DISCLAIMER: These instructions are only for the purpose of guidance when installing the Smoothwall Unified Client. They are NOT instructions on how to use another provider's software and should not be used as such.
See the official Jamf documentation, Jamf Pro Administrator's Guide.
This article outlines how to deploy the Smoothwall Unified Client on macOS devices using Jamf Pro. However, you can use another mobile device management (MDM) solution. You should still ensure that you have policies to turn off Chrome developer tools, incognito mode, guest mode and browser sign-in, as well as disabling USB ports, so that users can't circumvent the functionality by using another browser.
Prerequisites
Devices
You will need macOS devices meeting the following criteria:
- Devices with macOS Mojave or later.
- Chrome installed for all users in the /Applications folder.
- Devices don't already have the Unified Client installed.
You need to set up browser policies to ensure that your devices are managed, and students can't circumvent the functionality. To do this, you need to deploy the policies using a Jamf configuration profile, to ensure that users can't use Chrome developer tools, incognito mode, guest mode, or download and install another browser. Another way your users could install another browser is via a USB drive, so this needs to be switched off for your users too.
We have created a plist file with details to:
- Force install our Smoothwall Chrome extension.
- Turn off developer tools in Chrome, so that the user can't turn off the functionality.
- Turn off incognito mode in Chrome, so that the user can't hide their browsing.
- Prevent browser sign-in to Chrome, so that the user can't override their extensions.
- Prevent guest mode in Chrome, so that users can't remove all the extensions.
You can find the plist file attached at the bottom of this article. Click the com.google.Chrome.plist link to download it.
Upload the plist file directly into Jamf Pro. Jamf converts the file into a configuration profile, which you can then deploy to your devices.
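An added example, not part of Smoothwall's article or its plist: a Python check that a Chrome policy plist sets the five controls listed above before you upload it. The key names are Chrome's enterprise policy names, assumed here because this page does not show the file's contents; the extension ID and update URL in the sample are constructed placeholders.

```python
import plistlib

# Constructed sample standing in for the downloaded com.google.Chrome.plist.
# EXTENSION_ID_PLACEHOLDER is not a real ID; the page does not state one.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ExtensionInstallForcelist</key>
  <array><string>EXTENSION_ID_PLACEHOLDER;https://example.invalid/update.xml</string></array>
  <key>DeveloperToolsAvailability</key><integer>2</integer>
  <key>IncognitoModeAvailability</key><integer>1</integer>
  <key>BrowserSignin</key><integer>0</integer>
  <key>BrowserGuestModeEnabled</key><false/>
</dict></plist>"""


def audit_chrome_policy(plist_bytes, extension_id):
    """Return a list of findings; an empty list means all five settings are present."""
    policy = plistlib.loads(plist_bytes)  # handles XML and binary plists

    def is_int(key, want):
        # A plist <false/> loads as bool, and False == 0 in Python, so check
        # the type too: a boolean where an integer is expected is a finding.
        value = policy.get(key)
        return type(value) is int and value == want

    findings = []
    # Force-list entries have the form "<extension id>;<update URL>".
    forced = policy.get("ExtensionInstallForcelist", [])
    if not any(str(e).split(";", 1)[0] == extension_id for e in forced):
        findings.append("extension is not force-installed")
    # 2 = developer tools disallowed; DeveloperToolsDisabled is the older boolean key.
    if not (is_int("DeveloperToolsAvailability", 2)
            or policy.get("DeveloperToolsDisabled") is True):
        findings.append("developer tools are not disabled")
    if not is_int("IncognitoModeAvailability", 1):  # 1 = incognito disabled
        findings.append("incognito mode is not disabled")
    if not is_int("BrowserSignin", 0):  # 0 = browser sign-in disabled
        findings.append("browser sign-in is not disabled")
    # Guest mode stays available unless the key is explicitly false.
    if policy.get("BrowserGuestModeEnabled") is not False:
        findings.append("guest mode is not disabled")
    return findings


if __name__ == "__main__":
    result = audit_chrome_policy(SAMPLE_PLIST, "EXTENSION_ID_PLACEHOLDER")
    for line in result or ["all five settings present"]:
        print(line)
```

To check a real file, pass its bytes (read in binary mode) and the extension ID taken from the plist you downloaded.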
If you are using Classroom Manager, you will also need to create a configuration profile that allows your teachers to lock your users' devices.
Create and Apply Policies Using a Configuration Profile
DISCLAIMER: We have provided a guide on how you could deploy these profiles for your devices. You do not have to use this procedure to deploy them, but we strongly advise you to ensure that these profiles are in place.
- Log into Jamf Pro, click Computers, then Configuration Profiles, and then + New.
- On the Options tab, under the General section:
  - Enter a NAME for your profile. For example, "Chrome".
  - Optionally, enter a DESCRIPTION.
  - From the CATEGORY list, select a category to add the profile to.
    - You can create and manage categories under Settings → Global Management → Categories.
  - From the DISTRIBUTION METHOD list, select a method to distribute the profile. For example, "Install Automatically".
  - From the LEVEL list, select at which level to apply the profile.
- Remaining on the Options tab, under the Custom Settings section:
  - Click Configure and enter the PREFERENCE DOMAIN which the settings will apply to. For example, if applying Chrome profiles, this should be "com.google.Chrome".
  - Click Upload PLIST File and select the plist file that you downloaded from this article.
- To deploy the profile immediately, continue to the next step. Otherwise, to stop here for now and specify later which computers to deploy it to, click Save.
- On the Scope tab, under the Targets section:
  - From either of the TARGET COMPUTERS and TARGET USERS lists, select the specific computers or users that you want to assign or distribute the profile to.
  - Next to Selected Deployment Targets, click + Add.
  - Under the Computer, Computer Groups, Buildings and Department tabs, click Add next to the item that you want to apply the profile to.
  - Next to Selected Deployment Targets, click Done.
- To save and deploy your profile to the selected users and computers, click Save. Deployment can take a few minutes. To view the deployment progress, click Configuration Profiles and expand the relevant category.
Applying Classroom Manager Policies using a Configuration Profile
If you are not using Classroom Manager, you can skip this section.
- Log into Jamf Pro, click Computers, Configuration Profiles, and then + New.
- On the Options tab, under the General section:
  - Enter a NAME for the profile.
  - Optionally, enter a DESCRIPTION indicating what the profile will do.
  - From the CATEGORY list, select the one to assign the profile to.
    - You can create and manage categories under Settings → Global Management → Categories.
  - From the DISTRIBUTION METHOD list, select a method to distribute the profile. For example, "Install Automatically".
  - From the LEVEL list, select at which level to apply the profile.
- Remaining on the Options tab, scroll down and click Privacy Preferences Policy Control:
  - Click Configure and for the IDENTIFIER, enter:
    - com.smoothwall.SWOverlay
  - From the IDENTIFIER TYPE list, select "Bundle ID".
  - For the CODE REQUIREMENT, enter:
    - anchor apple generic and identifier "com.smoothwall.SWOverlay" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "8S22493YN8")
  - Under App or Service, click + Add and, from the list, select "Accessibility".
  - From the ACCESS list, select "Allow" and on the row that you're editing, click Save.
  - Optionally, repeat the last few steps to add other permissions.
- On the Scope tab, under the Targets section:
  - From either of the TARGET COMPUTERS and TARGET USERS lists, select the specific computers or users that you want to assign or distribute the profile to.
  - Next to Selected Deployment Targets, click + Add.
  - Under the Computer, Computer Groups, Buildings and Department tabs, click Add next to the item that you want to apply the profile to.
  - Next to Selected Deployment Targets, click Done.
- To save and deploy your profile to the selected users and computers, click Save. Deployment can take a few minutes. To view the deployment progress, click Configuration Profiles and expand the relevant category.
App Restrictions
We strongly recommend deploying an MDM rule which prevents users from running applications they have downloaded themselves. This is to ensure they cannot download and use another browser to circumvent the Smoothwall restrictions.
We recommend disallowing these folders:
- /Users/
We recommend allowing these folders:
- /Applications/
- /System/Library/
- /Library/
- /bin/
- /usr/bin/
However, be careful to check your own needs before deploying such a rule. You may need to run applications from other locations.
Additionally, you may want to ensure that users cannot run Safari or other browsers installed at system level.
- Log into Jamf Pro, click Computers, Configuration Profiles, and then + New.
- On the Options tab, under the General section:
  - Enter a NAME for the profile.
  - Optionally, enter a DESCRIPTION indicating what the profile will do.
  - From the CATEGORY list, select the one to assign the profile to.
    - You can create and manage categories under Settings → Global Management → Categories.
  - From the DISTRIBUTION METHOD list, select a method to distribute the profile. For example, "Install Automatically".
  - From the LEVEL list, select at which level to apply the profile. For example, "Computer Level".
- Remaining on the Options tab, click Restrictions:
  - Click Configure and click the Applications tab.
  - Select the apps that are allowed to launch or clear the ones that you don't want to launch. For example, select Restrict App Store to MDM installed apps and software updates.
  - Click Applications.
  - Select Which apps are allowed to launch.
  - Click Save and then click Edit.
- Under the Allow folders section:
  - Click Add. WARNING: MAKE SURE YOU CLICK THE RIGHT ADD BUTTON.
  - Enter the folder, for example, /Applications/. Make sure that the case is correct, click Save, and repeat until all folders have been added:
    - /Applications/
    - /System/Library/
    - /Library/
    - /bin/
    - /usr/bin/
- Under the Disallow folders section:
  - Click Add. WARNING: MAKE SURE YOU CLICK THE RIGHT ADD BUTTON.
  - Enter the folder, for example, /Users/. Make sure that the case is correct, click Save, and repeat until all folders have been added:
    - /Users/
- Click Save.
Procedure
To deploy the client, you will need to install the Unified Client onto a device and then use snapshots in Jamf Composer to build a package and deploy it to the rest of your devices. See Jamf's documentation on how to do this: https://www.jamf.com/resources/videos/building-a-package-using-snapshots-in-jamf-composer/
To Install the Unified Client on a Single Device
Before you begin, you will need your tenants' IDs and your Smoothwall product's serial number.
- Go to https://customer.smoothwall.net/download/ and download the unified client file: smoothwall-unified-client.pkg.
- Run the installation file. On the Welcome screen, click Continue and then Install.
- Enter your administrator password and click Install software.
- Enter your Serial number and click OK.
- If you have a multitenant setup, enter your Tenant ID and click OK.
- If you don't have a multitenant setup, just click OK.
Note: The tenant ID isn't validated, so make sure that you enter the ID correctly. However, if you do enter this incorrectly, you can edit the text file after installation.
- To complete the installation, click Close.
Once you have a snapshot, you will need to use it to create a configuration profile in Jamf Pro and deploy it to your managed devices.