# Deploying SafeDNS Endpoint Lite for macOS via MDM

#### <span style="font-weight: 400;">This guide explains how to deploy </span>**SafeDNS Endpoint Lite for macOS**<span style="font-weight: 400;"> to multiple macOS devices using an MDM solution.</span>

##### **The deployment consists of the following stages:**

- <span style="font-weight: 400;"> Create the </span>**Config.plist**<span style="font-weight: 400;"> **script file** on the target devices.</span>
- <span style="font-weight: 400;"> Create and install the required configuration profiles on the target devices using the script and </span><span style="font-weight: 400;">.mobileconfig</span><span style="font-weight: 400;"> files.</span>
- <span style="font-weight: 400;"> Install the SafeDNS daemon on the target devices using the [**safedns-daemon-20260515-1335-signed.pkg**](https://docs.safedns.com/attachments/6)</span><span style="font-weight: 400;"> package.</span>
- <span style="font-weight: 400;"> Install the SafeDNS Endpoint Lite host and filtering module using the </span>**SafeDNSMacProxy\_2026-05-14\_1744.pkg**<span style="font-weight: 400;"> package. (Provided from SafeDNS)</span>

#### **1. Installing the agent on client devices**

##### <span style="font-weight: 400;">Before deploying the agent at scale, complete the preparation steps below.</span>

- <span style="font-weight: 400;"> Ask SafeDNS technical support (support@safedns.com) to enable the required features for your account.</span>
- <span style="font-weight: 400;"> Obtain your </span>**Base64-encoded AuthKey**<span style="font-weight: 400;"> from SafeDNS.</span>
- <span style="font-weight: 400;"> Deploy the </span>**[create-conf.sh](https://docs.safedns.com/attachments/7)**<span style="font-weight: 400;"> script to the target devices according to **[these instructions](https://docs.safedns.com/books/installation-guides/page/creating-the-configplist-file-for-safedns-endpoint-lite-on-macos)**.</span>
- <span style="font-weight: 400;"> Create and install the two required configuration profiles on the target devices according to </span><span style="font-weight: 400;">**[this guide](https://docs.safedns.com/books/installation-guides/page/create-and-deploy-configuration-profiles-for-safedns-endpoint-lite-on-macos).**</span>
- <span style="font-weight: 400;"> Deploy the SafeDNS daemon to the target devices according to the </span>[**SafeDNSDaemon installation guide**](https://docs.safedns.com/books/installation-guides/page/safednsdaemon-installation-via-mdm-on-macos)<span style="font-weight: 400;">.</span>

<span style="font-weight: 400;">After these steps are complete, you can deploy the **SafeDNS Endpoint Lite agent**.</span>

<span style="font-weight: 400;">Install the agent package, which includes the host and filtering module, in the same way as the SafeDNS daemon package, using the attached installer package.</span>

#### **2. Uninstalling the agent**

##### <span style="font-weight: 400;">To remove SafeDNS Endpoint Lite from target devices:</span>

- <span style="font-weight: 400;"> Add the </span>**SafeDNS Uninstaller**<span style="font-weight: 400;"> script to </span>**Scripts**<span style="font-weight: 400;"> in SimpleMDM according to the [Running the SafeDNS Uninstaller script](https://docs.safedns.com/books/installation-guides/page/running-the-safedns-uninstaller-script) guide</span><span style="font-weight: 400;">.</span>
- <span style="font-weight: 400;"> Deploy the uninstaller script to the target devices in the same way as the **[create-conf.sh](https://docs.safedns.com/attachments/7)**</span><span style="font-weight: 400;"> script.</span>
- <span style="font-weight: 400;"> Remove the **SafeDNS configuration profiles**, the **SafeDNS Endpoint Lite agent**, and the **SafeDNS daemon** from the target devices.</span>

<p class="callout warning">**IMPORTANT**<span style="font-weight: 400;">  
</span><span style="font-weight: 400;">After removing the agent and the daemon, **RESTART** each target device.</span><span style="font-weight: 400;">  
</span><span style="font-weight: 400;">The agent operates at the kernel level. After removal, some runtime records remain in the kernel until the device is restarted. If the device is not restarted, reinstalling the agent on the same device may cause errors or unstable behavior.</span></p>

#### **3. Additional information**  


#### Preventing DNS-over-HTTPS bypass in browsers

<span style="font-weight: 400;">Advanced users **may try to bypass** system DNS filtering by configuring a custom DNS-over-HTTPS (DoH) resolver in Chromium-based browsers. The SafeDNS agent works with system DNS, so additional protection is required to reduce this risk.</span>

<p class="callout success">SafeDNS provides two layers of protection against this scenario:</p>

##### **1. Browser DNS policy configuration profile**

<span style="font-weight: 400;">Create and deploy the </span>**Safedns\_browser\_dns\_policy**<span style="font-weight: 400;"> custom configuration profile using the [Safedns\_browser\_dns\_policy.mobileconfig](https://docs.safedns.com/attachments/8)</span><span style="font-weight: 400;"> file.</span>

<span style="font-weight: 400;">This profile is deployed in the same way as the </span>**SafeDNS\_DNS\_Proxy**<span style="font-weight: 400;"> custom configuration profile.</span>

<span style="font-weight: 400;">The profile restricts access to DNS-related settings in major browsers.   
However, it does not cover all browsers. </span>**Firefox is not included**<span style="font-weight: 400;"> in this policy.</span>

##### **2. Built-in DoH bypass detection**

<span style="font-weight: 400;">The SafeDNS filtering module includes a mechanism that detects attempts to bypass filtering through third-party DoH services and blocks those connections.</span>

<p class="callout warning">**Known limitation** <span style="font-weight: 400;">If an advanced user manually configures a **self-hosted DoH resolver** or another non-standard **custom DoH solution** in the browser, DNS filtering may not work as expected.</span></p>

####