Mac Agent Files

The ITM On-Prem (ObserveIT) Mac Agent Installation folder contains the following file:

observeit-agent-OSX-<version>.dmg

observeit-agent-OSX-<version>.dmg file contains:

observeit-agent-OSX-<version>.pkg

This is the package file for installations (remote and local).

preinstall script

This script contains the parameters for installing the Mac Agent using the observeit-agent-OSX-<version>.pkg.

Modify and use this script with:

The following is an example of the preinstall script.

 

preinstall script parameters

  • SERVER=0.0.0.0> /tmp/oit_remote_install.cfg

    ITM On-Prem (ObserveIT) Application Server hostname or IP address.

    Replace 0.0.0.0 with the server IP.

    If the Agent is connected to the ITM On-Prem (ObserveIT) Application Server over SSL, first deploy the SSL certificate, and then in the registration address enter the Fully Qualified Domain Name (FQDN) in the format: https://FQDN:PORT/observeitapplicationserver (the default port for SSL is 443). (See Configuring a Mac Agent to use SSL.)

  • PASSWORD="" (optional) Application server password.

  • POLICY=""

    Policy group ID.

    Link the agent to a specific group policy.

    If not specified, the default MAC policy is used.

  • ACCESSIBILITY_PROMPT=""

     This option lets you decide whether you want the user to be prompted.

  • ALLOW_SCREENRECORDING_POPUP="" 

    This option lets you decide whether you want a pop-up prompt to display asking the user to allow screen recording access.

    (To enable screen recording without pop-ups, see Enabling Automatic Security and Privacy Update for Mac .)

  • LOGGER_NAME=logger

    logger is the default. This option lets you assign another name to the process controller.

From version 7.12.4, for proxy server, the following parameters are included:

PROXY_URL=""

PROXY_PORT=""

PROXY_DOMAIN=""

PROXY_USERNAME=""

PROXY_USERPASSWORD=""

Modifying the preinstall script

  1. Open the preinstall script.

  2. Modify the server parameter, by entering ITM On-Prem (ObserveIT) Application Server host name or IP address. For example, 10.1.100.20.

    Change echo 'SERVER=0.0.0.0' >/tmp/oit_remote_install.cfg

    to

    • for http: echo 'SERVER=10.1.100.20' >/tmp/oit_remote_install.cfg

    • for https (default port(443)): echo 'SERVER=https://appserverfqdn/observeitapplicationserver' >/tmp/oit_remote_install.cfg

    • for https (for any other port): echo 'SERVER=https://appserverfqdn:PORT/observeitapplicationserver' >/tmp/oit_remote_install.cfg

  3. Modify the ALLOWPOPUP parameter, by selecting one of the following options:

    If you want to enable recording without the pop-ups, leave this parameter as a comment:
    #echo 'ALLOWPOPUP=' >/tmp/oit_remote_install.cfg.
    Enable silent recording in Enabling Automatic Security and Privacy Update for Mac .

    • Change echo 'ALLOWPOPUP=' >/tmp/oit_remote_install.cfg

      to

      echo 'ALLOWPOPUP=allow' >/tmp/oit_remote_install.cfg

      where allow indicates, allow pop-up. Pop-up displays for all users. Screen Recording permission is granted in Security & Privacy configuration.

      or

    • 'ALLOWPOPUP=never' >/tmp/oit_remote_install.cfg

      where never indicates, never display pop-up. There is no screen recording.

      or

    • 'ALLOWPOPUP=<user>' >/tmp/oit_remote_install.cfg

      where <user> is the username of the user for whom you want the pop-up to display. Pop-up displays for the specified user only. This user grants Screen Recording permission in Security & Privacy configuration for the computer.

  4. Modify the optional parameters, such as the password, by entering the parameter after "=" and removing "#" to uncomment the line.

    For example, change

    #echo 'PASSWORD=' >> /tmp/oit_remote_install.cfg

    to

    echo 'PASSWORD=<your_password>' >> /tmp/oit_remote_install.cfg

  5. Save your changes. Close and double-click to run.

preuninstall script 

This script contains the parameters for uninstalling the Mac Agent.

This script is downloaded from observeit-agent-OSX-<version>.dmg. See Configuring Service Settings.

preuninstall script parameters

  • Password: Only if required

Modifying the preuninstall script

  1. Copy the preuninstall script to your desktop or another folder that is easily accessible.

  2. Modify the password parameter by entering a password if one is required.

  3. PASSWORD=

    to

    PASSWORD=<your_ password>

  4. Save your changes. Close and double-click to run.

IT Viewer Configuration Profile File

The configuration profile is used with the silent installation solution for mass deployment. (See Profile Configuration Files.)

IT View Configuration Profile Files for ObserveIT version 7.11.0

  • IT Viewer macOS 11.x.mobileconfig (not signed, obfuscated)

  • IT Viewer macOS 11.x.signed.mobileconfig (signed, not obfuscated and read-only)

IT View Configuration Profile Files for ObserveIT version 7.10.1

  • IT Viewer macOS 10.x.mobileconfig (not signed, obfuscated)

  • IT Viewer macOS 10.x.signed.mobileconfig (signed, not obfuscated and read-only)

Optionally, you can modify the configuration profile and change the process name from it's default, "logger".

From version 7.14.0. macOS Ventura is supported and the following Configuration Profiles are available:

You can use a signed configuration profile as is. A Signed configuration profile is signed by Proofpoint and "Proofpoint" will display when users open the configuration profile. If you want to make changes to the Configuration Profile, use the version that is not signed. After making changes you must sign the configuration profile before deploying it

  • For macOS 11 (Big Sur) and higher (including Ventura)

    • IT Viewer macOS 11.signed.mobileconfig: Configuration Profile signed by Proofpoint

    • IT Viewer macOS 11.mobileconfig: Unsigned Configuration Profile, to be signed by customer

  • For macOS Ventura 13

    • Ventura Disable Login Items Notifications Sample Profile.mobileconfig: This is a sample configuration profile showing you how to disable all background task management notifications introduced in macOS Ventura (Login Items notifications). You can entirely disable all such notifications by creating a Configuration Profile based on this sample profile. This is a system-wide profile, so if you use it, notifications that were already triggered and that exist within the Notification Center will not display.

  • For macOS versions prior to macOS 11 (Big Sur):

    • IT Viewer macOS 10.x.signed.mobileconfig: Configuration Profile signed by Proofpoint

    • IT Viewer macOS 10.x.mobileconfig: Unsigned Configuration Profile, to be signed by customer

Modifying the IT Viewer Configuration Profile File

logger is the default. This option lets you assign another name to the logger process name.

  1. From the JAMF Web Console Dashboard, click the Computer button and select Configuration Profiles from the menu on the left-side. The Configuration Profiles screen displays.

  2. Select the IT Viewer Configuration policy and then select Privacy Preferences Policy Control option.

    The Privacy Preferences Control screen displays.

  3. Click Edit and in App Access area, in the Identifier field, replace "logger" with the name you want. (In the example, "logger" is replaced with "it_monitor".)

  4. Scroll down to the next App Access area, and in the iIdentifier field, replace "logger" with the name you want.

  5. Save your changes.

postinstall script

This script is used when deploying Mac Agents in an mTLS client environment.

This script is relevant from version 7.10.x.

Before you run this script, see Securing Mac Agent Certificate for mTLS and Preparing the Client (Agent) Certificate for Mac in an mTLS Environment.

The following are examples of the parameters in the postinstall script:

  • INSTALL_DIR: location where the .pem <CLIENT-i01-c01.pem> and .pfx <CLIENT-i01-c01.pfx> files will be created when deployed (for example, <$WORKDIR/install>.
  • CLIENTCERT_PFX_FILE:  Name of the client certificate .pfx file. In the example, CLIENT-i01-c01.pfx.
  • CLIENTCERT_PEM_FILE: Name of the client certificate .pem file. In the example, CLIENT-i01-c01.pem.
  • PEM_PASS: Password for .pem file

For more information, see Preparing the Client (Agent) Certificate for Mac in an mTLS Environment.

For more information about enabling the Mac Securing Mac Agent Certificate for mTLS.

postinstall Script Example

#!/bin/bash
#
# Copyright 2020 ObserveIT Ltd.  All rights reserved.
# Use is subject to license terms.
#
# Postinstall script for OSX MTLS client certificate deployment
#

LOG_FILE=/tmp/it_mtls.install.log
#INSTALL_DIR=<Value of '--install-location' parameter when running the 'pkgbuild' command>
#CLIENTCERT_PFX_FILE=<$INSTALL_DIR/<Client certificate pfx file name>
#CLIENTCERT_PEM_FILE=<$INSTALL_DIR/<Client certificate pem file name>
#PEM_PASS=<pem file password>

cleanup()
{
    echo "Cleaning up..." >> $LOG_FILE
    rm -f $CLIENTCERT_PFX_FILE $CLIENTCERT_PEM_FILE
}

echo "Running $0 - start postinstall client certificate deployment script" > $LOG_FILE 

if [ ! -r $CLIENTCERT_PFX_FILE ]; then
	echo "Error: File $CLIENTCERT_PFX_FILE not found or unreadable" >> $LOG_FILE
	cleanup
	exit 1
fi

if [ ! -r $CLIENTCERT_PEM_FILE ]; then
    echo "Error: File $CLIENTCERT_PEM_FILE not found or unreadable" >> $LOG_FILE
	cleanup
	exit 1
fi

echo "About to execute: security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain $CLIENTCERT_PEM_FILE" >> $LOG_FILE 2>&1

security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain $CLIENTCERT_PEM_FILE >> $LOG_FILE 2>&1 
if [ $? != 0 ]; then
	echo "Error: Failed to trust certificate $CLIENTCERT_PEM_FILE" >> $LOG_FILE
	cleanup
	exit 1
fi

loggerBinary=logger ### Replace with obfuscated name if required 

echo "About to execute: security import $CLIENTCERT_PFX_FILE -k /Library/Keychains/System.keychain  -T \"/etc/omonitor/$loggerBinary\" -T \"/etc/omonitor/service\" -T \"/etc/omonitor/oitcons\" -T \"/etc/omonitor/itAppWrapper\" -T \"/etc/omonitor/WarningNotification.app\" -T \"/etc/omonitor/BlockingMessage.app\" -P ****" >> $LOG_FILE 2>&1 

security import $CLIENTCERT_PFX_FILE -k /Library/Keychains/System.keychain  -T "/etc/omonitor/$loggerBinary" -T "/etc/omonitor/service" -T "/etc/omonitor/oitcons" -T "/etc/omonitor/itAppWrapper" -T "/etc/omonitor/WarningNotification.app" -T "/etc/omonitor/BlockingMessage.app" -P $PEM_PASS >> $LOG_FILE 2>&1

if [ $? != 0 ]; then
    echo "Error: Failed to import certificate $CLIENTCERT_PFX_FILE" >> $LOG_FILE
	cleanup
	exit 1
fi
echo "Successfully installed client certificate" >> $LOG_FILE
cleanup
exit 0
Create pkg destination directory, e.g. $WORKDIR/install

Create the .pkg by running the following command:

/usr/bin/pkgbuild  --identifier com.it.pkg.cert --version 1.0.0.0 --root $WORKDIR/certs --scripts $WORKDIR/scripts --install-location $WORKDIR/install $WORKDIR/install/mtls_cert.pkg