Deploying Bitdefender Endpoint Security Tool as a Custom App

By Andrew Merrick

Learn how to deploy Bitdefender to your macOS devices as a custom app

Please note that depending on the specific application and version you have installed, the app path, privacy access, and system extension requirements may vary. As a best practice, we recommend thoroughly testing any Custom Apps before deploying them to a Mac in a production environment.


Prerequisites

  • Bitdefender installer package(s) from your Bitdefender admin portal. Ensure that an uninstall password is set in the package settings.
    • If you have a mixed environment of both Intel and Apple Silicon Mac computers, you will need to download both the macOS kit (Intel x86) and macOS kit (Apple Silicon) packages, but you will only need to include one of the install.xml files. The post-install script used in this guide will account for both installer types. 
    • If you are only deploying to one architecture, you will still need that install package and the included install.xml file.
  • Bitdefender PFX Certificate Generator script (GitHub Link)
  • Bitdefender Settings Profile (GitHub Link)

    • This configuration profile contains settings for Notifications, System Extensions, the Bitdefender SSL CA certificate, Privacy Preferences (PPPC) to enable full disk access, and a Network content filter.

    • A Legacy System Extension (KEXT) version of the profile for macOS Catalina and below can be downloaded here.

  • Bitdefender Service Management Profile (GitHub Link)

    • This configuration profile allows managed background items for Bitdefender.
  • Bitdefender Audit and Enforce Script (GitHub Link)

  • Bitdefender Postinstall Script (GitHub Link)

Creating a PFX Certificate

This section steps through the creation of a PFX certificate for Bitdefender that can be uploaded to Kandji in a Certificate library item.

Bitdefender requires that a PFX certificate be created and deployed to macOS. This section is based on Bitdefender's guide, which you can refer to for more information.
  1. Open the PFX Certificate Generator script in a text editor or IDE such as VS Code or BBEdit.

  2. Fill in the certificate information section of the script.


    # Cert info
    COUNTRY="" # US - 2 letter country code
    STATE="" # Georgia - state or province
    LOCAL="" # Atlanta - locality name
    ORG_NAME="Endpoint" # Leave as default
    CERT_NAME="Kandji BitDefender CA SSL" # Leave as default
  3. Save the updated script to your Desktop.

  4. Open

  5. Run the following command in Terminal.

    zsh '/Users/Desktop/bitdefender/bitdefender_cert_generator.zsh'
  6. When prompted, enter and verify the password used in the Bitdefender installer settings you defined in your Bitdefender portal.

  7. When the script is finished, you should see the password hash used to generate the certificate. Copy the generated hash and paste it in the password field when creating the Certificate library item in Kandji.

    Password hash: 626cacdec63355c2680dbd6747c8d755
  8. A window should open on your Desktop, showing the certificate.pfx file.

  9. Upload this certificate to Kandji in a Certificate Library Item.

Add a Custom Settings Profile

  1. In the left-hand menu, click on Library.
  2. Near the top-right, click Add New.
  3. Select Custom Profile.
  4. Click Add & Configure.

Configure the Custom Settings Profile

  1. Give the profile a Name.
  2. Assign your custom profile to a test Blueprint.
  3. For Install on, select Mac.
  4. Upload the bitdefender_settings.mobileconfig file (or the KEXT version) you downloaded previously.
  5. Click Save.

Configure the Service Management Profile

Using an Assignment Rule for the service management payload ensures this payload is only deployed to Mac computers running macOS Ventura or later. The audit and enforcement script provided by Kandji only checks for the presence of the service management payload on macOS Ventura or later.
  1. Create a Custom Configuration Profile in Kandji by selecting Library > Add New > Custom Profile > Add & Configure.
  2. Give the profile a Name.
  3. Assign your custom profile to the same test Blueprint as above.
  4. For Install on, select Mac.
  5. When adding this profile, add an Assignment Rule to only apply the profile to computers where the macOS Version is greater than or equal to 13.

  6. Upload the profile that you downloaded previously from GitHub. 

  7. Click Save.

Zipping the Installer Files

Before uploading the installer files to Kandji, you will need to zip them up together first.

  1. Go to the Bitdefender installer files that you downloaded from the Bitdefender console earlier. If you downloaded the Intel and Apple ARM DMG files, you might need to mount them first and then pull the installer files out.
  2. Put the installer package(s), installer.xml file, and certificate.pfx file in the same location, such as your Desktop. Only one installer.xml file is needed; either the one from the Intel download or the ARM download will work.
  3. Select all of the files at one time.
  4. Hold the Control(⌃) key and click on the selected files. Then, in the menu, click Compress. You should see a dialog showing the compression progress.

  5. An file should be created in the same directory. Feel free to rename the file to something like This is the file that will be uploaded to Kandji in the next section.

Custom App

  1. Create a Custom App in Kandji by selecting Library > Add New > Custom App > Add & Configure.
  2. Give the Custom App a name. Optionally, add a custom icon.
  3. Assign to your desired blueprint.
  4. Optionally, configure Assignment Rules.
  5. Change the installation type to Audit and enforce.
  6. Copy the bitdefender_ae_script.zsh script you downloaded in the prerequisites section and paste it into the Audit & Enforce text box. No modification is needed.

    • The script looks for two profile identifiers and the name of the installed Bitdefender app before attempting an install. Additionally, the script looks for two Launch Daemons on computers where the app is already installed to ensure that the app is running as expected. If you would like to use this script with another profile, update the profile identifier prefix information to match what is in your profile.

      Settings Profile prefix: io.kandji.bitdefender.D0DF2C14
      Background Service Management Profile prefix: io.kandji.bitdefender.service-management
      App name: "Endpoint Security for"
      Processes: "com.bitdefender.epsecurity.BDLDaemonApp", "com.epsecurity.bdldaemon"
  7. Select ZIP File (unzip contents into specified directory) as the deployment type.

  8. Set the Unzip Location to /var/tmp

  9. Upload the installer zip file downloaded earlier.

  10. Click Add Postinstall Script.

  11. Copy the post-install script you downloaded in the prerequisites section and paste it into the post-installer text field. Be sure to copy all text, including the #!/bin/sh (shebang) line at the top.

    • Ensure that the package names match the names downloaded from Bitdefender.
    • Ensure that the certificate file name matches the cert file you created using the Bitdefender KB.
  12. Click Save.
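
The checks described in step 6 above, as an added example (this is not Kandji's bitdefender_ae_script.zsh and is not taken from it). The function takes the installed profile identifiers, the application names and the launchd job labels as text and prints a decision; the decision words and the sample data are constructed assumptions, while the prefixes, app name and process labels are the ones listed in step 6.

```sh
#!/bin/sh
# Added example: audit decision built from the identifiers listed in step 6.
SETTINGS_PREFIX="io.kandji.bitdefender.D0DF2C14"
SERVICE_PREFIX="io.kandji.bitdefender.service-management"
APP_NAME="Endpoint Security for"
DAEMONS="com.bitdefender.epsecurity.BDLDaemonApp com.epsecurity.bdldaemon"

# Constructed sample inputs (one item per line). On a Mac these would come from
# the installed profile list, the Applications folder and the launchd job list.
SAMPLE_PROFILES='io.kandji.bitdefender.D0DF2C14.1A2B
io.kandji.bitdefender.service-management.3C4D
com.example.wifi'
SAMPLE_APPS='Safari.app
Endpoint Security for Mac.app'
SAMPLE_JOBS='com.apple.example
com.bitdefender.epsecurity.BDLDaemonApp
com.epsecurity.bdldaemon'

# has_prefix TEXT PREFIX: succeeds if any line of TEXT starts with PREFIX.
# index() compares literally, so the dots in identifiers are not wildcards.
has_prefix() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($0, p) == 1 { found = 1 } END { exit !found }'
}

# audit PROFILES APPS JOBS OS_MAJOR: prints one decision word (hypothetical names).
audit() {
    profiles=$1 apps=$2 jobs=$3 os_major=$4
    # Hold the install until the settings profile is present.
    has_prefix "$profiles" "$SETTINGS_PREFIX" || { echo wait-for-settings-profile; return; }
    # The service management payload is only checked on macOS 13 (Ventura) or later.
    if [ "$os_major" -ge 13 ]; then
        has_prefix "$profiles" "$SERVICE_PREFIX" || { echo wait-for-service-profile; return; }
    fi
    # Profiles are in place: install if the app is absent.
    has_prefix "$apps" "$APP_NAME" || { echo install; return; }
    # App is installed: both launch daemons must be loaded.
    for label in $DAEMONS; do
        has_prefix "$jobs" "$label" || { echo "daemon-missing:$label"; return; }
    done
    echo compliant
}

audit "$SAMPLE_PROFILES" "$SAMPLE_APPS" "$SAMPLE_JOBS" 14
```
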