Appendix A: Manually creating the MDM profile

You can manually create the MDM profile if you have issues importing the MDM profile provided by Forcepoint.

Steps

  1. On the Computers tab, select Configuration Profiles, then click New.
  2. On the General tab, enter Forcepoint Neo in the Name field.
  3. On the VPN tab, enter the following:
    1. Connection Name: Forcepoint Neo
    2. VPN Type: VPN
    3. Connection type: Custom SSL
    4. Identifier: com.forcepoint.neo.ne-app
    5. Server: Forcepoint Neo
    6. Provider Bundle Identifier: com.forcepoint.neo.ne
    7. Provider Type: App-proxy
    8. Select the check box Prohibit users from disabling on-demand VPN settings
  4. On the Privacy Preferences Policy Control tab, define the following components:
    1. Enter the information for the first component.
      • Identifier: com.forcepoint.neo.agent
      • Identifier Type: Bundle ID
      • Code Requirement: identifier "com.forcepoint.neo.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4388XWHPGW"
      • From App or Service, select SystemPolicyAllFiles, and from Access, select Allow
      • From App or Service, select AppleEvents, and from Access, select Allow
      • Receiver Identifier: com.apple.systemevents
      • Receiver Identifier Type: Bundle ID
      • Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple
      • From App or Service, select Accessibility, and from Access, select Allow
    2. Press the + button to add a new component, then enter the following information:
      • Identifier: com.forcepoint.neo.es
      • Identifier Type: Bundle ID
      • Code Requirement: identifier "com.forcepoint.neo.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4388XWHPGW"
      • From App or Service, select SystemPolicyAllFiles, and from Access, select Allow
    3. Press the + button to add a new component, then enter the following information:
      • Identifier: /Library/Application Support/Forcepoint/Neo/EP/bin/fpneoprotectiond
      • Identifier Type: Path
      • Code Requirement: identifier "com.forcepoint.neo.protectiond" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4388XWHPGW"
      • From App or Service, select SystemPolicyAllFiles, and from Access, select Allow
    4. Press the + button to add a new component, then enter the following information:
      • Identifier: /Library/PrivilegedHelperTools/com.forcepoint.neo.privilege-helper
      • Identifier Type: Path
      • Code Requirement: identifier "com.forcepoint.neo.privilege-helper" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4388XWHPGW"
      • From App or Service, select SystemPolicyAllFiles, and from Access, select Allow
  5. On the Certificate tab, define the following components:
    • Under Certificate Name, enter Forcepoint Cloud CA.
    • Upload the Forcepoint Cloud CA.cer file.
    • Select Allow all apps access.
    • Make sure Allow export from keychain is not selected.
  6. Click Save.
  7. On the System Extensions tab, enter the following:
    1. Select the check box Allow users to approve system extensions
    2. Display Name: 4388XWHPGW
    3. From System Extension Types, select Allowed System Extensions
    4. Team Identifier: 4388XWHPGW
    5. Allowed System Extensions: com.forcepoint.neo.ne, com.forcepoint.neo.es
  8. On the Computers tab, select Configuration Profiles, then click New.
  9. On the General tab, enter Forcepoint Neo NC Root CA in the Name field.
  10. On the Certificate tab, define the following components:
    • Under Certificate Name, enter Forcepoint Neo NC Root CA.
    • Upload the Forcepoint Neo NC Root CA.cer file.
    • Select Allow all apps access.
    • Make sure Allow export from keychain is not selected.
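The Code Requirement strings in step 4 are long and typed by hand, so a single wrong character leaves a component without the access granted to it. The following Python check is an added example, not Forcepoint or Jamf code: it reads a profile and reports Privacy Preferences Policy Control entries whose requirement does not match the form and team identifier given above. It assumes the profile is an unsigned .mobileconfig property list using Apple's `com.apple.TCC.configuration-profile-policy` payload keys; the function names and the sample profile are constructed for illustration.

```python
import plistlib
import re

TEAM_ID = "4388XWHPGW"  # Team Identifier from the System Extensions step
PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Shape of the Code Requirement this page gives for every Forcepoint component.
REQ = re.compile(
    r'identifier "(?P<ident>[^"]+)" and anchor apple generic'
    r' and certificate 1\[field\.1\.2\.840\.113635\.100\.6\.2\.6\]( /\* exists \*/)?'
    r' and certificate leaf\[field\.1\.2\.840\.113635\.100\.6\.1\.13\]( /\* exists \*/)?'
    r' and certificate leaf\[subject\.OU\] = "(?P<ou>[^"]+)"')

def audit_profile(mobileconfig, team_id=TEAM_ID):
    """Return one finding per PPPC entry whose Code Requirement looks mistyped."""
    findings = []
    payloads = plistlib.loads(mobileconfig).get("PayloadContent", [])
    for payload in (p for p in payloads if p.get("PayloadType") == PPPC_TYPE):
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                where = f"{service} / {entry.get('Identifier')}"
                req = " ".join(entry.get("CodeRequirement", "").split())  # ignore pasted line breaks
                m = REQ.fullmatch(req)
                if m is None:
                    findings.append(f"{where}: not a team-pinned Developer ID requirement")
                elif m["ou"] != team_id:
                    findings.append(f"{where}: subject.OU {m['ou']} is not {team_id}")
                elif entry.get("IdentifierType") == "bundleID" and m["ident"] != entry["Identifier"]:
                    findings.append(f"{where}: requirement names {m['ident']}")
    return findings

def make_req(ident, ou=TEAM_ID):
    return (f'identifier "{ident}" and anchor apple generic and certificate 1'
            '[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf'
            '[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf'
            f'[subject.OU] = "{ou}"')

def make_entry(ident, id_type, req):
    return {"Identifier": ident, "IdentifierType": id_type, "CodeRequirement": req, "Allowed": True}

# Constructed sample profile: two entries as on this page, two with typing mistakes.
SAMPLE = plistlib.dumps({"PayloadContent": [{"PayloadType": PPPC_TYPE, "Services": {
    "SystemPolicyAllFiles": [
        make_entry("com.forcepoint.neo.agent", "bundleID", make_req("com.forcepoint.neo.agent")),
        make_entry("/Library/PrivilegedHelperTools/com.forcepoint.neo.privilege-helper", "path",
                   make_req("com.forcepoint.neo.privilege-helper")),
        make_entry("com.forcepoint.neo.es", "bundleID", make_req("com.forcepoint.neo.es", "4388XWHPGV")),
        make_entry("com.forcepoint.neo.es", "bundleID", 'identifier "com.forcepoint.neo.es" and anchor apple'),
    ]}}]})
print(*audit_profile(SAMPLE), sep="\n")
```

Entries with Identifier Type Path are checked for form and team identifier only, because the path cannot be compared with the identifier named in the requirement.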