Proofpoint | ObserveIT On-Premises Insider Threat Management

Mac Agent Files

The ObserveIT Mac Agent Installation folder contains the following file:

• observeit-agent-OSX-<version>.dmg

observeit-agent-OSX-<version>.dmg

observeit-agent-OSX-<version>.dmg file contains:

• observeit-agent-OSX-<version>.pkg

• preinstall script

• postinstall script

observeit-agent-OSX-<version>.pkg

This is the package file for installations (remote and local).

preinstall script

This script contains the parameters for installing the Mac Agent using the observeit-agent-OSX-<version>.pkg.

Modify and use this script with:

• Mac Agent Interactive Deployment (optional)

• Mac Agent Mass Deployment

The following is an example of the preinstall script.

 

preinstall script parameters

• SERVER=0.0.0.0> /tmp/oit_remote_install.cfg

  ObserveIT Application Server hostname or IP address.

  Replace 0.0.0.0 with the server IP.

  If the Agent is connected to the ObserveIT Application Server over SSL, first deploy the SSL certificate, and then in the registration address enter the Fully Qualified Domain Name (FQDN) in the format: https://FQDN:PORT/observeitapplicationserver (the default port for SSL is 443). (See Configuring a Mac Agent to use SSL.)

• PASSWORD="" (optional) Application server password.

• POLICY=""

  Policy group ID.

  Link the agent to a specific group policy.

  If not specified, the default MAC policy is used.

• ACCESSIBILITY_PROMPT=""

   This option lets you decide whether you want the user to be prompted.

• ALLOW_SCREENRECORDING_POPUP="" 

  This option lets you decide whether you want a pop-up prompt to display asking the user to allow screen recording access.

  (To enable screen recording without pop-ups, see Enabling Automatic Security and Privacy Update for Mac .)

• LOGGER_NAME=logger

  logger is the derfault. This option lets you assign another name to the process controller for obfuscation.

From version 7.12.4, for proxy server, the following parameters are included:

PROXY_URL=""

PROXY_PORT=""

PROXY_DOMAIN=""

PROXY_USERNAME=""

PROXY_USERPASSWORD=""

Modifying the preinstall script

1. Open the preinstall script.

2. Modify the server parameter, by entering ObserveIT Application Server host name or IP address. For example, 10.1.100.20.

   Change echo 'SERVER=0.0.0.0' >/tmp/oit_remote_install.cfg

   to

   • for http: echo 'SERVER=10.1.100.20' >/tmp/oit_remote_install.cfg

   • for https (default port(443)): echo 'SERVER=https://appserverfqdn/observeitapplicationserver' >/tmp/oit_remote_install.cfg

   • for https (for any other port): echo 'SERVER=https://appserverfqdn:PORT/observeitapplicationserver' >/tmp/oit_remote_install.cfg

3. Modify the ALLOWPOPUP parameter, by selecting one of the following options:

   This option is available from macOS Catalina.

   If you want to enable recording without the pop-ups, leave this parameter as a comment:
   #echo 'ALLOWPOPUP=' >/tmp/oit_remote_install.cfg.
   Enable silent recording in Enabling Automatic Security and Privacy Update for Mac .

   • Change echo 'ALLOWPOPUP=' >/tmp/oit_remote_install.cfg

     to

     echo 'ALLOWPOPUP=allow' >/tmp/oit_remote_install.cfg

     where allow indicates, allow pop-up. Pop-up displays for all users. Screen Recording permission is granted in Security & Privacy configuration.

     or

   • 'ALLOWPOPUP=never' >/tmp/oit_remote_install.cfg

     where never indicates, never display pop-up. There is no screen recording.

     or

   • 'ALLOWPOPUP=<user>' >/tmp/oit_remote_install.cfg

     where <user> is the username of the user for whom you want the pop-up to display. Pop-up displays for the specified user only. This user grants Screen Recording permission in Security & Privacy configuration for the computer.

4. Modify the optional parameters, such as the password, by entering the parameter after "=" and removing "#" to uncomment the line.

   For example, change

   #echo 'PASSWORD=' >> /tmp/oit_remote_install.cfg

   to

   echo 'PASSWORD=<your_password>' >> /tmp/oit_remote_install.cfg

5. Save your changes. Close and double-click to run.

preuninstall script 

This script contains the parameters for uninstalling the Mac Agent.

This script is downloaded from observeit-agent-OSX-<version>.dmg. See Configuring Service Settings.

preuninstall script parameters

• Password: Only if required

Modifying the preuninstall script

1. Copy the preuninstall script to your desktop or another folder that is easily accessible.

2. Modify the password parameter by entering a password if one is required.

3. PASSWORD=

   to

   PASSWORD=<your_ password>

4. Save your changes. Close and double-click to run.

IT Viewer Configuration Profile File

The configuration profile is used with the silent installation solution for mass deployment. Silent installation is supported from macOS Mojave 10.14. (See Mac Agent Mass Deployment using JAMF.)

IT View Configuration Profile Files for ObserveIT version 7.11.0

• IT Viewer macOS 11.x.mobileconfig (not signed, obfuscated)

• IT Viewer macOS 11.x.signed.mobileconfig (signed, not obfuscated and read-only)

IT View Configuration Profile Files for ObserveIT version 7.10.1

• IT Viewer macOS 10.x.mobileconfig (not signed, obfuscated)

• IT Viewer macOS 10.x.signed.mobileconfig (signed, not obfuscated and read-only)

Optionally, you can modify the configuration profile and change the process name from it's default, "logger".

Modifying the IT Viewer Configuration Profile File

Modify the configuration profile for obfuscation.

1. From the JAMF Web Console Dashboard, click the Computer button and select Configuration Profiles from the menu on the left-side. The Configuration Profiles screen displays.

2. Select the IT Viewer Configuration policy and then select Privacy Preferences Policy Control option.

   The Privacy Preferences Control screen displays.

   

3. Click Edit and in App Access area, in the Identifier field, replace "logger" with the name you want. (In the example, "logger" is replaced with "it_monitor".)

   

4. Scroll down to the next App Access area, and in the iIdentifier field, replace "logger" with the name you want.

   

5. Save your changes.

postinstall script

This script is used when deploying Mac Agents in an mTLS client environment.

This script is relevant from version 7.10.x.

Before you run this script, see Securing Mac Agent Certificate for mTLS and Preparing the Client (Agent) Certificate for Mac in an mTLS Environment.

The following are examples of the parameters in the postinstall script:

• INSTALL_DIR: location where the .pem <CLIENT-i01-c01.pem> and .pfx <CLIENT-i01-c01.pfx> files will be created when deployed (for example, <$WORKDIR/install>.
• CLIENTCERT_PFX_FILE:  Name of the client certificate .pfx file. In the example, CLIENT-i01-c01.pfx.
• CLIENTCERT_PEM_FILE: Name of the client certificate .pem file. In the example, CLIENT-i01-c01.pem.
• PEM_PASS: Password for .pem file

For more information, see Preparing the Client (Agent) Certificate for Mac in an mTLS Environment.

For more information about enabling the Mac Securing Mac Agent Certificate for mTLS.

postinstall Script Example

#!/bin/bash
#
# Copyright 2020 ObserveIT Ltd.  All rights reserved.
# Use is subject to license terms.
#
# Postinstall script for OSX MTLS client certificate deployment
#

LOG_FILE=/tmp/it_mtls.install.log
#INSTALL_DIR=<Value of '--install-location' parameter when running the 'pkgbuild' command>
#CLIENTCERT_PFX_FILE=<$INSTALL_DIR/<Client certificate pfx file name>
#CLIENTCERT_PEM_FILE=<$INSTALL_DIR/<Client certificate pem file name>
#PEM_PASS=<pem file password>

cleanup()
{
    echo "Cleaning up..." >> $LOG_FILE
    rm -f $CLIENTCERT_PFX_FILE $CLIENTCERT_PEM_FILE
}

echo "Running $0 - start postinstall client certificate deployment script" > $LOG_FILE 

if [ ! -r $CLIENTCERT_PFX_FILE ]; then
	echo "Error: File $CLIENTCERT_PFX_FILE not found or unreadable" >> $LOG_FILE
	cleanup
	exit 1
fi

if [ ! -r $CLIENTCERT_PEM_FILE ]; then
    echo "Error: File $CLIENTCERT_PEM_FILE not found or unreadable" >> $LOG_FILE
	cleanup
	exit 1
fi

echo "About to execute: security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain $CLIENTCERT_PEM_FILE" >> $LOG_FILE 2>&1

security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain $CLIENTCERT_PEM_FILE >> $LOG_FILE 2>&1 
if [ $? != 0 ]; then
	echo "Error: Failed to trust certificate $CLIENTCERT_PEM_FILE" >> $LOG_FILE
	cleanup
	exit 1
fi

loggerBinary=logger ### Replace with obfuscated name if required 

echo "About to execute: security import $CLIENTCERT_PFX_FILE -k /Library/Keychains/System.keychain  -T \"/etc/omonitor/$loggerBinary\" -T \"/etc/omonitor/service\" -T \"/etc/omonitor/oitcons\" -T \"/etc/omonitor/itAppWrapper\" -T \"/etc/omonitor/WarningNotification.app\" -T \"/etc/omonitor/BlockingMessage.app\" -P ****" >> $LOG_FILE 2>&1 

security import $CLIENTCERT_PFX_FILE -k /Library/Keychains/System.keychain  -T "/etc/omonitor/$loggerBinary" -T "/etc/omonitor/service" -T "/etc/omonitor/oitcons" -T "/etc/omonitor/itAppWrapper" -T "/etc/omonitor/WarningNotification.app" -T "/etc/omonitor/BlockingMessage.app" -P $PEM_PASS >> $LOG_FILE 2>&1

if [ $? != 0 ]; then
    echo "Error: Failed to import certificate $CLIENTCERT_PFX_FILE" >> $LOG_FILE
	cleanup
	exit 1
fi
echo "Successfully installed client certificate" >> $LOG_FILE
cleanup
exit 0
Create pkg destination directory, e.g. $WORKDIR/install

Create the .pkg by running the following command:

/usr/bin/pkgbuild  --identifier com.it.pkg.cert --version 1.0.0.0 --root $WORKDIR/certs --scripts $WORKDIR/scripts --install-location $WORKDIR/install $WORKDIR/install/mtls_cert.pkg