Mac Agent Overview
Mac Agent
The ObserveIT Mac Agent software can be installed on any Mac platform (desktop/laptop) requiring monitoring. As soon as a user logs into a monitored endpoint, the Agent begins recording based on the configured recording policy.
The diagram below shows the Windows Agent architecture.
All the metadata that is collected from the Mac Agent is searchable, reportable, can be alerted on, and can be exported to SIEM systems.
The diagram below shows the Mac Agent architecture.
For details about the Mac Agent components, see Mac Agent Components.
Mac Agent Capabilities
The Mac Agent has full recording capabilities and supports the features described below.
User Actions
Mac Agents monitor the following user actions:
-
Mouse clicks
-
Keystrokes
-
Application changes
In addition, continuous recording is available for Mac Agents. (By default, this feature is turned off.)
Metadata
ObserveIT records metadata and stores it in ObserveIT's database, which is located on a central SQL Server.
Mac Agents record the following metadata:
-
Screenshot (Optional)
-
Window title (for the window in focus)
-
URL (for Safari, Chrome, TOR and Mozilla Firefox)
-
Application name (for the application in focus, including path)
-
Process name (Including process ID)
-
User name (Including domain name)
-
Keylogging (keyword and commands)
-
Data Access (USB connect / File move / File download / File copy / File upload)
Mac Agent Recording
The following are recorded:
-
Keylogging
-
File activity monitoring
-
Alerts
-
Video and metadata recording
-
Configurable recording policies (include/exclude users, applications, or URLs)
-
Recording when Agent is offline
-
Recording notification message
-
Out-of-policy notifications (warning and blocking messages)
-
Log Off and Close Application actions
-
Health monitoring – detect if the Agent is offline or has been tampered with
-
USB detection
-
Email monitoring for Microsoft Outlook and Apple Mail apps
Recorded Session Types
Mac Agents record graphic sessions:
-
Console login
-
Remote/VNC login
-
Fast user switch
-
Screen sharing
Limitations
The following are currently not supported for Mac Agents:
-
Secondary Authentication
-
Messaging and Ticketing
-
Agent API
URL extraction in Firefox/Tor 71 and 72 is not supported. URL extraction is supported until Firefox/Tor 70.
Mac Agents do not record non-graphical (SSH) sessions. (Non- graphical sessions are disabled by default.)
Mac Agent - Getting Started
To get started, you deploy the Mac Agent on the endpoints with one of the following methods:
- Mass deployment is used to deploy to multiple Mac OS endpoints using a deployment tool such as JAMF
- Interactive deployment is used to deploy to a single endpoint
- Offline deployment is used to install the Agent in offline mode
For more information see:
What You Need to Know about Mac Agent Setup
Risky activity that is performed on the Mac Agent is consolidated with other risky activities from the same user, providing a unified risk score for the user and a user-centric view in the User Risk Dashboard.
For large enterprise deployments, the Mac installation package uses the JAMF management tool (and other tools that support the PKG format) to support mass deployments.