Managing Safari extensions on macOS Sequoia using Blueprints in Jamf Pro
Jamf Pro uses DDM declarations, via its Blueprints feature, to manage Safari browser extensions: it supports setting allowed/denied domains, the private browsing state and the extension's enabled state, and this post walks through the deployment configuration step by step. 2025-9-6 15:18:21 Author: derflounder.wordpress.com

One of the management options Jamf Pro now provides with Blueprints is using DDM declarations to manage the extensions which can be used by Apple's Safari web browser. Let's see how this works using the Internet Archive's Wayback Machine Safari extension, which is available in the Mac App Store via the link below:

https://apps.apple.com/us/app/wayback-machine/id1472432422?mt=12

For more details, please see below the jump.

Safari extensions can be managed using DDM declarations at the user level, which, like user-level MDM profiles, means that they can be applied only to MDM-managed users. When dealing with local accounts, only the local user account which installs the MDM enrollment profile becomes the MDM-managed user. For our purposes here, this means that Safari extension management declarations apply only to the MDM-managed user; any other local accounts on the Mac will not have their Safari extensions managed, so do not count on these declarations to restrict extensions for a second local account.

The following options are available for Safari extension management:

  • Allowed Domains
  • Denied Domains
  • Private Browsing
  • State
  • Allowed Domains:
    •  Controls the DNS domain(s) and sub-domain(s) that the extension is allowed to access.
  • Denied Domains:
    •  Controls the DNS domain(s) and sub-domain(s) that the extension is blocked from accessing.
  • Private Browsing:
    •  Controls whether or not the extension is allowed for use when using private browsing.
      •  Options:
        •   Allowed: The extension can be turned on or off when using private browsing.
        •   AlwaysOn: The extension is always enabled when using private browsing if the extension is also enabled outside of private browsing.
        •   AlwaysOff: The extension is never enabled when using private browsing, even if the extension is enabled outside of private browsing.
  • State:
    •  Controls whether an extension is allowed for use in general.
      •  Options:
        •   Allowed: The extension can be turned on or off.
        •   AlwaysOn: The extension is always enabled.
        •   AlwaysOff: The extension is never enabled.

Note:

For Allowed Domains and Denied Domains, the following values are supported:

  • Specific domain: Using a specific DNS domain name.
    •  Example: company.com or subdomain.company.com
  • Wildcard domain: A domain name prefixed with a single asterisk character ( * ). The wildcard matches the named domain itself as well as any of its subdomains, so a wildcard domain entry like *company.com matches company.com as well as subdomain.company.com. Before relying on a prefix wildcard to scope an extension, confirm on a test Mac that it matches only the domain you intend and its subdomains.
    •  Example: *company.com
  • Global wildcard: A single asterisk character ( * ) on its own. This matches any DNS domain.
    •  Example: *

You can also allow an extension to be used on a specific or wildcarded domain while blocking it for use on all other domains. For example, if you wanted to allow an extension to be used on the company.com domain and all company.com subdomains, but block it on all others, you could define Allowed Domains and Denied Domains like this:

  • Allowed Domains: *company.com
  • Denied Domains: *

For this example, we’re going to set the Wayback Machine Safari extension to use the following settings:

  • Allowed Domains: *
  • Private Browsing: AlwaysOff
  • State: Allowed

These settings will do the following for the Wayback Machine Safari extension:

  • Allow the extension to be used.
  • Allow the extension to be used with all domains.
  • Block the extension from being used with Safari’s private browsing option, even when the extension is enabled outside of private browsing.

I can set up a Blueprint in Jamf Pro to deploy this Safari extension management configuration using the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints.

3. Click the Manage Safari extensions box.

4. Give it a name when prompted. For this example, I’m using Manage Wayback Machine Extension.

5. Select a Jamf Pro smart or static group. For this example, I’m selecting a static group named Safari Extension Deployment Group.

6. At the following screen, we need to provide the identifier of the extension along with our settings.

To do this, we need to get the code signature details of the Safari extension's .appex bundle. Once you have the extension's file location, use the codesign command line tool to run a command similar to the one below (note that codesign writes this output to standard error, so add 2>&1 if you want to pipe it through grep):


codesign -dv /path/to/extension_goes_here.appex

In the case of the Wayback Machine extension, the extension’s file is available in the following location:

/Applications/Wayback Machine.app/Contents/PlugIns/Wayback Machine Extension.appex

To get the code signature, you would run the following command:


codesign -dv "/Applications/Wayback Machine.app/Contents/PlugIns/Wayback Machine Extension.appex"

That should provide output similar to what’s shown below:


username@computername ~ % codesign -dv "/Applications/Wayback Machine.app/Contents/PlugIns/Wayback Machine Extension.appex"
Executable=/Applications/Wayback Machine.app/Contents/PlugIns/Wayback Machine Extension.appex/Contents/MacOS/Wayback Machine Extension
Identifier=archive.org.waybackmachine.mac.extension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=788 flags=0x10000(runtime) hashes=13+7 location=embedded
Signature size=4797
Info.plist entries=22
TeamIdentifier=ZSFX78H3ZT
Runtime Version=13.1.0
Sealed Resources version=2 rules=13 files=165
Internal requirements count=1 size=240
username@computername ~ %

From this output, we are looking for the values of the following lines:

  • Identifier
  • TeamIdentifier

For the Wayback Machine extension, these are the values shown:

  • Identifier: archive.org.waybackmachine.mac.extension
  • TeamIdentifier: ZSFX78H3ZT

For the Blueprint, this information needs to be formatted as shown below:

Identifier (TeamIdentifier)

For the Wayback Machine extension, this means that the identifier for the Blueprint is the following:


archive.org.waybackmachine.mac.extension (ZSFX78H3ZT)
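The identifier-building step above is easy to get wrong by hand (a mistyped path, an ad-hoc signed bundle with no Team ID, or a URL pasted into a domain field). The following shell script is an added example, not code from the original post or from Jamf or Apple: it parses `codesign -dv` output into the "Identifier (TeamIdentifier)" string the Blueprint expects, enumerates every .appex bundled inside an app, and checks domain entries against the three forms the post lists. The embedded sample is the codesign output shown above for the Wayback Machine extension; the `valid_domain_entry` rules are this example's own reading of the documented forms, not Apple's matcher.

```shell
#!/bin/sh
# Added example (not from the original post, Jamf or Apple): derive the
# "Identifier (TeamIdentifier)" string for a Jamf Pro Blueprint from
# `codesign -dv` output, and sanity-check Allowed/Denied Domains entries.
# codesign prints its details on stderr, so callers must redirect with 2>&1.

# Read `codesign -dv` output on stdin and print "Identifier (TeamIdentifier)".
# Fails if either field is absent or the bundle has no Team ID (codesign
# reports "TeamIdentifier=not set"), so an ad-hoc signed or mistyped bundle
# never yields a bogus identifier.
blueprint_id_from_codesign_output() {
    ident=""
    team=""
    while IFS= read -r line; do
        case "$line" in
            Identifier=*)     ident="${line#Identifier=}" ;;
            TeamIdentifier=*) team="${line#TeamIdentifier=}" ;;
        esac
    done
    if [ -z "$ident" ] || [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "error: no Identifier/TeamIdentifier pair in codesign output" >&2
        return 1
    fi
    printf '%s (%s)\n' "$ident" "$team"
}

# Print the Blueprint identifier of every .appex bundled in an app
# (Safari extensions live in Contents/PlugIns). Requires macOS codesign.
blueprint_ids_for_app() {
    find "$1/Contents/PlugIns" -maxdepth 1 -name '*.appex' | while IFS= read -r appex; do
        codesign -dv "$appex" 2>&1 | blueprint_id_from_codesign_output
    done
}

# Accept only the three forms the post documents: a bare DNS name, an
# asterisk-prefixed name (*company.com) or the global wildcard (*).
# Rejects schemes, paths, ports, spaces and asterisks anywhere but the
# prefix, which are common mistakes when a URL is pasted into the field.
valid_domain_entry() {
    entry="$1"
    case "$entry" in
        "*")                       return 0 ;;
        "")                        return 1 ;;
        *://*|*/*|*:*|*" "*)       return 1 ;;
        "*"*)                      rest="${entry#\*}" ;;
        *)                         rest="$entry" ;;
    esac
    case "$rest" in
        ""|*"*"*|*.|*..*)          return 1 ;;
    esac
    case "$entry" in
        .*)                        return 1 ;;   # bare leading dot is not a documented form
    esac
    return 0
}

# Sample input: the codesign output the post shows for the Wayback Machine extension.
sample_codesign_output='Executable=/Applications/Wayback Machine.app/Contents/PlugIns/Wayback Machine Extension.appex/Contents/MacOS/Wayback Machine Extension
Identifier=archive.org.waybackmachine.mac.extension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=788 flags=0x10000(runtime) hashes=13+7 location=embedded
Signature size=4797
Info.plist entries=22
TeamIdentifier=ZSFX78H3ZT
Runtime Version=13.1.0
Sealed Resources version=2 rules=13 files=165
Internal requirements count=1 size=240'

printf '%s\n' "$sample_codesign_output" | blueprint_id_from_codesign_output
# → archive.org.waybackmachine.mac.extension (ZSFX78H3ZT)

for e in '*' '*company.com' 'subdomain.company.com' 'https://company.com/' 'com*pany.com'; do
    if valid_domain_entry "$e"; then echo "ok      $e"; else echo "invalid $e"; fi
done

# On a Mac with the app installed, list every extension it bundles.
if command -v codesign >/dev/null 2>&1 && [ -d "/Applications/Wayback Machine.app" ]; then
    blueprint_ids_for_app "/Applications/Wayback Machine.app"
fi
```

Run it on a Mac as `sh blueprint-id.sh`; the last section only executes where codesign and the app are present, so the parser and the domain check can be exercised anywhere.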

Now that we have the correct identifier, let’s configure the Blueprint settings for the following:

  • Identifier: archive.org.waybackmachine.mac.extension (ZSFX78H3ZT)
  • Extension state: Allowed
  • Private browsing state: Always off
  • Allowed domains: *

7. Once all the information has been entered and verified to be correct, click the Save button.

8. Once everything has been configured, click the Deploy button to deploy the changes to the Macs you want to manage.

Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Manage Wayback Machine Extension blueprint as being deployed.

On your managed devices, you can verify that the new Safari extension management configuration has been deployed by opening System Settings, clicking on the enrollment profile under Device Management, then scrolling to the bottom. In the case of this example, you should see a User Declarations section with a listing for Safari Extensions.

If you click on the Safari Extensions listing, it should report the following extension is allowed:

archive.org.waybackmachine.mac.extension

For additional information on the configuration, you would need to open Safari and access the extension information for the Wayback Machine extension. There, you should see the following:

  • The Allow in Private Browsing checkbox is unchecked and grayed out.
  • A notification that the extension works on all websites

There should also be notifications that these settings have been configured by device management.

You should also be able to confirm that the Wayback Machine extension is available in regular Safari browser windows, but not available in private browsing windows.


Article source: https://derflounder.wordpress.com/2025/09/06/managing-safari-extensions-on-macos-sequoia-using-blueprints-in-jamf-pro/