Installing macOS Agents

The macOS agent installer package (.pkg) and the uninstaller package (.pkg) are delivered together in a .dmg file. You can use the installer directly on individual endpoints for testing or in production environments.

Starting with Privilege Manager v11, the agent implements a system extension (SYSEX) to support macOS Catalina and later. If you need to support older versions of macOS that do not support system extensions, refer to the 10.8.2 documentation for installation instructions for the KEXT-based agent.

For details about differences regarding KEXT and SYSEX versions, refer to macOS Extensions.

Refer to the Software Downloads for the current versions available.

Agent Components

The agent is made up of several components:

  • Privilege Manager.app
  • System Extension
  • Preference Pane
  • sudo Plugin
  • Service Agent

macOS Agent System Requirements

Privilege Manager Version   macOS Version      System Extension   Kernel Extension
10.8 and earlier            10.11 - 10.15      N                  Y
11.0 and later              10.15 and later    Y                  N

Installing macOS Agents

The examples below use version placeholders instead of the actual install package versions. If you copy an example, replace n.n.nnnn with the actual version number listed on the Software Downloads page.
If you enter the wrong install code, or need to update an install code for any reason, rerun the package installer and provide the correct or new install code. The Install Code field can be left blank when using versions lower than 10.5.

Directly

You can use the macOS agent installer directly on individual endpoints for testing or production environments.

To install the agent software on a single endpoint, follow these steps:

  1. Go to Software Downloads - macOS Endpoints to download the Privilege Manager macOS Agent.

  2. Mount the DMG and run the PKG installer on the computer you want to manage.

  3. During the installation process,

    1. Enter the Privilege Manager Server URL.
    2. Enter the install code.


If you are not using Mobile Device Management (MDM) to manage allowed system extensions, you will see the following dialogs.

Notifications Approval

When presented with the Privilege Manager Notifications dialog, click Options | Allow. This will ensure that you are notified via Notification Center when an approval request is allowed or denied.


System Extension Blocked

When the installation completes, macOS will present the following dialog, prompting you to acknowledge that Privilege Manager tried to load a new system extension. Click Open Security Preferences to allow the system extension.


If you click OK, you will need to open System Preferences | Security & Privacy | General to allow the system extension.

To allow the system extension, click the padlock in the bottom left to enter admin credentials and then click Allow.


Click the Privacy tab and use the scrollbar to select Full Disk Access, then select Privilege Manager Security.


The system extension is now properly configured to enforce policy.

Using an Unattended Install Method

After downloading the latest bundled macOS Agent package onto one of your macOS endpoints, extract the DelineaManagementAgent-n-n-nnnn.pkg installer from inside the DMG and upload it to your MDM's distribution point.

Create a policy that includes the newly uploaded installer package, and add the script below to run before the package installation. Replace the values for tmsBaseUrl and installCode as required. loginProcessingDelayS defaults to 30 (seconds). The validateServerCertificate setting controls whether the endpoint agent validates the Privilege Manager server's certificate when communicating with the server; set it to 1 to enable validation. The default is 0 for backward compatibility.

Refer to this video demonstration.

Replace the version placeholders with the real package file version numbers.

#!/bin/bash
# Verify Privilege Manager macOS configuration script to be used with a "vanilla" download of the agent.
# Run this script as a pre-install payload, before the PKG is installed, so the agent finds its
# configuration on first start.
# Replace tmsBaseUrl with your own server URL, e.g. "https://your.privman.com/TMS".
# Replace installCode with your own install code.
# loginProcessingDelayS defaults to 30 seconds.
# validateServerCertificate: 1 = validate the server's TLS certificate, 0 = do not validate
# (default, kept for backward compatibility).

/bin/mkdir -p "/Library/Application Support/Delinea/Agent/"

# Quoted delimiter: the JSON below is written literally, with no shell expansion.
/bin/cat << 'EOF' > "/Library/Application Support/Delinea/Agent/agentconfig.json"
{
      "tmsBaseUrl": "",
      "installCode": "",
      "loginProcessingDelayS": 30,
      "validateServerCertificate": 0
}
EOF
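As an added example, not the vendor's script, the following pre-install helper writes the same agentconfig.json fields from parameters, but fails closed on a non-HTTPS tmsBaseUrl, rejects values that would break the JSON, always sets validateServerCertificate to 1, and includes an audit function for checking an existing file. The AGENT_DIR override and the function names are this example's own; the file path and field names are the page's.

```shell
#!/bin/bash
# Added example (not Delinea's script). AGENT_DIR can be overridden so the
# functions can be exercised in a scratch directory outside macOS.
AGENT_DIR="${AGENT_DIR:-/Library/Application Support/Delinea/Agent}"

# write_agent_config <tmsBaseUrl> <installCode> [loginProcessingDelayS]
# Writes agentconfig.json and returns 0, or returns 1 without touching disk.
write_agent_config() {
    local url="$1" code="$2" delay="${3:-30}"
    case "$url" in
        https://*) ;;                                   # only TLS endpoints accepted
        *) echo "refusing non-HTTPS tmsBaseUrl: $url" >&2; return 1 ;;
    esac
    case "$url$code" in                                 # keep the JSON well-formed
        *[\"\\]*) echo "quotes/backslashes not allowed in values" >&2; return 1 ;;
    esac
    case "$delay" in
        ''|*[!0-9]*) echo "loginProcessingDelayS must be an integer" >&2; return 1 ;;
    esac
    /bin/mkdir -p "$AGENT_DIR" || return 1
    # validateServerCertificate=1 replaces the backward-compatible default of 0,
    # so the agent checks the server's certificate on every connection.
    /bin/cat > "$AGENT_DIR/agentconfig.json" <<EOF
{
      "tmsBaseUrl": "$url",
      "installCode": "$code",
      "loginProcessingDelayS": $delay,
      "validateServerCertificate": 1
}
EOF
    /bin/chmod 644 "$AGENT_DIR/agentconfig.json"
}

# audit_agent_config: returns 0 only if the on-disk config uses an HTTPS
# server URL and enforces certificate validation; useful as a post-install check.
audit_agent_config() {
    local f="$AGENT_DIR/agentconfig.json"
    [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    grep -Eq '"validateServerCertificate"[[:space:]]*:[[:space:]]*1[[:space:]]*$' "$f" \
        && grep -Eq '"tmsBaseUrl"[[:space:]]*:[[:space:]]*"https://' "$f"
}
```

Run write_agent_config with your server URL and install code from the MDM pre-install step, and audit_agent_config from any later compliance check.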

It takes 15-30 minutes for newly installed agents to register in Privilege Manager. See the agent registration information in the Terminal Commands topic to speed up the process.

Uninstalling an Agent

Starting with the 11.4.3 agent, an uninstaller .pkg file replaces the shell script previously used to uninstall the agent. When you need to uninstall the macOS agent, mount the .dmg file and run the Uninstaller.pkg package.

There will be prompts for admin credentials throughout the process. Once the uninstaller has finished, this screen is displayed.

Uninstall.sh

If the Uninstall.sh script is still needed in an existing script-based workflow, run it as follows:

sudo <pathToDownloadedUninstallScript>/Uninstall.sh

Verification

Running pkgutil --files com.delinea.agent should report the following:

No receipt for 'com.delinea.agent' found at '/'.

Deploying Uninstaller.pkg with an MDM

Removing a system extension requires that the end user supply admin credentials, unless the system extension was installed silently using an MDM Configuration Profile with a System Extension whitelist payload. See Using MDM Profiles for your Agent.

If this is the case in your environment, it is possible to uninstall Privilege Manager without end user interaction via Jamf or MDM using these steps.

  1. Remove the deployed system extension whitelist profile from the endpoint. This will terminate the system extension.

Unloading the system extension WILL DISABLE THE AGENT.

  2. Push out the Uninstaller.pkg via policy to uninstall Privilege Manager.

  3. An endpoint reboot is not required, but the terminated system extension will remain installed and inactive until reboot.