How to Deploy Elastic Agent on macOS with Microsoft Endpoint Manager (Intune)

You can also read our companion blog on how to deploy Elastic Agent on Windows.

If you’re using Elastic SIEM to monitor your infrastructure, then you probably know about Elastic Agent.  If you haven’t yet tried it out, there are a lot of great use cases for it including:

  • Full endpoint security (EPP/EDR) solution
  • Easily capture system logs
  • Query systems via osquery

Aside from the endpoint-specific use cases, you can also use it to secure your Microsoft cloud environment.

If you read our Windows version of this guide, then you already know how challenging it is to deploy Elastic Agent via Intune on Windows.  It’s no easier on macOS.  Fortunately, we’ve worked through these challenges and come up with the following solution that we’ll walk through step by step.

Create and deploy .mobileconfig file

Recent versions of macOS require applications to explicitly request approval for the use of System Extensions.  If we deployed Elastic Agent on macOS without first approving these System Extensions, the end user would receive a prompt requesting approval.  Not a great experience.  To prevent this, we need to first deploy a System Extensions profile that grants this approval prior to installation.

  1. Download the mobile_config_gen.py Python script from Elastic’s endpoint GitHub.
  2. Open a Terminal window and navigate to the folder that you saved the Python script to. Then type the following to run the script:
    python3 mobile_config_gen.py -n <name of your company> -o <name of output file>

    For example, we would specifically type the following command to create a system profile named elastic-agent.mobileconfig:

    python3 mobile_config_gen.py -n "Iron Vine Security" -o elastic-agent
  3. Navigate to https://endpoint.microsoft.com and then click on Devices -> macOS.
  4. Next, click on Configuration profiles.
  5. Click on + Create profile to add a new configuration profile.
  6. In the Create a profile menu that appears on the right, select the following and click Create at the bottom when finished.

    • Profile type
      Templates
    • Template name
      Custom
  7. Complete the Basics section. Only the Name field is required.  Click Next at the bottom when finished.
  8. Complete the Configuration settings section. Click Next at the bottom when finished.

    • Custom configuration profile name
      Elastic Agent Onboarding
    • Note: You must use this name as a subsequent script we will be using depends on this profile name.  If you change the name here, you’ll need to manually update the script to match.
    • Deployment channel
      Device channel
    • Configuration profile file
      Click the blue folder to upload the elastic-agent.mobileconfig system profile that we created in step 2.
  9. Complete the Assignments section. Under the Required section click on one of + Add group, + Add all users, or + Add all devices to assign the profile as needed. We recommend creating an Azure AD pilot group that you can use to test this deployment.  Once everything is working as expected, you can then deploy to a broader group.  Click Next at the bottom when finished.
  10. In the Review + create section, look over the configuration settings one more time.  Once you’re ready, click Create at the bottom to create the system profile. As a reminder, the Custom configuration profile name should be Elastic Agent Onboarding as this system profile name is required by a subsequent script we will be using.

Create macOS Elastic Agent Install Script

With our System Extensions profile created, let’s now create a shell script to deploy Elastic Agent to our macOS systems.  Fortunately, you won’t have to do this from scratch, as we’re sharing a script to do the following:

  • Checks for the presence of the System Extensions profile we created above prior to starting installation
  • Downloads Elastic Agent and saves it locally
  • Uncompresses the installation files and runs the install command

Before we can use it, we’ll need to edit the script and set the values of a few variables.

  1. Open the install-elastic-agent-macos.sh script in your favorite text editor.
  2. At the top you’ll see a section titled ## User Defined variables. You’ll need to edit (as in, change what is inside the quotation marks for each) the following variable values with your own:
    • weburl
      This is the download URL for the Elastic Agent that you want to install.
    • fleeturl
      This is your Elastic Fleet server URL.
    • enrolltoken
      This is the enrollment token of the Elastic Agent policy you want to deploy.
      Note: You can get your Elastic Fleet server URL and enrollment token by navigating in Kibana’s left menu and clicking on Fleet under Management.  Next, click on Add agent and select the Agent policy you want deployed.  This will display a command that shows the URL and enrollment token.
  3. When you’re finished, save the file.
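To make the three steps above concrete, here is an added, illustrative install script written for this guide; it is not the install-elastic-agent-macos.sh the post refers to. The weburl, fleeturl and enrolltoken values are placeholders, and the script assumes that `profiles show -type configuration` lists an installed profile's display name on a line ending in `attribute: name: <name>` and that Elastic's tarball unpacks into a directory named after the archive without `.tar.gz`.

```shell
#!/bin/bash
# Added illustrative install script (not the post's install-elastic-agent-macos.sh).
# Assumptions: the "User Defined variables" below are placeholders; the installed
# profile's display name appears in `profiles show -type configuration` output on a
# line ending in "attribute: name: <name>"; the tarball unpacks into a directory
# named like the archive without ".tar.gz" (Elastic's download layout).
set -eu

## User Defined variables (replace with your own values)
weburl="https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-VERSION-darwin-x86_64.tar.gz"
fleeturl="https://FLEET-SERVER-HOST:8220"
enrolltoken="REPLACE_WITH_ENROLLMENT_TOKEN"
profilename="Elastic Agent Onboarding"   # must match the Intune profile name

# Print "yes" if the profile listing on stdin names the onboarding profile, else "no".
profile_installed() {
  if grep -q "attribute: name: ${profilename}\$"; then echo yes; else echo no; fi
}

# Archive file name and the directory it unpacks into, both derived from the URL.
archive_name() { basename "$1"; }
agent_dir() { basename "$1" .tar.gz; }

main() {
  # Without the System Extensions profile the install would prompt the user,
  # so exit non-zero and let Intune retry on its next scheduled run.
  if [ "$(profiles show -type configuration | profile_installed)" != yes ]; then
    echo "Profile '${profilename}' not installed yet; retry later" >&2
    exit 1
  fi
  # The script runs on a schedule; do nothing if the agent is already installed.
  if [ -x /Library/Elastic/Agent/elastic-agent ]; then
    echo "Elastic Agent already installed"; exit 0
  fi
  workdir=$(mktemp -d)
  trap 'rm -rf "$workdir"' EXIT
  curl -fsSL "$weburl" -o "$workdir/$(archive_name "$weburl")"
  tar -xzf "$workdir/$(archive_name "$weburl")" -C "$workdir"
  cd "$workdir/$(agent_dir "$weburl")"
  ./elastic-agent install --non-interactive --url="$fleeturl" --enrollment-token="$enrolltoken"
}

# Intune runs the script as root on macOS; anywhere else only the helpers are defined.
if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
  main
else
  echo "Skipping install: must run as root on macOS" >&2
fi
```

Because the profile check exits with a non-zero status, the "Max number of times to retry" setting in the Intune deployment covers the case where the profile arrives after the script's first run.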

Create macOS Shell Scripts Deployment

With our Elastic Agent install script ready to go, let’s create a shell script deployment to deploy this script and install Elastic on our macOS systems.

  1. Navigate back to https://endpoint.microsoft.com and then click on Devices -> macOS.
  2. Next, click on Shell scripts.
  3. Click on + Add to add a new shell script.
  4. Complete the Basics section. Only the Name field is required. Click Next at the bottom when finished.
  5. Complete the Script settings section. Click Next at the bottom when finished.

    • Upload script
      Click on the blue folder to upload your modified install-elastic-agent-macos.sh that you previously saved.
    • Run script as signed-in user
      No
    • Hide script notifications on devices
      Yes
    • Script frequency
      Every 1 day (or however often you prefer)
    • Max number of times to retry if script fails
      3 times (or however often you prefer)
  6. Complete the Assignments section. Under the Required section click on one of + Add groups, + Add all users, or + Add all devices to assign the application as needed.
    We recommend creating an Azure AD pilot group that you can use to test this deployment.  Once everything is working as expected, you can then deploy to a broader group. Click Next at the bottom when finished.
  7. In the Review + create section, look over the configuration settings one more time. Once you’re ready, click Create at the bottom to create the shell script deployment.
  8. You can check the deployment status of the script by clicking on the newly created shell script deployment and then clicking on Device status. Check the Status field and click on the Result field to see more details. Additionally, you can click Show details to show the script’s log output.

That’s it! Once your systems start checking in, you’ll see them appear in Fleet inside of Kibana.  Happy deploying!