macOS & iOS

Distribution & Configuration via MDM

The Twingate Client application can be distributed to managed devices and configured via an MDM solution such as Kandji or Jamf. Both the App Store Client and Standalone Client applications can be deployed this way. However, we recommend deploying the Standalone Client application where possible to take full advantage of all available features.

The macOS Twingate Client is available as a Standalone App or for free on the Mac App Store. The iOS Twingate Client is available for free on the App Store.

MDM Configuration Guides

The following guides are available for specific MDM applications:

Configuring Twingate with Custom Configuration Profiles

When deploying the Twingate app via an MDM on a managed device, you have the option to configure the application using Custom Configuration Profiles. A Custom Configuration Profile is an XML file ending in .mobileconfig that consists of payloads with settings and authorization information for Apple devices. Deploying configuration profiles allows you to accomplish tasks such as pre-populating the Twingate network name, check for updates, and completing a silent install.

Most MDM solutions allow you simply upload the XML file and deploy it to your devices, while others can assist you in creating the configuration profile from scratch. You can also use 3rd party Apps such as iMazing Profile Editor or ProfileCreator to assist you with building you configuration profiles. Apple has a great tutorial on the subject should you wish to find out more.

Below is an example of an XML configuration profile that allows a silent install when deployed alongside the Standalone App and prepopulates the Twingate network name to acme. It inlcudes the following payloads and application specific keys (scroll further down for a detailed list of all available key/value pairs) :

Twingate VPN. This payload configures the required macOS VPN settings, bypassing the need to manually configure during setup.
Notifcations. This payload allows notifications from Twingate, bypassing the need to manually allow during setup.
Background Items. This payload allows Twingate to be added as a background item, and prevents it from being changed by the end user.
System Extension Policy. This payload allows the Twingate system extension to be installed, bypassing the need to allow during setup.
Twingate. This payload incorporates the following application specific keys:
- automaticallyInstallSystemExtension This key triggers the installation of the system extension.
- SUEnableAutomaticChecks Set to false, this will disable automatic checks for software updates.
- PresentedDataPrivacy Set to true, this will bypass the data privacy screen during setup.
- PresentedEducation Set to true, this will bypass the education screen during setup.
- network This should be set to your Twingate netork name. For example, if your netowrk is acme.twingate.com, then you would set the value of this key to acme. If you wish to utilise this example in your own environment, please ensure you change acme to your network name.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Twingate VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.F5473AE0-B40B-4518-A060-4D6922142916</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>F5473AE0-B40B-4518-A060-4D6922142916</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>Twingate</string>
			<key>VPN</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>ProviderBundleIdentifier</key>
				<string>com.twingate.macos.tunnelprovider</string>
				<key>ProviderDesignatedRequirement</key>
				<string>anchor apple generic and identifier "com.twingate.macos.tunnelprovider" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "6GX8KVTR9H")</string>
				<key>RemoteAddress</key>
				<string>null</string>
			</dict>
			<key>VPNSubType</key>
			<string>com.twingate.macos</string>
			<key>VPNType</key>
			<string>VPN</string>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Twingate</string>
			<key>PayloadIdentifier</key>
			<string>com.twingate.macos.E5640205-1048-4E95-82C0-13FF9D7168CB</string>
			<key>PayloadType</key>
			<string>com.twingate.macos</string>
			<key>PayloadUUID</key>
			<string>E5640205-1048-4E95-82C0-13FF9D7168CB</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>automaticallyInstallSystemExtension</key>
			<true/>
			<key>SUEnableAutomaticChecks</key>
			<false/>
			<key>PresentedDataPrivacy</key>
			<true/>
			<key>PresentedEducation</key>
			<true/>
			<key>network</key>
			<string>acme</string>
		</dict>
		<dict>
			<key>NotificationSettings</key>
			<array>
				<dict>
					<key>BundleIdentifier</key>
					<string>com.twingate.macos</string>
					<key>NotificationsEnabled</key>
					<true/>
				</dict>
			</array>
			<key>PayloadDisplayName</key>
			<string>Notifications</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.notificationsettings.23668A72-3BD2-458F-9A90-D91A332985DF</string>
			<key>PayloadType</key>
			<string>com.apple.notificationsettings</string>
			<key>PayloadUUID</key>
			<string>23668A72-3BD2-458F-9A90-D91A332985DF</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Background Items</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.servicemanagement.634A0CE2-4A0B-49CB-B73E-9337DC6F5E69</string>
			<key>PayloadType</key>
			<string>com.apple.servicemanagement</string>
			<key>PayloadUUID</key>
			<string>634A0CE2-4A0B-49CB-B73E-9337DC6F5E69</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Rules</key>
			<array>
				<dict>
					<key>RuleType</key>
					<string>TeamIdentifier</string>
					<key>RuleValue</key>
					<string>6GX8KVTR9H</string>
				</dict>
			</array>
		</dict>
		<dict>
			<key>AllowUserOverrides</key>
			<true/>
			<key>AllowedSystemExtensions</key>
			<dict>
				<key>6GX8KVTR9H</key>
				<array><string>com.twingate.macos.tunnelprovider</string></array>
			</dict>
			<key>PayloadDisplayName</key>
			<string>System Extension Policy</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.system-extension-policy.60145087-607E-428B-9B3E-831856156D78</string>
			<key>PayloadType</key>
			<string>com.apple.system-extension-policy</string>
			<key>PayloadUUID</key>
			<string>60145087-607E-428B-9B3E-831856156D78</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>This Payload is used to allow a full silent install of the Twingate client.</string>
	<key>PayloadDisplayName</key>
	<string>Twingate Full Silent Install</string>
	<key>PayloadIdentifier</key>
	<string>com.twingate.macos.52104CA3-6289-47D7-A852-635A78CA69B5</string>
	<key>PayloadOrganization</key>
	<string>Twingate</string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>044B0908-E76F-4B15-BADD-2547C290781D</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Profile Manifest (Standalone App)

Twingate maintains a profile manifest for all available application specific configuration options for the Twingate Standalone App. Below is the schema in JSON format. This is particularly useful for creating a custom confriguration profile with Jamf.

{
    "title": "Twingate (com.twingate.macos)",  
    "description": "Preference settings for Twingate",
    "properties": {
        "PresentedDataPrivacy": {
            "title": "Suppress Data Privacy Screen",
            "description": "Select true if you wish to bypass the data privacy screen after installation.",
            "property_order": 5,
            "type": "boolean"
        },
        "PresentedEducation": {
            "title": "Suppress Education Screen",
            "description": "Select true if you wish to bypass the education screen after installation.",
            "property_order": 10,
            "type": "boolean"
        },
        "automaticallyInstallSystemExtension": {
            "title": "Install System Extension",
            "description": "Select true if you wish to automatically install the system extension during installation.",
            "property_order": 15,
            "type": "boolean"
        },
        "network": {
            "title": "Define Twingate Network",
            "description": "Enter the name of your Twingate network if you would like it prepopulated during installation.",
            "property_order": 20,
            "type": "string"
        },
        "LaunchApp": {
            "title": "Start At Login",
            "description": "Select true if you wish to have Twingate start when a user logs in. Please set to false if deploying with the Twingate Launch Agent",
            "property_order": 25,
            "type": "boolean"
        },
        "SUEnableAutomaticChecks": {
            "title": "Enable Automatic Update Checks",
            "description": "Select true if you wish to automatically check for updates to the Twingate client. It also bypasses the user notification after install asking if they would like to automatically check for new updates.",
            "property_order": 30,
            "type": "boolean"
        },
        "SUAutomaticallyUpdate": {
            "title": "Enable Automatic Updates",
            "description": "Select true if you wish to automatically update the Twingate client.",
            "property_order": 35,
            "type": "boolean"
        }
    }
}

Available key/value Pairs

Below are the key/value pairs that are available to use when creating a custom configuration profile to deploy alongside the Twingate Client (these are all included in the profile manifest above).

Key	Type	Value	Description
PresentedDataPrivacy	Boolean	true or false	If set to true, bypasses the Privacy screen on first launch
PresentedEducation	Boolean	true or false	If set to true, bypasses the education screen on first launch
automaticallyInstallSystemExtension	Boolean	true or false	If set to true, automatically installs the system extension (standalone only)
network	String	your twingate network	Prepopulates the App with your Twingate network name if set
LaunchApp	Boolean	true or false	If set to true, launches App on login (if utilising the keep alive launch daemon, set to false to avoid conflict)
SUEnableAutomaticChecks	Boolean	true or false	If set to true, the App will automatically check for updates (standalone only)
SUAutomaticallyUpdate	Boolean	true or false	If set to true, the App will automatically update (standalone only)

Distribute Twingate using Apple Business Manager

Formerly known as VPP (Volume Purchasing Program), Apple Business Manager (ABM) allows companies to distribute App Store and Mac App Store apps to managed devices without required employees to sign in using their own Apple ID.

Twingate is a free app available on the Mac App Store and App Store, however in order to distribute it via an MDM solution, you must “purchase” seats for the Twingate app before they can be distributed via your company’s MDM solution. You’ll need to go through the following steps:

Sign in to Apple Business Manager (user guide) with your company’s central Apple ID account.
Search for “Twingate”, and select the number of seats you wish to provision. There is no cost involved.
The Twingate app and the number of unallocated seats will be visible in your MDM solution, allowing you to install the app on managed devices without users needing to sign in using their personal Apple ID.

Last updated 9 minutes ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Usage-based Auto-lock

Ephemeral Access

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating