Jamf Nation Community

Hi Samuel,
Did you manage to get this working?
Thanks

@greatkemo Thank you for your step-by-step tutorial.
I managed to make it work but, is there a way to avoid having to type in the password for the certificate?
I exported the Bitdefender CA SSL certificate from my test machine and added it to JAMF. The certificate gets pushed from JAMF but then when Bitdefender starts, it ask for credentials to modify The System Certificate Trust……

@remus I am not seeing this issue, did you check the box for Allow all apps to use this certificate?

@greatkemo Ahaaaa! It is checked.

I'm testing on Big Sur 11.1. If you are not seeing the same behaviour then maybe there is bug in 11.1. (Wishful thinking, hehe)
I'll update to 11.2.1 and test again.

@remus and you selected your certificate in the Content Filter payload?

One thing I would also add, when I exported the cert from my laptop, it was already trusted, I did not have an issue with the trust. Not sure if that helps or not.

@greatkemo This is driving me nuts… Still not working! Every time I have to authenticate to make changes to the certificate.
When JAMF pushes the certificate it is "Always Trust"-ed in the keychain.
As soon as Bitdefender installs, it creates another certificate that needs to be authenticated.

Is there a chance I could have your Configuration Profile for Bitdefender?

@remus this is giving me trouble now too. It seems if the client already had BD installed it does not give me a prompt, but if it is a new install, I get the prompt to trust the certificate. I need to work on it a bit more and see what is the deal with it, and maybe even open a case with Bitdefender to provide better documentation for deploying with jamf pro.

I just looked through Bitdefender support site and they have put up new documentation for jamf pro.

Here is the link: Bitdefender Endpoint Security for Mac: How to Configure Jamf Pro for macOS Big Sur 11.0 and later

However, this is nothing in there about the certificate.

@greatkemo Ooooo goody… It's not just me then!
I called Bitdefender and they told me to follow the information on that document that you also linked.
Now I'm writing back to tell them that the information in that documentation is incomplete. There is no mention on how to handle the certificate.
So go ahead and open a case as well! The more the merrier! :)

I suppose this is another way of doing it...
https://www.jamf.com/jamf-nation/discussions/36644/how-to-set-a-self-signed-certificate-to-always-tr...

@remus What I think is happening is when BD runs, it is adding the certificate, and it looks like they are not using the updated API through their app to trust it. It is pointless to try and add the cert using a profile because it seems to be ignored and another cert is installed with a different expiry date and all. So this needs to be fixed by the developer in a future update. Hopefully soon.

As for the add-trust using the security command, that has been changed in Big Sur and will prompt for user authentication.
https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-release-notes#Sec...

@greatkemo Thank you so much for your feedback.
I also realised that the "add-trust" command thingy is not "silently" working anymore. :(
I'll keep you posted in case I hear back from the Bitdefender people.
I wrote back that the certificate part of their documentation is missing. I haven't heard anything back yet.

Experiencing the same issues and have also gone back and forth with Bitdefender support.

Currently, I'm at a point where I have configured a Configuration Profile using the instructions provided by Bitdefender.
https://www.bitdefender.com/support/bitdefender-endpoint-security-for-mac:-how-to-configure-jamf-pro-for-macos-big-sur-11-0-and-later-2661.html

However, this Configuration Profile is not allowing the System Extension, nor accepting the SSL Certificate (of course nothing in the Configuration Profile that would do so)

For now I am focusing on the System Extension, waiting back on Bitdefender support.

@cmasciarelli-L You should have a working System Extension and Content Filter after following the above article. As for the certificate, we've all been bitten by it, so waiting on a reply from support. But this is something their devs would probably need to fix so could take a while. They should not have put this update out as a fix for the content control not working in Big Sur, and leave us with a whole new problem.

@greatkemo We got our answer from Bitdefender… and the answer is kind of embarrassing. It looks like a half-baked compatibility with Big Sur.
At this time we do not support importing the certificate through Jamf PRO because the certificate is unique for each station.
The certificate is generated locally on each station. For this reason they cannot be imported through Jamf PRO.
We have opened an internal case to find a solution to accept the certificate through JAMF Pro but we do not have a deadline for when it will be implemented.

@remus I also got a lame response from them, which basically said that I was doing it wrong and that I should follow the steps in all the links which I already followed anyway.

I am sure the issue is this....
When you get prompted for a password to trust the certificate do this:

ps aux | grep add-trusted-cert | grep -v grep

You should see...

/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Library/Bitdefender/AVP/antivirus.bundle/rootCA.pem

So you can see that the app is trying to add their CA to the trust using the security command, which now in Big Sur requires users to authorize this transaction.

Instead, developers need to use Apple's API for certificates to add items to the keychain
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/certificates

The annoying thing is, this is not new news a surprise from Apple, this was mentioned months ago.

I'm still struggling with the System Extension for some reason.
Here is what my Configuration Profile looks like

@cmasciarelli-L You probably did not checked Network Extension.
Use these screen-grabs as an example!
But you are going to hit a wall when it comes to the SSL Certificate.
In order to avoid that, disable the Content Control module and leave active only the Antimalware module.

@remus @cmasciarelli-L

Use these, they are tidier and working (apart from cert of course), but don't forget these will work on Big Sur and Catalina if you have older clients then add Kernel Extension as well.

General

Notifications (Jamf Pro 10.27.0)

Bundle ID: com.bitdefender.endpointsecurityformac

Privacy Preference Policy Control

Identifier: com.bitdefender.EndpointSecurityforMac
Identifier Type: Bundle ID
Code Requirement: identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y
APP OR SERVICE: SystemPolicyAllFiles
ACCESS: Allow

Identifier: /Library/Bitdefender/AVP/BDLDaemon
Identifier Type: Path
Code Requirement: identifier BDLDaemon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y
APP OR SERVICE: SystemPolicyAllFiles
ACCESS: Allow

Identifier: com.bitdefender.epsecurity.BDLDaemonApp
Identifier Type: Bundle ID
Code Requirement: anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)
APP OR SERVICE: SystemPolicyAllFiles
ACCESS: Allow

System Extension

Display Name: Bitdefender
System Extension Types: Allowed System Extensions
Team Identifier: GUNFMW623Y
ALLOWED SYSTEM EXTENSIONS: com.bitdefender.cst.net.dci.dci-network-extension

Content Filter

Filter Name: Bitdefender
Identifier: com.bitdefender.epsecurity.BDLDaemonApp
Network Filter Bundle Identifier: com.bitdefender.cst.net.dci.dci-network-extension
Network Filter Designated Requirement: anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)

Hope this is helpful.

Has anyone tried generating a SSL cert as noted here (notably talking about iOS)?
https://www.bitdefender.com/support/creating-security-certificates-1217.html

Anyone had success with this? After a few rounds of emails back and forth with BitDefender - they've advised that the end-user must manually trust the cert which is frustrating. Certainly, there must be another way?

Anybody is having issues with installing the latest packages from Bitdefender using Jamf Pro? they have now a pkg for intel Macs and another one for M1 Macs.

I've also hit this issue - Thankfully we don't actually make use of Content Control which got me wondering why the hell it was showing as a loaded module even though it's disabled!

I did a reconfigure on the client and it's now not showing the Content Control in the BEST main window.
I then created a new Package for Mac OS deployment without the CC module in there and noticed that the download URL differed from the original one I was using.
I've now updated the installer script in Jamf Pro to use that installer and hope it removes this prompt :)
I know it's not ideal if you do use CC but may provide some help for those who don't use it.

Do you folks have any ticket numbers that can be referenced for the SSL cert trust issues? I'm going to log a ticket about this too, and it would be worth adding additional weight.

@remus 

Thanks for that . The additional path to the BDLDaemon was what I was missing from my CCCP. Funny how Bitdefender doesn't provide that info but tells you everything else to go into the CCCP. /shrug

Thankfully, we don't seem to be suffering from the SSL cert trust issues some are having.

For anyone experiencing issues on Monterey a couple changes are needed.

Note: I have been able to deploy the SSL cert without Bitdefender reporting errors, though it's not appearing in Keychain access so I am not sure if it's actually present on the machine.

In my PPPC payload I added the following for good measure

Identifier: com.bitdefender.networkinstaller
Identifier Type: Bundle ID
Code Requirement: identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y
App or Service: SystemPolicyAllFiles - Allowed

And with that I added more to my System Extensions Payload:

System Extensions
Allow users to approve system extensions: True
Display Name: Bitdefender
System Extention Types: Allowed System Extensions
Team Identifier: GUNFMW623Y
Allowed System Extensions: com.bitdefender.cst.net.dci.dci-network-extensions, com.bitdefender.networkinstaller

Allowed Team IDs and System Extensions
Display Name: Bitdefender Extensions
System Extension Types: Allowed System Exception Types
Team Identifier: GUNFMW623Y
Allowed System Extension Types: Driver Extension, Endpoint Security Extension, Network Extension

The rest of the policies such as Content Filter can stay the same as above.

Additionally, if you are on Bitdefender 7.2.4.20013, with Monterey (and presumably with Filevault enabled), you need to upgrade to version 7.2.6.20020 or newer otherwise the app crashes repeatedly.

The only way I was able to uninstall 7.2.4.20013 was by removing my BD Configuration Profiles, rebooting, uninstall, pushing the profiles back, and installing the new version.

After all of these steps I get a happy Bitdefender with all features working and no crashing. It's also 'configless' on install, as in the user doesn't have to accept any sort of prompts whatsoever, nor enter any passwords.

Hi guys,

I'm at Monterey and I followed all the steps mentioned before here and I got a smooth setup without any user prompts (thanks @seraphina )

I exported Bitdefender CA SSL from keychain and deployed to some macs and Bitdefender shows "Your mac is safe" but when I try to access some websites I got an error saying that the site certificate is not trusted... 😕 

Sites like google.com doesn't give us errors, but some sites like app.feedz.com.br 

Hi everyone, just wanted to update this thread, in case anyone was stuck with Bitdefender 7.6.xxxxx.

Bitdefender introduced an app downloader that would install the correct version for you based on your architecture.  I have updated my script on GitHub and it seems to be working nicely.  Don't forget to set $4 and $5 in your policy.

Also, someone at Bitdefender has finally put all the documentation for deploying BD with Jamf Pro all in one place and can be found here be careful with the cert steps, there is a step missing.

Here is what I did and what worked for me:

openssl req -new -days 1825 -nodes -x509 -subj '/C=RO/ST=Bucharest/L=Bucharest/O=Endpoint/CN=Exmple Bitdefender CA SSL' -keyout example_rootca.key -out example_rootca.pem
md5 -s 'creatRandomPassword' # don't forget to set this password as the package uninstall password in Control Center.
MD5 ("creatRandomPassword") = 044dacc2110efade537fce97710af1cd

openssl pkcs12 -export -inkey example_rootca.key -in example_rootca.pem -out example_rootca.pfx
Enter Export Password: 044dacc2110efade537fce97710af1cd
Verifying - Enter Export Password: 044dacc2110efade537fce97710af1cd

I hope this helps.

Best,

Kamal

Hi everyone, just wanted to update this thread, in case anyone was stuck with Bitdefender 7.6.xxxxx.

Bitdefender introduced an app downloader that would install the correct version for you based on your architecture.  I have updated my script on GitHub and it seems to be working nicely.  Don't forget to set $4 and $5 in your policy.

Also, someone at Bitdefender has finally put all the documentation for deploying BD with Jamf Pro all in one place and can be found here be careful with the cert steps, there is a step missing.

Here is what I did and what worked for me:

openssl req -new -days 1825 -nodes -x509 -subj '/C=RO/ST=Bucharest/L=Bucharest/O=Endpoint/CN=Exmple Bitdefender CA SSL' -keyout example_rootca.key -out example_rootca.pem
md5 -s 'creatRandomPassword' # don't forget to set this password as the package uninstall password in Control Center.
MD5 ("creatRandomPassword") = 044dacc2110efade537fce97710af1cd

openssl pkcs12 -export -inkey example_rootca.key -in example_rootca.pem -out example_rootca.pfx
Enter Export Password: 044dacc2110efade537fce97710af1cd
Verifying - Enter Export Password: 044dacc2110efade537fce97710af1cd

I hope this helps.

Best,

Kamal