macOS & iOS
Distribution & Configuration via MDM
The Twingate Client application can be distributed to managed devices and configured via an MDM solution such as Kandji or Jamf. Both the App Store Client and Standalone Client applications can be deployed this way. However, we recommend deploying the Standalone Client application where possible to take full advantage of all available features.
The macOS Twingate Client is available as a Standalone App or for free on the Mac App Store. The iOS Twingate Client is available for free on the App Store.
Remember, Clients older than 12 months are not supported and will not be able to connect to the Twingate service. If you fully manage user devices, you should disable automatic update checks and ensure that you have a process in place to update the Client on a regular basis.
MDM Configuration Guides
The following guides are available for specific MDM applications:
Configuring Twingate with Custom Configuration Profiles
When deploying the Twingate app via an MDM on a managed device, you have the option to configure the application using custom configuration profiles. A custom configuration profile is an XML file ending in .mobileconfig that consists of payloads with settings and authorization information for Apple devices. Deploying configuration profiles allows you to accomplish tasks such as pre-populating the Twingate network name, checking for updates, and completing a silent install.
Most MDM solutions allow you to simply upload the XML file and deploy it to your devices, while others can assist you in creating the configuration profile from scratch. You can also use third-party apps such as iMazing Profile Editor or ProfileCreator to assist you with building your configuration profiles. Apple has a great tutorial on the subject should you wish to find out more.
Below is an example of a custom configuration profile that allows a silent install when deployed alongside the Standalone App and pre-populates the Twingate network name to acme.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Twingate VPN</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.F5473AE0-B40B-4518-A060-4D6922142916</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>F5473AE0-B40B-4518-A060-4D6922142916</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>UserDefinedName</key>
            <string>Twingate</string>
            <key>VPN</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>ProviderBundleIdentifier</key>
                <string>com.twingate.macos.tunnelprovider</string>
                <key>ProviderDesignatedRequirement</key>
                <string>anchor apple generic and identifier "com.twingate.macos.tunnelprovider" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6GX8KVTR9H")</string>
                <key>RemoteAddress</key>
                <string>null</string>
            </dict>
            <key>VPNSubType</key>
            <string>com.twingate.macos</string>
            <key>VPNType</key>
            <string>VPN</string>
        </dict>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Twingate</string>
            <key>PayloadIdentifier</key>
            <string>com.twingate.macos.E5640205-1048-4E95-82C0-13FF9D7168CB</string>
            <key>PayloadType</key>
            <string>com.twingate.macos</string>
            <key>PayloadUUID</key>
            <string>E5640205-1048-4E95-82C0-13FF9D7168CB</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>automaticallyInstallSystemExtension</key>
            <true/>
            <key>SUEnableAutomaticChecks</key>
            <false/>
            <key>PresentedDataPrivacy</key>
            <true/>
            <key>PresentedEducation</key>
            <true/>
            <key>network</key>
            <string>acme</string>
        </dict>
        <dict>
            <key>NotificationSettings</key>
            <array>
                <dict>
                    <key>BundleIdentifier</key>
                    <string>com.twingate.macos</string>
                    <key>NotificationsEnabled</key>
                    <true/>
                </dict>
            </array>
            <key>PayloadDisplayName</key>
            <string>Notifications</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.notificationsettings.23668A72-3BD2-458F-9A90-D91A332985DF</string>
            <key>PayloadType</key>
            <string>com.apple.notificationsettings</string>
            <key>PayloadUUID</key>
            <string>23668A72-3BD2-458F-9A90-D91A332985DF</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Background Items</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.servicemanagement.634A0CE2-4A0B-49CB-B73E-9337DC6F5E69</string>
            <key>PayloadType</key>
            <string>com.apple.servicemanagement</string>
            <key>PayloadUUID</key>
            <string>634A0CE2-4A0B-49CB-B73E-9337DC6F5E69</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Rules</key>
            <array>
                <dict>
                    <key>RuleType</key>
                    <string>TeamIdentifier</string>
                    <key>RuleValue</key>
                    <string>6GX8KVTR9H</string>
                </dict>
            </array>
        </dict>
        <dict>
            <key>AllowUserOverrides</key>
            <true/>
            <key>AllowedSystemExtensions</key>
            <dict>
                <key>6GX8KVTR9H</key>
                <array>
                    <string>com.twingate.macos.tunnelprovider</string>
                </array>
            </dict>
            <key>PayloadDisplayName</key>
            <string>System Extension Policy</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.system-extension-policy.60145087-607E-428B-9B3E-831856156D78</string>
            <key>PayloadType</key>
            <string>com.apple.system-extension-policy</string>
            <key>PayloadUUID</key>
            <string>60145087-607E-428B-9B3E-831856156D78</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>This Payload is used to allow a full silent install of the Twingate client.</string>
    <key>PayloadDisplayName</key>
    <string>Twingate Full Silent Install</string>
    <key>PayloadIdentifier</key>
    <string>com.twingate.macos.52104CA3-6289-47D7-A852-635A78CA69B5</string>
    <key>PayloadOrganization</key>
    <string>Twingate</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>044B0908-E76F-4B15-BADD-2547C290781D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
Profile Manifest (Standalone App)
Twingate maintains a profile manifest for all available application-specific configuration options for the Twingate Standalone App. Below is the schema in JSON format. This is particularly useful for creating a custom configuration profile with Jamf.
```json
{
  "title": "Twingate (com.twingate.macos)",
  "description": "Preference settings for Twingate",
  "properties": {
    "PresentedDataPrivacy": {
      "title": "Suppress Data Privacy Screen",
      "description": "Select true if you wish to bypass the data privacy screen after installation.",
      "property_order": 5,
      "type": "boolean"
    },
    "PresentedEducation": {
      "title": "Suppress Education Screen",
      "description": "Select true if you wish to bypass the education screen after installation.",
      "property_order": 10,
      "type": "boolean"
    },
    "automaticallyInstallSystemExtension": {
      "title": "Install System Extension",
      "description": "Select true if you wish to automatically install the system extension during installation.",
      "property_order": 15,
      "type": "boolean"
    },
    "network": {
      "title": "Define Twingate Network",
      "description": "Enter the name of your Twingate network if you would like it prepopulated when logging in.",
      "property_order": 20,
      "type": "string"
    },
    "LaunchApp": {
      "title": "Start At Login",
      "description": "Select true if you wish to have Twingate start when a user logs in. Please set to false if deploying with the Twingate Launch Agent",
      "property_order": 25,
      "type": "boolean"
    },
    "SUEnableAutomaticChecks": {
      "title": "Enable Automatic Update Checks",
      "description": "Select true if you wish to automatically check for updates to the Twingate Client. The user notification after install asking if they would like to automatically check for new updates will not be presented.",
      "property_order": 30,
      "type": "boolean"
    },
    "SUAutomaticallyUpdate": {
      "title": "Enable Automatic Updates",
      "description": "Select true if you wish to automatically download available updates and be promtped to update.",
      "property_order": 35,
      "type": "boolean"
    }
  }
}
```
Available key/value Pairs
Below are the key/value pairs that are available to use when creating a custom configuration profile to deploy alongside the Twingate Client (these are all included in the profile manifest above).
Key | Type | Value | Description |
---|---|---|---|
PresentedDataPrivacy | Boolean | true or false | If set to true, bypasses the Privacy screen on first launch |
PresentedEducation | Boolean | true or false | If set to true, bypasses the education screen on first launch |
automaticallyInstallSystemExtension | Boolean | true or false | If set to true, automatically installs the system extension (standalone only) |
network | String | your Twingate network | Pre-populates the App with your Twingate network name if set |
LaunchApp | Boolean | true or false | If set to true, launches App on login (if utilising the keep alive launch daemon, set to false to avoid conflict) |
SUEnableAutomaticChecks | Boolean | true or false | If set to true, the App will automatically check for updates (standalone only) |
SUAutomaticallyUpdate | Boolean | true or false | If set to true, the App will automatically download updates and prompt to install (standalone only) |
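A pre-upload check for a profile like the one above, as an added example (not Twingate's code): it type-checks the com.twingate.macos keys against the manifest and confirms that the system extension allow-list, the background item rule and the VPN designated requirement all name the same team ID. The names `lint_profile` and `sample_profile` are hypothetical, and the designated-requirement check is a plain substring match, not a code-requirement parser.

```python
import plistlib

# Key types taken from the profile manifest on this page.
MANIFEST = {"PresentedDataPrivacy": bool, "PresentedEducation": bool, "network": str,
            "automaticallyInstallSystemExtension": bool, "LaunchApp": bool,
            "SUEnableAutomaticChecks": bool, "SUAutomaticallyUpdate": bool}
EXT_ID = "com.twingate.macos.tunnelprovider"  # bundle ID used in the page's profile

def lint_profile(data, team_id):
    """Return findings for a Twingate .mobileconfig; an empty list means clean."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        ptype = p.get("PayloadType")
        if ptype == "com.twingate.macos":
            for key, value in p.items():
                if key.startswith("Payload"):
                    continue  # generic payload metadata, not an app setting
                if key not in MANIFEST:
                    findings.append(f"unknown Twingate key: {key}")
                elif type(value) is not MANIFEST[key]:
                    findings.append(f"{key}: expected {MANIFEST[key].__name__}")
        elif ptype == "com.apple.system-extension-policy":
            if p.get("AllowedSystemExtensions") != {team_id: [EXT_ID]}:
                findings.append("system extension allow-list differs from expected")
        elif ptype == "com.apple.servicemanagement":
            for rule in p.get("Rules", []):
                if (rule.get("RuleType"), rule.get("RuleValue")) != ("TeamIdentifier", team_id):
                    findings.append("unexpected background item rule")
        elif ptype == "com.apple.vpn.managed":
            req = p.get("VPN", {}).get("ProviderDesignatedRequirement", "")
            if f'identifier "{EXT_ID}"' not in req or f'[subject.OU] = "{team_id}"' not in req:
                findings.append("designated requirement not pinned to expected team ID")
    return findings

def sample_profile(team_id="6GX8KVTR9H", **app_settings):
    """Constructed sample carrying only the keys the linter inspects."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.twingate.macos", "PayloadVersion": 1, **app_settings},
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedSystemExtensions": {team_id: [EXT_ID]}},
        {"PayloadType": "com.apple.servicemanagement",
         "Rules": [{"RuleType": "TeamIdentifier", "RuleValue": team_id}]},
        {"PayloadType": "com.apple.vpn.managed", "VPN": {"ProviderDesignatedRequirement":
            f'identifier "{EXT_ID}" and certificate leaf[subject.OU] = "{team_id}"'}},
    ]})

if __name__ == "__main__":
    print(lint_profile(sample_profile(network="acme", LaunchApp="false"), "6GX8KVTR9H"))
```

To check a real file, pass its bytes, for example `lint_profile(open(path, "rb").read(), "6GX8KVTR9H")`, where `path` is your exported .mobileconfig.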
Distribute Twingate using Apple Business Manager
Formerly known as VPP (Volume Purchasing Program), Apple Business Manager (ABM) allows companies to distribute App Store and Mac App Store apps to managed devices without requiring employees to sign in using their own Apple ID.
Twingate is a free app available on the Mac App Store and App Store. However, in order to distribute it via your company’s MDM solution, you must first “purchase” seats for the Twingate app. You’ll need to go through the following steps:
- Sign in to Apple Business Manager (user guide) with your company’s central Apple ID account.
- Search for “Twingate”, and select the number of seats you wish to provision. There is no cost involved.
- The Twingate app and the number of unallocated seats will be visible in your MDM solution, allowing you to install the app on managed devices without users needing to sign in using their personal Apple ID.
