Elastic Explained: How To Deploy Elastic Agent on macOS with Microsoft Intune

This guide details how to deploy Elastic Agent on macOS using Intune.  For Windows, please use my companion guide.

Using Elastic Agent with Elastic SIEM is a great way to secure and monitor your environment.  Not only does it provide full endpoint security capabilities, it’s great for analyzing your Zeek logs, and monitoring your Microsoft 365 cloud.  Beyond that, there are plenty of other great use cases.

In this guide, we’ll walk through step-by-step how to deploy Elastic Agent in your Intune-managed enterprise so you can start securing and monitoring your environment.

Create and deploy .mobileconfig file

Recent versions of macOS require applications to explicitly request approval for the use of System Extensions.  If we deployed Elastic Agent on macOS without first approving these System Extensions, the end user would receive a prompt requesting approval.  To prevent this, we need to first deploy a System Extensions profile that grants this approval prior to installation.

  1. Download the mobile_config_gen.py Python script from Elastic’s endpoint GitHub.
  2. Open a Terminal window and navigate to the folder that you saved the Python script to.  Then type the following to run the script:
    python3 mobile_config_gen.py -n <name of your company> -o <name of output file>

    For example, we would specifically type the following command to create a system profile named elastic-agent.mobileconfig:

    python3 mobile_config_gen.py -n "Ooi Ventures" -o elastic-agent
  3. Navigate to https://endpoint.microsoft.com/ and then click on Devices -> macOS.
  4. Next, click on Configuration profiles.
  5. Click on + Create profile to add a new configuration profile.
  6. In the Create a profile menu that appears on the right, select the following.  Click Create at the bottom when finished.
    Profile type: Templates
    Template name: Custom
  7. Complete the Basics section. Only the Name field is required.  Click Next at the bottom when finished.
  8. Complete the Configuration settings section. Click Next at the bottom when finished.
    Custom configuration profile name: Elastic Agent Onboarding
    Note: You must use this name, as the install script we create later checks for this profile name. If you change the name here, you’ll need to manually update the script to match.
    Deployment channel: Device channel
    Configuration profile file: Click the blue folder to upload the elastic-agent.mobileconfig system profile that we created in step 2.
  9. Complete the Assignments section. Under the Required section click on one of + Add group, + Add all users, or + Add all devices to assign the profile as needed.
    You’ll want to first create an Azure AD pilot group to test this deployment.

    Click Next at the bottom when finished. Once everything is working as expected, you can then deploy to a broader group.
  10. In the Review + create section, look over the configuration settings one more time. Once you’re ready, click Create at the bottom to create the system profile. As a reminder, the Custom configuration profile name should be Elastic Agent Onboarding as this system profile name is required by a subsequent script we will be using.

Create macOS Elastic Agent Install Script

With our System Extensions profile created, let’s now create a shell script to deploy Elastic Agent to our macOS systems. I’ve modified a Microsoft-developed shell script template for this specific purpose that we can use.  The custom deployment script performs the following:

  • Checks for the presence of the System Extensions profile we created above prior to starting installation
  • Downloads Elastic Agent and saves it locally
  • Unzips the installation files and runs the install command

Before we can use it, we’ll need to edit the script and set the values of a few variables.

  1. Open the install-elastic-agent-macos.sh script in your favorite text editor.
  2. At the top you’ll see a section titled # User Defined variables.  You’ll need to edit (as in, change what is inside the quotation marks for each) the following variable values with your own:
    intel_url: This is the download URL for the Intel-based x86 version of Elastic Agent.
    apple_url: This is the download URL for the Apple-based ARM version of Elastic Agent.
    weburl: This is the download URL for the Elastic Agent that you want to install.
    fleeturl: This is your Elastic Fleet server URL.
    enrolltoken: This is the enrollment token of the Elastic Agent profile you want to deploy.
    Note: You can find your Elastic Fleet server URL and enrollment token by navigating in Kibana’s left menu and clicking on Fleet under Management. Next, click on Add agent and select the Agent policy you want deployed. This will display a command that includes the URL and enrollment token as shown below.
  3. When you’re finished, save the file.
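
To make the three steps concrete, here is an added example of such an install script. It is not the author’s modified Microsoft template nor code from Elastic or Microsoft; it performs the same work in POSIX sh: it refuses to proceed until the Elastic Agent Onboarding profile is present (so Intune’s retry schedule picks it up later), chooses the download URL from the CPU architecture instead of a separate weburl variable, then extracts the tarball and runs the Fleet enrollment install. Assumptions are labelled in the comments: the download URLs follow Elastic’s public artifact naming with a made-up version number, the Fleet URL and enrollment token are placeholders, the install location /Library/Elastic/Agent is assumed, and the profile check assumes `profiles show` prints an `attribute: name:` line for each installed profile.

```sh
#!/bin/sh
# Added example (not the author's script): an Intune macOS shell script that
# checks for the Elastic Agent Onboarding profile, downloads the matching
# Elastic Agent build, extracts it and enrolls it in Fleet.
set -u

# ---- User Defined variables (edit these) ----------------------------------
# Download URLs follow Elastic's public artifact naming; the version number is
# an assumption, so set it to the release you actually want.
intel_url="https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.11.0-darwin-x86_64.tar.gz"
apple_url="https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.11.0-darwin-aarch64.tar.gz"
fleeturl="https://FLEET-SERVER-PLACEHOLDER:8220"      # placeholder, not a real host
enrolltoken="ENROLLMENT-TOKEN-PLACEHOLDER"            # placeholder, not a real token
profile_name="Elastic Agent Onboarding"               # must match the Intune profile name
tempdir="/tmp/elastic-agent-install"
agent_dir="/Library/Elastic/Agent"                    # assumed install location

# Pick the download URL (the guide's weburl) for the architecture from uname -m.
select_download_url() {
  case "$1" in
    arm64|aarch64) printf '%s\n' "$apple_url" ;;
    x86_64)        printf '%s\n' "$intel_url" ;;
    *)             return 1 ;;
  esac
}

# The tarball extracts into a directory named like the archive minus .tar.gz.
archive_dirname() {
  basename "$1" .tar.gz
}

# Return 0 if a profile with the given name appears in `profiles show` output.
# The output is passed in as a string so the logic can be checked offline.
profile_present_in() {
  printf '%s\n' "$1" | grep -Fq "attribute: name: $2"
}

# Constructed sample of `profiles show -type configuration` output (assumed
# format), kept here so profile_present_in can be exercised without a Mac.
sample_profiles_output="_computerlevel[1] attribute: name: Elastic Agent Onboarding
_computerlevel[1] attribute: profileIdentifier: com.example.elastic-agent
There are 1 configuration profiles installed"

# Live check on the Mac: device-level profiles installed by Intune.
system_profile_installed() {
  profile_present_in "$(profiles show -type configuration 2>/dev/null)" "$profile_name"
}

main() {
  # Bail out until the profile is present (Intune retries on its schedule);
  # otherwise the user would be prompted to approve the System Extension.
  if ! system_profile_installed; then
    echo "Profile '$profile_name' not installed yet; will retry next run" >&2
    exit 1
  fi
  if [ -d "$agent_dir" ]; then
    echo "Elastic Agent already installed in $agent_dir" >&2
    exit 0
  fi
  url=$(select_download_url "$(uname -m)") || { echo "Unsupported architecture" >&2; exit 1; }
  archive=$(basename "$url")
  mkdir -p "$tempdir"
  curl -fsSL -o "$tempdir/$archive" "$url" || exit 1
  tar -xzf "$tempdir/$archive" -C "$tempdir" || exit 1
  cd "$tempdir/$(archive_dirname "$archive")" || exit 1
  # Intune runs this as root, so no sudo is needed for the install.
  ./elastic-agent install --url="$fleeturl" --enrollment-token="$enrolltoken" --non-interactive
  status=$?
  rm -rf "$tempdir"
  exit "$status"
}

# Only perform the install on macOS as root (how Intune runs shell scripts when
# "Run script as signed-in user" is No); elsewhere just define the functions.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
  main
fi
```

Because the profile check exits non-zero, the Intune retry setting chosen in the next section is what makes the ordering work: a device that received the script before the profile simply fails that run and succeeds on a later one, and the Device status view in Intune shows which state each Mac is in.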

Create macOS Shell Scripts Deployment

With our Elastic Agent install script ready to go, let’s create a shell script deployment to deploy this script and install Elastic on our macOS systems.

  1. Navigate back to https://endpoint.microsoft.com and then click on Devices -> macOS.
  2. Next, click on Shell scripts.
  3. Click on + Add to add a new shell script.
  4. Complete the Basics section. Only the Name field is required. Click Next at the bottom when finished.
  5. Complete the Script settings section. Click Next at the bottom when finished.
    Upload script: Click on the blue folder to upload your modified install-elastic-agent-macos.sh that you previously saved.
    Run script as signed-in user: No
    Hide script notifications on devices: Yes
    Script frequency: Every 1 day (or however often you prefer)
    Max number of times to retry if script fails: 3 times (or however often you prefer)
  6. Complete the Assignments section. Under the Required section click on one of + Add group, + Add all users, or + Add all devices to assign the script as needed. You’ll want to first create an Azure AD pilot group to test this deployment.

    Click Next at the bottom when finished. Once everything is working as expected, you can then deploy to a broader group.
  7. In the Review + create section, look over the configuration settings one more time. Once you’re ready, click Create at the bottom to create the shell script deployment.
  8. You can check the deployment status of the script by clicking on the newly created shell script deployment and then clicking on Device status. Check the Status field and click on the Result field to see more details. Additionally, you can click Show details to show the script’s log output.

That’s it! Once your systems start checking in, you’ll see them appear in Fleet inside of Kibana. Happy deploying!
