Arctic Wolf Agent Installation on macOS - Multiple Endpoints

Updated Feb 22, 2024

Install Arctic Wolf Agent on macOS using Jamf Pro

You can install Agent on multiple endpoints in your organization using Jamf Pro®.

Requirements

Before you begin

Steps

  1. Install Rosetta 2.
  2. Download the Arctic Wolf Agent installer.
  3. Create an Arctic Wolf Agent package.
  4. Create a new policy.
  5. Configure the policy settings.
  6. Configure the package settings.
  7. Verify that Arctic Wolf Agent was successfully deployed.

Step 1: Install Rosetta 2

Note: For compatibility, Rosetta 2 is required on ARM-based processors (M1 and M2 based CPUs) before Agent is installed.

  1. Open the Jamf Pro web application, and then authenticate.

  2. At the top of the page, click Computers.

  3. Click Policies.

  4. Click + New.

  5. Click the Options tab.

  6. In the navigation menu, click Files and Processes.

  7. In the Execute Command section, enter this command:

    /usr/sbin/softwareupdate --install-rosetta --agree-to-license
  8. Click the Scope tab.

  9. In the Target Computers list, select All Computers.

  10. In the Target Users list, select All Users.

  11. Click Save.

Step 2: Download the Arctic Wolf Agent installer

  1. Sign in to the Arctic Wolf Unified Portal.
  2. Click > Downloads.
  3. In the Arctic Wolf Agent section, in the Operating System list, select the required operating system.
  4. Click Download Agent.

Step 3: Create an Arctic Wolf Agent package

Package Agent with the customer.json file and a shell script that runs the package installation on each device:

Tip: In this procedure, Jamf Composer® is used to create the Agent package, but you can use any similar package creation tool to do this.

  1. Create a new shell script file to run the package installation:

    1. In a terminal, use a text editor, for example Vim, to create a file named install_AWNAGENT.sh.

    2. Copy this content, and then paste it into the file:

      #!/bin/sh
      sudo installer -pkg /private/tmp/AGENT/ArcticWolfAgent.pkg -target /
      exit 0
    3. Save the file in any location.

  2. Create a new package using a snapshot:

    Tip: Before you begin, verify that your macOS software is updated.

    1. Open the Jamf Composer application, and then authenticate.

    2. In the menu bar, click New.

      The Choose a method to create your package dialog appears.

    3. Click Normal Snapshot.

    4. Click Next.

    5. In the Package Name field, enter a name for the new package. For example, NewAgentPkg.

    6. Click Next.

    7. Wait for the first snapshot to complete.

      Note: Do not perform any updates, installations, uninstallations, or other configuration changes to your computer while the snapshot is running.

    8. Click Create Package Source.

    9. Wait for the second snapshot to complete.

      Note: If your computer updated or changed between snapshots, Jamf Composer shows you the items that changed. To delete changes from the snapshot, right-click the top file folder of any change and select Remove <folder>. This does not delete the items from the computer. It only removes them from the package so that the package is empty.

  3. Configure the /private/tmp/AGENT directory in the new package:

    1. In Jamf Composer, select the package you created in the previous step, for example, NewAgentPkg, to open it in the folder panel.

    2. Click File > Create New Directory.

    3. For the name of the directory, enter private.

    4. Right-click private, and then select Create New Directory.

    5. For the name of the directory, enter tmp.

    6. Right-click tmp, and then select Create New Directory.

    7. For the name of the directory, enter AGENT.

  4. In Finder, find and then drag each of these files into the new /private/tmp/AGENT directory:

    • <filename>.pkg — This file is included in the Endpoint Agent zip file that you downloaded from the Arctic Wolf Unified Portal. Rename the PKG file to match the package name that you used in the sudo command. For example, ArcticWolfAgent.pkg.
    • customer.json — This file is included in the Endpoint Agent zip file.
    • install_AWNAGENT.sh — This file was created at the beginning of this procedure.
  5. For each of these directories and files, make sure R, W, and X permissions are enabled for Owner: root and Group: wheel:

    • Directories — private, tmp, and AGENT.

    • Files — <filename>.pkg, customer.json, and install_AWNAGENT.sh.

  6. Build the package:

    1. In the Jamf Composer menu bar, click Build as PKG.
    2. Choose a location to save the package, and then click Save.
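
Added example, not part of Arctic Wolf's documentation: a preflight check for sub-steps 4 and 5 above. It confirms that the AGENT directory and the three staged files exist, are not symbolic links, are owned by root:wheel, and have R, W, and X set for owner and group. The variable names and the --install argument are choices made for this example.

```sh
#!/bin/sh
# Added example: preflight check for the files staged in /private/tmp/AGENT.
# STAGE_DIR, EXPECT_UID, EXPECT_GID and --install are names chosen for this example.
STAGE_DIR="${STAGE_DIR:-/private/tmp/AGENT}"
EXPECT_UID="${EXPECT_UID:-0}"   # root
EXPECT_GID="${EXPECT_GID:-0}"   # wheel (GID 0 on macOS)

# check_entry PATH: pass only if PATH exists, is not a symbolic link, has
# R, W and X set for owner and group, and is owned by EXPECT_UID:EXPECT_GID.
check_entry() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 1; }
    [ ! -L "$1" ] || { echo "symbolic link: $1" >&2; return 1; }
    # ls -ldn columns: mode, link count, numeric UID, numeric GID, ...
    meta=$(ls -ldn "$1" | awk '{print $1, $3, $4}')
    mode=${meta%% *}
    ids=${meta#* }
    case "$mode" in
        ?rwxrwx*) ;;
        *) echo "mode $mode: $1" >&2; return 1 ;;
    esac
    [ "$ids" = "$EXPECT_UID $EXPECT_GID" ] || { echo "owner $ids: $1" >&2; return 1; }
}

# check_stage: run check_entry on the directory and the three staged files.
check_stage() {
    for entry in "$STAGE_DIR" \
                 "$STAGE_DIR/ArcticWolfAgent.pkg" \
                 "$STAGE_DIR/customer.json" \
                 "$STAGE_DIR/install_AWNAGENT.sh"; do
        check_entry "$entry" || return 1
    done
}

# With --install, refuse to install from a stage that fails the check, and
# return the installer's exit status instead of always exiting 0.
if [ "${1:-}" = "--install" ]; then
    check_stage || exit 1
    sudo installer -pkg "$STAGE_DIR/ArcticWolfAgent.pkg" -target /
    exit $?
fi
```

Run without arguments, the script only defines the two functions; each failed check prints the reason and the path to standard error.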

Step 4: Create a new policy

  1. Click Settings.
  2. Click Computer Management > Packages > Upload Package.
  3. Upload the new PKG file created in Create an Arctic Wolf Agent Package. For example, NewAgentPkg.
  4. At the top of the page, click Computers.
  5. Click Policies.
  6. Click + New.
  7. Find your Agent package, and then click Add.
  8. Select a Category for the policy. For example, Enrollment.

Step 5: Configure the policy settings

  1. Click the Options tab.
  2. In the Trigger section, select a checkbox. For example, Recurring Check in.
  3. In the Execution Frequency list, select Once per computer.
  4. Click the Scope tab.
  5. In the Target Computers list, select All Computers.
  6. In the Target Users list, select All Users.
  7. Click the Self Service tab.
  8. Select the Make policy available for Self Service checkbox.
  9. Click the Options tab.
  10. In the navigation menu, click Packages.
  11. Click Configure.
  12. Select the package you want to add to the policy, and then click Add.

Step 6: Configure the package settings

  1. In the Packages list, keep the default value.

  2. In the Action list, select Install.

  3. In the navigation menu, click Files and Processes.

  4. In the Execute Command field, enter this command:

    /private/tmp/AGENT/install_AWNAGENT.sh
  5. In the navigation menu, click Maintenance.

  6. Click Configure.

  7. Select the Update inventory checkbox.

  8. Click Save.

    Agent is deployed to all computers when the Trigger setting matches.

Step 7: Verify that Arctic Wolf Agent was successfully deployed

  1. On any macOS device with Agent installed, open Activity Monitor.

  2. Click the Memory tab.

  3. In the Apple menu, click View > All processes to verify that these processes display:

    • ossec-agentd
    • ossec-execd
    • ossec-logcollector
    • ossec-syscheckd
    • scout-client
  4. Contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team (CST) at security@arcticwolf.com to confirm that Agent data is reaching Arctic Wolf.
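
Added example, not part of Arctic Wolf's documentation: a command-line version of the process check in sub-step 3, for endpoints where opening Activity Monitor is impractical. The function name and the --check argument are choices made for this example.

```sh
#!/bin/sh
# Added example: report which of the Agent processes listed in Step 7 are absent.
AGENT_PROCS="ossec-agentd ossec-execd ossec-logcollector ossec-syscheckd scout-client"

# missing_agent_procs: read one process name (or full path) per line on stdin
# and print the expected names that do not appear. Returns 0 when all are found.
missing_agent_procs() {
    # Strip any directory prefix so full paths and bare names compare the same.
    seen=$(sed 's|.*/||')
    missing=""
    for p in $AGENT_PROCS; do
        # -x matches the whole line and -F treats the name literally, so a
        # longer name that merely contains an expected one does not count.
        printf '%s\n' "$seen" | grep -qxF "$p" || missing="$missing $p"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# With --check, test the processes running on this Mac.
if [ "${1:-}" = "--check" ]; then
    ps -axc -o comm= | missing_agent_procs
fi
```

With --check, the script prints the names that were not found and exits non-zero, or prints nothing and exits 0 when all five are running.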
