Do you folks have any ticket numbers that can be referenced for the SSL cert trust issues? I'm going to log a ticket about this too, and it would be worth adding additional weight.
@remus
Thanks for that. The additional path to the BDLDaemon was what I was missing from my CCCP. Funny how Bitdefender doesn't provide that info but tells you everything else to go into the CCCP. /shrug
Thankfully, we don't seem to be suffering from the SSL cert trust issues some are having.
For anyone experiencing issues on Monterey, a couple of changes are needed.
Note: I have been able to deploy the SSL cert without Bitdefender reporting errors, though it's not appearing in Keychain Access, so I am not sure if it's actually present on the machine.
In my PPPC payload I added the following for good measure
Identifier: com.bitdefender.networkinstaller
Identifier Type: Bundle ID
Code Requirement: identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y
App or Service: SystemPolicyAllFiles - Allowed
And with that I added more to my System Extensions Payload:
System Extensions
Allow users to approve system extensions: True
Display Name: Bitdefender
System Extension Types: Allowed System Extensions
Team Identifier: GUNFMW623Y
Allowed System Extensions: com.bitdefender.cst.net.dci.dci-network-extensions, com.bitdefender.networkinstaller
Allowed Team IDs and System Extensions
Display Name: Bitdefender Extensions
System Extension Types: Allowed System Extension Types
Team Identifier: GUNFMW623Y
Allowed System Extension Types: Driver Extension, Endpoint Security Extension, Network Extension
The rest of the policies such as Content Filter can stay the same as above.
Additionally, if you are on Bitdefender 7.2.4.20013 with Monterey (and presumably with FileVault enabled), you need to upgrade to version 7.2.6.20020 or newer, otherwise the app crashes repeatedly.
The only way I was able to uninstall 7.2.4.20013 was by removing my BD Configuration Profiles, rebooting, uninstalling, pushing the profiles back, and installing the new version.
After all of these steps I get a happy Bitdefender with all features working and no crashing. It's also 'configless' on install, as in the user doesn't have to accept any sort of prompts whatsoever, nor enter any passwords.
Hi guys,
I'm on Monterey and I followed all the steps mentioned before here and I got a smooth setup without any user prompts (thanks @seraphina)
I exported Bitdefender CA SSL from the keychain and deployed it to some Macs, and Bitdefender shows "Your mac is safe", but when I try to access some websites I get an error saying that the site certificate is not trusted... 😕😕
Sites like google.com don't give us errors, but some sites like app.feedz.com.br
I do not get any certificate errors when visiting this site.
I don't think this issue is related to your Bitdefender certificate, but just in case, how are you deploying it?
app.feedz.com.br certificate issuer is from Cloudflare, and the Root CA is Baltimore CyberTrust Root, which is included in the macOS System Certificates.
The issue might be related to how the certificate was generated. How have you generated the certificate.pfx, @seraphina?
Hi everyone, just wanted to update this thread, in case anyone was stuck with Bitdefender 7.6.xxxxx.
Bitdefender introduced an app downloader that would install the correct version for you based on your architecture. I have updated my script on GitHub and it seems to be working nicely. Don't forget to set $4 and $5 in your policy.
Also, someone at Bitdefender has finally put all the documentation for deploying BD with Jamf Pro in one place, and it can be found here. Be careful with the cert steps; there is a step missing.
Here is what I did and what worked for me:
openssl req -new -days 1825 -nodes -x509 -subj '/C=RO/ST=Bucharest/L=Bucharest/O=Endpoint/CN=Exmple Bitdefender CA SSL' -keyout example_rootca.key -out example_rootca.pem
md5 -s 'creatRandomPassword' # don't forget to set this password as the package uninstall password in Control Center.
MD5 ("creatRandomPassword") = 044dacc2110efade537fce97710af1cd
openssl pkcs12 -export -inkey example_rootca.key -in example_rootca.pem -out example_rootca.pfx
Enter Export Password: 044dacc2110efade537fce97710af1cd
Verifying - Enter Export Password: 044dacc2110efade537fce97710af1cd
I hope this helps.
Best,
Kamal
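Added example (not part of the post above or of Bitdefender's documentation): a shell check that a .pfx built with the two openssl commands in the post opens with the export password and carries the same certificate as the .pem, which is a first thing to rule out when the CA seen on a Mac is not the one you generated. The function names, file names and the PFX_PASS variable are assumptions made for this example; it needs only the openssl command line tool.

```sh
#!/bin/sh
# Added example, not from the thread. File names and passwords are placeholders.

# cert_fp: SHA-256 fingerprint of the first PEM certificate on stdin.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# pfx_cert PFX PASSWORD: print the certificate stored in the PFX as PEM.
# The password is passed through the environment (hypothetical PFX_PASS
# variable) rather than argv. Non-zero exit on a wrong password or bad file.
pfx_cert() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null
}

# pfx_matches_pem PFX PASSWORD PEM
#   0 = PFX opens and holds the same certificate as PEM
#   1 = PFX opens but the certificate differs
#   2 = PFX could not be opened
pfx_matches_pem() {
    pem=$(pfx_cert "$1" "$2") || return 2
    in_pfx=$(printf '%s\n' "$pem" | cert_fp)
    in_pem=$(cert_fp < "$3")
    [ -n "$in_pfx" ] && [ "$in_pfx" = "$in_pem" ]
}

# make_constructed_ca DIR PASSWORD: non-interactive form of the two openssl
# commands in the post, writing a throwaway CA (ca.key, ca.pem, ca.pfx).
make_constructed_ca() {
    openssl req -new -days 1825 -nodes -x509 \
        -subj '/C=RO/O=Endpoint/CN=Constructed Test CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    PFX_PASS="$2" openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.pem" \
        -out "$1/ca.pfx" -passout env:PFX_PASS
}

# Usage: sh check_pfx.sh certificate.pfx 'export-password' example_rootca.pem
if [ "$#" -eq 3 ]; then
    if pfx_matches_pem "$1" "$2" "$3"; then
        echo "OK: PFX opens and matches $(openssl x509 -noout -serial < "$3")"
    else
        echo "FAIL: wrong password, unreadable PFX, or different certificate" >&2
        exit 1
    fi
fi
```

To compare against what a Mac actually trusts, pipe the PEM printed by `security find-certificate -p` for that certificate into `cert_fp` and compare it with the fingerprint of your .pem.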
Hi Kamal. Great work there. I did indeed notice that generating the .pfx file was missing in their steps. But it's sloppy work still. I've also created a package deploying the cert to /Library/DeployCert, but nothing around why we do that?
Mine still doesn't work. I get the SSL warning in Bitdefender. The cert is in my Keychain and trusted, but Bitdefender doesn't seem to know how to use it. I tried including it in my Content Filter profile and selecting it for use there, but that didn't work either. PPPCs and Sys Extension are working, just missing the SSL. Did you create a separate config for it, and do we reference the /Library/DeployCert anywhere else?
All the best, Ulrik
Hi Ulrik,
When enforcing the cert via Configuration Profile, did you check the box to allow all apps to use the cert?
I am guessing that the Endpoint Security app will look for /Library/DeployCert as part of its installation instructions in the XML file with the installer. So make sure you deploy the pfx first and be sure the permissions are set correctly in Composer.
Kamal
Hi Greatkemo, yes, I did allow all apps to access and I did check that all permissions were correct. I haven't tried reinstalling everything. With the Bitdefender cert it just registers when you add or remove, so I didn't think to try from the beginning; will try that. 👍
Hi all,
Any update on the SSL warning in Bitdefender? I'm still stuck at this part.
Hi Hung_cheng. Well, I have one deployment where this worked as expected. I did everything as described and the cert I had generated in Terminal pushed out fine and was used instead of the Bitdefender one.
But with another customer, it just won’t work. I don’t have access to this other customer’s Bitdefender portal, so I could only check the XML files, and as far as I can tell, the only major difference is that the one that doesn’t work seems to be pulling something from a local address (172.X.X.X). I don’t know if that applies to you?
I tried following the SSL certificate deployment through Jamf Pro steps to deploy the SSL certificate, but still no luck on this. It seems the SSL certificate has a different serial number for different users.
I have the same issue with the SSL certificate if we activate the network SSL traffic scan... like this case https://macadmins.slack.com/archives/C0C4X3G3W/p1660243674574319
Any idea?
@greatkemo
Thanks for sharing your script. I am still stuck with this Bitdefender SSL trusting issue. I have tried everything but no luck. I would like to try your script. Please help me with the script: for $4 I will set it to my Jamf Pro URL, and what should I set for $5?
Also, should I just attach this script alone in the policy, or should I attach the package and the script together in the policy?
Thanks
Joy
@BlackTiger
Hi Joy,
$5 is the ID for the downloader app.
When you configure a package in the Bitdefender Control Center, a unique URL is generated. In the Control Center, find the package download URL, which should look something like this https://bitdefender.example.com/Packages/MAC/0/abcdEf/setup_downloader.dmg, where in this case "abcdEf" is the package ID. The ID is case-sensitive.
Good luck,
Kamal
@greatkemo
Hi Kamal,
Thanks for the update.
In the policy, should I include the package as well or just the script?
Thanks
Joy
@BlackTiger
Hi Joy,
In the policy, you should include two things. The package you should make first contains the certificate, then the script to run after the package. The script downloads the installer package from the server, so there is no need to repackage the installer. Also, this script is for version 7.6x and later.
@greatkemo
Hi Kamal,
You are more supportive than Bitdefender support, appreciate it. I have read many articles, but it seems like only you got it working, congrats.
I have tried a lot of ways but couldn't get the SSL installed on Big Sur and above. I hope it works this time with your magic script, but I just want to make sure I am doing it right.
Steps in my head to do:
1. Download the macOS Downloader (which is for both Intel and M series)
2. Start Composer
3. Drag the setup_downloader.dmg and installer.xml into /Users/Shared
4. Copy the certificate.pfx into /Library/DeployCert
5. Close Composer and create a PKG or DMG
6. Add the package and the script to a policy, and make the script run after the package.
So this should install Bitdefender and the SSL should be enabled, correct?
In case I missed anything or the order of doing it is wrong, could you please help me with it?
Thanks
Joy
@BlackTiger
Are you on the MacAdmins Slack? If so, find me on there, I will do my best to help.
Kamal
@BlackTiger
Not quite...
- Do not add the downloader app to your package.
- Package JUST the certificate you created in /Library/DeployCert.
- Add the package to your policy.
- Add the script to your policy to run AFTER, and fill $4 and $5.
- Ensure your configuration profile is installed on the device before you push the policy.