Following an update to Trend Micro's Apex One SaaS platform to v.3.5.3617, they have moved the iCore service to a new location which will have significant issues for those who need to update their PPPC profiles!
The new location for the iCore service is:
The new Code Requirement is:
identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113622.214.171.124.6] / exists / and certificate leaf[field.1.2.840.1136126.96.36.199.13] / exists / and certificate leaf[subject.OU] = E8P47U2H32 SystemPolicyAllFiles = Allow
Good to see that Trend Micro is getting the platform ready for supporting Big Sur from the beginning!
I was only made aware of the change following an overnight update to the Apex One application and being met with the attached image:
So I believe that the PPPC setup for Apex One on all versions up to v.3.5.3617 will be fine, but when the Agent and Console are updated you will need to have the new location added to the PPPC profile
@erichughes Here is a screenshot of the PPPC config that works for us... Hope it helps.
Just in Case...
Identifier: com.trendmicro.tmsm.MainUI Identifier Type: Bundle ID Code Requirement: identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.1136188.8.131.52.6] / exists / and certificate leaf[field.1.2.840.1136184.108.40.206.13] / exists / and certificate leaf[subject.OU] = E8P47U2H32 App or Service: SystemPolicyAllFiles Allow
Identifier: com.trendmicro.icore Identifier Type: Bundle ID Code Requirement: identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.1136220.127.116.11.6] / exists / and certificate leaf[field.1.2.840.113618.104.22.168.13] / exists / and certificate leaf[subject.OU] = E8P47U2H32 App or Service: SystemPolicyAllFiles Allow
I stumbled upon this thread while trying to get TMSM upgraded to support Big Sur for my organization. I believe I have created a configuration profile to eliminate all prompts - I found the Trend documentation incomplete so I wanted to share what I put together.
I have three privacy profile settings. Two are based off of the Trend documentation, and the last one is based off the prompt from the application to give the extension full disk access (which is not in their documentation).
Next, I have a Kernel Extension payload. I did not specify the Bundle IDs, but you probably could (in Trend's documentation).
Next is a System Extension payload. This is also not in Trend's documentation, but will suppress the "iCoreService would like to filter network content" message.
Even with this system extension, after Trend starts up, there will be an additional "iCoreService would like to filter network content" message. To suppress that, I had to create a content filter payload. Full disclosure - I am not sure if the Filter Order should be Inspector or Firewall. I went with Inspector as that is what another application we use uses (CrowdStrike).
With all these pieces together, I no longer get any Apple prompts. On Big Sur, Trend will still prompt to approve the system extension (even though it's already approved). When the user opens system preferences, they will get a message that they need to reboot (new behavior with Big Sur that reboots are required for system extensions). After a reboot everything should be fine without any additional prompts.
You are correct mnickels. I have worked with our Trend Support rep and he actually provided me with some "Official" PPPC's. Granted I had to fix one of them and added a few more to the allowed list(Don't forget to restart after install). I can provided if someone has need of them. Also I'd like to point out that if you have M1 computers in your future, they are NOT supported by TrendMicro. Even manually installing the client, it will not function as inteneded. I just learned that support for the Apple M1 chips is planned for Q2 2021.
From TrendMicro (aka Horse's Mouth):
Screenshot was modified to protect the innocent...
Here is a link to my PPPC's: Google Drive Link. There are 5 PPPC's in this .zip file. 4 are from TrendMicro and the 5th one, "Trend Micro - iCoreService v2" was mine that I had to create and test and test and test. I'm sure someone out there could combine these PPPC's and make this a more pleasant experience to upload and manage but this is how I was able to make it work.
Again, this is for INTEL Big Sur computers ONLY and REBOOT IS NEEDED after install. M1 is NOT SUPPORTED. I hope this helps!!
PS- If you are able to combine these PPPC's hit me up with a download link.
I've been able to get all but browser plugin extension for -Mozilla Firefox Extension working. The download to the mobileconfig is here: https://success.trendmicro.com/solution/000277823#
when I upload the mobileconfig, nothing is shown in Custom Settings. Has anyone gotten this to work? FWIW - on the macs that I've tested, I don't even have Firefox installed.
i posted the question about about encrypted, then found this command to use : openssl smime -inform DER -verify -in ~/Settings.mobileconfig -noverify -out ~/Unsigned.mobileconfig
i then stripped out what i needed, but still get the "com.trendmicro.icore" Would like to Filter Network Content - Allow/Dont Allow
more tuning , but ill fix it eventually.
I wrote to the TM Support and got a PDF Manual, titled with"Suggestions for MDM regarding Apex One.pdf". At this time, I try to create a policy that will work and give it a try. I will update this thread with the results.
I had to edit my original posting, because it is not possible to attach files (only pictures) to a post.