
Manually Installing the macOS Managed Agent (AD Enterprise 7.3+)

Created by: Brendan Bone
Created date:
Last Updated date:

Introduction

This document outlines the procedure for installing the Managed Agent on macOS for AD Enterprise 7.3 and later.

 

Procedure

Install the Agent:

  1. Copy the macOS Managed Agent installer PKG, found at "\Forensic_Tools\Agents\MAC\AccessDataAgent-macos-installer-x64-<version>.pkg" on the Forensic Tools ISO/disc, to the Mac system.
  2. Double-click the PKG file and follow the prompts to install the Managed Agent.

 

Grant the Agent Full Disk Access:

  1. On the macOS machine, go to System Preferences > Security & Privacy.
  2. Select the Privacy tab.
  3. Select Full Disk Access on the left, click the lock icon in the lower-left corner, then enter administrator credentials when prompted.
  4. Under the list of items with access, click the + button.
  5. Select Applications on the left, then Utilities, select the Console app, and click Open.
  6. Repeat steps 4 and 5, but select the Terminal app.
  7. Leaving the Security & Privacy dialog open, open Finder and navigate to "/Library/AccessDataAgent/<version>".
  8. Select and drag both ADG.Agent.IndexingService and ADG.ManagedAgentSvc from the Finder window to the open application list in the Security & Privacy window.
    Note: You must browse to these files via Finder, as the Security & Privacy dialog won't let you add them directly.
  9. Confirm that the following items are listed and checked, then close the Security & Privacy dialog:
    ADG.Agent.IndexingService
    ADG.ManagedAgentSvc
    sh
    Console
    Terminal

 

Configure Agent Indexing:

  1. On the macOS machine, open "/usr/local/share/AccessData/ManagedAgent/AgentData/agentsetting.json" in a text editor.
  2. Reference the Agent Settings Reference Table in the Installing the Mac Agent chapter of the Enterprise User Guide to make any desired changes to the Agent's indexing settings.
  3. Save and close the modified agentsettings.json.
  4. Open a Terminal window, and run the following commands to stop and restart the Agent:
    sudo launchctl unload /Library/LaunchDaemons/com.adg.managedagent.plist
    sudo launchctl load /Library/LaunchDaemons/com.adg.managedagent.plist
  5. Wait up to 24 hours for the index to build.
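
A pre-flight wrapper for the restart in step 4, added here as an example and not AccessData's own tooling: it refuses to reload the agent when the edited settings file no longer parses as JSON, keeps a copy of the validated file, and checks that something is listening on the agent port afterwards. The function names, the .bak suffix, the --apply switch, the use of python3 for parsing, and the agent listening on the target are assumptions; the paths and port 4999 are the ones given in this article.

```shell
#!/bin/sh
# Added example: checks around the Managed Agent reload (not vendor code).
# Paths and port are from this article; function names are hypothetical.
SETTINGS="/usr/local/share/AccessData/ManagedAgent/AgentData/agentsetting.json"  # name as written in step 1
PLIST="/Library/LaunchDaemons/com.adg.managedagent.plist"
AGENT_ROOT="/Library/AccessDataAgent"
PORT=4999   # 7.3.0 default per the Notes; change it if your site uses another port

# json_ok FILE: succeed only if FILE is non-empty and parses as JSON.
# Assumption: python3 is installed on the Mac.
json_ok() {
    [ -s "$1" ] && python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
}

# agent_version_dir ROOT: print the first version directory under ROOT that
# holds both agent binaries named in the Full Disk Access steps.
agent_version_dir() {
    for d in "$1"/*/; do
        if [ -f "${d}ADG.Agent.IndexingService" ] && [ -f "${d}ADG.ManagedAgentSvc" ]; then
            printf '%s\n' "${d%/}"
            return 0
        fi
    done
    return 1
}

# port_listening PORT: succeed if any process is listening on the TCP port.
port_listening() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

# reload_agent: validate first, back up the validated file, then reload.
reload_agent() {
    agent_version_dir "$AGENT_ROOT" >/dev/null ||
        { echo "agent binaries not found under $AGENT_ROOT" >&2; return 1; }
    json_ok "$SETTINGS" ||
        { echo "refusing to reload: $SETTINGS is not valid JSON" >&2; return 1; }
    sudo cp -p "$SETTINGS" "$SETTINGS.bak" || return 1
    sudo launchctl unload "$PLIST"
    sudo launchctl load "$PLIST" || return 1
    sleep 5   # give the daemon a moment to bind its port
    port_listening "$PORT" ||
        { echo "warning: nothing listening on TCP $PORT yet" >&2; return 2; }
}

# Nothing privileged runs unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then reload_agent; fi
```

A return code of 2 means the reload succeeded but the port check did not; recheck after a short wait before investigating further.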

 

Add the Target to the Agent List:

  1. On the main screen in Enterprise, go to Tools > Preferences.
  2. Click Agent List.
  3. In the bottom-right, click Add...
  4. Do the following, then click OK:
      1. Enter a Friendly Name.
      2. Enter a Description (optional).
      3. Under Node/Range, select IP and enter the target's IP address.
      4. Check the "is Mac" box.

 

Notes

  • The macOS Agent with Forensic Tools 7.3.0 uses port 4999 by default. Future releases will use port 3999 by default. Follow this article to make sure your Agents and Enterprise are both set to use the same port.
  • Without granting full disk access to the necessary apps on the target, Enterprise may not be able to list and/or collect all desired items.
  • Refer to the chapter on "Installing the Mac Agent" in the Enterprise User Guide for additional notes on optional Agent configurations that can be applied after installation.
  • If a target isn't added to the Agent List, it will not be available for selection during a collection job.