Skip to main content

Lightspeed Smart Agent Deployment (macOS v2.3.1+ using Certificate Manager)

Description

Need to deploy the latest version of Lightspeed Smart Agent version 2.3.1 along with your configurations. FileWave has got you covered in this step-by-step guide to creating the required Filesets to deploy to your macOS devices. Be sure that you have access to your administrative account in Lightspeed Filter app.

This KB article involves using the new Lightspeed Certificate Manager method. If using the version below v2.3.1 please review KB article here: Lightspeed Smart Agent Deployment (macOS 2023)

The new method involves using LightSpeed Certificate Manager. Certificate Manager leverages a cloud-based system to generate and monitor certificates and expiration, automatically pushing new certificate files to devices in the background (without disruption!) to ensure they always are current. In addition, Lightspeed is also leveraging root certificates for the trusting process, meaning that instead of repeatedly needing to re-trust the certificates every time they update - you now only need to trust the first time.

Note: You must use the MacOS Filter Agent 2.3.1+ to use Certificate Manager

Ingredients

  • FileWave Central

  • Lightspeed Relay Filter Agent PKG installer (version 2.3.1)

  • Lightspeed Root Certificate

  • Supplied Fileset and Profile

Web Content Filter - A bug (FW-12629) exists which prevents the Filter Order being set. 

Download Lightspeed Relay Filter Agent for macOS

  1. Login to your Lightspeed Filter account

    1. Navigate to Settings > Software

    2. Choose Lightspeed Filter

    3. Select the Mac tab

    4. Select the version of the Relay Filter Agent by clicking on the download icon

    5. Place the downloaded Relay Filter Agent PKG into your Downloads Folder

LightSpeedmacOSFilter.png

Generating the Certificate using Certificate Manager

  1. Navigate to your Settings > Certificates within Lightspeed Filter account
  2. Click Set Up to generate the certificate
  3. Label your Organization name and enter in your number of active days for your certificate
  4. Click Save to continue
  5. Allow several minutes for the Certificate Manager to generate
  6. Click to download and confirm trust certificate
  7. Do not proceed with checking the two Acknowledgements boxes, until the certificate, content filter AND agent have been installed on your devices

Lightspeed has noted the importance of order of operations; until you have downloaded and trusted the certificate AND installed the agent on your devices, then you may proceed to complete the two Acknowledgement boxes in the macOS Certificate Confirmation step.

Filesets

Fileset Group

Create a Fileset Group to hold the Filesets to be included.  At the end it will look something like the below image.

image.png

Configuration Profiles

Network Settings

The profile contains 2 payloads: System Extension and Web Content Filter.  

System Extension
  1. Click + to add Allowed Team Identifiers:
    Team Identifier:  ZAGTUU2342

  2. Click + to add Allowed System Extensions:

    1st Allowed System Extensions:  com.lightspeedsystems.network-agent

    Enter add 2nd Allowed System Extensions with comma after 1st Allowed System Extensions

    2nd Allowed System Extensions: com.lightspeedsystems.network-agent.network-extension

  3. Click + to add Allowed System Extension Types and check box for Network:

    Team Identifier:  ZAGTUU2342

Network Web Content Filter
  1. Filter Name: Lightspeed Agent

  2. Identifier: com.lightspeedsystems.network-agent 

  3. Filter Order: Firewall

  4. Socket Filter Bundle Identifier: com.lightspeedsystems.network-agent.network-extension 

  5. Socket Filter Designated Requirement: anchor apple generic and identifier "com.lightspeedsystems.network-agent.network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = ZAGTUU2342)

  6. Username/Password: Sometimes the Username and Password fields are ‘included” automatically. Do not include them.

Web Content Filter - A bug (FW-12629) exists which prevents the Filter Order being set. 

Certificate Payload
  1. Create a new Profile within the Fileset Group folder
  2. Select Certificates and Configure
  3. Upload the above generated certificate into this Profile

FileWaveLightspeed2.png

Lightspeed Agent Installer

The provided Fileset includes a script to instal the above downloaded PKG file.

Lightspeed Agent Installer.fileset.zip

  1. Drag the Fileset into the FileWave Central Fileset Group Folder created above.

  2. Edit the Fileset
  3. Place the downloaded SmartAgent.pkg file into the same location as the .placeholder file
  4. The .placeholder file may be deleted

image.png

The name of the PKG is important.  The installation script is expecting a file called SmartAgent.pkg.  Rename if required.

The check_for_profile.sh script ensures the Profile is installed before the PKG.  This script relies upon the Profile ID of the supplied Profile.

The Fileset has a Reboot setting configured to allow the Filter Network Content applied.

Assignment

Assign the Fileset Group, either as a Deployment or an Association with one or more test devices.  Once satisfied, consider assigning to all required devices.

Once that you have installed the agent and trusted the root certificate on your devices, go back to your Lightspeed Account and navigate to Settings > Certificates. Check the two acknowledgement boxes and click Save.

Optional

The Fileset Script is designed to check for the presence of Profiles prior to installing the PKG.  The provided Profile ID is already of consideration, however the newly generated Certificate Profile cannot be, since the ID cannot be known in advance.  Both Profiles should instal at the same time, it is therefore arguably not required to be included in this consideration.  However, for completeness, the Generated ID of the Certificate Profile could also be added.

Bundle ID

First, the Bundle ID of the newly created Profile needs to be copied.

  1. Open the Certificate Profile
  2. Highlight the Bundle ID and choose to copy

image.png

Script Info

  1. Open the Lightspeed Agent Installer Fileset
  2. Select the 'check_for_profile.sh' and choose Get Info
  3. Select the Executable tab
  4. Add a Launch Argument and paste the copied Bundle ID

image.png

Related Content

Needing to deploy Lightspeed for iOS devices? Review the KB article here: Lightspeed Smart Filter Deployment (iOS 2023).

Needing to deploy Lightspeed for non-Certificate Manager? Review the KB article here: Lightspeed Smart Filter Deployment (macOS 2023)