Deploying OTG for Mac Using Intune

This information describes deploying WebTitan OTG for Mac to multiple users using Microsoft Intune, which is part of the Microsoft Endpoint Manager platform.

Important

As a best practice, consider the following:

Test your deployment using a limited test group with just one or two users first before full deployment.
Create an OTG uninstall group. Add this uninstall group as an Excluded Group when assigning groups in the configuration steps below. You only need to add users to the uninstall group if you are uninstalling OTG.
Depending on your environment and how long it takes for clients to synchronize, you may need to wait for a period of time after deploying your certificate and extensions (Steps 1 - 5 below) before deploying the OTG script in Step 8.

Step 1: Download the OTG install file.

To complete these steps, you first need to click here and download the OTG for Mac install file (otg_setup.pkg). Save this file to a location accessible via HTTPS where the OTG deployment script can grab it. For example, https://www.example.com/downloads/setup.pkg.

The current OTG for Mac version is 2.0.3 (2).

Step 2: Download and rename your WebTitan 4K certificate.

In WebTitan, go to Settings > Certificates and download your 4K WebTitan SSL certificate.
The certificate downloads as a .der file. You must change this to .cer before uploading it to Intune. For example, if you download your-webtitan-cert.der you must rename it to your-webtitan-cert.cer.
Tip
If you can not see the certificate extension, go to View > Options in the Downloads folder and select the View tab from the Folder Options window.
Uncheck Hide extensions for known file types.

Step 3: Create a configuration profile to upload and push the .cer certificate

Go to your Microsoft Intune admin center (Microsoft Endpoint Manager).
Choose Devices from the sidebar menu.
Go to macOS > Configuration profiles and select + Create profile.
In the Create a profile window on the right select the following:
- Platform: select macOS.
- Profile type: select Templates.
- Select Trusted Certificate.
- Click Create.
On the Trusted certificate page, go through each tab and select the following:
- Basics: Enter a name for the certificate and click Next.
- Configuration Settings: upload your .cer certificate and click Next.
- Assignments: Select Included groups and add the groups you want to deploy this cert to.
- Assignments (optional): Select Excluded groups and add any group you want to exclude. For example, an OTG Uninstall group. Click Next.
- Review + create: Review what you have added and click Create.

Step 4: Create a configuration profile to push a kernel extension before deploying OTG

This profile is needed for macOS 10.15 (Catalina) or earlier. It will be ignored on newer macOS.

Note

Apple Silicon (M1 and M2) devices do not support KEXT. Therefore, installing a configuration profile consisting of KEXT policies will fail on these devices -- this is expected.

In Intune, choose Devices from the sidebar menu.
Go to macOS > Configuration profiles and select + Create profile.
In the Create a profile window on the right select the following:
- Platform: select macOS.
- Profile type: select Templates.
- Select Extensions.
- Click Create.
In the Extensions window, go through each tab and select the following:
- Basics: Enter a name for the kernal extension and an optional description, and click Next.
- Configuration settings: Select Kernel extensions.
- Configuration settings: Enter Team identifier WLJQG3X39C and click Next.
- Assignments: Select Included groups, and add the groups you want to deploy this kernel extension to.
- Assignments (optional): Select Excluded groups and add any group you want to exclude. For example, an OTG Uninstall group. Click Next.
- Review + create: Review what you have added and click Create.

Step 5: Create a configuration profile to push a system extension before deploying OTG

In Intune, choose Devices from the sidebar menu.
Go to macOS > Configuration profiles and select + Create profile.
In the Create a profile window on the right select the following:
- Platform: select macOS.
- Profile type: select Templates.
- Select Extensions.
- Click Create.
On the Extensions page, go through each tab and select the following:
- Basics: Enter a name for this system extension and an optional description, and click Next.
- Configuration settings: Select System extensions.
- Configuration settings: Enter Team identifier WLJQG3X39C and click Next.
- Assignments: Select Included groups, and add the groups you want to deploy this system extension to.
- Assignments (optional): Select Excluded groups and add any group you want to exclude. For example, an OTG Uninstall group. Click Next.
- Review + create: Review what you have added and click Create.

Step 6: Create a configuration profile to push a network extension before deploying OTG.

Copy the save the OTG.mobileconfig below to your local machine as a .mobileconfig file. This config is used to silence prompts during OTG installation.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>HasRemovalPasscode</key>
	<false/>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>AppBundleIdentifier</key>
			<string>com.otg.titanHQ</string>
			<key>PayloadDescription</key>
			<string>Configures DNS proxy network extension</string>
			<key>PayloadDisplayName</key>
			<string>DNS Proxy</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.dnsProxy.managed.857466D6-128D-4E74-9F47-2235EC7E3D1D</string>
			<key>PayloadType</key>
			<string>com.apple.dnsProxy.managed</string>
			<key>PayloadUUID</key>
			<string>857466D6-128D-4E74-9F47-2235EC7E3D1D</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>ProviderBundleIdentifier</key>
			<string>com.otg.titahHQ.OTGDNSProxy</string>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>This profile is used to install the TitanHQ proxy</string>
	<key>PayloadDisplayName</key>
	<string>TitanHQ DNS Proxy Profile</string>
	<key>PayloadIdentifier</key>
	<string>com.titanhq.dnsproxy.profile</string>
	<key>PayloadOrganization</key>
	<string>TitanHQ</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>0CE25607-A591-4DC0-8120-857DD10E98B8</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Choose Devices from the sidebar menu.
Go to macOS > Configuration profiles and select + Create profile.
In the Create a profile window on the right select the following:
- Platform: select macOS.
- Profile type: select Templates.
- Select Custom.
- Click Create.
On the Extensions page, go through each tab and select the following:
- Basics: Enter a name for the profile (for example, OTG Network extension) and click Next.
- Configuration settings: Give a custom configuration profile name, for example, OTG DNS Proxy.
- Configuration settings: Ensure the Deployment channel is Device channel.
- Configuration settings: Browse and select the OTG.mobileconfig file you saved in Step 1 of this section.
- Assignments: Select Included groups, and add the groups you want to deploy this network extension to.
- Assignments: Select Excluded groups and add any group you want to exclude. For example, an OTG Uninstall group. Click Next.
- Review + create: Review what you have added and click Create.

Step 7: Copy, save and edit your install script.

Copy and save the sample-macOS-install-script below to your local machine as a .sh file.

#!/bin/bash
#set -x

###########################################################
## Script to install the latest WebTitancloud OTG DNS Proxy
###########################################################


### Customer defined variables
# PKG file download link
webURL="https://www.example.com/downloads/otg_setup.pkg"                                           # URL to .pkg setup file

# PKG file local install
localInstall="false"                                                                        # If "false", .pkg file will be downloaded from $webURL. 
localInstallPath="/example/otg_setup.pkg"                                                   # Used when $localInstall is "true"

# WTC Configuration (required)
rpc_url="https://mycloud.webtitancloud.com"                                                 # Required: The URL (and optional port) of your WebTitan Cloud instance in FQDN format.
install_key="00000z0z-0zz0-0000-zz0z-0zz000z0zz0z"                                          # Required: The OTG install key used to register an OTG 2 device on WebTitan Cloud.
location_name="OTG_Mac_Prod"                                                                # Optional: A virtual location is automatically created on WebTitan with a default name. Use location_name to specify a custom location name instead.


###########################################################
### Application variables
appname="WebTitanCloud"
app="WebTitanCloud.app"
logandmetadir="/Library/Logs/Microsoft/IntuneScripts/installWebTitan"
processpath="/Applications/WebTitanCloud.app/Contents/MacOS/WebTitanCloud"
terminateprocess="true"
otgPath="/Library/LaunchAgents/com.titanhq.otg.plist"
tempdir=$(mktemp -d)
log="$logandmetadir/$appname.log"
loggedInUser=$(stat -f '%Su' /dev/console)
loggedInUserId=$(stat -f '%u' /dev/console)

### Functions
waitForProcess () {

    processName=$1
    fixedDelay=$2
    terminate=$3

    echo "$(date) | Waiting for other [$processName] processes to end"
    while ps aux | grep "$processName" | grep -v grep &>/dev/null; do

        if [[ $terminate == "true" ]]; then
            echo "$(date) | + [$appname] running, terminating [$processpath]..."
            pkill -f "$processName"
            bootOutApp
            return
        fi

        # Randomize delay if argument not passed
        if [[ ! $fixedDelay ]]; then
            delay=$(( $RANDOM % 50 + 10 ))
        else
            delay=$fixedDelay
        fi

        echo "$(date) |  + Another instance of $processName is running, waiting [$delay] seconds"
        sleep $delay
    done
    
    echo "$(date) | No instances of [$processName] found, safe to proceed"

}

function downloadApp () {

    echo "$(date) | Starting downlading of [$appname]"

    # Wait for other downloads to complete
    waitForProcess "curl -f"

    # Download the file
    echo "$(date) | Downloading $appname"

    tempfile="$tempdir/otg_setup.pkg"
    curl -L -f -s --connect-timeout 30 --retry 5 --retry-delay 60 --output "$tempfile" "$webURL"

    if [[ -f "$tempfile" ]]; then
        echo "$(date) | Successfully downloaded [$tempfile]"
    else
        echo "$(date) | Failed to download [$webURL] to [$tempfile]"
    fi

}

## Install PKG Function
function installPKG () {

    # Wait if app is running
    waitForProcess "$processpath" "300" "$terminateprocess"
    
    echo "$(date) | Installing $appname"

    # Remove existing files if present
    if [[ -d "/Applications/$app" ]]; then
        rm -rf "/Applications/$app"
    fi
    
    if [[ $localInstall == "true" ]]; then
        installer -pkg "$localInstallPath" -target /
    else
        installer -pkg "$tempfile" -target /
    fi
    
    # Checking if the app was installed successfully
    if [ "$?" = "0" ]; then

        echo "$(date) | $appname Installed"
        echo "$(date) | Cleaning Up"
        rm -rf "$tempdir"
    else
        echo "$(date) | Failed to install $appname"
        rm -rf "$tempdir"
    fi

}

function runOTGProxy() {

    # Params array for WebTitanCloud binary
    PARAMS=(RPC_URL="$rpc_url")
    PARAMS+=(INSTALL_KEY="$install_key")
    
    # Check if parameter null or empty
    if [[ ! -z $location_name ]]; then 
        PARAMS+=(LOCATION_NAME="$location_name")
    fi

    echo "$(date) | Configuring [$appname] for [$loggedInUser]"
    echo "$(date) | Configuring  $processpath ${PARAMS[@]}"
    sudo -u $loggedInUser $processpath "${PARAMS[@]}"

}

function startLog() {

    echo ""
    echo "# $(date) | Logging install of [$appname] to [$log]"
    echo "############################################################"
    echo ""

    if [[ ! -d "$logandmetadir" ]]; then
        echo "$(date) | Creating [$logandmetadir] to store logs"
        mkdir -p "$logandmetadir"
    fi

    exec &> >(tee -a "$log")
    
}

### Main script
# Initiate logging
startLog

# Download app
if [[ $localInstall == "false" ]]; then
    downloadApp
fi

# Kick OTG out of launchCTL
echo "$(date) Booting out app with /bin/launchctl bootout gui/$loggedInUserId $otgPath"
/bin/launchctl bootout gui/$loggedInUserId $otgPath &> /dev/null

# Install WebTitan OTG
if [[ -d "/Applications/$app" ]]; then 
    ### Application health checks
    OTGDNSProxy=$(ps aux | grep -v grep | grep -ci OTGDNSProxy)
    WebTitanCloud=$(ps aux | grep -v grep | grep -ci WebTitanCloud)
    otgHelper=$(ps aux | grep -v grep | grep -ci otgHelper)

    echo "$(date) Existing installation of $appname found, upgrading..."
    installPKG

    if [ ! $OTGDNSProxy -gt 0 ] || [ ! $WebTitanCloud -gt 0 ] || [ ! $otgHelper -gt 0 ]; then
        echo "$(date) Issues detected with previous installation, re-running configuration"
        runOTGProxy
    fi

else 
    echo "$(date) Starting fresh installation of $appname"
    installPKG
    runOTGProxy
fi

Open the install script you saved to your local machine and edit the following:

webURL="https://www.example.com/downloads/otg_setup.pkg": change this URL to the location you saved otg_setup.pkg to in Step 1.
Edit the two required parameters described in the table below, RPC_URL and INSTALL_KEY with your own details.
There is also an optional LOCATION_NAME parameter described below, but it is not necessary.
Important
If you do not use the LOCATION_NAME parameter, you must remove location_name="OTG_Mac_Prod" under Customer Defined Variables from your script.

Required Parameter	Description	Example
RPC_URL	Your WebTitan OTG URL and (optional) port number. See WebTitan OTG URLs to determine your OTG URL. The RPC port is always port 7771 and is automatically added if not included in the RPC_URL parameter. The example(s) show the accepted formats.	https://your-otg-url.webtitancloud.com
INSTALL_KEY	This is the OTG install key used to register an OTG device on WebTitan. You can get this in WebTitan from Settings > Device Configuration and noting the OTG Install Key.	00000z0z-0zz0-0000-zz0z-0zz000z0zz0z

Required Parameter

Description

Example

RPC_URL

Your WebTitan OTG URL and (optional) port number. See WebTitan OTG URLs to determine your OTG URL.

The RPC port is always port 7771 and is automatically added if not included in the RPC_URL parameter. The example(s) show the accepted formats.

https://your-otg-url.webtitancloud.com

INSTALL_KEY

This is the OTG install key used to register an OTG device on WebTitan. You can get this in WebTitan from Settings > Device Configuration and noting the OTG Install Key.

00000z0z-0zz0-0000-zz0z-0zz000z0zz0z

Optional Parameter(s)	Description	Example
LOCATION_NAME	When OTG 2 is installed, a virtual location is automatically created for a device on WebTitan and given a default name. However, you can specify a location name to use with the LOCATION_NAME parameter on install. A virtual location can either be created on WebTitan before installation and then the name can be used in this parameter, or, if not already created, the virtual location is created and assigned the name given in this parameter on install.	`LOCATION_NAME=Training-PC`

Optional Parameter(s)

Description

Example

LOCATION_NAME

When OTG 2 is installed, a virtual location is automatically created for a device on WebTitan and given a default name. However, you can specify a location name to use with the LOCATION_NAME parameter on install.

A virtual location can either be created on WebTitan before installation and then the name can be used in this parameter, or, if not already created, the virtual location is created and assigned the name given in this parameter on install.

LOCATION_NAME=Training-PC

Save the changes you have made and close the install script.

Step 8: Add your script and deploy OTG to your devices.

Choose Devices from the sidebar menu.
Go to macOS devices > Shell scripts and select + Add.
In the Add script window, go through each tab as follows:
- Basics: Enter a name for your script and click Next.
- Script settings: Use Upload script to upload the install script you created in Step 6 above.
- Script settings: Set Max number of times to retry if script fails to 3 times and click Next.
- Assignments: Select the users you want to deploy to and click Next.
- Review + create: Review what you have added and click Add.
Once you have added your script, WebTitan OTG for Mac will start rolling out to the assigned users.

You can click Monitor in the sidebar menu and Device install status to view the progress of your deployment. However, the best way to validate the rollout is to check if devices have been added to your WebTitan.

For more information on refresh cycles in Intune see https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned .

In this section:

WebTitan