Updates
2024-05-20: The WithSecure Elements and Countercept clients for Mac have now been released to all customers. Please note that it might take a day or so before all endpoints receive this update.
2024-05-15: Added information related to security posture when used as part of VPN authorization.
2024-04-16: Article revised to make it clearer which parts are for Elements and which for Countercept. Additionally clarified some aspects of controlling the software updates with MDMs, and providing a script to handle situations where old and new clients are installed.
2024-04-08: Include instructions for JAMF configuration
2024-04-03: Updated WithSecure System Extension sample profile
2024-02-15: Documented changes in product activation.
Background
We have now released a new version of our Mac software for WithSecure Elements, WithSecure Countercept.
As part of these releases, it is important to note that several things have changed.
Changes in network server addresses
For system and network administrators who tightly control their infrastructure’s ability to contact external servers, we strongly advise that they review the list of Server address changes at the WithSecure Community
Changes in Browser Extensions
Clients will also use WithSecure browser extensions. These can be found at:
Chrome Webstore
Firefox Browser Add-ons
If you use MDM or group policies to manage browser extensions it is recommended to allow or preinstall these extensions in advance.
You can use following IDs for MDM profiles:
- Google Chrome: imdndkajeppdomiimjkcbhkafeeooghd
- Mozilla Firefox:
- Extensions to install: https://download.withsecure.com/online-safety/ws_firefox_https.xpi
- Prevent extensions from being disabled or removed: ols_main@withsecure.com
The older F-Secure extension IDs can be removed from MDM later in May after the product upgrade to version 24.1.
Changes in Product Activation
To activate the product using the activator tool, enter the following command:
/Library/WithSecure/bin/activator --subscription-key "<subscription key>"
VPN posture check
If your organization implements VPN posture check to ensure that the agent is running before allowing a connection, please adjust the rule to follow the new process name 'wssensord' (instead of 'fssensord' used in older product versions) located at:
- Elements: '/Library/WithSecure/ultralight/bin/com.withsecure.ultralight.wssensord.xpc/Contents/MacOS/wssensord'
- MDR: '/Library/WithSecure-mdr/ultralight/bin/com.withsecure.ultralight.wssensord.xpc/Contents/MacOS/wssensord'
Changes in MDM configurations
For customers who use MDM systems to control their IT environments, the following information is required in order to correctly manage the new clients.
Update Team ID / Bundle IDs
Replace the current Team ID from 6KALSAFZJC with V928P8X763.
Change the Elements Agent Bundle ID from com.f-secure.fsmac.gui to com.withsecure.wsagent.
Update the previous System Extension Bundle ID from com.f-secure.fsmac.gui.FSCSystemExtension to com.withsecure.wsagent.wssystemextension.
If you are using MDR, change the MDR Agent Bundle ID from com.f-secure.mdr.fsmac.gui to com.withsecure.mdr.wsagent
New installation locations
The installation location of the Elements Agent client binaries has been changed from /Library/F-Secure to /Library/WithSecure/bin.
The path within the Applications folder has now changed to /Applications/WithSecure.
For Countercept Agent, paths are now changed to /Library/WithSecure-mdr and /Applications/WithSecure-mdr correspondingly.
Important Notes
We strongly recommend creating two sets of MDM profiles. Maintain the old profiles until all devices update to the latest version. Once all devices have been updated to the new client software, the old MDM profile can be removed.
Alternatively, you can rely on the built-in product upgrade mechanism to get latest version automatically. For that, if your MDM enforces the installation when the product is detected as missing, please update the rule which detects the software so that it considers the identifier of the product taking both old and new bundle IDs and installation locations from the paragraphs above. Another option is to remove this enforcement, as upgraded product will stop using current bundle ID and will be detected by the MDM as a new product.This ensures uninterrupted security coverage during the transition.
If you do not use an MDM system, permissions for the system extension, content filtering, full disk access and user notifications must be given manually as done when you first install the product.
If you did not adjust the MDM profiles, and the current enforcement policies installed the old product version together with the newly upgraded version 24.1, you can run the following script to uninstall the old product version manually.
#!/bin/sh
uninstall_fs_system_extension() {
if ! systemextensionsctl list | grep "com.f-secure.fsmac.gui.FSCSystemExtension" | grep "activated" ; then
echo "F-Secure's system extension not detected"
return
fi
local app_bundle="/Applications/F-Secure/F-Secure Mac Protection.app"
if ! [[ -d "$app_bundle" ]]; then
return
fi
local app_plist="$app_bundle/Contents/Info.plist"
local app_version=$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$app_plist")
local system_extension_version=$(systemextensionsctl list | grep "com.f-secure.fsmac.gui.FSCSystemExtension" | grep "activated" | cut -d "(" -f2 | cut -d ")" -f1)
if [[ "$system_extension_version" == "$app_version/1" ]]; then
echo "Uninstalling F-Secure's system extension"
local app_binary="$app_bundle/Contents/Macos/F-Secure Mac Protection"
"$app_binary" --deactivate-system-extension
local result="$?"
if [[ "$result" -eq "0" ]]; then
echo "System extension uninstalled successfully"
else
echo "Failed to uninstall system extension with error $result"
fi
else
echo "App's and system extension's versions don't match, can't uninstall"
fi
}
uninstall_fs_system_extension
/Library/F-Secure/bin/uninstall_MacProtection
Sample Profiles
For your convenience, we've included sample profiles containing the updated information. Use these as a guide while configuring your environments.
Elements Agent
Allow the WithSecure System Extension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist
PUBLIC '-//Apple//DTD PLIST 1.0//EN'
'http://www.apple.com/DTDs/PropertyList-1.0.dtd'>
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedTeamIdentifiers</key>
<array>
<string>V928P8X763</string>
</array>
<key>RemovableSystemExtensions</key>
<dict>
<key>V928P8X763</key>
<array>
<string>com.withsecure.wsagent.wssystemextension</string>
</array>
<key>6KALSAFZJC</key>
<array>
<string>com.f-secure.fsmac.gui.FSCSystemExtension</string>
</array>
</dict>
<key>PayloadDescription</key>
<string>Allows WithSecure System Extension</string>
<key>PayloadDisplayName</key>
<string>WithSecure System Extension</string>
<key>PayloadIdentifier</key>
<string>com.apple.system-extension-policy.213E79BF-4F5E-430D-AFED-D76EC62ACE96</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadUUID</key>
<string>213E79BF-4F5E-430D-AFED-D76EC62ACE96</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadOrganization</key>
<string>WithSecure Oyj</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>WithSecure Agent Profile</string>
<key>PayloadIdentifier</key>
<string>SAMPLE.00000000-0000-0000-0000-000000000001</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>00000000-0000-0000-0000-000000000001</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Allowing content filtering
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>UserDefinedName</key>
<string>WithSecure Firewall</string>
<key>PluginBundleID</key>
<string>com.withsecure.wsagent</string>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.withsecure.wsagent.wssystemextension</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.withsecure.wsagent.wssystemextension" and anchor apple generic and certificate leaf[subject.OU] = "V928P8X763"</string>
<key>FilterSockets</key>
<true/>
<key>FilterPackets</key>
<false/>
<key>FilterBrowsers</key>
<false/>
<key>FilterType</key>
<string>Plugin</string>
<key>PayloadDescription</key>
<string>Allow WithSecure Firewall to filter network traffic</string>
<key>PayloadDisplayName</key>
<string>WithSecure Firewall</string>
<key>PayloadIdentifier</key>
<string>com.apple.webcontent-filter.9FF6DE99-59E2-47A1-8918-CE259D92E785</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>9FF6DE99-59E2-47A1-8918-CE259D92E785</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadOrganization</key>
<string>WithSecure Oyj</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>WithSecure Agent Profile</string>
<key>PayloadIdentifier</key>
<string>SAMPLE.00000000-0000-0000-0000-000000000001</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>00000000-0000-0000-0000-000000000001</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Allowing Full Disk Access
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Grant Full Disk Access to WithSecure processes</string>
<key>PayloadDisplayName</key>
<string>Grant Full Disk Access to WithSecure processes</string>
<key>PayloadIdentifier</key>
<string>com.apple.TCC.configuration-profile-policy.F8432F17-1ECD-420D-B3D0-2A35F0BB144E</string>
<key>PayloadUUID</key>
<string>F8432F17-1ECD-420D-B3D0-2A35F0BB144E</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>
<string>WithSecure Oyj</string>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Identifier</key>
<string>com.withsecure.wsagent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.withsecure.wsagent" and anchor apple generic and certificate leaf[subject.OU] = "V928P8X763"</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Grant Full Disk Access to WithSecure processes</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.withsecure.wsagent.wssystemextension</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.withsecure.wsagent.wssystemextension" and anchor apple generic and certificate leaf[subject.OU] = "V928P8X763"</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Grant Full Disk Access to WithSecure's System Extension'</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>WithSecure Agent Profile</string>
<key>PayloadIdentifier</key>
<string>SAMPLE.00000000-0000-0000-0000-000000000001</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>00000000-0000-0000-0000-000000000001</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Allow user Notification for WithSecure Processes
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.withsecure.wsagent</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<true/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadEnabled</key>
<true/>
<key>PayloadDescription</key>
<string>Allow notifications for WithSecure products</string>
<key>PayloadDisplayName</key>
<string>Allow notifications for WithSecure products</string>
<key>PayloadIdentifier</key>
<string>com.apple.notificationsettings.A134E8B3-AE82-4AE9-8D39-F9976B5BEEE1</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>A134E8B3-AE82-4AE9-8D39-F9976B5BEEE1</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadOrganization</key>
<string>WithSecure Corporation</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>WithSecure Agent Profile</string>
<key>PayloadIdentifier</key>
<string>SAMPLE.00000000-0000-0000-0000-000000000001</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>00000000-0000-0000-0000-000000000001</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Countercept Agent
Allowing Full Disk Access
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Grant Full Disk Access to WithSecure processes</string>
<key>PayloadDisplayName</key>
<string>Grant Full Disk Access to WithSecure processes</string>
<key>PayloadIdentifier</key>
<string>com.apple.TCC.configuration-profile-policy.F8432F17-1ECD-420D-B3D0-2A35F0BB144E</string>
<key>PayloadUUID</key>
<string>F8432F17-1ECD-420D-B3D0-2A35F0BB144E</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>
<string>WithSecure Corporation</string>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Identifier</key>
<string>com.withsecure.mdr.wsagent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.withsecure.mdr.wsagent" and anchor apple generic and certificate leaf[subject.OU] = "V928P8X763"</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Grant Full Disk Access to MDR processes</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>WithSecure Elements Agent Profile</string>
<key>PayloadIdentifier</key>
<string>SAMPLE.00000000-0000-0000-0000-000000000001</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>00000000-0000-0000-0000-000000000001</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Configuring JAMF
First, Log in to the jamf portal
- Select Computers > Configuration Profiles. The Configuration Profiles page opens.
To create a new profile, first select New.
- On the New macOS configuration profile page, select Options > General.
Do the following:
- Enter a name for the new profile.
- From the Level drop-down menu, select Computer level.
- From the Distribution method drop-down menu, select Install Automatically.
To configure the system extensions, do the following:
- Under Options, select System Extensions.
- In the Display Name box, enter
Allow WithSecure’s extension
- From the System Extension Types drop-down menu, select Allowed System Extensions.
- In the Team Identifier box, enter
V928P8X763
- Under Allowed System Extension, enter
com.withsecure.wsagent.wssystemextension
- Under Removable System Extensions section, add
com.withsecure.wsagent.wssystemextension
- Select + to add a new Allowed System Extension and Teams IDs.
- In the Display Name field, enter
F-Secure System Extension Allow Removal.
- From the System Extension types drop-down menu, select Removable System Extensions.
- In the Team Identifier field, enter
6KALSAFZJC
- Under Removable System Extensions, add
com.f-secure.fsmac.gui.FSCSystemExtension