Mac Agent Files
The ITM On-Prem (ObserveIT) Mac Agent Installation folder contains the following file:
observeit-agent-OSX-<version>.dmg
The observeit-agent-OSX-<version>.dmg file contains:
observeit-agent-OSX-<version>.pkg
This is the package file for installations (remote and local).
preinstall script
This script contains the parameters for installing the Mac Agent using the observeit-agent-OSX-<version>.pkg.
Modify and use this script with:
The following is an example of the preinstall script.
preinstall script parameters
- SERVER=0.0.0.0 > /tmp/oit_remote_install.cfg
  ITM On-Prem (ObserveIT) Application Server hostname or IP address.
  Replace 0.0.0.0 with the server IP.
  If the Agent is connected to the ITM On-Prem (ObserveIT) Application Server over SSL, first deploy the SSL certificate, and then in the registration address enter the Fully Qualified Domain Name (FQDN) in the format: https://FQDN:PORT/observeitapplicationserver (the default port for SSL is 443). (See Configuring a Mac Agent to use SSL.)
- PASSWORD=""
  (optional) Application server password.
- POLICY=""
  Policy group ID.
  Link the agent to a specific group policy.
  If not specified, the default MAC policy is used.
- ACCESSIBILITY_PROMPT=""
  This option lets you decide whether you want the user to be prompted.
- ALLOW_SCREENRECORDING_POPUP=""
  This option lets you decide whether you want a pop-up prompt to display asking the user to allow screen recording access.
  (To enable screen recording without pop-ups, see Enabling Automatic Security and Privacy Update for Mac.)
- LOGGER_NAME=logger
  logger is the default. This option lets you assign another name to the process controller.
From version 7.12.4, for proxy server, the following parameters are included:
- PROXY_URL=""
- PROXY_PORT=""
- PROXY_DOMAIN=""
- PROXY_USERNAME=""
- PROXY_USERPASSWORD=""
Modifying the preinstall script
- Open the preinstall script.
- Modify the server parameter by entering the ITM On-Prem (ObserveIT) Application Server host name or IP address. For example, 10.1.100.20.
  Change
  echo 'SERVER=0.0.0.0' >/tmp/oit_remote_install.cfg
  to
  - for http:
    echo 'SERVER=10.1.100.20' >/tmp/oit_remote_install.cfg
  - for https (default port 443):
    echo 'SERVER=https://appserverfqdn/observeitapplicationserver' >/tmp/oit_remote_install.cfg
  - for https (for any other port):
    echo 'SERVER=https://appserverfqdn:PORT/observeitapplicationserver' >/tmp/oit_remote_install.cfg
- Modify the ALLOWPOPUP parameter by selecting one of the following options:
  - If you want to enable recording without the pop-ups, leave this parameter as a comment:
    #echo 'ALLOWPOPUP=' >> /tmp/oit_remote_install.cfg
    Enable silent recording as described in Enabling Automatic Security and Privacy Update for Mac.
  - Change
    echo 'ALLOWPOPUP=' >> /tmp/oit_remote_install.cfg
    to
    echo 'ALLOWPOPUP=allow' >> /tmp/oit_remote_install.cfg
    where allow indicates that the pop-up is allowed. The pop-up displays for all users. Screen Recording permission is granted in Security & Privacy configuration.
    or
    echo 'ALLOWPOPUP=never' >> /tmp/oit_remote_install.cfg
    where never indicates that the pop-up is never displayed. There is no screen recording.
    or
    echo 'ALLOWPOPUP=<user>' >> /tmp/oit_remote_install.cfg
    where <user> is the username of the user for whom you want the pop-up to display. The pop-up displays for the specified user only. This user grants Screen Recording permission in Security & Privacy configuration for the computer.
- Modify the optional parameters, such as the password, by entering the parameter after "=" and removing "#" to uncomment the line.
  For example, change
  #echo 'PASSWORD=' >> /tmp/oit_remote_install.cfg
  to
  echo 'PASSWORD=<your_password>' >> /tmp/oit_remote_install.cfg
- Save your changes. Close and double-click to run.
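The values edited in the steps above end up as lines in /tmp/oit_remote_install.cfg, which may include a cleartext password. The following is an added example, not part of the ObserveIT package: it validates the SERVER and ALLOWPOPUP values and writes the file readable by its owner only. The function names and the validation rules (including the allowed user name characters) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not ObserveIT code. Function names and validation rules
# are assumptions for illustration.

# one_line VALUE: true when VALUE has no embedded newline (no extra cfg lines).
one_line() { [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" = "0" ]; }

# valid_server VALUE: a host name or IPv4 address (http), or
# https://FQDN[:PORT]/observeitapplicationserver. Rejects the 0.0.0.0 placeholder.
valid_server() {
  host='[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?'
  one_line "$1" && [ "$1" != "0.0.0.0" ] || return 1
  printf '%s\n' "$1" |
    grep -Eq "^(${host}|https://${host}(:[0-9]{1,5})?/observeitapplicationserver)\$"
}

# valid_popup VALUE: "allow", "never", or one user name (assumed character set).
valid_popup() {
  one_line "$1" && printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# build_oit_cfg FILE SERVER [ALLOWPOPUP] [PASSWORD]
build_oit_cfg() {
  cfg="$1"; server="$2"; popup="${3:-}"; password="${4:-}"
  valid_server "$server" || { echo "bad SERVER value" >&2; return 2; }
  [ -z "$popup" ] || valid_popup "$popup" || { echo "bad ALLOWPOPUP value" >&2; return 3; }
  one_line "$password" || { echo "PASSWORD contains a newline" >&2; return 4; }
  (
    umask 077            # the file may hold a cleartext password: owner-only
    rm -f "$cfg"
    set -C               # noclobber: '>' fails if the path reappears after rm
    printf 'SERVER=%s\n' "$server" > "$cfg" || exit 1
    # Later parameters are appended with '>>' so SERVER is not overwritten.
    [ -z "$popup" ] || printf 'ALLOWPOPUP=%s\n' "$popup" >> "$cfg"
    [ -z "$password" ] || printf 'PASSWORD=%s\n' "$password" >> "$cfg"
  )
}

# Usage: build_oit_cfg /tmp/oit_remote_install.cfg 10.1.100.20 allow
```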
preuninstall script
This script contains the parameters for uninstalling the Mac Agent.
This script is downloaded from observeit-agent-OSX-<version>.dmg. See Configuring Service Settings.
preuninstall script parameters
- Password: Only if required
Modifying the preuninstall script
- Copy the preuninstall script to your desktop or another folder that is easily accessible.
- Modify the password parameter by entering a password if one is required. Change
  PASSWORD=
  to
  PASSWORD=<your_password>
- Save your changes. Close and double-click to run.
IT Viewer Configuration Profile File
The configuration profile is used with the silent installation solution for mass deployment. (See Profile Configuration Files.)
IT Viewer Configuration Profile Files for ObserveIT version 7.11.0
- IT Viewer macOS 11.x.mobileconfig (not signed, obfuscated)
- IT Viewer macOS 11.x.signed.mobileconfig (signed, not obfuscated and read-only)
IT Viewer Configuration Profile Files for ObserveIT version 7.10.1
- IT Viewer macOS 10.x.mobileconfig (not signed, obfuscated)
- IT Viewer macOS 10.x.signed.mobileconfig (signed, not obfuscated and read-only)
Optionally, you can modify the configuration profile and change the process name from its default, "logger".
From version 7.14.0, macOS Ventura is supported and the following Configuration Profiles are available:
You can use a signed configuration profile as is. A signed configuration profile is signed by Proofpoint, and "Proofpoint" will display when users open the configuration profile. If you want to make changes to the Configuration Profile, use the version that is not signed. After making changes, you must sign the configuration profile before deploying it.
- For macOS 11 (Big Sur) and higher (including Ventura):
  - IT Viewer macOS 11.signed.mobileconfig: Configuration Profile signed by Proofpoint
  - IT Viewer macOS 11.mobileconfig: Unsigned Configuration Profile, to be signed by customer
- For macOS Ventura 13:
  - Ventura Disable Login Items Notifications Sample Profile.mobileconfig: This is a sample configuration profile showing you how to disable all background task management notifications introduced in macOS Ventura (Login Items notifications). You can entirely disable all such notifications by creating a Configuration Profile based on this sample profile. This is a system-wide profile, so if you use it, notifications that were already triggered and that exist within the Notification Center will not display.
- For macOS versions prior to macOS 11 (Big Sur):
  - IT Viewer macOS 10.x.signed.mobileconfig: Configuration Profile signed by Proofpoint
  - IT Viewer macOS 10.x.mobileconfig: Unsigned Configuration Profile, to be signed by customer
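An unsigned profile that has been edited must be signed before deployment. The following is an added example, not Proofpoint code: it signs a profile as a CMS (PKCS#7, DER) envelope with openssl and checks that the signature verifies and the payload is unchanged. The function names, file names and the throwaway self-signed signer are constructed for illustration; a real deployment uses the organization's own signing certificate and key.

```shell
#!/bin/sh
# Added example, not Proofpoint code: sign an edited .mobileconfig as CMS
# (PKCS#7, DER) with openssl and check the signature before deployment.
# File names and the throwaway signer are constructed for illustration;
# in production use your organization's signing certificate and key.

# make_demo_signer DIR: create a short-lived self-signed EC cert and key.
make_demo_signer() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Constructed Profile Signer" -days 1 \
    -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null
}

# sign_profile IN OUT CERT KEY: embed the profile, byte for byte (-binary),
# in a signed DER envelope (-nodetach keeps the payload inside the signature).
sign_profile() {
  openssl smime -sign -nodetach -binary -outform der \
    -signer "$3" -inkey "$4" -in "$1" -out "$2"
}

# verify_profile SIGNED OUT: check the signature and extract the payload.
# -noverify skips chain validation because the demo signer is self-signed.
verify_profile() {
  openssl smime -verify -noverify -binary -inform der \
    -in "$1" -out "$2" 2>/dev/null
}

# roundtrip_ok PROFILE: sign, verify, and confirm the payload is unchanged.
roundtrip_ok() {
  work="$(mktemp -d)" || return 1
  make_demo_signer "$work" &&
    sign_profile "$1" "$work/signed.mobileconfig" \
      "$work/signer.crt" "$work/signer.key" &&
    verify_profile "$work/signed.mobileconfig" "$work/extracted" &&
    cmp -s "$1" "$work/extracted"
  rc=$?
  rm -rf "$work"
  return "$rc"
}

# Usage: roundtrip_ok "IT Viewer macOS 11.mobileconfig" && echo "signature OK"
```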
Modifying the IT Viewer Configuration Profile File
logger is the default. This option lets you assign another name to the logger process.
- From the JAMF Web Console Dashboard, click the Computer button and select Configuration Profiles from the menu on the left side. The Configuration Profiles screen displays.
- Select the IT Viewer Configuration policy and then select the Privacy Preferences Policy Control option.
  The Privacy Preferences Control screen displays.
- Click Edit and in the App Access area, in the Identifier field, replace "logger" with the name you want. (In the example, "logger" is replaced with "it_monitor".)
- Scroll down to the next App Access area, and in the Identifier field, replace "logger" with the name you want.
- Save your changes.
postinstall script
This script is used when deploying Mac Agents in an mTLS client environment.
This script is relevant from version 7.10.x.
Before you run this script, see Securing Mac Agent Certificate for mTLS and Preparing the Client (Agent) Certificate for Mac in an mTLS Environment.
The following are examples of the parameters in the postinstall script:
- INSTALL_DIR: location where the .pem <CLIENT-i01-c01.pem> and .pfx <CLIENT-i01-c01.pfx> files will be created when deployed (for example, <$WORKDIR/install>).
- CLIENTCERT_PFX_FILE: Name of the client certificate .pfx file. In the example, CLIENT-i01-c01.pfx.
- CLIENTCERT_PEM_FILE: Name of the client certificate .pem file. In the example, CLIENT-i01-c01.pem.
- PEM_PASS: Password for .pem file
For more information, see Preparing the Client (Agent) Certificate for Mac in an mTLS Environment.
For more information, see Securing Mac Agent Certificate for mTLS.
postinstall Script Example
    #!/bin/bash
    #
    # Copyright 2020 ObserveIT Ltd. All rights reserved.
    # Use is subject to license terms.
    #
    # Postinstall script for OSX MTLS client certificate deployment
    #

    LOG_FILE=/tmp/it_mtls.install.log
    #INSTALL_DIR=<Value of '--install-location' parameter when running the 'pkgbuild' command>
    #CLIENTCERT_PFX_FILE=<$INSTALL_DIR/<Client certificate pfx file name>
    #CLIENTCERT_PEM_FILE=<$INSTALL_DIR/<Client certificate pem file name>
    #PEM_PASS=<pem file password>

    # Remove the certificate files from the install location on every exit path.
    cleanup() {
        echo "Cleaning up..." >> "$LOG_FILE"
        rm -f "$CLIENTCERT_PFX_FILE" "$CLIENTCERT_PEM_FILE"
    }

    echo "Running $0 - start postinstall client certificate deployment script" > "$LOG_FILE"

    if [ ! -r "$CLIENTCERT_PFX_FILE" ]; then
        echo "Error: File $CLIENTCERT_PFX_FILE not found or unreadable" >> "$LOG_FILE"
        cleanup
        exit 1
    fi

    if [ ! -r "$CLIENTCERT_PEM_FILE" ]; then
        echo "Error: File $CLIENTCERT_PEM_FILE not found or unreadable" >> "$LOG_FILE"
        cleanup
        exit 1
    fi

    # Trust the client certificate in the System keychain.
    echo "About to execute: security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain $CLIENTCERT_PEM_FILE" >> "$LOG_FILE" 2>&1
    security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "$CLIENTCERT_PEM_FILE" >> "$LOG_FILE" 2>&1
    if [ $? != 0 ]; then
        echo "Error: Failed to trust certificate $CLIENTCERT_PEM_FILE" >> "$LOG_FILE"
        cleanup
        exit 1
    fi

    loggerBinary=logger ### Replace with obfuscated name if required

    # Import the .pfx and allow only the agent binaries (-T) to use the key.
    # The password is masked in the log line.
    echo "About to execute: security import $CLIENTCERT_PFX_FILE -k /Library/Keychains/System.keychain -T \"/etc/omonitor/$loggerBinary\" -T \"/etc/omonitor/service\" -T \"/etc/omonitor/oitcons\" -T \"/etc/omonitor/itAppWrapper\" -T \"/etc/omonitor/WarningNotification.app\" -T \"/etc/omonitor/BlockingMessage.app\" -P ****" >> "$LOG_FILE" 2>&1
    security import "$CLIENTCERT_PFX_FILE" -k /Library/Keychains/System.keychain -T "/etc/omonitor/$loggerBinary" -T "/etc/omonitor/service" -T "/etc/omonitor/oitcons" -T "/etc/omonitor/itAppWrapper" -T "/etc/omonitor/WarningNotification.app" -T "/etc/omonitor/BlockingMessage.app" -P "$PEM_PASS" >> "$LOG_FILE" 2>&1
    if [ $? != 0 ]; then
        echo "Error: Failed to import certificate $CLIENTCERT_PFX_FILE" >> "$LOG_FILE"
        cleanup
        exit 1
    fi

    echo "Successfully installed client certificate" >> "$LOG_FILE"
    cleanup
    exit 0

- Create pkg destination directory, e.g. $WORKDIR/install
- Create the .pkg by running the following command:
  /usr/bin/pkgbuild --identifier com.it.pkg.cert --version 1.0.0.0 --root $WORKDIR/certs --scripts $WORKDIR/scripts --install-location $WORKDIR/install $WORKDIR/install/mtls_cert.pkg