Arctic Wolf Agent Installation on MacOS

Updated Sep 25, 2023

Arctic Wolf Agent installation on macOS
Requirements
Install Agent using Jamf Pro
Uninstall Agent
Agent deactivation

Arctic Wolf Agent installation on macOS

Arctic Wolf® Agent is an endpoint security management tool that functions as a component of the following solutions:

Managed Detection and Response (MDR) — Agent forwards security-relevant event and audit logs from endpoint devices in your network to Arctic Wolf to support continuous threat monitoring.
Managed Risk — Agent creates an inventory of endpoint devices in your network and performs routine host vulnerability scans and security control benchmark scans to identify security risks. See Arctic Wolf Agent Scans for more information.

You can bulk install Agent on macOS computers across your organization using Jamf Pro software.

Requirements

macOS 10.14 or newer for 64-bit systems

At a minimum, dual-core CPU
x64 or x86 processor
At a minimum, 2 GB of memory
Notes:
- Although Agent is designed to maintain a minimal footprint on all systems, Arctic Wolf recommends certain operating system requirements. Arctic Wolf cannot guarantee Arctic Wolf Agent functionality on virtual machine (VM) environments if resources do not meet recommended levels.
- Agent does not support ARM architecture.
Ports 443 and 1514 outbound open
Add all necessary Arctic Wolf Agent DNS entries to your allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Agent.

Note: Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative impact on the system.

Administrator permissions or the ability to perform administrator or root level functions

Install Agent using Jamf Pro

Install Rosetta 2.

Note: For compatibility, Rosetta 2 is required on ARM-based processors (M1 and M2 based CPUs) before Agent is installed.
Download the Agent installer.
Create an Agent package.
Create a new policy.
Configure the policy settings.
Configure the package settings.
Verify that Agent was successfully deployed.

Step 1: Install Rosetta 2

Open Jamf Pro and authenticate.
At the top of the page, click Computers.
Click Policies.
Click + New.
Click the Options tab.
In the navigation menu, click Files and Processes.

In the Execute Command section, enter the following:

usr/sbin/softwareupdate --install-rosetta --agree-to-license

Click the Scope tab.
In the Target Computers list, select All Computers.
In the Target Users list, select All Users.
Click Save.

Step 2: Download the Agent installer

In the Arctic Wolf Portal, click Accounts > Downloads.
Under Endpoint Agent, select the desired Operating System option.
Click Download Agent.

Step 3: Create an Agent package

Before you install Agent, you must package Agent with the customer.json file and a shell script that runs the package installation on each device.

Tip: In this procedure, Jamf Composer is used to create the Agent package, but you can use any similar package creation tool to do this.

Create a new shell script file to run the package installation:
1. In terminal, create a file called install_AWNAGENT.sh using an editor such as vim.
2. Add this content to the file:
```
#!/bin/sh
sudo installer -pkg /private/tmp/AGENT/ArcticWolfAgent.pkg -target /
exit 0
```
3. Save the file in any location.
Create a new package using a snapshot:

Tip: Before you begin, we recommend that you make sure your Mac software is up-to-date.
1. Open Jamf Composer and authenticate.
2. In the menu bar, click New.
  
  The Choose a method to create your package dialog appears.
3. Click Normal Snapshot.
4. Click Next.
5. In the Package Name field, enter a name for the new package.
  
  For example, NewAgentPkg.
6. Click Next.
7. Wait for the first snapshot to complete.
  
  Note: Do not perform any updates, installations, uninstallations, or other configuration changes to your computer while the snapshot is running.
8. Click Create Package Source.
9. Wait for the second snapshot to complete.
  
  Note: If your computer updated or changed between snapshots, Jamf Composer shows you the items that changed. To delete changes from the snapshot, right-click the top file folder of any change and select Remove <folder>. This does not delete them from the computer; it removes them from the package so that it is empty.
Configure the /private/tmp/AGENT directory in the new package:
1. In Jamf Composer, select the package you created in the previous step, for example, NewAgentPkg, to open it in the folder panel.
2. Click File > Create New Directory.
3. Enter the name private for the directory.
4. Right-click private, and then select Create New Directory.
5. Enter the name tmp for the directory.
6. Right-click tmp, and then select Create New Directory.
7. Enter the name AGENT for the directory.
In Finder, find and then drag each of the following files into the newly created /private/tmp/AGENT directory:
- .pkg — This file is included in the Endpoint Agent .zip file that you downloaded from Arctic Wolf Portal. Rename the .pkg file to match the package name that you used in the sudo command at the beginning of this procedure, for example ArcticWolfAgent.pkg.
- customer.json — This file is included in the Endpoint Agent .zip file.
- install_AWNAGENT.sh — This file was created at the beginning of this procedure.
Verify that for Owner: root and Group: wheel, the following R, W, and X permissions are set for the following:
- private, tmp, and AGENT directories
- pkg, customer.json, and install_AWNAGENT.sh files
Build the package:
1. In the Jamf Composer menu bar, click Build as PKG.
2. Choose a location to save the package, and then click Save.

Step 4: Create a new policy

Click Settings.
Click Computer Management > Packages > Upload Package.
Upload the new .pkg file created in Create an Agent package, such as NewAgentPkg.
At the top of the page, click Computers.
Click Policies.
Click + New.
Locate your Agent package, and then click Add.
Select a Category for the policy. For example, Enrollment.

Step 5: Configure the policy settings

Click the Options tab.
In the Trigger section, select any checkbox. For example, Recurring Check in.
In the Execution Frequency list, select Once per computer.
Click the Scope tab.
In the Target Computers list, select All Computers.
In the Target Users list, select All Users.
Click the Self Service tab.
Select the Make policy available for Self Service checkbox.
Click the Options tab.
In the navigation menu, click Packages.
Click Configure.
Select the package to add to the policy, and then click Add.

Step 6: Configure the package settings

In the Packages list, keep the default value.
In the Action list, select Install.
In the navigation menu, click Files and Processes.
In the Execute Command field, enter the following:
```
/private/tmp/AGENT/install_AWNAGENT.sh
```
In the navigation menu, click Maintenance
Click Configure.
Select the Update inventory checkbox.
Click Save.

Agent is deployed to all computers when the Trigger setting matches.

Step 7: Verify that Agent was successfully deployed

On any Mac with Agent installed, open Activity Monitor.
Click the Memory tab.
From the Apple menu, click View > All processes, to verify that all processes display.
Verify that the following processes exist:
- ossec-agentd
- ossec-execd
- ossec-logcollector
- ossec-syscheckd
- scout-client
Contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team to confirm that Agent data is reaching Arctic Wolf.

Uninstall Agent

Note: When Arctic Wolf Agent is uninstalled, devices and associated risks are removed from the Arctic Wolf Portal and Risk Dashboard.

Index the package in Jamf Admin.
Configure the uninstall policy.
Uninstall the package.

Step 1: Index the package in Jamf Admin

Open Jamf Admin and authenticate.
Use the Search bar to locate the agent package in the process table.

Tip: The process table is sorted alphabetically.
Select the package, and then select Index to index the package.
Enter your credentials when prompted.
Right-click the package and select Info.
Click the Options tab.
Select the Allow package to be uninstalled checkbox.
Click OK.
Click Save.

Step 2: Configure the uninstall policy

Set a policy to uninstall Agent on macOS using Jamf Pro. If the policy is applied to the client device and the device meets the criteria that you configure, the package will uninstall the next time that the user checks in according to your policy.

Note: Your configuration choices might be different than those outlined in this document. Make configuration changes based on the needs of your environment.

Open Jamf Pro and authenticate.
At the top of the page, click Computers.
Click Policies.
Click + New.
Configure basic settings for the policy that you want for your environment. These options let users uninstall directly from Self Service as needed:
1. Click the Options tab, and then do the following:
  - In the Trigger section, make sure that the Recurring Check-in checkbox is selected.
  - In the Execution Frequency list, select Once per computer.
2. Click the Scope tab, and then in the Target Computers list, select All Computers.
  
  Note: If you do not want Agent removed from all computers, adjust this setting accordingly.
Click the Options tab.
In the navigation menu, click Packages.
Click Configure.

Step 3: Uninstall the package

In the Packages list, select the package that you want to uninstall.
In the Action list, select Uninstall.
Click Save.
In the navigation pane, click Maintenance.
Verify that the Update inventory checkbox is selected.
Click Save.

During check-in, Agent is uninstalled from the computers you defined in the Scope setting.

Agent deactivation

You can deactivate Agents by removing them from the Endpoints table in the Arctic Wolf Portal. We recommend uninstalling Agents before deactivating them. If you deactivate an Agent that is still installed on a system, the endpoint reappears in the Endpoints table the next time that it is Online.

Deactivating an endpoint does not delete existing data from Arctic Wolf internal databases.

Contained Agent deactivation

You are not required to deactivate Agents if they are contained. We recommend keeping Agents in the Endpoints table until the containment incident is resolved.

You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.

Tip: You can only remove endpoints that have not checked in for 72 hours.

Automatic Agent deactivation and activation

Any devices that were not Online for 90 days are automatically removed from the Endpoints table. The endpoint automatically reappears in the table the next time that Agent detects it as Online.

Deactivate an Agent

If you are a Managed Risk (MR) customer, you can deactivate devices in the Arctic Wolf Portal. If you cannot access the Arctic Wolf Portal, contact your Concierge Security Team (CST).

Note: You cannot make these changes in the Risk Dashboard.

Confirm that the Agent is uninstalled from the device.
On the Arctic Wolf Portal, click Endpoint Status.
In the Endpoints table, click Remove offline endpoint on the appropriate device.

Tip: You can only remove devices that are Offline. The Agent only identifies devices as Offline if the Agent did not check in with them for 72 hours.
In the dialog, click Remove Endpoint.

Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.