Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
slang
Explorer

Network Content Filter settings for 84.30 macos Checkpoint VPN client on Big Sur

Hi all,

the early version 84.30 for macOS on Big Sur works fine for us on both Intel and M1 MacBooks.

But with 84.30 it asks for “Filter Network Content” on Big Sur. See picture below. This window can be suppressed for the user by using an MDM solution. What are the settings for it? 

Can anybody help out here?

Screenshot 2020-12-07 at 12.13.22.png

BR

0 Kudos
15 Replies
duongt
Explorer

Hello slang,

How are you suppressing this pop up with your MDM?

0 Kudos
slang
Explorer

Our MDM solution is Jamf. Here it is described for Microsoft Defender and works fine:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-jamfp...

And the same I want to have for the checkpoint client

0 Kudos
PhoneBoy
Admin
Admin

As this is EA code, we might not have these settings available yet.
Adding @Lior_Arzi @AndreiR 

0 Kudos
slang
Explorer

I tried all possible settings with kernel extensions and system extensions, but I was not able to suppress this window.

So what do you suggest here @PhoneBoy ? I guess all of your clients have this now together with Big Sur and updating to 84.30

BR

0 Kudos
uluss99
Explorer

Hi!  I don't want to use the content filtering so I deleted the Check Point Firewall app in the Applications folder. I don't have a popup and the VPN is working properly.

Have a good day!

 

0 Kudos
PhoneBoy
Admin
Admin

It should be enough to add the team identifier in Kernel Extension Policy MDM payload settings for Apple devices

User Approved Kernel Extension Loading (MDM Deployments)

See Kernel Extension Policy MDM payload settings for Apple devices

https://support.apple.com/en-gb/guide/mdm/mdm88f99b98a/1/web/1.0

Developer ID Application: Check Point Software Technologies (TZ3UEPFYKD)

Full Disk Access Requirements

See Custom MDM payload settings for Apple devices  https://support.apple.com/en-gb/guide/mdm/mdm38df53c2a/1/web/1.0

Agents requiring Full Disk Access

/Library/Application Support/Checkpoint/Capsule Docs/CapsuleDocsAgent.app/Contents/MacOS/CapsuleDocsAgent

Daemons requiring Full Disk Access

/Library/Application Support/Checkpoint/Capsule Docs/CapsuleDocsDaemon
/Library/Application Support/Checkpoint/Threat Emulation/cpted
/Library/Application Support/Checkpoint/Anti Ransomware/cpard
/Library/Application Support/Checkpoint/Forensics/cpefrd
/Library/Application Support/Checkpoint/Endpoint Security/cpmed
/Library/Application Support/Checkpoint/Endpoint Security/cpamd
/Applications/Check Point/cpmedApp.app
/Applications/Check Point/cpamdApp.app
/Applications/Check Point/cpdaApp.app
/Applications/Check Point/efr-mon-epsec.app

0 Kudos
duongt
Explorer

@PhoneBoy Apple is moving away from kernel extensions to system extensions. Is checkpoint doing the same and moving away from kernel extensions? I already have the kernel extension with the team identifier in place for previous versions of macOS. I'm still getting the popup. 

0 Kudos
PhoneBoy
Admin
Admin

I presume we are but don't know the precise timeline here.

0 Kudos
hcohen
Employee
Employee

Yes, for some blades this is already implemented, such as Firewall. On BigSur, the Firewall blade in the latest client uses a system extension.

Also, the EP client has already moved away from the old kexts for most of the blades, using new frameworks instead, such as the Endpoint Security framework.

0 Kudos
duongt
Explorer

Hello,

Endpoint Security VPN for Macs version 84.30 has been release. Does anyone have a way to suppress the "Checkpoint Firewall Filter" Would Like to Filter Network Content prompt besides deleting the Checkpoint Firewall app? 

0 Kudos
PhoneBoy
Admin
Admin

As I've posted previously, the Mac VPN client includes a firewall as a mandatory component.
Pretty sure this is the first time it's even been possible to remove it. 

0 Kudos
duongt
Explorer

Hello @PhoneBoy ,

 

I am not looking to remove it. I'm looking for a way to allow this component to run without requiring the user to click "Allow" when it prompts. Usually with an MDM I can push a configuration profile to allow this without any users interaction. Is there a way to do this?

0 Kudos
rickgmac
Explorer

@PhoneBoy  Can you share where you wrote about removing the Endpoint Security Firewall.

We already deploy a firewall and have it configured. We just use Checkpoint for the VPN

0 Kudos
PhoneBoy
Admin
Admin

I didn't write anything about it.
The comment is made in this thread by uluss99 above.
I have not personally verified his claim.

0 Kudos
jaol
Explorer

If you have Jamf you can put "Check Point Firewall.app" to restricted software and it won't bother you anymore. VPN still works.

And check point please make possible to install only VPN like in Windows machines.

0 Kudos