Install Arctic Wolf Agent on macOS using Microsoft Intune

You can install macOS Agent on multiple endpoints in your organization using Microsoft Intune as part of your deployment strategy.

Note:
  • Agent is designed to maintain a minimal footprint on all systems, but Arctic Wolf recommends some OS requirements. Arctic Wolf cannot guarantee functionality on virtual machine (VM) environments if resources do not meet recommended levels.

These resources are required:

  • To correctly view Agent risks in the Unified Portal, macOS Agent version 2024-01_27 or later is required

  • Administrator permissions or the ability to do administrator or root level functions

  • macOS 26, 15, 14, 13, 12, or 11 for 64-bit systems
    Note:
    • macOS 10.14 and 10.15 are only supported on Agent version 2024-03_88.
    • Center for Internet Security (CIS) Benchmarks for macOS 26, which are used in Managed Risk (MR) benchmark scanning, are not yet available. They will be added when CIS releases them.
  • These system resources:
    • Apple Silicon (M-series) or 64-bit Intel-based Apple chipsets
    • At a minimum:
      • A dual-core CPU
      • 2 GB of memory
      • 50 MB of disk space

These actions are required:

  • For versions 2024-01_27 or higher, make sure outbound access is available for port 443. For lower versions, make sure outbound access is available for ports 443 and 1514.

  • Obtain your organization's macOS Agent deployment PKG file, which is provided by Arctic Wolf.
    Note: Contact your CST to get your macOS Agent deployment PKG file.

Configure your environment firewall

Configure your firewall to allow traffic to Agent DNS hostnames.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Allowlist Requirements.
  3. Configure your firewall to allow outbound traffic for all the hostnames, not IP addresses, listed in the Agent section.
    Note: Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative effect on the system.

Add Agent processes to the allowlist

If you install Agent and an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, add Agent processes to the allowlist in those applications to maintain stable CPU and memory utilization:

  1. Configure your security systems to allow the processes listed in Arctic Wolf Agent processes.
    Tip: Arctic Wolf recommends that you define a security rule or policy exclusion for the parent folder. Then, if new processes are added during a future Agent software update, the rule or policy exclusion applies to them as well. For example, for a macOS endpoint, define a rule that applies to this file path: /Library/ArcticWolfNetworks/Agent.

  2. Add the files listed in Arctic Wolf Agent hash values to all allowlists.
  3. If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.

See the technical documentation for the security systems that you are configuring for more information.

Configure PPPC

If you are an Aurora Vulnerability Management (Aurora VM) customer, to detect all vulnerabilities during scans, you must enable Full Disk Access in Privacy Preferences Policy Control (PPPC) settings.

To configure PPPC to allow Full Disk Access, do these actions:
  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Devices > Managed devices > Configuration.
  3. Click Create > New Policy.
  4. In the Create a profile panel, configure these settings, and then click Create:
    • Platform — Enter macOS.
    • Profile type — Select Settings catalog.
  5. In the Basics tab, configure these settings, and then click Next:
    • Name — Enter a name, for example, Arctic Wolf Agent - PPPC settings.
    • Description — Enter a description, for example, Grants Full Disk Access to Arctic Wolf Agent processes.
  6. In the Configuration settings tab, click Add settings.
  7. In the Settings picker panel, go to Privacy > Privacy Preferences Policy Control.
  8. In the Privacy Preferences Policy Control subcategory, go to Services > System Policy All Files.
  9. Click System Policy All Files, and then click Select all of these settings.
  10. Close the Settings picker panel.
  11. In System Policy All Files, click Edit instance.
  12. For scout-client, in the Configure instance panel, configure these settings:
    • Allowed — Select True.
    • Code Requirement — Enter identifier "scout-client" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2BMD89ZPN.
    • Identifier — Enter /Library/ArcticWolfNetworks/Agent/bin/scout-client.
    • Identifier Type — Select path.
  13. Click Save.
  14. For scout-desktop, click Add, and then click Edit instance.
  15. In the Configure instance panel, configure these settings:
    • Allowed — Select True.
    • Code Requirement — Enter identifier "scout-desktop" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2BMD89ZPN.
    • Identifier — Enter /usr/local/libexec/scout-desktop.
    • Identifier Type — Select path.
  16. For audit-module, click Add, and then click Edit instance.
  17. In the Configure instance panel, configure these settings:
    • Allowed — Select True.
    • Code Requirement — Enter identifier "audit_module" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2BMD89ZPN.
    • Identifier — Enter /Library/ArcticWolfNetworks/Agent/plugins/audit_module/audit_module.
    • Identifier Type — Select path.
  18. Click Save.
  19. For uninstall-modules, click Add, and then click Edit instance.
  20. In the Configure instance panel, configure these settings:
    • Allowed — Select True.
    • Code Requirement — Enter identifier "uninstall_modules" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2BMD89ZPN.
    • Identifier — Enter /Library/ArcticWolfNetworks/Agent/bin/uninstall_modules.
    • Identifier Type — Select path.
  21. Click Save.
  22. In the Scope tags tab, click Next.
  23. In the Assignments tab, click Add groups.
  24. Select the group containing your macOS devices to apply this policy, and then click Next.
  25. In the Review settings tab, review your settings, and then click Create.
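
The four System Policy All Files instances from the steps above, written out as Apple's PPPC payload (`com.apple.TCC.configuration-profile-policy`) and linted for the copy errors that make a grant miss its binary, such as a pasted trailing period or `audit-module` in place of `audit_module`. This is an added example, not Arctic Wolf or Microsoft code; the `com.example` payload identifiers and the file-name check in `lint_entry` are assumptions for illustration, while the paths, signing identifiers and team OU are copied from the steps.

```python
import plistlib
import re
import uuid

TEAM_OU = "S2BMD89ZPN"  # certificate leaf[subject.OU] value from the steps above
# (code-signing identifier, binary path) pairs copied from the steps above
BINARIES = [
    ("scout-client", "/Library/ArcticWolfNetworks/Agent/bin/scout-client"),
    ("scout-desktop", "/usr/local/libexec/scout-desktop"),
    ("audit_module", "/Library/ArcticWolfNetworks/Agent/plugins/audit_module/audit_module"),
    ("uninstall_modules", "/Library/ArcticWolfNetworks/Agent/bin/uninstall_modules"),
]
REQUIREMENT = ('identifier "{ident}" and anchor apple generic and '
               "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
               "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
               "certificate leaf[subject.OU] = {ou}")

def tcc_entry(ident, path):
    return {"Identifier": path, "IdentifierType": "path", "Allowed": True,
            "CodeRequirement": REQUIREMENT.format(ident=ident, ou=TEAM_OU)}

def lint_entry(entry):
    """Return the problems that would stop the grant from matching its binary."""
    problems = []
    path, req = entry["Identifier"], entry["CodeRequirement"]
    if entry["IdentifierType"] != "path" or not path.startswith("/"):
        problems.append("identifier is not an absolute path")
    m = re.match(r'identifier "([^"]+)" and anchor apple generic and ', req)
    # Assumption: on this page every signing identifier equals the file name.
    if not m or m.group(1) != path.rsplit("/", 1)[-1]:
        problems.append("signing identifier does not match the file name")
    if not req.endswith("certificate leaf[subject.OU] = " + TEAM_OU):
        problems.append("requirement does not end with the expected team OU")
    return problems

def build_profile(org="com.example"):  # org prefix is a placeholder
    """Profile dict: Configuration wrapper around one TCC (PPPC) payload."""
    def meta(kind, name):
        ident = f"{org}.awn-agent.{name}"  # constructed identifier
        return {"PayloadType": kind, "PayloadVersion": 1, "PayloadIdentifier": ident,
                "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
                "PayloadDisplayName": "Arctic Wolf Agent - PPPC settings"}
    tcc = meta("com.apple.TCC.configuration-profile-policy", "pppc")
    tcc["Services"] = {"SystemPolicyAllFiles": [tcc_entry(i, p) for i, p in BINARIES]}
    return {**meta("Configuration", "profile"), "PayloadScope": "System",
            "PayloadContent": [tcc]}

def profile_bytes():
    return plistlib.dumps(build_profile())  # XML .mobileconfig content
```

On an endpoint with Agent installed, `codesign -d -r- <path>` prints the binary's designated requirement, which can be compared with the Code Requirement entered in the policy.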

Download and install Agent

  1. Sign in to the Intune portal.
  2. Go to Apps > macOS, and then click Add.
  3. In the App type section, select macOS app (PKG), and then click Select.
    The Add App form appears.
  4. In the App information section, in the Select file section, click Select app package file.
  5. In the App package file section, locate the PKG file provided by Arctic Wolf.
  6. Click Open, and then Next.
  7. Enter this information, and then click Next:
    • Name — The name of the app.
    • Description — A description of the app.
    • Publisher — Arctic Wolf Networks.
  8. Under Program, click Next.
  9. Under Requirements > Minimum operating system, select macOS Mojave 10.14.
  10. Under Detection rules, click Next.
  11. Under Assignments, click Add group.
    Select the group that contains the macOS devices for the macOS Agent deployment.
  12. Click Select, and then Next.
  13. Under Review + create, click Create.
    The macOS Agent installation should complete within several minutes.
    Note: To manually update the macOS devices, you can:
    • Restart the enrolled macOS devices to initiate deployment of the macOS Agent policy.
    • In the Intune portal, navigate to the macOS devices section and select Sync to initiate a manual policy refresh on the device.