji's "Continuously enforce" mode will reinstall the app if the audit script fails — useful for ensuring the agent stays installed. Kandji preserves the original PKG filename.
{% endhint %}

</details>

<details>

<summary>Hexnode UEM</summary>

**PKG Upload & Deployment**

1. Log in to **Hexnode UEM** (`your-instance.hexnodemdm.com`).
2. Navigate to **Apps > +Add Apps > Enterprise App**.
3. Select **macOS** as the platform.
4. Upload the MyZen `.pkg` file.
5. Provide a **Name** and optional description.
6. Click **Add**.
7. Navigate to **Policies > New Policy** (or edit an existing one).
8. Go to **macOS > App Management > Mandatory Apps**.
9. Select the uploaded app.
10. Navigate to **Policy Targets** and assign to device groups.
11. Click **Save**.

**PPPC Profile Deployment**

1. Navigate to **Policies > New Policy** (or edit existing).
2. Go to **macOS > Security > Privacy Preferences**.
3. Click **Configure**.
4. Add a new app entry:
   * **Bundle Identifier:** `ai.zs.zs`
   * **Code Requirement:** paste from `codesign -dr -` output
   * **Permissions:** Toggle Accessibility to **Grant**.
5. Assign the policy to target devices/groups.
6. Click **Save**.

**Background Items**

Use **Policies > macOS > Security > Managed Background Items** (Hexnode 7.8+).

{% hint style="info" %}
Hexnode preserves the original PKG filename. PPPC profiles require the MDM channel (not the agent channel).
{% endhint %}

</details>

<details>

<summary>SimpleMDM</summary>

**PKG Upload & Deployment**

1. Log in to **SimpleMDM** (`a.simplemdm.com`).
2. Navigate to **Apps** in the left sidebar.
3. Click **Add App** and choose **Custom App** (Enterprise App).
4. Upload the MyZen `.pkg` file.
5. Configure:
   * **Name:** e.g., "MyZenV2"
   * **Deploy automatically:** Toggle on if desired.
6. Click **Save**.
7. Navigate to **Device Groups** and assign the app.

**PPPC Profile Deployment**

**Option A — Native PPPC builder:**

1. Navigate to **Profiles** in the left sidebar.
2. Click **Create Profile**.
3. Select **Privacy Preferences** payload.
4. Configure with identifiers and code requirements above.
5. Click **Save** and assign to a Device Group.

**Option B — Custom profile upload:**

1. Navigate to **Profiles > Create Profile > Custom**.
2. Upload `zs-pppc.mobileconfig`.
3. Assign to a Device Group.

**Background Items**

Use **Profiles > Create Profile > Managed Background Items**, or upload `zs-background-items.mobileconfig` as a custom profile.

{% hint style="info" %}
SimpleMDM preserves the original PKG filename. No Smart Groups — only static Device Group assignments.
{% endhint %}

</details>

<details>

<summary>ManageEngine Endpoint Central</summary>

ManageEngine Endpoint Central (formerly Desktop Central) is part of the Zoho ManageEngine suite and supports macOS MDM enrollment, app deployment, and configuration profiles.

**Step 1 — Enroll macOS Devices**

Before deploying apps or profiles, devices must be MDM-enrolled:

1. Log in to **ManageEngine Endpoint Central** (cloud: `endpointcentral.manageengine.com`, or your on-premise URL).
2. Navigate to **MDM > Enrollment > Apple Enrollment**.
3. Ensure your **Apple Push Notification (APNs)** certificate is valid and uploaded.
4. Choose an enrollment method:
   * **Open Enrollment Link** — share a URL with users to self-enroll.
   * **Apple Business Manager (ABM)** — for zero-touch automated enrollment.
   * **Email Invitation** — send enrollment invitations to users.
5. Enrolled devices will appear under **MDM > Inventory > Devices**.

**Step 2 — Deploy PPPC Profile (Before PKG)**

**Option A — Built-in macOS PPPC Policy (recommended):**

ManageEngine Endpoint Central has a native **macOS PPPC Policy** builder under its configuration management:

1. Navigate to **Configuration > macOS PPPC Policy**.
2. Click **Create Collection** (or **Add Configuration**).
3. Fill in:
   * **Collection Name:** e.g., "zen-apps-access-grants" (internal reference)
   * **Description:** "Allow permissions of Accessibility and per browser grants"
   * **Category:** macOS PPPC Policy
   * **Platform:** Mac
4. Under the first app entry, configure the **ZS agent**:
   * **Identifier:** `ai.zs.zs`
   * **Code sign requirement:** `identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5KPT5U8WVR"`
   * **Static code validation:** No
   * **Allowed permissions:** Accessibility
   * **Other permissions:** User Controlled
5. Add **browser entries** for AppleEvents (URL reading). Click **Add** for each browser:
   * **Google Chrome:**
     * Identifier: `com.google.Chrome`
     * Code sign requirement: `identifier "com.google.Chrome" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV`
     * Static code validation: No
   * **Safari:**
     * Identifier: `com.apple.Safari`
     * Code sign requirement: `identifier "com.apple.Safari" and anchor apple`
     * Static code validation: No
6. Click **Save**.
7. Navigate to **Targets** and select the target scope (Remote Office, custom groups, or individual devices).
8. Click **Deploy** / **Associate**.
9. Check the **Execution Status** — devices should show "Succeeded" after next check-in.

**Option B — Custom profile upload:**

1. Navigate to **Configuration > Profiles & Policies > macOS**.
2. Click **Create Profile** and select **Custom Configuration**.
3. Upload `zs-pppc.mobileconfig`.
4. Click **Save** and associate with target groups/devices.

**Step 3 — Deploy Background Items Profile**

1. Navigate to **MDM > Configuration > Profiles & Policies**.
2. Click **Create Profile** and select **macOS**.
3. Name: e.g., "ZS Background Items".
4. Select **Custom Configuration** as the payload type.
5. Upload `zs-background-items.mobileconfig`.
6. Click **Save**.
7. Associate with the same target groups/devices as the PPPC profile.

**Step 4 — Upload and Deploy the PKG**

{% hint style="danger" %}
**ManageEngine renames uploaded PKG files internally.** The stealth installer's filename contains the encoded license key, so a rename breaks installation. You **must** use a custom installation command that renames the file back to the original before running `installer`. See the installation command below.
{% endhint %}

1. Navigate to **Software Deployment > Packages > Add Package**.
2. Select **Mac** as the platform.
3. Fill in:
   * **Application Name:** e.g., "zs-mac" (internal reference only)
   * **Version:** Current version (e.g., "4.x")
   * **Vendor:** `ai.zs`
   * **Package License Type:** Commercial
   * **Path Type:** "This computer (used across multiple remote offices)"
4. Upload **two files**:
   * The MyZen `.pkg` installer (e.g., `zs.pkg`)
   * The uninstallation script (`remove_myzenv2_Version3.sh`) — download this from the We360.ai admin portal
5. Set the **Installation Command** to rename the file back to its original name before installing:

   ```bash
   mv "./zs.pkg" "./<CUSTOM_INSTALLER_PREFIX>.pkg" && installer -pkg "./<CUSTOM_INSTALLER_PREFIX>.pkg" -target "/"
   ```

   Replace `<CUSTOM_INSTALLER_PREFIX>` with the **exact original filename** of your stealth PKG (without the `.pkg` extension). This is the filename as downloaded from the We360.ai portal.
6. Set the **Uninstallation Command** to:

   ```bash
   /bin/sh remove_myzenv2_Version3.sh
   ```
7. Click **Save**.
8. Navigate to **Software Deployment > Deploy** and create a new deployment configuration.
9. Select the package and target the same groups/devices as your profiles.
10. Deploy.

{% file src="/files/FiA6hwqTgyo7JMJ48Jwn" %}
ManageEngine Endpoint Central — Package configuration reference (PDF)
{% endfile %}

{% file src="/files/HF2nwFjOnS8z8Qv9yYlf" %}
ManageEngine Endpoint Central — PPPC policy configuration reference (PDF)
{% endfile %}

**Step 5 — Verify Deployment**

1. Navigate to **MDM > Inventory > Devices** and select a target device.
2. Check the **Profiles** tab — both PPPC and Background Items profiles should show as **Installed**.
3. Check the **Apps** tab — the MyZen app should show as **Installed**.
4. Ask the end user to **logout/login** or **restart** for the agent to start.
5. Verify the endpoint appears online in the **We360.ai dashboard** at `portal.we360.ai`.

{% hint style="info" %}
**Cloud vs. on-premise:** ManageEngine Endpoint Central supports both cloud and on-premise deployments. The navigation paths above apply to both. Ensure your instance has the **macOS MDM module** enabled (it is a separately licensed module in some editions).
{% endhint %}

{% hint style="warning" %}
**APNs certificate renewal:** Your Apple Push Notification certificate must be renewed annually. If it expires, MDM communication with all macOS/iOS devices will break. Set a calendar reminder 30 days before expiration. Navigate to **MDM > Enrollment > Apple Enrollment > APNs Certificate** to check the expiry date.
{% endhint %}

</details>

***

## Platform Comparison

| Feature                          | Jamf Pro | Jamf Now           | Addigy | Mosyle | Kandji | Hexnode | SimpleMDM | ManageEngine       |
| -------------------------------- | -------- | ------------------ | ------ | ------ | ------ | ------- | --------- | ------------------ |
| PKG upload                       | Yes      | Yes (Plus)         | Yes    | Yes    | Yes    | Yes     | Yes       | Yes                |
| Preserves PKG filename           | Yes      | Verify             | Yes    | Yes    | Yes    | Yes     | Yes       | Yes                |
| Native PPPC builder              | Yes      | No                 | Yes    | Yes    | Yes    | Yes     | Yes       | Yes                |
| Custom .mobileconfig upload      | Yes      | Yes (Plus)         | Yes    | Yes    | Yes    | Yes     | Yes       | Yes                |
| Background Items Management      | Yes      | Via custom profile | Yes    | Yes    | Yes    | Yes     | Yes       | Via custom profile |
| Smart Groups / conditional logic | Yes      | No                 | Yes    | Yes    | Yes    | Yes     | No        | Yes                |

***

## Supported Browsers for AppleEvents (URL Reading)

The PPPC profile (`zs-pppc.mobileconfig`) includes AppleEvents entries for the following browsers. This allows MyZen to read the active browser URL without triggering an Automation permission prompt for the user.

```
==================================================
       Browser Bundle ID & Codesign Report
==================================================

App:        Google Chrome
Bundle ID:  com.google.Chrome
Team ID:    EQHXZ8M8AV

App:        Safari
Bundle ID:  com.apple.Safari
Signing:    Apple system-signed

App:        Microsoft Edge
Bundle ID:  com.microsoft.edgemac
Team ID:    UBF8T346G9

App:        Firefox
Bundle ID:  org.mozilla.firefox
Team ID:    43AQ936H96

App:        Brave Browser
Bundle ID:  com.brave.Browser
Team ID:    KL8N8XSYF4

App:        Arc
Bundle ID:  company.thebrowser.Browser
Team ID:    S6N382Y83G

App:        Vivaldi
Bundle ID:  com.vivaldi.Vivaldi
Team ID:    4XF3XNRN6Y

App:        Opera / Opera GX
Bundle ID:  com.operasoftware.Opera / com.operasoftware.OperaGX
Signing:    Certificate leaf hash

App:        DuckDuckGo
Bundle ID:  com.duckduckgo.macos.browser
Team ID:    HKE973VLUW

App:        Chromium
Bundle ID:  org.chromium.Chromium
Signing:    Developer ID (no Team ID constraint)

App:        Orion (Kagi)
Bundle ID:  com.kagi.kagimacOS
Team ID:    TFVG979488

App:        Dia
Bundle ID:  company.thebrowser.dia
Team ID:    S6N382Y83G

App:        Aloha
Bundle ID:  com.alohabrowser.alohabrowser
Team ID:    DBVBNXAA55

==================================================
```

{% hint style="info" %}
If a browser used in your organization is not listed above, you can add an additional `AppleEvents` entry to the PPPC profile using the browser's bundle ID and code requirement. Run `codesign -dr - /Applications/BrowserName.app` to obtain the values.
{% endhint %}

***

## PPPC Profile Contents

Below is the full content of the `zs-pppc.mobileconfig` file for reference:

<details>

<summary>zs-pppc.mobileconfig (click to expand)</summary>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures Privacy Preferences for the ZS agent and supported browsers.</string>
            <key>PayloadDisplayName</key>
            <string>ZS Privacy Preferences</string>
            <key>PayloadIdentifier</key>
            <string>ai.zs.pppc</string>
            <key>PayloadOrganization</key>
            <string>Zenstack Private Limited</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>A1B2C3D4-E5F6-7890-ABCD-EF1234567890</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>Accessibility</key>
                <array>
                    <dict>
                        <key>Authorization</key>
                        <string>Allow</string>
                        <key>Identifier</key>
                        <string>ai.zs.zs</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>CodeRequirement</key>
                        <string>identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5KPT5U8WVR"</string>
                    </dict>
                </array>
                <key>ScreenCapture</key>
                <array>
                    <dict>
                        <key>Authorization</key>
                        <string>AllowStandardUserToSetSystemService</string>
                        <key>Identifier</key>
                        <string>ai.zs.zs</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>CodeRequirement</key>
                        <string>identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5KPT5U8WVR"</string>
                    </dict>
                </array>
                <key>AppleEvents</key>
                <array>
                    <!-- Entries for Chrome, Safari, Edge, Firefox, Brave, Arc, Vivaldi, Opera, DuckDuckGo, Chromium, Orion, Dia, Aloha -->
                    <!-- See the full file for all browser entries -->
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>ZS — Privacy Preferences</string>
    <key>PayloadIdentifier</key>
    <string>ai.zs.profile.pppc</string>
    <key>PayloadOrganization</key>
    <string>Zenstack Private Limited</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>F1E2D3C4-B5A6-9870-FEDC-BA0987654321</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```

</details>

<details>

<summary>zs-background-items.mobileconfig (click to expand)</summary>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.servicemanagement</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>ai.zs.servicemanagement</string>
            <key>PayloadUUID</key>
            <string>B2C3D4E5-F6A7-8901-BCDE-F12345678901</string>
            <key>PayloadDisplayName</key>
            <string>ZS — Managed Background Items</string>
            <key>Rules</key>
            <array>
                <dict>
                    <key>RuleType</key>
                    <string>TeamIdentifier</string>
                    <key>RuleValue</key>
                    <string>5KPT5U8WVR</string>
                    <key>Comment</key>
                    <string>Allow all ZS app background items</string>
                </dict>
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>ZS — Background Items Management</string>
    <key>PayloadIdentifier</key>
    <string>ai.zs.profile.servicemanagement</string>
    <key>PayloadOrganization</key>
    <string>Zenstack Private Limited</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>C3D4E5F6-A7B8-9012-CDEF-123456789012</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```

</details>

<details>

<summary>zs-screen-capture.mobileconfig (click to expand)</summary>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Screen Capture PPPC entry for the ZS agent.</string>
            <key>PayloadDisplayName</key>
            <string>ZS — Screen Recording Permission</string>
            <key>PayloadIdentifier</key>
            <string>ai.zs.pppc.screencapture</string>
            <key>PayloadOrganization</key>
            <string>Zenstack Private Limited</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>D4E5F6A7-B8C9-0123-DEFA-234567890123</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>ScreenCapture</key>
                <array>
                    <dict>
                        <key>Authorization</key>
                        <string>AllowStandardUserToSetSystemService</string>
                        <key>Identifier</key>
                        <string>ai.zs.zs</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>CodeRequirement</key>
                        <string>identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5KPT5U8WVR"</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>ZS — Screen Recording</string>
    <key>PayloadIdentifier</key>
    <string>ai.zs.profile.pppc.screencapture</string>
    <key>PayloadOrganization</key>
    <string>Zenstack Private Limited</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>E5F6A7B8-C9D0-1234-EFAB-345678901234</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```

</details>
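A pre-upload lint for the three profiles above, as an added example rather than vendor-supplied tooling. It checks that every PPPC entry's `CodeRequirement` names its own `Identifier` and is pinned to the Team ID stated on this page, that `ScreenCapture` is not set to `Allow` (macOS does not accept that value from a profile), and that the background-items rule names the same team. The function names and the `sample()` input are constructed for illustration.

```python
import plistlib
import sys

TEAM_ID = "5KPT5U8WVR"  # Team ID stated on this page
TCC = "com.apple.TCC.configuration-profile-policy"
SM = "com.apple.servicemanagement"
USER_APPROVED_ONLY = {"ScreenCapture", "ListenEvent"}  # a profile cannot set Allow here
PAGE_REQ = ('identifier "ai.zs.zs" and anchor apple generic and certificate '
            '1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate '
            'leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate '
            'leaf[subject.OU] = "5KPT5U8WVR"')

def lint_profile(raw: bytes) -> list:
    """Return findings for one unsigned .mobileconfig; an empty list means it passed."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    findings = []
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    if len(set(uuids)) != len(uuids):
        findings.append("duplicate PayloadUUID")
    for p in payloads:
        if p.get("PayloadType") == TCC:
            for service, entries in p.get("Services", {}).items():
                for e in entries:
                    req = e.get("CodeRequirement", "")
                    if f'identifier "{e.get("Identifier")}"' not in req:
                        findings.append(f"{service}: CodeRequirement does not name Identifier")
                    if f'certificate leaf[subject.OU] = "{TEAM_ID}"' not in req:
                        findings.append(f"{service}: CodeRequirement not pinned to {TEAM_ID}")
                    if service in USER_APPROVED_ONLY and e.get("Authorization") == "Allow":
                        findings.append(f"{service}: Allow is not valid in a profile")
        elif p.get("PayloadType") == SM:
            for rule in p.get("Rules", []):
                if rule.get("RuleType") == "TeamIdentifier" and rule.get("RuleValue") != TEAM_ID:
                    findings.append("background item rule names a different team")
    return findings

def sample(service, auth, req):  # constructed test input, not a file from this page
    entry = {"Identifier": "ai.zs.zs", "IdentifierType": "bundleID",
             "Authorization": auth, "CodeRequirement": req}
    inner = {"PayloadType": TCC, "PayloadUUID": "00000000-0000-0000-0000-000000000002",
             "Services": {service: [entry]}}
    return plistlib.dumps({"PayloadUUID": "00000000-0000-0000-0000-000000000001",
                           "PayloadContent": [inner]})

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, lint_profile(fh.read()) or "ok")
```

Run it with the `.mobileconfig` paths as arguments before uploading to the MDM. A profile that has already been signed is CMS-wrapped and has to be unwrapped before `plistlib` can read it.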

