This document outlines the procedure of installing the Managed Agent on macOS for AD Enterprise 7.3 and later.
- Remove Full Disk Access for any previous versions of the MacOS Agent.
- Uninstall any previous versions of the MacOS Agent.
- Make sure the "QuincServerUrl" key in the "Qview.exe.config" file (typically in "C:\Program Files\AccessData\Forensic Tools\<version>\bin\QView\") on the Enterprise machine is correct. Meaning using the correct protocol, correct name and correct port.
- Make sure the "QuincServerUrl" key in the "JobsMonitor.exe.config" file (typically in "C:\Program Files\AccessData\Forensic Tools\<version>\bin\QView\") on the Enterprise machine is correct.
Install the Agent:
- Copy the macOS Managed Agent installer PKG, found at "\Forensic_Tools\Agents\MAC\AccessDataAgent-macos-installer-x64-<version>.pkg" on the Forensic Tools ISO/disc, to the Mac system.
- Once copied check the hash value to confirm it matches that of the hash value for the file on the ISO image.
- Double-click the PKG file and follow the prompts to install the Managed Agent
Grant the Agent Full Disk Access:
- On the macOS machine, go to System Preferences > Security & Privacy
- Select the Privacy tab
- Select Full Disk Access on the left, click the lock icon in the lower-left corner, then enter administrator credentials when prompted
- Under the list of items with access, click the + button
- Select Applications on the left, then Utilities, select the Console app, and click Open
- Repeat steps 4 and 5, but select the Terminal app
- Leaving the Security & Privacy dialog open, open Finder and navigate to "/Library/AccessDataAgent/<version>"
- Select & drag both ADG.Agent.IndexingService and ADG.ManagedAgentSvc from the Finder window to the open application list in the Security & Privacy window
Note: You must browse to these files via Finder, as the Security & Privacy dialog won't let you add them directly.
- Confirm that the following items are listed and checked, then close the Security & Privacy dialog:
Configure Agent Indexing:
- On the macOS machine, open a Terminal window and run the following command to stop the Agent:
sudo launchctl unload /Library/LaunchDaemons/com.adg.managedagent.plist
- Open "/usr/local/share/AccessData/ManagedAgent/AgentData/agentsetting.json" in a text editor.
- Reference the Agent Settings Reference Table in the Installing the Mac Agent chapter of the Enterprise User Guide to make any desired changes to the Agent's indexing settings.
- Save and close the modified agentsettings.json.
- Open a Terminal window and run the following command to start the Agent:
sudo launchctl load /Library/LaunchDaemons/com.adg.managedagent.plist
- Wait up to 24 hours for the index to build.
Check if the Agent is online and accessible:
From the Enterprise machine, go to https://<AgentIP>:3999/api/hostname in a browser. If the page returns a JSON string with the Agent's hostname, you should be good to go. If you aren't able to access that page, there may be a firewall blocking communication between the Agent and Examiner.
Add the Target to the Agent List:
- On the main screen in Enterprise, go to Tools > Preferences.
- Click Agent List.
- In the bottom-right, click Add...
- Do the following, then click OK:
- Enter a Friendly Name.
- Enter a Description (optional).
- Under Node/Range, select IP and enter the target's IP address.
- Check the is Mac box.
- The macOS Agent with Forensic Tools 7.3.0 listens on port 4999 by default. The macOS Agent with Forensic Tools 7.4.0 and newer listens on port 3999 by default. Follow this article to make sure your Agents and Enterprise are both set to use the same port.
- Without granting full disk access to the necessary apps on the target, Enterprise may not be able to list and/or collect all desired items.
- Refer to the chapter on "Installing the Mac Agent" in the Enterprise User Guide for additional notes on optional Agent configurations that can be applied after installation.
- If a target isn't added to the Agent List, it will not be available for selection during a collection job.