uberAgent for macOS: What To Expect
Our User Experience Monitoring agent for Windows, the one you have come to know and love, has been in the field for quite some time now. And of course, we know that your users' devices in a complex IT environment may run different operating systems, or to be more precise: a certain percentage of them might be Macs. To ensure the same high level of visibility across your whole fleet, we have decided to develop our own agent for macOS. And we chose to do it from scratch, by following Apple's best practices.
Since we made our first official announcement of development in mid-2019, we have already brought many of the well-known great features from the Windows equivalent to macOS. In this article, we want to highlight some of the specifics we have been working on in recent months and talk a little bit about upcoming development steps.
Our goal is to achieve functional parity between UXM for Windows and macOS over time. To ensure that the use of our data remains as intuitive and seamless as ever, we determine the same values on macOS for the same dashboards you already know. This lets you compare different operating system platforms directly, without switching views. Naturally, Windows and macOS work differently under the hood. Therefore I would like to give some insights into the implementation of two features that give the same result on both operating system platforms, although the way the data is determined is quite different.
Operating systems usually do not have a concept of applications; they only know about processes. uberAgent is different. It automatically groups related processes into applications, because humans think in applications, not in processes. This greatly eases the troubleshooting of performance problems, because it is not enough to know that a specific process is causing a problem. You need the actual application that is having an impact on your machine, and uberAgent shows you exactly that. Of course, on macOS we cannot rely on the data sources we have been using so far. So instead of utilizing the Windows registry, we came up with a different approach to map processes to applications on macOS.
In the simplest case, a process observed on macOS was launched from an executable that is located somewhere within an app bundle. Well-behaved app bundles contain the obligatory Info.plist file that holds at least the name of the app and more often than not also a human-readable version number. uberAgent uses this information to map the process to its app.
But, of course, there are more complex scenarios. Many processes are launched from within a system framework and many of these are background services managed by the system or helpers of background services. uberAgent maps these processes to the framework, and, if possible, even to the sub-framework where the respective executable is located, a popular candidate being CoreServices/Metadata, for example. This enables you to track which subsystem of macOS might be responsible for specific performance loads.
However, not all processes launched from within a system framework can be attributed to the system. You might be aware of XPC Services, a powerful concept built into macOS that allows for mitigation of security and stability risks. If you look up Safari in the macOS Activity Monitor and switch its view to hierarchical presentation, you might see a plethora of processes belonging to the app, many of them directly linked to your open browser tabs. These are XPC Services started by launchd on behalf of Safari. This means there is no parent-child relationship between Safari and these processes, but Safari is responsible for their lifecycle. Or, to put it another way, the performance of these XPC Service processes must be attributed back to Safari, their host app. Of course, uberAgent does that for you, too.
A concept somewhat similar to XPC Services is Privileged Helper Tools. These processes take special effort to attribute to an app because they are also started by launchd but act like any other background service, except that they talk to their host app, at least occasionally. But again, uberAgent is able to attribute Privileged Helper Tools to their host app whenever possible.
At this point, there are not many processes left unaccounted for. The majority of them can usually be attributed to system activities. However, uberAgent makes sure to map processes directly to macOS only if they were started from locations belonging to the system.
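The path-based part of this mapping can be sketched as follows. This is an added example, not uberAgent's code: the list of system locations, the `root` parameter and the sample paths are assumptions. It covers only what an executable path reveals; XPC Services started from a system framework on behalf of an app, and Privileged Helper Tools, cannot be attributed to their host app by path alone and are not handled here.

```python
import plistlib
import tempfile
from pathlib import Path, PurePosixPath
from xml.parsers.expat import ExpatError

# Assumption: locations treated as "belonging to the system" (the article gives no list).
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/")

def bundle_info(app_dir):
    """Return (name, version) from <app>/Contents/Info.plist, falling back to the bundle name."""
    fallback = Path(app_dir).stem
    try:
        with (Path(app_dir) / "Contents" / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return fallback, None  # missing or unparsable Info.plist
    return info.get("CFBundleName") or fallback, info.get("CFBundleShortVersionString")

def map_process(exe_path, root="/"):
    """Classify an executable path; `root` (hypothetical) allows scanning a mounted or test tree."""
    parts = PurePosixPath(exe_path).parts
    # 1. Outermost enclosing .app bundle, which also covers helpers embedded in that bundle.
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            name, version = bundle_info(Path(root, *parts[1:i + 1]))
            return ("app", name, version)
    # 2. System framework, refined to the sub-framework when there is one.
    if exe_path.startswith("/System/Library/"):
        frameworks = [p[:-len(".framework")] for p in parts if p.endswith(".framework")]
        if frameworks:
            return ("framework", "/".join(frameworks[:2]), None)
    # 3. Only executables in system locations are attributed to macOS itself.
    if exe_path.startswith(SYSTEM_PREFIXES):
        return ("system", "macOS", None)
    return ("unattributed", parts[-1], None)

def demo():
    """Run the mapper over constructed sample paths against a constructed app bundle."""
    root = Path(tempfile.mkdtemp())
    contents = root / "Applications" / "Example.app" / "Contents"
    contents.mkdir(parents=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleName": "Example", "CFBundleShortVersionString": "1.2.3"}, fh)
    samples = [
        "/Applications/Example.app/Contents/XPCServices/Helper.xpc/Contents/MacOS/Helper",
        "/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds",
        "/usr/libexec/example-daemon",
        "/usr/local/bin/example-tool",
    ]
    return [map_process(p, root) for p in samples]
```

The last sample shows why the system check is an allow-list: an executable under /usr/local is not in a system location, so it stays unattributed instead of being counted as macOS.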
User sessions on macOS are different. Coming from Windows, you might be used to one system session (session 0) plus one additional session per user. On macOS, things are more complex, even after ignoring the issue of macOS knowing different kinds of sessions. For starters, the system alone runs several sessions. The biggest and first one belongs to root, which also gets shared with other system users. Still other system users have their own dedicated session. Non-system users might have a pre-login session that exists even if the user never actually logs in. And finally, there are the sessions that you are really interested in, GUI sessions and SSH sessions.
For now, and to keep things simple, uberAgent on macOS monitors GUI user sessions. Processes belonging to other sessions get allocated to session 0 in order to remain consistent with uberAgent on Windows. For the future, however, we plan on breaking up session 0 on macOS a bit more, especially with regard to SSH sessions.
These explanations do not cover every detail yet, but it is already clear how different these approaches are for different operating systems.
So please look forward to more articles in the near future, which will deal with individual topics in greater detail and depth.
With our final release of uberAgent 6 right around the corner, you definitely want to know what exactly is already part of our macOS agent. For that purpose, we created a dedicated page in our documentation. It shows all the details about dashboards and sourcetypes currently available and is updated regularly.
And what about all the exciting upcoming features? Well, nothing is written in stone and we definitely would love to hear all of your feedback once you get uberAgent up and running on your Macs. On a side note: a good percentage of features currently available in uberAgent is based on real customer feedback. But as logical next steps, we have put a focus on networking, on/off transitions, and user logons.