How to Deploy the Cato Client on macOS and Windows Using JumpCloud?
Overview
Deploying the Cato Client involves two critical steps:
Installation: Pushing the software (MSI/PKG) to the device.
Configuration: Pre-populating the "Account Name" (Tenant ID) so users can simply sign in via SSO without technical friction.
Prerequisite: You need your Cato Account Subdomain.
Where to find it: Cato Management Application > Access > Single Sign-On > "Account Subdomain" (e.g., if your URL is mycorp.via.catonetworks.com, your subdomain is mycorp).
Part 1: macOS Deployment (The Zero-Touch Method)
macOS requires strict approval for the Network Extensions (VPN/Proxy). If you just install the app, the user will be blocked until they manually approve it in System Settings.
Step 1: Deploy the Config Profile (Do this FIRST)
You must whitelist the Cato Team ID and Bundle IDs.
Download the MobileConfig:
We recommend creating a custom profile. Copy the XML content below into a file named
Cato_SysExt_Allow.mobileconfig.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Approves Cato Networks System Extensions</string>
<key>PayloadDisplayName</key>
<string>Cato System Extensions</string>
<key>PayloadIdentifier</key>
<string>com.netnxt.cato.sysext</string>
<key>PayloadType</key>
<string>com.apple.system.extension.policy</string>
<key>PayloadUUID</key>
<string>A1B2C3D4-E5F6-7890-1234-567890ABCDEF</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>AllowedSystemExtensions</key>
<dict>
<key>CKGSB8CH43</key>
<array>
<string>com.catonetworks.mac.CatoClient</string>
<string>com.catonetworks.mac.CatoClient.CatoClientSysExtension</string>
</array>
</dict>
</dict>
<dict>
<key>PayloadDescription</key>
<string>Configures Web Content Filter</string>
<key>PayloadDisplayName</key>
<string>Cato Content Filter</string>
<key>PayloadIdentifier</key>
<string>com.netnxt.cato.filter</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>B2C3D4E5-F6G7-8901-2345-678901BCDEFG</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>FilterBrowsers</key>
<true/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>PluginBundleID</key>
<string>com.catonetworks.mac.CatoClient</string>
<key>UserDefinedName</key>
<string>Cato Networks</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>NetNXT - Cato Networks Approvals</string>
<key>PayloadIdentifier</key>
<string>com.netnxt.profile.cato</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>12345678-1111-2222-3333-444455556666</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>Upload to JumpCloud:
Go to Device Management > Policy Management > (+) > Mac > MDM Custom Profile.
Upload the file.
Bind to your Mac Group. Save.
Step 2: Install the Application
Use a JumpCloud Command to download and install the latest PKG.
Command Name: Install - Cato Client (macOS)
Run as: Root
Script:
#!/bin/bash
# Install Cato Client
# URL to your hosted PKG (or use the generic link if publicly available)
PKG_URL="https://client-download.catonetworks.com/public/clients/CatoClient.pkg"
TEMP_PATH="/tmp/CatoClient.pkg"
echo "Downloading Cato Client..."
curl -L -o "$TEMP_PATH" "$PKG_URL"
echo "Installing..."
installer -pkg "$TEMP_PATH" -target /
echo "Cleaning up..."
rm "$TEMP_PATH"
exit 0Part 2: Windows Deployment (Registry Method)
For Windows, we install the MSI silently, then use the Registry to inject the "Account Name." This ensures that when the user opens the app, they only need to click "Sign In with SSO."
Command Name: Install - Cato Client (Windows)
Language: PowerShell
Script:
# 1. Configuration
$Subdomain = "YOUR_SUBDOMAIN_HERE" # e.g., "netnxt" if URL is netnxt.via.catonetworks.com
$MsiUrl = "https://client-download.catonetworks.com/public/clients/CatoClient.msi"
$DownloadPath = "C:\Windows\Temp\CatoClient.msi"
# 2. Download MSI
Write-Host "Downloading Cato Client..."
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $MsiUrl -OutFile $DownloadPath
# 3. Install Silent
Write-Host "Installing MSI..."
Start-Process "msiexec.exe" -ArgumentList "/i $DownloadPath /qn /norestart" -Wait
# 4. Configure Registry (Pre-fill Account Name)
# This key allows the user to skip the "Enter Account" step.
$RegPath = "HKLM:\SOFTWARE\CatoNetworksVPN"
if (!(Test-Path $RegPath)) {
New-Item -Path $RegPath -Force | Out-Null
}
# Set Subdomain
New-ItemProperty -Path $RegPath -Name "Subdomain" -Value $Subdomain -PropertyType String -Force | Out-Null
# Optional: Force "Launch on Startup"
New-ItemProperty -Path $RegPath -Name "LaunchAuthPageOnStartup" -Value 1 -PropertyType DWord -Force | Out-Null
# 5. Cleanup
Remove-Item $DownloadPath -Force
Write-Host "Cato Client Installed and Configured."Validation & Testing
macOS: Open System Settings > Network > VPN. You should see "Cato Networks" listed and "Connected" (or ready to connect). The user should NOT see a "System Extension Blocked" popup.
Windows: Launch the Cato Client. It should not ask for an account name. It should immediately prompt for SSO (Microsoft/Okta/Google) login.
FAQ
1) How do you deploy the Cato Client on macOS using JumpCloud?
Deploy a custom MDM profile to approve Cato system extensions first, then install the PKG via JumpCloud command to ensure silent, zero-touch deployment without user prompts.
2) Why is system extension approval required before installing Cato on macOS?
macOS blocks network extensions by default. Pre-approving Cato extensions via MDM prevents “System Extension Blocked” pop-ups and ensures VPN and proxy traffic steering works immediately.
3) How is the Cato tenant automatically configured on Windows devices?
The PowerShell script installs the MSI silently and injects the Cato Account Subdomain into the Windows registry, allowing users to proceed directly to SSO authentication.
4) How can admins verify successful Cato Client deployment?
On macOS, check Network settings for the Cato VPN without prompts. On Windows, launch the client and confirm it skips account entry and opens the SSO login screen.
