Team: Huntress EDR
Product: Huntress Agent for macOS
Environment: macOS
Summary: Using an MDM policy and scripting the deployment of the Huntress Agent can expedite installation on macOS endpoints. These instructions are based on Addigy workflows, but should be applicable to other MDMs.
Mobile Device Management tools allow providers to distribute the Huntress Agent and the necessary permission profiles for the Agent to run. When configured properly, an MDM installation can be silent to the end user.
In this Article
Process Overview
Create an MDM Policy
Install the Agent with a Deployment Script
Verifying the Configuration
Process Overview
To take full advantage of all Huntress EDR capabilities, macOS endpoints must have the Huntress Agent, our system extension, and the network content filters configured to allow Huntress access. Without this, Huntress does not have the ability to isolate the endpoint and might be blocked from accessing some directories.
This process has two steps that must be done in this order:
- Create an MDM policy to set permissions and push the policy to your endpoints.
- Deploy the Huntress Agent through a script.
Create an MDM Policy
An MDM policy allows the Agent and the system extension to install silently with Full Disk Access (FDA), and adds the network content filter without prompting the user for approval.
We recommend using our prebuilt mobileconfig file, which is already set up for MDMs.
If you prefer to do it yourself, you'll need to create a System Extension profile and a Network Content Filter profile. We've included screenshots from Addigy, our supported MDM, but software can vary.
The policy must be added to your endpoints before installing the Huntress Agent.
System Extension Profile
To permit the Huntress Agent to automatically install and remove the system extension without prompting the user, enter the following settings:
- Allowed Team Identifiers:
  - 7W6HQ9J9XA [this is Huntress’s Team ID]
- Removable System Extensions:
  - Team Identifier: 7W6HQ9J9XA
  - Bundle Identifier: com.huntress.sysext
Network Content Filter profile
To permit the Huntress Agent to isolate and release this endpoint without prompting the user for approval, enter the following settings:
- Filter Type: Plug-In
- User Defined Name: Huntress
  - This is the value that will be shown to the user when describing the filter (for example, in the Network settings panel)
- Plugin Bundle ID: com.huntress.app
  - This is specifically the bundle ID of the application installing the network extension, not the extension itself.
- Enable Filter Socket Traffic
  - Bundle Identifier: com.huntress.sysext
    - This is the bundle ID of the network extension.
  - Designated Requirement: Copy and paste the following:
    - identifier "com.huntress.sysext" and anchor apple generic and certificate leaf[subject.OU] = "7W6HQ9J9XA" and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13]
    - This is used to verify that the Huntress app is genuine and not an imitation, and should be pasted in as presented above.
- Enable Filter Network Packets
  - Bundle Identifier: com.huntress.sysext
    - This is the bundle ID of the network extension.
  - Designated Requirement: Copy and paste the following:
    - identifier "com.huntress.sysext" and anchor apple generic and certificate leaf[subject.OU] = "7W6HQ9J9XA" and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13]
    - This is used to verify that the Huntress app is genuine and not an imitation, and should be pasted in as presented above.
- Filter Grade: Firewall
After creating these two MDM profiles, add them to your policy and deploy them to your macOS endpoints.
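If you build the profiles yourself, a pre-deployment check of the exported .mobileconfig catches mistyped identifiers and a mangled Designated Requirement before endpoints start prompting users. The following is an added example, not Huntress's code: it assumes an unsigned profile and that your MDM's field labels map to Apple's `com.apple.system-extension-policy` and `com.apple.webcontent-filter` payload keys as shown; `audit_profile` and `sample_profile` are hypothetical names.

```python
import plistlib

TEAM_ID = "7W6HQ9J9XA"
SYSEXT = "com.huntress.sysext"
DR = ('identifier "com.huntress.sysext" and anchor apple generic and '
      'certificate leaf[subject.OU] = "7W6HQ9J9XA" and certificate 1[field.1.2.840.113635.100.6.2.6] '
      'and certificate leaf[field.1.2.840.113635.100.6.1.13]')

# Key names are Apple's payload keys; the values are the settings listed in this article.
# Assumption: "Plug-In" and "Firewall" in the MDM UI are stored as "Plugin" and "firewall".
EXPECTED_FILTER = {
    "FilterType": "Plugin", "UserDefinedName": "Huntress",
    "PluginBundleID": "com.huntress.app", "FilterGrade": "firewall",
    "FilterSockets": True, "FilterPackets": True,
    "FilterDataProviderBundleIdentifier": SYSEXT,
    "FilterDataProviderDesignatedRequirement": DR,
    "FilterPacketProviderBundleIdentifier": SYSEXT,
    "FilterPacketProviderDesignatedRequirement": DR,
}

def audit_profile(data):
    """Return a list of problems in an unsigned .mobileconfig; an empty list means it matches."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in payloads}
    problems = []
    ext = by_type.get("com.apple.system-extension-policy")
    if ext is None:
        problems.append("missing system extension payload")
    else:
        if TEAM_ID not in ext.get("AllowedTeamIdentifiers", []):
            problems.append("AllowedTeamIdentifiers lacks " + TEAM_ID)
        if SYSEXT not in ext.get("RemovableSystemExtensions", {}).get(TEAM_ID, []):
            problems.append("RemovableSystemExtensions lacks " + SYSEXT)
    flt = by_type.get("com.apple.webcontent-filter")
    if flt is None:
        problems.append("missing content filter payload")
    else:
        for key, want in EXPECTED_FILTER.items():
            if flt.get(key) != want:  # exact match: smart quotes or stray spaces fail here
                problems.append(f"{key}: expected {want!r}, got {flt.get(key)!r}")
    return problems

def sample_profile(**filter_overrides):
    """Constructed sample profile for the demo (not Huntress's prebuilt mobileconfig)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.system-extension-policy",
         "AllowedTeamIdentifiers": [TEAM_ID], "RemovableSystemExtensions": {TEAM_ID: [SYSEXT]}},
        {"PayloadType": "com.apple.webcontent-filter", **EXPECTED_FILTER, **filter_overrides}]})

if __name__ == "__main__":
    print(audit_profile(sample_profile(FilterGrade="inspector")))
```

To check a real export, pass the file's bytes to `audit_profile`; a profile your MDM has already signed must be unwrapped first.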
Install the Agent with a Deployment Script
You can use a deployment script to deploy the Huntress Agent to macOS endpoints so that your unique Huntress Account Key and assigned Organization Key can be applied to the Agent during installation.
- Log in to Huntress and go to the Agent Setup page.
- Get your Account and Organization keys. If you use Agent tags, have those ready as well.
- Add the generic deployment script to the scripting engine of your management tool.
  - Update Line 44 with your Account Key.
  - Update Line 48 with an assigned Organization Key.
  - Update Line 52 with the name of your management solution (e.g., Jamf Pro). This value is used for support.
- Finish any other necessary steps and deploy the Agent out to your macOS endpoints.
Verifying the Configuration
There are several ways to confirm that the endpoint is configured properly for Huntress EDR.
With a properly configured MDM policy, the Agent and the system extension should install silently, with FDA and the network content filter, without prompting the user for approval.
If the user is asked to approve the extension or allow control of network traffic, double-check that you have created the necessary profiles for the system extension and network content filter, entered everything correctly in the MDM policy, and deployed that policy out to the endpoints.
Additionally, these MDM profile settings in the policy are at the device level and always override changes made by the user in the System Settings app. This might result in FDA appearing to be disabled when viewed by the end user but actually enabled due to the device-level settings profile. Do not make changes at the user level.
We've also provided several ways to check from the Huntress platform.
Related Articles
There are more options for installing the Huntress Agent on macOS.
Review the full list of supported operating systems.