Installing macOS Agents

The macOS agent package .pkg installer and uninstaller package .pkg is delivered as a .dmg file. You can use the installer directly on individual endpoints for testing or for production environments.

Refer to the Software Downloads for the current versions available.

Agent Components

The agent is made up of several components:

  • Privilege Manager.app
  • System Extension
  • Preference Pane
  • sudo Plugin
  • Service Agent

Installing macOS Agents

Examples below are using version placeholders instead of the actual install package versions. If you copy the example, make sure to switch n.n.nnnn with the actual version numbers as listed on the Software Downloads page.
If you enter the wrong install code or you need to update an install code for whatever reason, rerun the package installer to provide the correct/new install code. The Install Code field can be left blank when using versions lower than 10.5.

Directly

You can use the macOS agent installer directly on individual endpoints for testing or production environments.

To install the agent software on a single endpoint, follow these steps:

  1. Go to Software Downloads - macOS Endpoints to download the Privilege Manager macOS Agent.

  2. Mount the DMG and run the PKG installer on the computer you want to manage.

  3. During the installation process,

    1. Enter the Privilege ManagerServer URL.
    2. Enter the install code.​

    alt

If you are not using Mobile Device Management (MDM) to manage allowed system extensions, you will see the following dialogs.

Notifications Approval

When presented with the Privilege Manager Notifications dialog, click Options | Allow. This will ensure that you are notified via Notification Center when an approval request is allowed or denied.

alt

System Extension Blocked

When the installation completes, macOS will present the following dialog, prompting you to acknowledge that Privilege Manager tried to load a new system extension. Click Open Security Preferences to enable the system extension to load.

alt

(If you click OK, the alet will be dismissed and you will need to open System Preferences | Security & Privacy | General to enable the system extension later.)

To enable the system extension to load, scroll down to the Security section until you see the notice that the system extension was blocked, and click Allow. (If prompted, enter the credentials of the administrator account.)

alt

Scroll back to the Privacy section and select Full Disk Access, then enable Privilege Manager Security.

alt

The system extension is now properly configured to enforce policy.

Using an Unattended Install Method

After downloading the latest bundled macOS Agent package onto one of your macOS endpoints, extract the DelineaManagementAgent-n-n-nnnn.pkg installer from inside the DMG and upload it to your MDM's distribution point.

Create a policy to include the newly uploaded installer package, and include the script below to run before the package installation. Replace the values for tmsBaseUrl and installCode as required. loginProcessingDelayS has a default value of 30 (seconds). The validateServerCertificate setting controls whether the endpoint agent validates the Privilege Manager server's certificate when communicating with the server; set the value to 1 to enable validation. The default value is 0 for backward compatibility.

Refer to this video demonstration.

Replace the version placeholders with the real package file version numbers.

Copy
#!/bin/zsh
# Verify Privilege Manager macOS configuration script to be used with a "vanilla" download of the agent.
# This script should be used as a pre-install payload to run prior to the installation of the PKG.
# Replace the tmsBaseUrl with your own server url i.e "https://your.privman.com/TMS"
# Replace installCode with your own details.

/bin/mkdir -p /Library/Application\ Support/Delinea/Agent/

/bin/cat << EOF > /Library/Application\ Support/Delinea/Agent/agentconfig.json
{
      "tmsBaseUrl": "",
      "installCode": "",
      "loginProcessingDelayS": 30, 
      "validateServerCertificate": 0
}
EOF
sleep 5

It will take 15-30 minutes for newly installed agents to register in Privilege Manager. See the agent registration information in the Terminal Commands topic to speed the process up.

Uninstalling an Agent

In the 11.4.3 agent, instead of using a shell script to uninstall the agent, there is now an uninstaller .pkg file. When you need to uninstall the macOS agent, mount the .dmg file and use the Uninstaller.pkg package.

There will be prompts for admin credentials throughout the process. Once the uninstaller has finished, this screen is displayed.

Uninstall.sh

If the Uninstall.sh script is still needed to add to an existing script-based workflow, it can be run as follows:

sudo <pathToDownloadedUninstallScript>/Uninstall.sh

Verification

Running pkgutil - -files com.delinea.agent should report the following:

No receipt for 'com.delinea.agent' found at '/'.

Deploying Uninstaller.pkg with an MDM

Removing a system extension requires that the end user supply admin credentials, unless the system extension was installed silently using an MDM Configuration Profile with a System Extension whitelist payload. See Using MDM Profiles for your Agent.

If this is the case in your environment, it is possible to uninstall Privilege Manager without end user interaction via Jamf or MDM using these steps.

  1. Remove the deployed system extension whitelist profile from the endpoint. This will terminate the system extension.

Unloading the system extension WILL DISABLE THE AGENT.

  1. Push out the Uninstaller.pkg via policy to uninstall Privilege Manager.

  2. An endpoint reboot is not required, but the terminated system extension will remain installed and inactive until reboot.