@samuellarsson I got hit by the same thing today after my clients got the 4.15 update of Bitdefender. Here is my configuration, and early testing shows it is working for now.
Got info from this page https://www.bitdefender.com/support/changes-to-bitdefender-endpoint-security-for-mac-in-macos-big-sur-2626.html
Export the SSL cert from one of your clients' keychains as .cer and add it to your payload.






Hope this helps.
Hi Samuel,
Did you manage to get this working?
Thanks
@greatkemo Thank you for your step-by-step tutorial.
I managed to make it work but, is there a way to avoid having to type in the password for the certificate?
I exported the Bitdefender CA SSL certificate from my test machine and added it to JAMF. The certificate gets pushed from JAMF but then when Bitdefender starts, it asks for credentials to modify The System Certificate Trust……

@remus I am not seeing this issue, did you check the box for Allow all apps to use this certificate?
@greatkemo Ahaaaa! It is checked.

I'm testing on Big Sur 11.1.
If you are not seeing the same behaviour then maybe there is a bug in 11.1. (Wishful thinking, hehe)
I'll update to 11.2.1 and test again.
@remus and you selected your certificate in the Content Filter payload?
One thing I would also add, when I exported the cert from my laptop, it was already trusted, I did not have an issue with the trust. Not sure if that helps or not.
@greatkemo This is driving me nuts… Still not working! Every time I have to authenticate to make changes to the certificate.
When JAMF pushes the certificate it is "Always Trust"-ed in the keychain.
As soon as Bitdefender installs, it creates another certificate that needs to be authenticated.

Is there a chance I could have your Configuration Profile for Bitdefender?
@remus this is giving me trouble now too. It seems if the client already had BD installed it does not give me a prompt, but if it is a new install, I get the prompt to trust the certificate. I need to work on it a bit more and see what is the deal with it, and maybe even open a case with Bitdefender to provide better documentation for deploying with jamf pro.
I just looked through Bitdefender support site and they have put up new documentation for jamf pro.
Here is the link: Bitdefender Endpoint Security for Mac: How to Configure Jamf Pro for macOS Big Sur 11.0 and later
However, there is nothing in there about the certificate.
@greatkemo Ooooo goody… It's not just me then!
I called Bitdefender and they told me to follow the information on that document that you also linked.
Now I'm writing back to tell them that the information in that documentation is incomplete. There is no mention of how to handle the certificate.
So go ahead and open a case as well! The more the merrier! :)
@remus What I think is happening is when BD runs, it is adding the certificate, and it looks like they are not using the updated API through their app to trust it. It is pointless to try and add the cert using a profile because it seems to be ignored and another cert is installed with a different expiry date and all. So this needs to be fixed by the developer in a future update. Hopefully soon.
As for the add-trust using the security command, that has been changed in Big Sur and will prompt for user authentication.
https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-release-notes#Security
@greatkemo Thank you so much for your feedback.
I also realised that the "add-trust" command thingy is not "silently" working anymore. :(
I'll keep you posted in case I hear back from the Bitdefender people.
I wrote back that the certificate part of their documentation is missing. I haven't heard anything back yet.
Experiencing the same issues and have also gone back and forth with Bitdefender support.
Currently, I'm at a point where I have configured a Configuration Profile using the instructions provided by Bitdefender.
https://www.bitdefender.com/support/bitdefender-endpoint-security-for-mac:-how-to-configure-jamf-pro-for-macos-big-sur-11-0-and-later-2661.html
However, this Configuration Profile is not allowing the System Extension, nor accepting the SSL Certificate (of course nothing in the Configuration Profile that would do so)
For now I am focusing on the System Extension, waiting back on Bitdefender support.
@cmasciarelli-L You should have a working System Extension and Content Filter after following the above article. As for the certificate, we've all been bitten by it, so waiting on a reply from support. But this is something their devs would probably need to fix so could take a while. They should not have put this update out as a fix for the content control not working in Big Sur, and leave us with a whole new problem.
@greatkemo We got our answer from Bitdefender… and the answer is kind of embarrassing. It looks like a half-baked compatibility with Big Sur.
At this time we do not support importing the certificate through Jamf PRO because the certificate is unique for each station.
The certificate is generated locally on each station. For this reason they cannot be imported through Jamf PRO.
We have opened an internal case to find a solution to accept the certificate through JAMF Pro but we do not have a deadline for when it will be implemented.
@remus I also got a lame response from them, which basically said that I was doing it wrong and that I should follow the steps in all the links which I already followed anyway.
I am sure the issue is this....
When you get prompted for a password to trust the certificate do this:
ps aux | grep add-trusted-cert | grep -v grep
You should see...
/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Library/Bitdefender/AVP/antivirus.bundle/rootCA.pem
So you can see that the app is trying to add their CA to the trust using the security command, which now in Big Sur requires users to authorize this transaction.
Instead, developers need to use Apple's API for certificates to add items to the keychain:
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/certificates
The annoying thing is, this is not new news or a surprise from Apple; this was mentioned months ago.
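The check described in the post above, turned into a small parser as an added example (not part of the original thread and not Bitdefender's code): it reads `ps aux`-style text and reports each `security add-trusted-cert` invocation with its trust domain, result type, keychain and certificate path. The sample process listing is constructed, and the function name `find_trust_changes` is hypothetical.

```shell
#!/bin/sh
# Added example: report `security add-trusted-cert` invocations found in a
# process listing, so a trust-store change can be tied to a PID and a cert file.

# Constructed sample input, shaped like `ps aux` output for the case in the thread.
SAMPLE_PS='root   412  0.0  0.1  4300000  9000 ??   Ss  9:01AM  0:00.10 /Library/Bitdefender/AVP/BDLDaemon
root   977  0.0  0.0  4280000  3100 ??   S   9:02AM  0:00.02 /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Library/Bitdefender/AVP/antivirus.bundle/rootCA.pem
admin 1201  0.0  0.0  4270000   800 s000 S+  9:03AM  0:00.00 grep add-trusted-cert'

# Reads a process listing on stdin and prints one line per matching process:
#   pid=<pid> admin_domain=<yes|no> result=<type> keychain=<path> cert=<path>
# Limitation: fields are split on whitespace, so paths containing spaces
# are not handled.
find_trust_changes() {
    awk '
    {
        # Find the security binary immediately followed by the verb, which
        # also skips the "grep add-trusted-cert" line without a grep -v.
        start = 0
        for (i = 1; i < NF; i++)
            if (($i == "security" || $i ~ /\/security$/) && $(i + 1) == "add-trusted-cert") {
                start = i + 2
                break
            }
        if (!start) next

        admin = "no"; result = "unspecified"; keychain = "unspecified"; cert = ""
        for (i = start; i <= NF; i++) {
            if ($i == "-d") admin = "yes"            # admin (system-wide) trust domain
            else if ($i == "-r") result = $(++i)     # result type, e.g. trustRoot
            else if ($i == "-k") keychain = $(++i)   # keychain the cert is added to
            else if ($i !~ /^-/) cert = $i           # last bare argument is the cert file
        }
        printf "pid=%s admin_domain=%s result=%s keychain=%s cert=%s\n", $2, admin, result, keychain, cert
    }'
}

# Run against the constructed sample; on a Mac, pipe `ps aux` in instead.
printf '%s\n' "$SAMPLE_PS" | find_trust_changes
```

A line with `admin_domain=yes` and `result=trustRoot` means a root CA is being trusted system-wide, which is the change Big Sur now makes the user authorize.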
I'm still struggling with the System Extension for some reason.
Here is what my Configuration Profile looks like

@cmasciarelli-L You probably did not check Network Extension.
Use these screen-grabs as an example!
But you are going to hit a wall when it comes to the SSL Certificate.
In order to avoid that, disable the Content Control module and leave active only the Antimalware module.



@remus @cmasciarelli-L
Use these, they are tidier and working (apart from cert of course), but don't forget these will work on Big Sur and Catalina; if you have older clients then add Kernel Extension as well.
General

Notifications (Jamf Pro 10.27.0)
Bundle ID: com.bitdefender.endpointsecurityformac

Privacy Preference Policy Control
Identifier: com.bitdefender.EndpointSecurityforMac
Identifier Type: Bundle ID
Code Requirement: identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y
APP OR SERVICE: SystemPolicyAllFiles
ACCESS: Allow
Identifier: /Library/Bitdefender/AVP/BDLDaemon
Identifier Type: Path
Code Requirement: identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y
APP OR SERVICE: SystemPolicyAllFiles
ACCESS: Allow
Identifier: com.bitdefender.epsecurity.BDLDaemonApp
Identifier Type: Bundle ID
Code Requirement: anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)
APP OR SERVICE: SystemPolicyAllFiles
ACCESS: Allow


System Extension
Display Name: Bitdefender
System Extension Types: Allowed System Extensions
Team Identifier: GUNFMW623Y
ALLOWED SYSTEM EXTENSIONS: com.bitdefender.cst.net.dci.dci-network-extension

Content Filter
Filter Name: Bitdefender
Identifier: com.bitdefender.epsecurity.BDLDaemonApp
Network Filter Bundle Identifier: com.bitdefender.cst.net.dci.dci-network-extension
Network Filter Designated Requirement: anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)

Hope this is helpful.
Has anyone tried generating an SSL cert as noted here (notably talking about iOS)?
https://www.bitdefender.com/support/creating-security-certificates-1217.html
Anyone had success with this? After a few rounds of emails back and forth with BitDefender - they've advised that the end-user must manually trust the cert which is frustrating. Certainly, there must be another way?
Is anybody having issues with installing the latest packages from Bitdefender using Jamf Pro? They now have a pkg for Intel Macs and another one for M1 Macs.

I've also hit this issue - Thankfully we don't actually make use of Content Control which got me wondering why the hell it was showing as a loaded module even though it's disabled!
I did a reconfigure on the client and it's now not showing the Content Control in the BEST main window.
I then created a new Package for Mac OS deployment without the CC module in there and noticed that the download URL differed from the original one I was using.
I've now updated the installer script in Jamf Pro to use that installer and hope it removes this prompt :)
I know it's not ideal if you do use CC but may provide some help for those who don't use it.