What You Need to Know about Mac Agent Setup

With the Mac Agent you can continuously monitor activity on macOS endpoints. This topic describes what you need to know before mass-deploying the Mac Agent with a tool such as JAMF. (See Profile Configuration Files.)

Upgrading a Mac Agent from a version earlier than 7.15.1 to 7.15.1 (or any later version) requires uninstalling the prior version and its Profile (ObserveIT signature) before installing the new version.

For more information about the Mac Agent, see Mac Agent Overview.

From version 7.12.0, before deploying, you must download the script file with authentication details. (See Configuring Service Settings.)

Due to Apple security policy, if your organization uses the “.local” suffix, Apple devices might not resolve your unicast DNS names or bind to your Active Directory domains. (See Apple Support.)

Configuration Profile File

When using the Mac Agent, you must install the configuration profile file that defines the settings and permissions for the ITM On-Prem (ObserveIT) Agent.

The Mac configuration profile must be configured and installed.
Do not remove the configuration profile from an endpoint with an installed Agent.

Removing the configuration profile while the Agent is installed may cause the endpoint and the Agent to become unstable.

  • To view the installed Mac configuration profiles for a specific endpoint, select Apple menu > System Preferences, then click Profiles.

Configuring Profile Permissions

The Mac configuration profile grants the ITM On-Prem (ObserveIT) Agent permissions to monitor user and file activity. To enable monitoring of all user activity (such as file activity monitoring, key logging and more), the ObserveIT logger must have permissions set. These permissions are included in the configuration profile, which is uploaded and deployed remotely to all the endpoints.

From the configuration profile the following permissions can be set for the logger:

Upgrading/Modifying the Configuration Profile

Anytime you upgrade and replace the configuration profile, you must do the following:

  1. Uninstall the Mac Agent
  2. Remove the current configuration profile
  3. Upload the new configuration profile

    When upgrading to macOS Big Sur, upload IT Viewer macOS 11.mobileconfig.
    For macOS Catalina and macOS Mojave, upload IT Viewer macOS 10.x.mobileconfig.

  4. Install the new Mac Agent

If you are upgrading to macOS Big Sur, see macOS Big Sur 11 Solution.
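The upgrade rules above can be checked per endpoint before a mass rollout. The following planner is an added example, not ObserveIT's own tooling: the function names, arguments and sample values are assumptions, and an upgrade that neither crosses 7.15.1 nor replaces the profile is assumed to keep the installed profile.

```shell
# Added example: pre-flight planner for a mass Mac Agent rollout.
# Function names and inputs are assumptions; the rules are the ones on this page.

# ver_lt A B: succeed when dotted numeric version A is lower than B.
ver_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1   # equal versions are not "lower"
}

# profile_for_macos VERSION: print the profile file this page names for it.
profile_for_macos() {
  case $1 in
    11|11.*) echo "IT Viewer macOS 11.mobileconfig" ;;                        # Big Sur
    10.14|10.14.*|10.15|10.15.*) echo "IT Viewer macOS 10.x.mobileconfig" ;; # Mojave, Catalina
    *) return 1 ;;   # the page names no profile for other releases
  esac
}

# needs_clean_install INSTALLED TARGET PROFILE_REPLACED(yes|no)
needs_clean_install() {
  [ -n "$1" ] || return 1                      # nothing installed yet
  [ "$3" = yes ] && return 0                   # profile is being replaced
  ver_lt "$1" 7.15.1 && ! ver_lt "$2" 7.15.1   # upgrade crosses 7.15.1
}

# plan INSTALLED TARGET MACOS PROFILE_REPLACED AD_DOMAIN: print ordered steps.
plan() {
  profile=$(profile_for_macos "$3") || { echo "STOP: no profile named for macOS $3"; return 2; }
  case $5 in *.local) echo "WARN: $5 uses .local; DNS resolution or AD bind may fail" ;; esac
  if needs_clean_install "$1" "$2" "$4"; then
    echo "uninstall Mac Agent $1"                # Agent first: the profile is never
    echo "remove current configuration profile"  # removed while the Agent is installed
    echo "upload $profile"
  elif [ -z "$1" ]; then
    echo "upload $profile"                       # fresh endpoint
  fi
  echo "install Mac Agent $2"
}

# Constructed sample run: 7.14.0 -> 7.15.1 on Big Sur in a .local domain.
plan 7.14.0 7.15.1 11.2 no corp.example.local
```

The printed steps are a plan only; the actual uninstall, profile removal and install are performed with your deployment tool.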

Configuring Screen Recording

Starting from macOS Catalina 10.15, screen captures are not recorded by default; only metadata is recorded. To allow screen recording with ITM On-Prem (ObserveIT), do one of the following:

  • Enable screen recording without a pop-up: in Mac Recording Policies, select Enable Automatic Security and Privacy Update in the Stealth and Privacy Policy section of Recording Policies, after installing the new configuration profile. For details about how to do this, see Enabling Automatic Security and Privacy Update for Mac.
  • Prompt the user with a pop-up before screen recording. The user grants permissions manually. For more information, see Configuring the Recording Pop Up.

Configuring a Mac Agent to use SSL

You must obtain and import a trusted internal CA certificate and copy it to your Mac target server.

For more information, see Configuring a Mac Agent to use SSL.

Mac Agent Limitations

The following are currently not supported for Mac Agents:

  • Secondary Authentication

  • Messaging and Ticketing

  • Agent API

  • Activity Replay

  • Agent Auto Upgrade

URL extraction in Firefox/Tor 71 and 72 is not supported. URL extraction is supported until Firefox/Tor 70.

Mac Agents do not record non-graphical (SSH) sessions. (Non-graphical sessions are disabled by default.)

Excluding Processes for ITM On-Prem (ObserveIT) Agent for macOS

Some antivirus programs detect executable files as unknown and block them by default. To avoid this, it is recommended that you exclude these processes:

  • /Library/PEA/agent/

  • It is also recommended to exclude the logger process from active scans: /Library/PEA/agent/logger