macOS & iOS

Distribution & Configuration via MDM

The Twingate Client application can be distributed to managed devices and configured via an MDM solution such as Kandji or Jamf. Both the App Store Client and Standalone Client applications can be deployed this way. However, we recommend deploying the Standalone Client application where possible to take full advantage of all available features.

The macOS Twingate Client is available as a Standalone App or for free on the Mac App Store. The iOS Twingate Client is available for free on the App Store.

MDM Configuration Guides

The following guides are available for specific MDM applications:

Configuring Twingate with Custom Configuration Profiles

When deploying the Twingate app via an MDM on a managed device, you have the option to configure the application using Custom Configuration Profiles. A Custom Configuration Profile is an XML file ending in .mobileconfig that consists of payloads with settings and authorization information for Apple devices. Deploying configuration profiles allows you to accomplish tasks such as pre-populating the Twingate network name, check for updates, and completing a silent install.

Most MDM solutions allow you simply upload the XML file and deploy it to your devices, while others can assist you in creating the configuration profile from scratch. You can also use 3rd party Apps such as iMazing Profile Editor or ProfileCreator to assist you with building you configuration profiles. Apple has a great tutorial on the subject should you wish to find out more.

Below is an example of an XML configuration profile that allows a silent install when deployed alongside the Standalone App and pre-populates the Twingate network name to acme. It includes the following payloads and application-specific keys (scroll further down for a detailed list of all available key/value pairs) :

  • Twingate VPN. This payload configures the required macOS VPN settings, bypassing the need to manually configure during setup.
  • Notifcations. This payload allows notifications from Twingate, bypassing the need to manually allow during setup.
  • Background Items. This payload allows Twingate to be added as a background item, and prevents it from being changed by the end user.
  • System Extension Policy. This payload allows the Twingate system extension to be installed, bypassing the need to allow during setup.
  • Twingate. This payload incorporates the following application specific keys:
    • automaticallyInstallSystemExtension This key triggers the installation of the system extension.
    • SUEnableAutomaticChecks Set to false, this will disable automatic checks for software updates.
    • PresentedDataPrivacy Set to true, this will bypass the data privacy screen during setup.
    • PresentedEducation Set to true, this will bypass the education screen during setup.
    • network This should be set to your Twingate network name. For example, if your network is acme.twingate.com, then you would set the value of this key to acme. If you wish to utilize this example in your own environment, please ensure you change acme to your network name.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Twingate VPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.F5473AE0-B40B-4518-A060-4D6922142916</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>F5473AE0-B40B-4518-A060-4D6922142916</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserDefinedName</key>
<string>Twingate</string>
<key>VPN</key>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>ProviderBundleIdentifier</key>
<string>com.twingate.macos.tunnelprovider</string>
<key>ProviderDesignatedRequirement</key>
<string>anchor apple generic and identifier "com.twingate.macos.tunnelprovider" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6GX8KVTR9H")</string>
<key>RemoteAddress</key>
<string>null</string>
</dict>
<key>VPNSubType</key>
<string>com.twingate.macos</string>
<key>VPNType</key>
<string>VPN</string>
</dict>
<dict>
<key>PayloadDisplayName</key>
<string>Twingate</string>
<key>PayloadIdentifier</key>
<string>com.twingate.macos.E5640205-1048-4E95-82C0-13FF9D7168CB</string>
<key>PayloadType</key>
<string>com.twingate.macos</string>
<key>PayloadUUID</key>
<string>E5640205-1048-4E95-82C0-13FF9D7168CB</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>automaticallyInstallSystemExtension</key>
<true/>
<key>SUEnableAutomaticChecks</key>
<false/>
<key>PresentedDataPrivacy</key>
<true/>
<key>PresentedEducation</key>
<true/>
<key>network</key>
<string>acme</string>
</dict>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>BundleIdentifier</key>
<string>com.twingate.macos</string>
<key>NotificationsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Notifications</string>
<key>PayloadIdentifier</key>
<string>com.apple.notificationsettings.23668A72-3BD2-458F-9A90-D91A332985DF</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>23668A72-3BD2-458F-9A90-D91A332985DF</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PayloadDisplayName</key>
<string>Background Items</string>
<key>PayloadIdentifier</key>
<string>com.apple.servicemanagement.634A0CE2-4A0B-49CB-B73E-9337DC6F5E69</string>
<key>PayloadType</key>
<string>com.apple.servicemanagement</string>
<key>PayloadUUID</key>
<string>634A0CE2-4A0B-49CB-B73E-9337DC6F5E69</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Rules</key>
<array>
<dict>
<key>RuleType</key>
<string>TeamIdentifier</string>
<key>RuleValue</key>
<string>6GX8KVTR9H</string>
</dict>
</array>
</dict>
<dict>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>6GX8KVTR9H</key>
<array><string>com.twingate.macos.tunnelprovider</string></array>
</dict>
<key>PayloadDisplayName</key>
<string>System Extension Policy</string>
<key>PayloadIdentifier</key>
<string>com.apple.system-extension-policy.60145087-607E-428B-9B3E-831856156D78</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadUUID</key>
<string>60145087-607E-428B-9B3E-831856156D78</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>This Payload is used to allow a full silent install of the Twingate client.</string>
<key>PayloadDisplayName</key>
<string>Twingate Full Silent Install</string>
<key>PayloadIdentifier</key>
<string>com.twingate.macos.52104CA3-6289-47D7-A852-635A78CA69B5</string>
<key>PayloadOrganization</key>
<string>Twingate</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>044B0908-E76F-4B15-BADD-2547C290781D</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Profile Manifest (Standalone App)

Twingate maintains a profile manifest for all available application specific configuration options for the Twingate Standalone App. Below is the schema in JSON format. This is particularly useful for creating a custom configuration profile with Jamf.

{
"title": "Twingate (com.twingate.macos)",
"description": "Preference settings for Twingate",
"properties": {
"PresentedDataPrivacy": {
"title": "Suppress Data Privacy Screen",
"description": "Select true if you wish to bypass the data privacy screen after installation.",
"property_order": 5,
"type": "boolean"
},
"PresentedEducation": {
"title": "Suppress Education Screen",
"description": "Select true if you wish to bypass the education screen after installation.",
"property_order": 10,
"type": "boolean"
},
"automaticallyInstallSystemExtension": {
"title": "Install System Extension",
"description": "Select true if you wish to automatically install the system extension during installation.",
"property_order": 15,
"type": "boolean"
},
"network": {
"title": "Define Twingate Network",
"description": "Enter the name of your Twingate network if you would like it prepopulated during installation.",
"property_order": 20,
"type": "string"
},
"LaunchApp": {
"title": "Start At Login",
"description": "Select true if you wish to have Twingate start when a user logs in. Please set to false if deploying with the Twingate Launch Agent",
"property_order": 25,
"type": "boolean"
},
"SUEnableAutomaticChecks": {
"title": "Enable Automatic Update Checks",
"description": "Select true if you wish to automatically check for updates to the Twingate client. It also bypasses the user notification after install asking if they would like to automatically check for new updates.",
"property_order": 30,
"type": "boolean"
},
"SUAutomaticallyUpdate": {
"title": "Enable Automatic Updates",
"description": "Select true if you wish to automatically update the Twingate client.",
"property_order": 35,
"type": "boolean"
}
}
}

Available key/value Pairs

Below are the key/value pairs that are available to use when creating a custom configuration profile to deploy alongside the Twingate Client (these are all included in the profile manifest above).

KeyTypeValueDescription
PresentedDataPrivacyBooleantrue or falseIf set to true, bypasses the Privacy screen on first launch
PresentedEducationBooleantrue or falseIf set to true, bypasses the education screen on first launch
automaticallyInstallSystemExtensionBooleantrue or falseIf set to true, automatically installs the system extension (standalone only)
networkStringyour Twingate networkPre-populates the App with your Twingate network name if set
LaunchAppBooleantrue or falseIf set to true, launches App on login (if utilising the keep alive launch daemon, set to false to avoid conflict)
SUEnableAutomaticChecksBooleantrue or falseIf set to true, the App will automatically check for updates (standalone only)
SUAutomaticallyUpdateBooleantrue or falseIf set to true, the App will automatically update (standalone only)

Distribute Twingate using Apple Business Manager

Formerly known as VPP (Volume Purchasing Program), Apple Business Manager (ABM) allows companies to distribute App Store and Mac App Store apps to managed devices without required employees to sign in using their own Apple ID.

Twingate is a free app available on the Mac App Store and App Store, however in order to distribute it via an MDM solution, you must “purchase” seats for the Twingate app before they can be distributed via your company’s MDM solution. You’ll need to go through the following steps:

  • Sign in to Apple Business Manager (user guide) with your company’s central Apple ID account.

  • Search for “Twingate”, and select the number of seats you wish to provision. There is no cost involved.

  • The Twingate app and the number of unallocated seats will be visible in your MDM solution, allowing you to install the app on managed devices without users needing to sign in using their personal Apple ID.

Last updated 18 days ago