The agent installer is available as a PKG file. It can either be installed manually or unattended through existing software deployment tools. Also, most device management solutions support the distribution of such packages natively.
Expected result after the installation: the launch daemon uberAgent is installed and running.
Requirements
Full Disk Access
uberAgent for macOS uses Apple’s EndpointSecurity framework (available since macOS 10.15), which requires explicit user authorization. Authorization is granted by adding /Library/uberAgent/uberAgent.app to System Preferences > Security & Privacy > Privacy > Full Disk Access. This can be done manually or by deploying a Privacy Preferences Policy Control Payload profile on managed devices. Either create the payload on your own, by following the instructions provided by Apple, or make use of tools like the PPPC-Utility. The excerpt from the following file must be part of your configuration.
uberAgent uses the Accessibility framework on macOS to determine parts of the Session Detail metrics. Authorization for this can be granted either by adding /Library/uberAgent/uberAgent.app to System Preferences > Security & Privacy > Privacy > Accessibility manually, or by deploying an appropriate profile on managed devices. See Full Disk Access for more information on configuration profiles. For Accessibility access, your profile must allow access to Accessibility within the Services dictionary. Use the excerpt printed below as a template.
The installation of uberAgent can be started by opening uberAgent.pkg and following the instructions on the screen.
Since uberAgent is installed as a system-wide daemon, the installer will ask for a password for elevated access rights to install it.
Command Line
The Installer can also be used from the command line to install uberAgent using the command installer -pkg uberAgent.pkg -target /
This requires root privileges. A command line installation can be executed locally or remotely, e.g. using SSH.
License File
If you have a license file for uberAgent copy it to the following directory (\Library\Application Support\uberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.
Installation Through Splunk Deployment Server
Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client. Please make sure, that Splunk Universal Forwarder has sufficient privileges to perform system-wide installations, e.g. by enabling boot-start.
uberAgent
Copy the directory uberAgent_endpoint from the unzipped uberAgent download package to $SPLUNK_HOME/etc/deployment-apps on your deployment server. Please make sure to apply the executable flag to the installation script by executing chmod +x silent-install.sh. Besides that, the uberAgent_endpoint folder is ready to use for deployment on Windows as well as macOS operating systems.
Note: $SPLUNK_HOME refers to the base directory of the Splunk installation, typically /opt/splunk on Linux.
Configuration
To deploy a customized configuration file copy it into the directory $SPLUNK_HOME/etc/deployment-apps/uberAgent_endpoint/bin. This overwrites /Library/Application Support/uberAgent/uberAgent.conf.
License File
If you have a license file for uberAgent copy it into the directory $SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.
Serverclass
Create a file called serverclass.conf in $SPLUNK_HOME/etc/system/local on your deployment server. serverclass.conf defines what to deploy where. For a quick start paste the following content into serverclass.conf to deploy uberAgent to all macOS machines. You may want to fine-tune this to suit your needs.
# [global]
# We cannot match by machine type here. We'll do that on the app level below.
whitelist.0 = *
# Define a serverclass
[serverClass:macOS]
# Deploy only to macOS machines
machineTypesFilter = darwin-x86_64
# Define which apps to deploy to the serverclass
[serverClass:macOS:app:uberAgent_endpoint]
stateOnClient = enabled
restartSplunkd = true
To make Splunk read the new file serverclass.conf run the following command:
$SPLUNK_HOME/bin/splunk reload deploy-server
Configuration
uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.
Installing the macOS Endpoint Agent
In this article
The agent installer is available as a PKG file. It can either be installed manually or unattended through existing software deployment tools. Also, most device management solutions support the distribution of such packages natively.
Expected result after the installation: the launch daemon
uberAgentis installed and running.Requirements
Full Disk Access
uberAgent for macOS uses Apple’s EndpointSecurity framework (available since macOS 10.15), which requires explicit user authorization. Authorization is granted by adding
/Library/uberAgent/uberAgent.appto System Preferences > Security & Privacy > Privacy > Full Disk Access. This can be done manually or by deploying a Privacy Preferences Policy Control Payload profile on managed devices. Either create the payload on your own, by following the instructions provided by Apple, or make use of tools like the PPPC-Utility. The excerpt from the following file must be part of your configuration.Accessibility Access
uberAgent uses the Accessibility framework on macOS to determine parts of the Session Detail metrics. Authorization for this can be granted either by adding
/Library/uberAgent/uberAgent.appto System Preferences > Security & Privacy > Privacy > Accessibility manually, or by deploying an appropriate profile on managed devices. See Full Disk Access for more information on configuration profiles. For Accessibility access, your profile must allow access to Accessibility within the Services dictionary. Use the excerpt printed below as a template.Installation method
Interactive
uberAgent.pkgand following the instructions on the screen.Command Line
installer -pkg uberAgent.pkg -target /License File
If you have a license file for uberAgent copy it to the following directory (\Library\Application Support\uberAgent). Without a license file uberAgent displays a splash screen during logon. Contact us for an evaluation license.
Installation Through Splunk Deployment Server
Note: Deployment Server can only be used with Splunk Enterprise and requires Splunk Universal Forwarder on the endpoint as deployment client. Please make sure, that Splunk Universal Forwarder has sufficient privileges to perform system-wide installations, e.g. by enabling boot-start.
uberAgent
Copy the directory
uberAgent_endpointfrom the unzipped uberAgent download package to$SPLUNK_HOME/etc/deployment-appson your deployment server. Please make sure to apply the executable flag to the installation script by executingchmod +x silent-install.sh. Besides that, theuberAgent_endpointfolder is ready to use for deployment on Windows as well as macOS operating systems.Note:
$SPLUNK_HOMErefers to the base directory of the Splunk installation, typically/opt/splunkon Linux.Configuration
To deploy a customized configuration file copy it into the directory
$SPLUNK_HOME/etc/deployment-apps/uberAgent_endpoint/bin. This overwrites/Library/Application Support/uberAgent/uberAgent.conf.License File
If you have a license file for uberAgent copy it into the directory
$SPLUNK_HOME\etc\deployment-apps\uberAgent_endpoint\bin.Serverclass
Create a file called
serverclass.confin$SPLUNK_HOME/etc/system/localon your deployment server.serverclass.confdefines what to deploy where. For a quick start paste the following content intoserverclass.confto deploy uberAgent to all macOS machines. You may want to fine-tune this to suit your needs.To make Splunk read the new file
serverclass.confrun the following command:Configuration
uberAgent can be configured very flexibly. By editing the configuration you can switch metrics on or off, change the data collection frequency and significantly reduce the data volume.