Skip to main content

Lightspeed Smart Agent Deployment (macOS v2.3.1+ using Certificate Manager)

Description

Need to deploy the latest version of Lightspeed Smart Agent version 2.3.1 along with your configurations. FileWave has got you covered in this step-by-step guide to creating the required Filesets to deploy to your macOS devices. Be sure that you have access to your administrative account in Lightspeed Filter app.

This KB article involves using the new Lightspeed Certificate Manager method. If using the version below v2.3.1 please review KB article here: Lightspeed Smart Agent Deployment (macOS 2023)

The new method involves using LightSpeed Certificate Manager. Certificate Manager leverages a cloud-based system to generate and monitor certificates and expiration, automatically pushing new certificate files to devices in the background (without disruption!) to ensure they always are current. In addition, Lightspeed is also leveraging root certificates for the trusting process, meaning that instead of repeatedly needing to re-trust the certificates every time they update - you now only need to trust the first time.

Note: You must use the MacOS Filter Agent 2.3.1+ to use Certificate Manager

Ingredients

  • FileWave Central

  • Lightspeed Relay Filter Agent PKG installer (version 2.3.1)

  • Lightspeed Root Certificate

  • Supplied Fileset and Profile

Web Content Filter - InThe creatingprofile ashould Webnot Contentbe edited once uploaded.  A bug (FW-12629) exists which prevents the Filter withinOrder FileWavebeing Centralset.  itThe changesprovided profile has this preset, but editing the UDIDFileset andwill isundo unsuccessfulthis inkey/value deployment. The issue can be resolved by re-creating the Web Content Filter in FileWave Anywhere as a workaround. The issue should be resolved in the next release. See Known Issuespair.

Download Lightspeed Relay Filter Agent for macOS

  1. Login to your Lightspeed Filter account

    1. Navigate to Settings > Software

    2. Choose Lightspeed Filter

    3. Select the Mac tab

    4. Select the version of the Relay Filter Agent by clicking on the download icon

    5. Place the downloaded Relay Filter Agent PKG into your Downloads Folder

LightSpeedmacOSFilter.png

Generating the Certificate using Certificate Manager

  1. Navigate to your Settings > Certificates within Lightspeed Filter account
  2. Click Set Up to generate the certificate
  3. Label your Organization name and enter in your number of active days for your certificate
  4. Click Save to continue
  5. Allow several minutes for the Certificate Manager to generate
  6. Click to download and confirm trust certificate
  7. Do not proceed with checking the two Acknowledgements boxes, until the certificate, content filter AND agent have been installed on your devices

Lightspeed has noted the importance of order of operations; until you have downloaded and trusted the certificate AND installed the agent on your devices, then you may proceed to complete the two Acknowledgement boxes in the macOS Certificate Confirmation step.

Filesets

Fileset Group

Create a Fileset Group to hold the Filesets to be included.  At the end it will look something like the below image.

image.png

 

Configuration ProfileProfiles

Network Settings

The provided profile contains 2 payloads: System Extension and Web Content Filter.  

Lightspeed Agent.mobileconfig

  1. OpenDownload the above payload and drag it into the FileWave Central orFileset FileWaveview, Anywhere

    into
the above

Navigate to Filesets > Select New Desktopcreated Fileset > Click on Profile

Enter the name of the Profile: General > Name: Lightspeed Agent ProfileGroup.

FileWaveLightspeed1.png

Web

ImportContent RootFilter

- This entire profile should not be edited once uploaded.  A bug (FW-12629) exists which prevents the Filter Order being set.  The provided profile has this preset, but editing the Fileset will undo this key/value pair.
Certificate from Lightspeed Certificate ManagerPayload
    Create a new Profile within the Fileset Group folder Select Certificates payloadand toConfigure addUpload yourthe Lightspeedabove Rootgenerated Trustedcertificate Certificate.into this Profile

    FileWaveLightspeed2.png

    Configure

    Lightspeed Agent Installer

    The provided Fileset includes a script to instal the Systemabove Extensiondownloaded PayloadPKG

      file.

      NavigateLightspeed toAgent System Extension Policy payload, add and enter in the following:Installer.fileset.zip

      1. ClickDrag +the toFileset addinto Allowedthe TeamFileWave Identifiers:
        TeamCentral Identifier:Fileset ZAGTUU2342Group Folder created above.

      2. Click + to add Allowed System Extensions:

        1st Allowed System Extensions:  com.lightspeedsystems.network-agent

        Enter add 2nd Allowed System Extensions with comma after 1st Allowed System Extensions

        2nd Allowed System Extensions: com.lightspeedsystems.network-agent.network-extension
        Click + to add Allowed System Extension Types and check box for Network:
        Team Identifier:  ZAGTUU2342

      FileWaveLightspeed3.png

      ConfigureEdit the Web Content Filter Payload

        Fileset

        Navigate to Web Content Filter and enter inPlace the following:

        downloaded
          SmartAgent.pkg file

          Filterinto Name:the Lightspeedsame Agent

          location as the .placeholder file The

          Identifier:.placeholder com.lightspeedsystems.network-agentfile

          may be

          Filter Options: Firewall / Filter Socket Traffic

          Socket Filter Bundle Identifier: com.lightspeedsystems.network-agent.network-extension 
          Socket Filter Designated Requirement: anchor apple generic and identifier "com.lightspeedsystems.network-agent.network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = ZAGTUU2342)

          deleted

          LightspeedContentFilterv2.3.1.pngimage.png

          The completedname configuration profile will have three payloads; these include: Certificates, System Extension Policy and Web Content Filter

          FileWaveLightspeed5.png

          Import the Relay Filter Agent PKG into FileWave

            Navigate to Filesets > Create New Desktop Fileset > Select MSI / PKG

            Navigate to your downloaded and select the Relay Filter Agent (version 2.3.1) to upload into the Fileset

            Please wait a few moments forof the PKG installeris toimportant.  uploadThe intoinstallation yourscript FileWaveis serverexpecting a file called SmartAgent.pkg.  Rename if required.

            FileWaveLightspeed13.png

            The

            After successfully uploading, highlight the Fileset > Select Properties

            Under the Requirements tab, check the box Platform and check macOS only, then under System Version and checkboxes only for macOS 12.x and 13.x

            FileWaveLightspeed14.png

            Click OK to save

            Note: If all of your devices are not on macOS 12 or greater, you will want to set the Requirements for the Fileset for macOS 12 and above

            Editing the Relay Filter Agent PKG Fileset with Requirement Script

              Highlight the newly created Fileset with your Smart Agent PKG Click on Script in the menu to open Script dialogue window Highlight Requirement Scripts and click on the Create buttonLightspeedSmartAgentPKG.png Label script, check_LS.check_for_profile.sh Copy and paste the entire check profile script below:

              #!/bin/zsh

found_profile=""

while [ $# -gt 0 ]
do
	found_profile=$(profiles list all | awk -v search=$1  '$0 ~ search {print $NF}')
	if [ ! -z $found_profile ]
	then
		echo "Found installed profile: $found_profile"
		exit 0
	else
		echo "Did not find $1" 
	fi
	shift
done
 
exit 1
              Click OK to saveensures the script Highlight the check_LS.sh and right-click to select Properties

              LightspeedSmartAgentPKG2.png

               Select the Executable tab, under the Launch Arguments tab, click on the + button to add your Lightspeed Agent Profile’s Identifier (found by double-clicking on your Lightspeed Agent Profile)LightspeedSmartAgentPKG3.png Click OK to Apply to save changes Close out Properties of the Requirement Script Click OK to save changes to Smart Agent PKG Fileset

              Note: This Requirement scripts verifies that the Lightspeed Agent Profile is installed successfully BEFORE runningbefore the installationPKG.  This script relies upon the Profile ID of Lightspeed.
              the supplied Profile.

              Assignment

              When all completed,Assign the Fileset contents will include your Relay Filter Agent PKG, Lightspeed Profile and Requirement script.

              LightspeedSmartAgentPKG4.png

              Creating Fileset Group for your Lightspeed Filter Agent Filesets

              Keeping your Filesets organized is good practice, especially if there are multiple Filesets for software deployment. You may create a New Fileset Group, label it Lightspeed Filter Agent (macOS 2024), and move all the Filesets you created into that Fileset Group. Then you may associate the Fileset Group labeled Lightspeed Filter Agent (macOS 2024) to your devices versus individual Filesets.

              LightspeedFilesetGroup2024.png

              Once all the Filesets and Profile have been created, you may associate the Fileset Group labeled Lightspeed Filter Agent macOS 2024 to a few deviceseither as a test.Deployment Thisor isan Association with one or more test devices.  Once satisfied, consider assigning to verifyall andrequired confirm that the filter is installed, and filtering properly based on your configurations. For best practice, always test a few devices before mass deployment.devices.

              Once that you have installed the agent and trusted the root certificate on your devices, go back to your Lightspeed Account and navigate to Settings > Certificates. Check the two acknowledgement boxes and click Save.

              Optional

              The Fileset Script is designed to check for the presence of Profiles prior to installing the PKG.  The provided Profile ID is already of consideration, however the newly generated Certificate Profile cannot be, since the ID cannot be known in advance.  Since both Profiles should instal at the same time, it is arguably not required to be included in this consideration.  However, for completeness, the Generated ID of the Certificate Profile could also be added.

              Bundle ID

              First, the Bundle ID of the newly created needs to be copied.

                Open the Certificate Profile Highlight the Bundle ID and choose to copy

                image.png

                Script Info

                  Open the Lightspeed Agent Installer Fileset Select the 'check_for_profile.sh' and choose Get Info Select the Executable tab Add a Launch Argument and paste the copied Bundle ID

                  image.png

                   

                  Related Content

                  Needing to deploy Lightspeed for iOS devices? Review the KB article here: Lightspeed Smart Filter Deployment (iOS 2023).

                  Needing to deploy Lightspeed for non-Certificate Manager? Review the KB article here: Lightspeed Smart Filter Deployment (macOS 2023)

                  Back to top