Installing macOS Agents

The macOS agent installer package .pkg and uninstaller package .pkg is delivered as a .dmg file. You can use the installer directly on individual endpoints for testing or for production environments.

Refer to the Software Downloads for the current versions available.

Agent Components

Some instances of the System Extension Privilege Manager Security failing to install have been observed when certain Antivirus, VPNs, and other tools that perform SSL packet inspection are enabled, these include but are not limited to: Global Protect VPN, CrowdStrike, and Palo Alto. If you encounter this issue, Delinea recommends disabling the tool performing SSL packet inspection and retrying the installation. If issues persist, contact Delinea Support.

The agent is made up of several components:

Privilege Manager.app
System Extension
Agent Utility
sudo Plugin
Service Agent

Installing macOS Agents

Examples below are using version placeholders instead of the actual install package versions. If you copy the example, make sure to switch n.n.nnnn with the actual version numbers as listed on the Software Downloads page.
If you enter the wrong install code or you need to update an install code for whatever reason, rerun the package installer to provide the correct/new install code.

Directly

You can use the macOS agent installer directly on individual endpoints for testing or production environments.

To install the agent software on a single endpoint, follow these steps:

Go to Software Downloads - macOS Endpoints to download the Privilege Manager macOS Agent.
Mount the DMG and run the PKG installer on the computer you want to manage.
During the installation process,
1. Enter the Privilege ManagerServer URL.
2. Enter the install code.
If you are not using Mobile Device Management (MDM) to manage allowed system extensions, you will need to enable the following settings:

Allow Notifications
Enable the System Extension
Enable Full Disk Access

Allow Notifications

When presented with the Privilege Manager Notifications dialog, click Options | Allow. This will ensure that you are notified via Notification Center when an approval request is allowed or denied.

These settings can be viewed again from System Settings | Notifications.

Enable the System Extension

The procedure for enabling the system extension differs based on your version of macOS.

Instructions are provided based on whether you are using Prior to macOS Sequoia 15 or macOS Sequoia 15 and Later.

Prior to macOS Sequoia 15

When the installation completes, macOS presents the following dialog, prompting you to acknowledge that Privilege Manager tried to load a new system extension.

Click Open System Settings. In the Security section of the Privacy & Security dialog, locate the notice that the system extension was blocked. Click Allow to enable the system extension to load. (If prompted, enter the credentials of the administrator account.)

If you click OK on the dialog instead, the alert will be dismissed and you will need to open System Settings | Privacy & Security and enable the system extension in the Security section.

macOS Sequoia 15 and Later

When the installation completes, the following dialog prompts you to acknowledge that privilege-manager wants to use a new endpoint security extension.

Click Open System Settings, and the Endpoint Security Extensions window opens. Enable the Privilege Manager toggle to allow the system extension to load. (If prompted, enter the credentials of the administrator account.)

If you click OK on the dialog, the alert will be dismissed and you will need to open Open System Settings | General | Login Items and Extensions, and enable the extension to load in the Endpoint Security Extensions section.

Enable Full Disk Access

Select General | Privacy & Security. In the Full Disk Access dialog, enable the Privilege Manager Security toggle. The macOS agent is now properly configured to enforce policy.

Using an Unattended Install Method

After downloading the latest bundled macOS Agent package onto one of your macOS endpoints, extract the DelineaManagementAgent-n-n-nnnn.pkg installer from inside the DMG and upload it to your MDM's distribution point.

Create a policy to include the newly uploaded installer package, and include the script below to run before the package installation. Replace the values for tmsBaseUrl and installCode as required. loginProcessingDelayS has a default value of 30 (seconds). The validateServerCertificate setting controls whether the endpoint agent validates the Privilege Manager server's certificate when communicating with the server; set the value to 1 to enable validation. The default value is 0 for backward compatibility.

Refer to this video demonstration.

Replace the version placeholders with the real package file version numbers.

Copy

#!/bin/zsh
# Verify Privilege Manager macOS configuration script to be used with a "vanilla" download of the agent.
# This script should be used as a pre-install payload to run prior to the installation of the PKG.
# Replace the tmsBaseUrl with your own server url i.e "https://your.privman.com/TMS"
# Replace installCode with your own details.

/bin/mkdir -p /Library/Application\ Support/Delinea/Agent/

/bin/cat << EOF > /Library/Application\ Support/Delinea/Agent/agentconfig.json
{
      "tmsBaseUrl": "",
      "installCode": "",
      "loginProcessingDelayS": 30, 
      "validateServerCertificate": 0
}
EOF
sleep 5

It will take 15-30 minutes for newly installed agents to register in Privilege Manager. See the agent registration information in the Terminal Commands topic to speed the process up.

Uninstalling an Agent

In the 11.4.3 agent, instead of using a shell script to uninstall the agent, there is now an uninstaller .pkg file. When you need to uninstall the macOS agent, mount the .dmg file and use the Uninstaller.pkg package.

There will be prompts for admin credentials throughout the process. Once the uninstaller has finished, this screen is displayed.

Uninstall.sh

If the Uninstall.sh script is still needed to add to an existing script-based workflow, it can be run as follows:

sudo <pathToDownloadedUninstallScript>/Uninstall.sh

Verification

Running pkgutil - -files com.delinea.agent should report the following:

No receipt for 'com.delinea.agent' found at '/'.

Deploying Uninstaller.pkg with an MDM

Removing a system extension requires that the end user supply admin credentials, unless the system extension was installed silently using an MDM Configuration Profile with a System Extension whitelist payload. See Using MDM Profiles for your Agent.

If this is the case in your environment, it is possible to uninstall Privilege Manager without end user interaction via Jamf or MDM using these steps.

Remove the deployed system extension whitelist profile from the endpoint. This will terminate the system extension.

Unloading the system extension WILL DISABLE THE AGENT.

Push out the Uninstaller.pkg via policy to uninstall Privilege Manager.
An endpoint reboot is not required, but the terminated system extension will remain installed and inactive until reboot.