Deploying Bitdefender Endpoint Security Tool as a Custom App

  • hC
  • Katelyn Husvar
  • EF
 Prev Next

Please note that depending on the specific application and version you have installed, the app path, privacy access, and system extension requirements may vary. As a best practice, we recommend thoroughly testing any Custom Apps before deploying them to a Mac in a production environment.

Prerequisites

  • Bitdefender installer package(s) from your Bitdefender admin portal. Ensure that an uninstall password is set in the package settings.

    • If you have a mixed environment of both Intel and Apple Silicon Mac computers, you will need to download both the macOS kit (Intel x86) and macOS kit (Apple Silicon) packages, but you will only need to include one of the install.xml files. The post-install script used in this guide will account for both installer types.

    • If you are only deploying to one architecture, you will still need that install package and the included install.xml file.

  • Bitdefender PFX Certificate Generator script (GitHub Link)

  • Bitdefender Settings Profile (GitHub Link)

    • This configuration profile enables full disk access for Notifications, System Extensions, Bitdefender SSL CA certificate, Privacy Preferences (PPPC), and a Network content filter.

  • Bitdefender macOS 15+ Settings Profile (GitHub Link)

    • This configuration profile includes the NonRemovableFromUISystemExtensions field for macOS 15+ devices.

  • Bitdefender Service Management Profile (GitHub Link)

    • This configuration profile allows managed background items for Bitdefender.

  • Bitdefender Audit and Enforce Script (GitHub Link)

  • Bitdefender Postinstall Script (GitHub Link)

Creating a PFX Certificate

This section steps through the creation of a PFX certificate for Bitdefender that can be uploaded to Kandji in a Certificate Library Item.

Bitdefender requires that a PFX certificate be created and deployed to macOS. This section is based on BitDefender's guide, which you can refer to for more information.

  1. Open the PFX Certificate Generator script in a text editor or IDE such as VScode or BBEdit.

  2. Fill in the certificate information section of the script.

    VARIABLES

# Cert info
COUNTRY=""                               # US - 2 letter country code
STATE=""                                 # Georgia - state or province
LOCAL=""                                 # Atlanta - locality name
ORG_NAME="Endpoint"                      # Leave as default
CERT_NAME=" BitDefender CA SSL"   # Leave as default

  3. Save the updated script to your Desktop.

  4. Open Terminal.app.

  5. Run the following command in Terminal.

    zsh '/Users/Desktop/bitdefender/bitdefender_cert_generator.zsh'

  6. When prompted, enter and verify the password used in the Bitdefender installer settings you defined in your Bitdefender portal.

  7. When the script is finished, you should see the password hash used to generate the certificate. Copy the generated hash and paste it in the password field when creating the Certificate Library Item in Kandji.

    Password hash: 626cacdec63355c2680dbd6747c8d755

  8. A Finder.app window should open on your Desktop, showing the certificate.pfx file.

  9. Upload this certificate to Kandji in a Certificate Library Item.

Add a Custom Profile Library Item

In order to add this Library Item to your Kandji Library, follow the steps outlined in the Library Overview article.

Configure the Bitdefender Profiles

  1. Give the profile a Name.

  2. For Install on, select Mac.

  3. Assign your Custom Profile to a Blueprint.

  4. Upload the bitdefender_settings.mobileconfig file you downloaded previously.

  5. Click Save

  6. Repeat the previous steps for the bitdefender_settings_macOS15.mobileconfig and the bitdefender_service_management.mobileconfig files you downloaded in the prerequisites section.

Zipping the Installer Files

Before uploading the installer files to Kandji, you will need to zip them up together first.

  1. Go to the Bitdefender installer files that you downloaded from the Bitdefender console earlier. If you downloaded the Intel and Apple ARM DMG files, you might need to mount them first and then pull the installer files out.

  2. Put the installer package(s), installer.xml file, and certificate.pfx file in the same location, such as your Desktop. Only one installer.xml file is needed; either the one from the Intel download or the ARM download will work.

  3. Select all of the files at one time.

  4. Hold the Control(⌃) key and click on the selected files. Then, in the menu, click Compress. You should see a dialog showing the compression progress.

  5. An Archive.zip file should be created in the same directory. Feel free to rename the file to something like bitdefender_install.zip. This is the file that will be uploaded to Kandji in the next section.

Custom App

In order to add this Library Item to your Kandji Library, follow the steps outlined in the Library Overview article.

  1. Give the Custom App a name. Optionally, add a custom icon.

  2. Assign to your desired blueprint.

  3. Change the installation type to Audit and enforce.

  4. Copy the bitdefender_ae_script.zsh script you downloaded in the prerequisites section and paste into the Audit & Enforce text box. No modification needed.

    • The script looks for two profile identifiers and the name of the installed Bitdefender app before attempting an install. Additionally, the script looks for two Launch Deamons on computers where the app is already installed to ensure that the app is running as expected. If you would like to use this script with another profile, update the profile identifier prefix information to match what is in your profile.

      Settings Profile prefix: io.kandji.bitdefender.D0DF2C14
Background Service Management Profile prefix: io.kandji.bitdefender.service-management
App name: "Endpoint Security for Mac.app"
Processes: "com.bitdefender.epsecurity.BDLDaemonApp", "com.epsecurity.bdldaemon"

  5. Select ZIP File (unzip contents into specified directory) as the deployment type.

  6. Set the Unzip Location to /var/tmp

  7. Upload the installer zip file downloaded earlier.

  8. Click Add Postinstall Script.

  9. Copy the post-install script you downloaded in the prerequisites section and paste it into the post-installer text field. Be sure to copy all text, including the #!/bin/sh (shebang) line at the top.

    • Ensure that the package names match the names downloaded from Bitdefender.

    • Ensure that the certificate file name matches the cert file you created using the Bitdefender KB.

  10. Click Save.

Deploying with Assignment Maps

Two of the Bitdefender Custom Profiles need conditional logic to ensure they are deployed to the correct devices. An Assignment Map provides an easy solution for all of your devices in one convenient view.

Please review our Creating a Blueprint and Using Conditional Logic in Assignment Maps articles.

  1. Start with the For All devices on this Blueprint conditional block.

  2. Assign the Bitdefender Custom App to the block.

    • If multiple Custom Apps are needed, create a conditional block with conditions for the different versions of the installer.

  3. Assign the Bitdefender Certificate Library Item to the conditional block.

  4. Assign the bitdefender_settings Custom Profile to the conditional block.

  5. Set the top of the conditional block to If macOS is greater than or equal to 13.0.

  6. Assign the bitdefender_service_management Custom Profile to the conditional block.

  7. Set the top of the conditional block to If macOS is greater than or equal to 15.0.

  8. Assign the bitdefender_settings_macOS15 Custom Profile to the conditional block.