Skip to main content
This guide applies to Mac computers
Please note that depending on the specific application and version you have installed, the app path, privacy access, and system extension requirements may vary. As a best practice, we recommend thoroughly testing any Custom Apps before deploying them to a Mac in a production environment.

Prerequisites

  • Bitdefender installer package(s) from your Bitdefender admin portal. Ensure that an uninstall password is set in the package settings
    • If you have a mixed environment of both Intel and Apple Silicon Mac computers, you will need to download both the macOS kit (Intel x86) and macOS kit (Apple Silicon) packages, but you will only need to include one of the install.xml files. The post-install script used in this guide will account for both installer types
    • If you are only deploying to one architecture, you will still need that install package and the included install.xml file
  • Bitdefender PFX Certificate Generator script (GitHub Link)
  • Bitdefender Settings Profile (GitHub Link)
    • This configuration profile enables full disk access for Notifications, System Extensions, Bitdefender SSL CA certificate, Privacy Preferences (PPPC), and a Network content filter
  • Bitdefender macOS 15+ Settings Profile (GitHub Link)
    • This configuration profile includes the NonRemovableFromUISystemExtensions field for macOS 15+ devices
  • Bitdefender Service Management Profile (GitHub Link)
    • This configuration profile allows managed background items for Bitdefender
  • Bitdefender Audit and Enforce Script (GitHub Link)
  • Bitdefender Postinstall Script (GitHub Link)

Creating a PFX Certificate

This section steps through the creation of a PFX certificate for Bitdefender that can be uploaded to Iru Endpoint in a Certificate Library Item.
Bitdefender requires that a PFX certificate be created and deployed to macOS. This section is based on BitDefender’s guide, which you can refer to for more information.
1

Open Certificate Generator Script

Open the PFX Certificate Generator script in a text editor or IDE such as VScode or BBEdit.
2

Configure Certificate Information

Fill in the certificate information section of the script:
VARIABLES
# Cert info
COUNTRY=""                               # US - 2 letter country code
STATE=""                                 # Georgia - state or province
LOCAL=""                                 # Atlanta - locality name
ORG_NAME="Endpoint"                      # Leave as default
CERT_NAME=" BitDefender CA SSL"   # Leave as default
3

Save Script

Save the updated script to your Desktop.
4

Open Terminal

Open Terminal.app.
5

Run Certificate Generator

Run the following command in Terminal:
zsh '/Users/<username>/Desktop/bitdefender/bitdefender_cert_generator.zsh'
6

Enter Password

When prompted, enter and verify the password used in the Bitdefender installer settings you defined in your Bitdefender portal.
7

Copy Password Hash

When the script is finished, you should see the password hash used to generate the certificate. Copy the generated hash and paste it in the password field when creating the Certificate Library Item in Iru Endpoint:
Password hash: 626cacdec63355c2680dbd6747c8d755
8

Locate Certificate File

A Finder.app window should open on your Desktop, showing the certificate.pfx file.
9

Upload Certificate

Upload this certificate to Iru Endpoint in a Certificate Library Item.
Certificate Library Item configuration showing PFX certificate upload

Add a Custom Profile Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

Configure the Bitdefender Profiles

1

Create Profile

Give the profile a Name.
2

Select Platform

For Install on, select Mac.
3

Assign to Blueprint

Assign your Custom Profile to a Blueprint.
4

Upload Configuration File

Upload the bitdefender_settings.mobileconfig file you downloaded previously.
5

Save Profile

Click Save.
6

Create Additional Profiles

Repeat the previous steps for the bitdefender_settings_macOS15.mobileconfig and the bitdefender_service_management.mobileconfig files you downloaded in the prerequisites section.
Custom Profile configuration showing Bitdefender settings profile upload

Zipping the Installer Files

Before uploading the installer files to Iru Endpoint, you will need to zip them up together first.
1

Locate Installer Files

Go to the Bitdefender installer files that you downloaded from the Bitdefender console earlier. If you downloaded the Intel and Apple ARM DMG files, you might need to mount them first and then pull the installer files out.
2

Organize Files

Put the installer package(s), installer.xml file, and certificate.pfx file in the same location, such as your Desktop. Only one installer.xml file is needed; either the one from the Intel download or the ARM download will work.
3

Select All Files

Select all of the files at one time.
4

Compress Files

Hold the Control(⌃) key and click on the selected files. Then, in the menu, click Compress. You should see a dialog showing the compression progress.
5

Rename Archive

An Archive.zip file should be created in the same directory. Feel free to rename the file to something like bitdefender_install.zip. This is the file that will be uploaded to Iru Endpoint in the next section.

Custom App

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1

Name the Custom App

Give the Custom App a name. Optionally, add a custom icon.
2

Assign to Blueprint

Assign to your desired blueprint.
3

Set Installation Type

Change the installation type to Audit and enforce.
4

Configure Audit Script

Copy the bitdefender_ae_script.zsh script you downloaded in the prerequisites section and paste into the Audit & Enforce text box. No modification needed. The script looks for two profile identifiers and the name of the installed Bitdefender app before attempting an install. Additionally, the script looks for two Launch Daemons on computers where the app is already installed to ensure that the app is running as expected. If you would like to use this script with another profile, update the profile identifier prefix information to match what is in your profile:
Settings Profile prefix: io.kandji.bitdefender.D0DF2C14
Background Service Management Profile prefix: io.kandji.bitdefender.service-management
App name: "Endpoint Security for Mac.app"
Processes: "com.bitdefender.epsecurity.BDLDaemonApp", "com.epsecurity.bdldaemon"
Custom App audit and enforce script configuration
5

Set Deployment Type

Select ZIP File (unzip contents into specified directory) as the deployment type.
6

Configure Unzip Location

Set the Unzip Location to /var/tmp.
7

Upload Installer

Upload the installer zip file downloaded earlier.
8

Add Postinstall Script

Click Add Postinstall Script.
9

Configure Postinstall Script

Copy the post-install script you downloaded in the prerequisites section and paste it into the post-installer text field. Be sure to copy all text, including the #!/bin/sh (shebang) line at the top.
  • Ensure that the package names match the names downloaded from Bitdefender
  • Ensure that the certificate file name matches the cert file you created using the Bitdefender KB
10

Save Custom App

Click Save.
Custom App postinstall script configuration

Deploying with Assignment Maps

Two of the Bitdefender Custom Profiles need conditional logic to ensure they are deployed to the correct devices. An Assignment Map provides an easy solution for all of your devices in one convenient view. Please review our Creating a Blueprint and Using Conditional Logic in Assignment Maps articles.
1

Create Base Conditional Block

Start with the For All devices on this Blueprint conditional block.
2

Assign Custom App

Assign the Bitdefender Custom App to the block. If multiple Custom Apps are needed, create a conditional block with conditions for the different versions of the installer.
3

Assign Certificate

Assign the Bitdefender Certificate Library Item to the conditional block.
4

Assign Settings Profile

Assign the bitdefender_settings Custom Profile to the conditional block.
5

Set macOS 13+ Condition

Set the top of the conditional block to If macOS is greater than or equal to 13.0.
6

Assign Service Management Profile

Assign the bitdefender_service_management Custom Profile to the conditional block.
7

Set macOS 15+ Condition

Set the top of the conditional block to If macOS is greater than or equal to 15.0.
8

Assign macOS 15+ Settings Profile

Assign the bitdefender_settings_macOS15 Custom Profile to the conditional block.
Assignment Map configuration showing Bitdefender deployment with conditional logic