Deploy Bitdefender Endpoint Security Tool as a Custom App

By Andrew Merrick

Learn how to deploy Bitdefender to your macOS devices as a custom app

Depending on the App product and version installed, the app path, privacy access, and kernel or system extension requirements may change. As with all Custom Apps, we urge you to test this thoroughly before deploying it to a Mac in production.


  • Create and download the Bitdefender installer package(s) from your Bitdefender admin portal. Ensure that an uninstall password is set in the package settings.

    If you have a mixed environment of both Intel and Apple Silicon Mac computers, you will need to download both the macOS kit (Intel x86) and  macOS kit (Apple Silicon) packages, but you will only need to include one of the install.xml files. 
    The post-install script used in this guide will account for both installer types.
    If you are only deploying to one architecture, you will still need that install package and the included install.xml file.

  • Create a PFX certificate. The Creating a PFX certificate section below steps through this process.
  • Download the bitdefender_settings.mobileconfig file from the Kandji support GitHub repository (GitHub Link). You can right-click the link and select Save link as… to download the mobileconfig file directly.

    • This configuration profile enables Notifications, System Extensions, Bitdefender SSL CA certificate, Privacy Preferences (PPPC) to have Full Disk Access, and a Network content filter.

    • A Legacy System Extension (KEXT) version of the profile for macOS Catalina and below can be downloaded here.

  • Download the bitdefender service management mobileconfig file from the Kandji support GitHub repository (GitHub Link). You can right-click the link and select Save link as… to download the mobileconfig file directly.

    • This configuration profile allows managed background items for Bitdefender.
  • Copy the bitdefender_ae_script.zsh script from the Kandji support GitHub repository (GitHub Link).

  • Copy the Bitdefender post-install.zsh script from the Kandji support GitHub repository (GitHub Link).

Creating a PFX Certificate

This section steps through the creation of a PFX certificate for Bitdefender that can be uploaded to Kandji in a Certificate library item.

Bitdefender requires that a PFX certificate be created and deployed to macOS. This section is based on this  Bitdefender KB. Please see the KB article for more information.
  1. Copy the bitdefender cert generator script in the Kandji support repo to generate the required PFX certificate and password hash.

    • The certificate generated from this script can be uploaded to Kandji in a Certificate Library item as a PKCS #12-formatted Certificate, and the password hash should be used in the password field within the library item.
  2. Open the script in a text editor or IDE like VScode, BBEdit, or Nova.

  3. Fill in the certificate information section of the script.


    # Cert info
    COUNTRY="" # US - 2 letter country code
    STATE="" # Georgia - state or province
    LOCAL="" # Atlanta - locality name
    ORG_NAME="Endpoint" # Leave as default
    CERT_NAME="Kandji Bitdenfender CA SSL" # Leave as default
  4. Save the updated script to your Desktop.

  5. Open

  6. Enter zsh and then drag the script file into the window.

    It should look something like this.

    zsh '/Users/Desktop/bitdefender/bitdefender_cert_generator.zsh'
  7. When prompted, enter and verify the password used in the Bitdefender installer settings you defined in your Bitdefender portal.

  8. When the script is finished, you should see the password hash used to generate the certificate. Copy this hash and paste it in the password field when creating the Certificate library item in Kandji.

    Password hash: 626cacdec63355c2680dbd6747c8d755
  9. A window should open on your Desktop, showing the certificate.pfx file.

  10. Upload this certificate to Kandji in a Certificate profile library item.

Add a Custom Settings Profile

  1. In the left-hand menu, click on Library.
  2. Near the top-right, click Add New.
  3. Select Custom Profile.
  4. Click Add & Configure.

Configure the Custom Settings Profile

  1. Give the profile a Name.
  2. Assign your custom profile to a test Blueprint.
  3. For Install on, select Mac.
  4. Upload either the bitdefender_settings.mobileconfig (or KEXT version) file you downloaded previously. 
  5. Click Save.

Configure the Service Management Profile

  1. Create a Custom Configuration Profile in Kandji by selecting Library > Add New > Custom Profile > Add & Configure.
  2. Give the profile a Name.
  3. Assign your custom profile to the same test Blueprint as above.
  4. For Install on, select Mac.
  5. When adding this profile, add an Assignment Rule to only apply the profile to computers where the macOS Version is greater than or equal to 13, as shown below.

  6. Upload the profile that you downloaded previously from GitHub. 

  7. Click Save.

    Using an Assignment Rule for the service management payload ensures this payload is only deployed to Mac computers running macOS Ventura or later. The audit and enforcement script provided by Kandji only checks for the presence of the service management payload on macOS Ventura or later.

Zipping the Installer Files

Before uploading the installer files to Kandji, you will need to zip them up together first.

  1. Go to the Bitdefender installer files that you downloaded from the Bitdefender console earlier. If you downloaded the Intel and Apple ARM DMG files, you might need to mount them first and then pull the installer files out.
  2. Put the installer package(s), installer.xml file, and certificate.pfx file in the same location, such as your Desktop. Only one installer.xml file is needed; either the one from the Intel download or the ARM download will work.
  3. Select all of the files at one time.
  4. Hold the Control(⌃) key and click on the selected files. Then, in the menu, click Compress. You should see a dialog showing the compression progress.

  5. An file should be created in the same directory. Feel free to rename the file to something like This is the file that will be uploaded to Kandji in the next section.

Custom App

  1. Create a Custom App in Kandji by Selecting Library > Add New > Custom App > Add & Configure.
  2. Give the Custom App a name. Example: Bitdefender. Optionally, add a custom icon.
  3. Assign to a test blueprint.
  4. (optional) Configure Assignment Rules if you would like to limit the devices that received the custom app.
  5. Change the installation type to Audit and enforce.
  6. Copy the bitdefender_ae_script.zsh script from the Kandji support repo into the Audit & Enforce text box. No modification needed.

    • The script looks for two profile identifiers and the name of the installed Bitdender app before attempting an install. Additionally, the script looks for two Launch Deamons on computers where the app is already installed to ensure that the app is running as expected. If you would like to use this script with another profile, update the profile identifier prefix information to match what is in your profile.

      Settings Profile prefix: io.kandji.bitdefender.D0DF2C14
      Background Service Management Profile prefix: io.kandji.bitdefender.service-management
      App name: "Endpoint Security for"
      Processes: "com.bitdefender.epsecurity.BDLDaemonApp", "com.epsecurity.bdldaemon"
  7. Select ZIP File (unzip contents into specified directory) as the deployment type.

  8. Set the Unzip Location to: /var/tmp

  9. Upload the installer zip file downloaded earlier.

  10. Click Add Postinstall Script.

  11. Copy the post-install script from the Kandji support repo) and paste it into the post-installer text field. Be sure to copy all text, including the #!/bin/sh (shebang) line at the top.

    • Ensure that the package names match the names downloaded from Bitdefender.
    • Ensure that the certificate file name matches the cert file you created using the Bitdefender KB.
  12. Click Save.