Install Arctic Wolf Agent using Jamf Pro

You can install Arctic Wolf® Agent on multiple endpoints in your organization using Jamf Pro®.

Note:
  • Agent is designed to maintain a minimal footprint on all systems, but Arctic Wolf recommends some OS requirements. Arctic Wolf cannot guarantee functionality on virtual machine (VM) environments if resources do not meet recommended levels.

These resources are required:

  • To correctly view Agent risks in the Unified Portal, macOS Agent version 2024-01_27 or later is required

  • Administrator permissions or the ability to do administrator or root level functions

  • macOS 26, 15, 14, 13, 12, or 11 for 64-bit systems
    Note:
    • macOS 10.14 and 10.15 are only supported on Agent version 2024-03_88.
    • Center for Internet Security (CIS) Benchmarks for macOS 26, which are used in Managed Risk (MR) benchmark scanning, are not yet available. They will be added when CIS releases them.
  • These system resources:
    • Apple Silicon (M-series) or 64-bit Intel-based Apple chipsets
    • At a minimum:
      • A dual-core CPU
      • 2 GB of memory
      • 50 MB of disk space

These actions are required:

  • For versions 2024-01_27 or higher, make sure outbound access is available for port 443. For lower versions, make sure outbound access is available for ports 443 and 1514.

  • Set up a distribution point in Jamf Pro to manage the packages that you want to deploy.

    See Package Management for more information.

    Note:

    If necessary, contact Jamf support for help configuring a distribution point.

Configure your environment firewall

Configure your firewall to allow traffic to Agent DNS hostnames.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Allowlist Requirements.
  3. Configure your firewall to allow outbound traffic for all the hostnames, not IP addresses, listed in the Agent section.
    Note:

    Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative effect on the system.

Add Agent processes to the allowlist

If you install Agent and an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, add Agent processes to the allowlist in those applications to maintain stable CPU and memory utilization:

  1. Configure your security systems to allow the processes listed in Arctic Wolf Agent processes.
    Tip:

    Arctic Wolf recommends that you define a security rule or policy exclusion for the parent folder. Then, if new processes are added during a future Agent software update, the new rule or policy exclusion applies to it. For example, for a macOS endpoint, define a rule that applies to this file path: /Library/ArcticWolfNetworks/Agent.

  2. Add the files listed in Arctic Wolf Agent hash values to all allowlists.
  3. If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.

See the technical documentation for the security systems that you are configuring for more information.

Configure PPPC

If you are a Managed Risk customer, to detect all vulnerabilities during scans, you must enable Full Disk Access in Privacy Preferences Policy Control (PPPC) settings.

To configure PPPC to allow Full Disk Access, do these actions:
  1. In Jamf Pro, navigate to Configuration Profiles.
  2. Click New, and then configure these settings:
    • Display Name — Enter a name, for example, Arctic Wolf Agent - PPPC settings.
    • Level — Select Computer Level.
    • Distribution Method — Select Install Automatically.
  3. Select the Privacy Preferences Policy Control payload.
  4. Click Configure, and then add these entries:
    1. For scout-client:
      • Identifier — Enter /Library/ArcticWolfNetworks/Agent/bin/scout-client.
      • Identifier Type — Select Path.
      • Code Requirement — Enter identifier "scout-client" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2BMD89ZPN.
      • App or Service — Select SystemPolicyAllFiles.
      • Access — Select Allow.
    2. For scout-desktop:
      • Identifier — Enter /usr/local/libexec/scout-desktop.
      • Identifier Type — Select Path.
      • Code Requirement — Enter identifier "scout-desktop" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2BMD89ZPN.
      • App or Service — Select SystemPolicyAllFiles.
      • Access — Select Allow.
    3. For audit-module:
      • Identifier — Enter /Library/ArcticWolfNetworks/Agent/plugins/audit_module/audit_module.
      • Identifier Type — Select Path.
      • Code Requirement — Enter identifier "audit_module" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2BMD89ZPN.
      • App or Service — Select SystemPolicyAllFiles.
      • Access — Select Allow.
    4. For uninstall_modules:
      • Identifier — Enter /Library/ArcticWolfNetworks/Agent/bin/uninstall_modules.
      • Identifier Type — Select Path.
      • Code Requirement — Enter identifier "uninstall_modules" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2BMD89ZPN.
      • App or Service — Select SystemPolicyAllFiles.
      • Access — Select Allow.
  5. Click the Scope tab.
  6. Select All Computers or target specific groups.
  7. Click Save.
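
To confirm, once Agent is installed, that the binaries on disk satisfy the code requirements entered in the profile, the following added example (not part of Arctic Wolf's documentation) runs codesign against each Identifier path. The function names are illustrative, and the period that ends each Code Requirement step is assumed to be sentence punctuation, not part of the requirement.

```shell
#!/bin/sh
# Added example: test each Agent binary against its PPPC code requirement.
TEAM_OU="S2BMD89ZPN"   # certificate leaf[subject.OU] value from the profile

# pppc_entries: one "name path" pair per line, taken from the four entries above.
pppc_entries() {
    cat <<'EOF'
scout-client /Library/ArcticWolfNetworks/Agent/bin/scout-client
scout-desktop /usr/local/libexec/scout-desktop
audit_module /Library/ArcticWolfNetworks/Agent/plugins/audit_module/audit_module
uninstall_modules /Library/ArcticWolfNetworks/Agent/bin/uninstall_modules
EOF
}

# code_requirement NAME: the requirement string for one entry (no trailing period).
code_requirement() {
    printf 'identifier "%s" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = %s' "$1" "$TEAM_OU"
}

# verify_entries: 0 if every binary passes, 1 if any fails, 2 if codesign is absent.
verify_entries() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found" >&2; return 2; }
    rc=0
    while read -r name bin; do
        # -R=<text> makes codesign test the signature against this requirement.
        if codesign --verify -R="$(code_requirement "$name")" "$bin" 2>/dev/null; then
            echo "OK   $bin"
        else
            echo "FAIL $bin"; rc=1
        fi
    done <<EOF
$(pppc_entries)
EOF
    return $rc
}

verify_entries; echo "verify_entries exit status: $?"
```

A FAIL line means the binary is missing or its signature does not match the requirement in the profile, so the Full Disk Access entry would not apply to it.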

Download the Arctic Wolf Agent installer

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Downloads.
  3. In the Arctic Wolf Agent section, in the Operating System list, select the required operating system.
  4. Click Download Agent.

Create an Arctic Wolf Agent package

Package Agent with the customer.json file and a shell script that runs the package installation on each device:

Tip:

In this procedure, Jamf Composer® is used to create the Agent package, but you can use any similar package creation tool to do this.

  1. Create a new shell script file to run the package installation:
    1. In a terminal, use a text editor, for example, Vim, to create a file named install_AWNAGENT.sh.
    2. Copy this content, and then paste it into the file:
      SHELL
      #!/bin/sh
      sudo installer -pkg /private/tmp/AGENT/ArcticWolfAgent.pkg -target /
      exit 0
    3. Save the file in any location.
  2. Create a new package using a snapshot:
    Tip:

    Before you begin, verify that your macOS software is updated.

    1. Open the Jamf Composer application, and then authenticate.
    2. In the menu bar, click New.

      The Choose a method to create your package dialog appears.

    3. Click Normal Snapshot.
    4. Click Next.
    5. In the Package Name field, enter a name for the new package. For example, NewAgentPkg.
    6. Click Next.
    7. Wait for the first snapshot to complete.
      Note:

      Do not perform any updates, installations, uninstallations, or other configuration changes to your computer while the snapshot is running.

    8. Click Create Package Source.
    9. Wait for the second snapshot to complete.
      Note:

      If your computer updated or changed between snapshots, Jamf Composer shows you the items that changed. To delete changes from the snapshot, right-click the top file folder of any change and select Remove folder. This does not delete them from the computer. It removes them from the package so that it is empty.

  3. Configure the /private/tmp/AGENT directory in the new package:
    1. In Jamf Composer, select the package you created in the previous step, for example, NewAgentPkg, to open it in the folder panel.
    2. Click File > Create New Directory.

    3. For the name of the directory, enter private.
    4. Right-click private, and then select Create New Directory.
    5. For the name of the directory, enter tmp.
    6. Right-click tmp, and then select Create New Directory.
    7. For the name of the directory, enter AGENT.
  4. In Finder, find and then drag each of these files into the new /private/tmp/AGENT directory:
    • filename.pkg — This file is included in the Endpoint Agent zip file that you downloaded from the Arctic Wolf Unified Portal. Rename the PKG file to match the package name that you used in the sudo command. For example, ArcticWolfAgent.pkg.
    • customer.json — This file is included in the Endpoint Agent zip file.
    • install_AWNAGENT.sh — This file was created at the beginning of this procedure.
  5. For each of these directories and files, make sure R, W, and X permissions are enabled for Owner: root and Group: wheel:
    • Directories — private, tmp, and AGENT.
    • Files — filename.pkg, customer.json, and install_AWNAGENT.sh.

      For example: (screenshot of the directory permission settings)

  6. Build the package:
    1. Ensure that only the Agent folders and files are in the Composer build. Removing all other files does not delete the files from your computer.
    2. In the Jamf Composer menu bar, click Build as PKG.
    3. Choose a location to save the package, and then click Save.
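
As an added example, not Arctic Wolf's script, this variant of install_AWNAGENT.sh checks the staged files (present, not symlinks, owned by root, not world-writable) and the package signature before calling installer, and returns a non-zero status on failure. The function names and the AGENT_DIR, PKG_NAME, and EXPECTED_UID variables are assumptions, and it assumes the policy runs the script as root.

```shell
#!/bin/sh
# Added example: pre-install checks for the files staged in /private/tmp/AGENT.
AGENT_DIR="${AGENT_DIR:-/private/tmp/AGENT}"
PKG_NAME="${PKG_NAME:-ArcticWolfAgent.pkg}"
EXPECTED_UID="${EXPECTED_UID:-0}"   # root; overridable for testing (assumption)

# check_path PATH: must exist, not be a symlink, be owned by EXPECTED_UID,
# and not be writable by "other".
check_path() {
    if [ -L "$1" ] || [ ! -e "$1" ]; then
        echo "preflight: missing or symlink: $1" >&2; return 1
    fi
    listing=$(ls -ldn "$1") || return 1
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$owner" != "$EXPECTED_UID" ]; then
        echo "preflight: $1 is owned by uid $owner" >&2; return 1
    fi
    case "$listing" in
        # 9th character of the mode string is the "other" write bit.
        ????????w*) echo "preflight: world-writable: $1" >&2; return 1 ;;
    esac
    return 0
}

# preflight DIR: check the directory and the three files the package stages.
preflight() {
    for p in "$1" "$1/$PKG_NAME" "$1/customer.json" "$1/install_AWNAGENT.sh"; do
        check_path "$p" || return 1
    done
}

# run_install: verify first, then install. Assumes it already runs as root.
run_install() {
    preflight "$AGENT_DIR" || return 1
    # pkgutil exits non-zero for an unsigned or invalidly signed package.
    pkgutil --check-signature "$AGENT_DIR/$PKG_NAME" >/dev/null || {
        echo "preflight: package signature check failed" >&2; return 1; }
    installer -pkg "$AGENT_DIR/$PKG_NAME" -target /
}

# Run only when the staging directory is present on this host.
if [ -d "$AGENT_DIR" ]; then
    run_install || exit 1
fi
```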

Create a new policy

  1. Click Settings.
  2. Click Computer Management > Packages > Upload Package.
  3. Upload the new PKG file created in Create an Arctic Wolf Agent package. For example, NewAgentPkg.
  4. At the top of the page, click Computers.
  5. Click Policies.
  6. Click + New.
  7. Find your Agent package, and then click Add.
  8. Select a Category for the policy. For example, Enrollment.

Configure the policy settings

  1. Click the Options tab.
  2. In the Trigger section, select a checkbox. For example, Recurring Check in.
  3. In the Execution Frequency list, select Once per computer.
  4. Click the Scope tab.
  5. In the Target Computers list, select All Computers.
  6. In the Target Users list, select All Users.
  7. Click the Self Service tab.
  8. Select the Make policy available for Self Service checkbox.
  9. Click the Options tab.
  10. In the navigation menu, click Packages.
  11. Click Configure.
  12. Select the package you want to add to the policy, and then click Add.

Configure the package settings

  1. In the Packages list, keep the default value.
  2. In the Action list, select Install.
  3. In the navigation menu, click Files and Processes.
  4. In the Execute Command field, enter this command:
    SHELL
    /private/tmp/AGENT/install_AWNAGENT.sh
  5. In the navigation menu, click Maintenance.
  6. Click Configure.
  7. Select the Update inventory checkbox.
  8. Click Save.

    Agent is deployed to all computers when the Trigger setting matches.

Verify that Arctic Wolf Agent was successfully deployed

  1. On any macOS endpoint with Agent installed, open Activity Monitor.
  2. Click the Memory tab.
  3. In the Apple menu, click View > All processes to verify that these processes display:
    • scout-client
    • scout-desktop
  4. Contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team (CST) at security@arcticwolf.com to confirm that Agent data is reaching Arctic Wolf.