Configuration profile for Kaspersky Endpoint Security for Mac
Show applications and versions that this article concerns
- Kaspersky Endpoint Security 12.1 for Mac (version 12.1.0.553)
- Kaspersky Endpoint Security 12 for Mac (version 12.0.0.325)
- Kaspersky Endpoint Security 11.3.0 for Mac (version 11.3.0.320)
- Kaspersky Endpoint Security 11.2.1 for Mac (version 11.2.1.145)
- Kaspersky Endpoint Security 11.2.0 for Mac (version 11.2.0.185)
- Kaspersky Endpoint Security 11.1.0 for Mac (version 11.1.0.210)
- Kaspersky Endpoint Security 11.0.1 for Mac (version 11.0.1.753)
The guide below is only applicable to JAMF- and macOS servers. For other servers, use this guide.
Before remote installation of Kaspersky Endpoint Security for Mac:
- For versions 12.1, 12 and 11.3.0, download the KES_11.3_profile.zip archive. Extract and apply the Configuration Profile for Kaspersky Endpoint Security for macOS11+.mobileconfig using the JAMF remote administration tool.
- For version 11.2.0:
- Download the KES_11.2_ARM_profile.zip archive for devices with ARM architecture (M1). Extract and apply the configuration profile KES_11.2_ARM_profile.mobileconfig.
- Download the KES_11_profile.zip archive for devices with 64-bit systems. Extract and apply the configuration profile KES_11_profile.mobileconfig using the JAMF remote administration tool.
- For version 11.1.0, download the KES_11_profile.zip archive. Extract and apply the configuration profile KES_11_profile.mobileconfig using the JAMF remote administration tool.
This will allow the application to get:
- Permissions to install System Extensions and Network Content Filtering for successful application installation.
- Full Disk Access for the correct work of File Threat Protection.
A configuration profile does not give permissions to install the root certificate which is required to intercept HTTPS traffic. This permission can only be obtained locally on the device.
A configuration profile has settings that can be performed only via User Approved Mobile Device Management (UAMDM). When you apply the configuration profile locally on the device, the following error occurs: "Profile installation failed. The profile must be a system profile. User profiles are not supported.” To avoid the error, use the remote administration tool.
How to create a configuration profile for Kaspersky Endpoint Security for Mac versions 12.1, 12 and 11.3.0 by yourself
If you want to create a configuration profile for Kaspersky Endpoint Security for Mac by yourself on a 64-bit device, set the following settings:
Privacy Preferences Policy Control
com.kaspersky.kav
Identifier Type
Bundle ID
Code Requirement
identifier "com.kaspersky.kav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2Y8XE5CQ94"
App or Service
SystemPolicyAllFiles
Allow
Identifier
com.kaspersky.kav.sysext
Identifier Type
Bundle ID
Code Requirement
identifier "com.kaspersky.kav.sysext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2Y8XE5CQ94"
App or Service
SystemPolicyAllFiles
Allow
System Extensions
Allowed Team Identifiers
Team Identifier
2Y8XE5CQ94
VPN
Kaspersky Filter
VPN Type
VPN
Connection Type
Custom SSL
Identifier
com.kaspersky.kav.kavd
Server
localhost
Provider Bundle Identifier
com.kaspersky.kav.sysext
User Authentication
Password
Password
Empty
Provider Type
App-proxy
Include All Networks
Unset
Exclude Local Networks
Unset
Provider Designated Requirement
identifier "com.kaspersky.kav.sysext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2Y8XE5CQ94"
Enable VPN on Demand
Unset
Prohibit users from disabling on-demand VPN settings
Unset
Idle Timer
Do not disconnect
Proxy Setup
None
How to create a configuration profile for Kaspersky Endpoint Security for Mac version 11.2.1 and earlier by yourself
If you want to create a configuration profile for Kaspersky Endpoint Security for Mac by yourself on a 64-bit device, set the following settings:
Privacy Preferences Policy Control
/Library/Application Support/Kaspersky Lab/KAV/Binaries/kav
Identifier Type
Path
Code Requirement
identifier kav and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2Y8XE5CQ94"
App or Service
SystemPolicyAllFiles
Allow
Identifier
com.kaspersky.kav
Identifier Type
Bundle ID
Code Requirement
identifier "com.kaspersky.kav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2Y8XE5CQ94"
App or Service
SystemPolicyAllFiles
Allow
Identifier
com.kaspersky.kav.sysext
Identifier Type
Bundle ID
Code Requirement
identifier "com.kaspersky.kav.sysext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2Y8XE5CQ94"
App or Service
SystemPolicyAllFiles
Allow
Approved Kernel Extensions
2Y8XE5CQ94
System Extensions
Allowed System Extensions
Team Identifier
2Y8XE5CQ94
Allowed System Extensions
com.kaspersky.kav.sysext
VPN
Kaspersky Filter
VPN Type
VPN
Connection Type
Custom SSL
Identifier
com.kaspersky.sysextctrld
Server
localhost
Provider Bundle Identifier
com.kaspersky.kav.sysext
User Authentication
Password
Password
Empty
Provider Type
App-proxy
Include All Networks
Unset
Exclude Local Networks
Unset
Provider Designated Requirement
identifier "com.kaspersky.kav.sysext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2Y8XE5CQ94"
Enable VPN on Demand
Unset
Prohibit users from disabling on-demand VPN settings
Unset
Idle Timer
Do not disconnect
Proxy Setup
None
What to do if the issue persists
If you experience any issues with the configuration profile, use these recommendations and submit a request to Kaspersky Technical Support via Kaspersky CompanyAccount.