Summary
This article outlines the general steps required for deploying Smoothwall Cloud Filter on macOS via MDM. There are several MDM solutions available, such as Jamf. Please refer to your MDM provider's documentation for details of how to perform specific steps.
On macOS, there are two main software components you will need to install:
- Cloud Filter browser extension
- Unified Client (runs as a native daemon)
The majority of the functionality is provided by the browser extension. However, the Unified Client is usually required for effective system integration.
This page outlines the installation process for Unified Client v2.x and later, which was released in May 2023. It is substantially different from the previous version (1.x).
Prerequisites
Before you begin, please ensure you have the following information:
- Your Smoothwall Cloud Filter serial. It looks like this: "UNCLxxxxxxxxxxxx".
- Your Smoothwall tenant ID, if you have one. It looks like this: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".
Your macOS devices must:
- be enrolled in MDM
- be running macOS 10.14 (Mojave) or later
- have Chrome installed for all users in the main Applications folder
Uninstall previous Unified Client
If you have previously installed another version of Smoothwall Cloud Filter, then we recommend uninstalling the native daemon before proceeding. This is essential if upgrading from version 1.x, which was available until May 2023.
If you have Unified Client version 1.x installed, then run this command to uninstall it:
sudo "/Library/Application Support/Smoothwall/uc-desktop.app/Contents/uc-desktopUninstaller"
Note: The exact name and location of the uninstall script may vary depending on which version you have installed.
If you have Unified Client version 2.x installed, then run this command to uninstall it:
sudo "/Library/Application Support/Smoothwall/Unified Client/configure.sh" uninstall --delete-all
Deploy Chrome browser policies
Using your MDM solution, you will need to deploy several enterprise policies to the Chrome browser. This is typically done by creating a Configuration Profile.
The table below outlines our recommended policies. The first one installs the Smoothwall Cloud Filter extension, and the rest restrict user actions which could potentially bypass the extension.
Name | Value |
ExtensionInstallForcelist | jbldkhfglmgeihlcaeliadhipokhocnm;http://clients2.google.com/service/update2/crx |
DeveloperToolsAvailability | 2 |
IncognitoModeAvailability | 1 |
BrowserGuestModeEnabled | false |
BrowserAddPersonEnabled | false |
TaskManagerEndProcessEnabled | false |
BrowserSignin * | 0 |
* = We recommend that browser sign-in is completely disabled to ensure there are no policy conflicts. However, if sign-in is needed (for instance to allow bookmark sync), we recommend restricting it to the managed domain. This can be done with a policy called "RestrictSigninToPattern".
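To confirm on a device that the policies in the table above were actually applied, the following check compares each managed value with the recommended one. It is an added example, not Smoothwall's own tooling. Assumptions: the function names are hypothetical, MDM-delivered Chrome policy is readable with `defaults` from "/Library/Managed Preferences/com.google.Chrome", and `defaults read` prints booleans as 0 or 1.

```sh
#!/bin/sh
# Added example: audit the managed Chrome policies recommended in the table.
# Assumption: device-level managed Chrome policy lives at this preference path.
CHROME_PREFS="/Library/Managed Preferences/com.google.Chrome"
EXT_ID="jbldkhfglmgeihlcaeliadhipokhocnm"

# Print the value of one policy key; prints nothing if the key is absent.
read_policy() {
    defaults read "$CHROME_PREFS" "$1" 2>/dev/null || true
}

# Recommended scalar values as Key=value (false is reported as 0).
# BrowserSignin=0 is the default recommendation; adjust it if you allow
# sign-in restricted with RestrictSigninToPattern.
EXPECTED="DeveloperToolsAvailability=2
IncognitoModeAvailability=1
BrowserGuestModeEnabled=0
BrowserAddPersonEnabled=0
TaskManagerEndProcessEnabled=0
BrowserSignin=0"

# Print one line per policy; the return status is the number of failures.
audit_chrome_policies() {
    failures=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(read_policy "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key=$got"
        else
            echo "FAIL  $key: expected $want, got '${got:-unset}'"
            failures=$((failures + 1))
        fi
    done
    # The force-list is an array, so check that it contains the extension ID.
    case "$(read_policy ExtensionInstallForcelist)" in
        *"$EXT_ID"*) echo "OK    ExtensionInstallForcelist contains $EXT_ID" ;;
        *) echo "FAIL  ExtensionInstallForcelist lacks $EXT_ID"
           failures=$((failures + 1)) ;;
    esac
    return "$failures"
}

# Run the audit only on macOS, where `defaults` exists.
if [ "$(uname -s)" = "Darwin" ]; then audit_chrome_policies; fi
```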
For documentation about all Chrome policies, please see this link:
App Restrictions
We strongly recommend deploying an MDM rule which prevents users from running applications they have downloaded themselves. This is to ensure they cannot download and use another browser to circumvent the Smoothwall restrictions.
We recommend disallowing running applications from these folders:
- /Users/
We recommend allowing running applications from these folders:
- /Applications/
- /System/Library/
- /Library/
- /bin/
- /usr/bin/
However, be careful to check your own needs before deploying such a rule. You may need to run applications from other locations.
Additionally, please ensure users cannot run Safari or other browsers installed at system level. We currently only support Cloud Filter for Chrome.
Install the Unified Client
The native daemon needs to be installed from a PKG file. You can download it from this page:
Under "Unified Client", click the macOS link to download a zip file containing the PKG. Deploy the PKG to your macOS devices using your MDM solution. It shouldn't require any special settings.
By default, it will install to this path on disk:
- /Library/Application Support/Smoothwall/Unified Client
Please do not modify the default installation location as this may prevent it from running correctly.
Configure the Unified Client
After the Unified Client has been installed, you will need to run the included configuration script. This is necessary to get the daemon running and connecting to our servers.
Using your MDM solution, execute the script on each device like this, replacing OPTIONS as described below:
sudo "/Library/Application Support/Smoothwall/Unified Client/configure.sh" install OPTIONS
The available OPTIONS are as follows:
--serial SERIAL
Required. Replace SERIAL with your Smoothwall serial, starting "UNCL".
--tenant TENANT
Required if you have a tenant ID. Replace TENANT with your Smoothwall tenant ID.
Please do not specify this option if you do not have a Smoothwall tenant ID.
--username-transformation DOMAIN
Optional. Specify a domain which will be automatically added to usernames when connecting
to the Smoothwall servers. This is useful for simulating a user directory. If the domain
ends with a backslash (e.g. "EXAMPLE\") then it will be prepended to the username. If it
starts with an "at" symbol (@) then it will be appended (e.g. "@example.com").
--ipc-port PORT
Optional. This can be used to change the local port used to communicate between various
components of the Unified Client. Port 38380 is used by default. You only need to specify
this if you are experiencing port conflicts.
Note: The --serial option is always necessary.
For example, if your Smoothwall serial is "UNCL000000000000", and you do not have a tenant ID, then you would run the configuration script like this:
sudo "/Library/Application Support/Smoothwall/Unified Client/configure.sh" install --serial UNCL000000000000
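When the configuration command is pushed to a whole fleet, it helps to validate the option values before configure.sh runs. The wrapper below is an added example, not part of the Unified Client. Assumptions: the function names and the DRY_RUN variable are hypothetical, the serial is "UNCL" plus 12 alphanumeric characters, the tenant ID is hexadecimal in the 8-4-4-4-12 shape shown above, and the MDM agent runs the script as root.

```sh
#!/bin/sh
# Added example: validate option values before handing them to configure.sh.
CONFIGURE="/Library/Application Support/Smoothwall/Unified Client/configure.sh"

# Assumption: the 12 characters after "UNCL" are alphanumeric.
valid_serial() {
    [ "${#1}" -eq 16 ] && printf '%s\n' "$1" | grep -Eq '^UNCL[A-Za-z0-9]{12}$'
}

# Assumption: the tenant ID groups (8-4-4-4-12) are hexadecimal, as in a UUID.
valid_tenant() {
    [ "${#1}" -eq 36 ] && printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Accept only the two forms the page describes: "EXAMPLE\" or "@example.com".
# In a shell script a trailing backslash must be single-quoted: 'EXAMPLE\'
valid_transformation() {
    case "$1" in
        @?*|?*\\) return 0 ;;
        *) return 1 ;;
    esac
}

# install_client SERIAL [TENANT] [TRANSFORMATION]
# Runs configure.sh, or only prints the command when DRY_RUN=1.
# Assumption: the MDM agent runs this as root, so sudo is not used.
install_client() {
    serial=$1 tenant=${2:-} transform=${3:-}
    valid_serial "$serial" || { echo "invalid serial" >&2; return 2; }
    set -- install --serial "$serial"
    if [ -n "$tenant" ]; then
        valid_tenant "$tenant" || { echo "invalid tenant ID" >&2; return 2; }
        set -- "$@" --tenant "$tenant"
    fi
    if [ -n "$transform" ]; then
        valid_transformation "$transform" || { echo "invalid transformation" >&2; return 2; }
        set -- "$@" --username-transformation "$transform"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$CONFIGURE $*"
    else
        "$CONFIGURE" "$@"
    fi
}

# Dry run with the page's example serial; remove DRY_RUN=1 to install.
DRY_RUN=1 install_client UNCL000000000000
```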
Check that it's working
When the above steps have been deployed, Smoothwall Cloud Filter should be ready to use.
However, we recommend checking that it's working correctly. You can do this by opening Chrome on one of the target macOS devices. In the address bar, type "smoothwall://" followed by a space, then start typing "diagnostics". Select "Smoothwall Diagnostics" from the list of suggestions.
You should see a page which summarises the state of the browser extension. If it's working correctly then it should report that it's connected and in "mode 2". You should also see your macOS username displayed. (The first time it starts up, it may take several moments to get fully initialised.)
If you want to check that the Unified Client is working correctly, you can inspect the log files it generates. These are stored in the following location:
- /Library/Application Support/Smoothwall/Unified Client/data/logs
You will need admin/sudo privileges to view the files. Each time the daemon starts, it will create a new file. Look for the filename with the highest number to see the current run.
Uninstall
If you no longer want to use Smoothwall Cloud Filter, then we recommend fully uninstalling it. This will ensure it doesn't interfere with any other filtering software you may want to use in future.
To uninstall the browser extension, remove the Chrome policies outlined above. Next time Chrome starts, it should automatically uninstall the extension.
To uninstall the Unified Client, run the following command:
sudo "/Library/Application Support/Smoothwall/Unified Client/configure.sh" uninstall --delete-all
That will stop the daemon from running, and will delete all of its program, configuration, and log files from the system.