Mac Agent Overview

Mac Agent

The ObserveIT Mac Agent software can be installed on any Mac platform (desktop/laptop) requiring monitoring. As soon as a user logs into a monitored endpoint, the Agent begins recording based on the configured recording policy.

The diagram below shows the Windows Agent architecture.

All the metadata that is collected from the Mac Agent is searchable, reportable, can be alerted on, and can be exported to SIEM systems.

The diagram below shows the Mac Agent architecture.

For details about the Mac Agent components, see Mac Agent Components.

Mac Agent Capabilities

The Mac Agent has full recording capabilities and supports the features described below.

User Actions

Mac Agents monitor the following user actions:

  • Mouse clicks

  • Keystrokes

  • Application changes

In addition, continuous recording is available for Mac Agents. (By default, this feature is turned off.)

Metadata

ObserveIT records metadata and stores it in ObserveIT's database, which is located on a central SQL Server.

Mac Agents record the following metadata:

  • Screenshot (Optional)

  • Window title (for the window in focus)

  • URL (for Safari, Chrome, TOR and Mozilla Firefox)

  • Application name (for the application in focus, including path)

  • Process name (Including process ID)

  • User name (Including domain name)

  • Keylogging (keyword and commands)

  • Data Access (USB connect / File move / File download / File copy / File upload)

Mac Agent Recording

The following are recorded:

  • Keylogging

  • File activity monitoring

  • Alerts

  • Video and metadata recording

  • Configurable recording policies (include/exclude users, applications, or URLs)

  • Recording when Agent is offline

  • Recording notification message

  • Out-of-policy notifications (warning and blocking messages)

  • Log Off and Close Application actions

  • Health monitoring – detect if the Agent is offline or has been tampered with

  • USB detection

  • Email monitoring for Microsoft Outlook and Apple Mail apps

Recorded Session Types

Mac Agents record graphic sessions:

  • Console login

  • Remote/VNC login

  • Fast user switch

  • Screen sharing

Limitations

The following are currently not supported for Mac Agents:

  • Secondary Authentication

  • Messaging and Ticketing

  • Agent API

    URL extraction in Firefox/Tor 71 and 72 is not supported. URL extraction is supported until Firefox/Tor 70.

Mac Agents do not record non-graphical (SSH) sessions. (Non- graphical sessions are disabled by default.)

Mac Agent - Getting Started

To get started, you deploy the Mac Agent on the endpoints with one of the following methods:

  • Mass deployment is used to deploy to multiple Mac OS endpoints using a deployment tool such as JAMF
  • Interactive deployment is used to deploy to a single endpoint
  • Offline deployment is used to install the Agent in offline mode

For more information see:

What You Need to Know about Mac Agent Setup

Mac Agent Deployment Overview

Risky activity that is performed on the Mac Agent is consolidated with other risky activities from the same user, providing a unified risk score for the user and a user-centric view in the User Risk Dashboard.

For large enterprise deployments, the Mac installation package uses the JAMF management tool (and other tools that support the PKG format) to support mass deployments.