You can manually add Mac endpoints to Nebula in a few different ways. The most common method is to copy an installer file to the endpoint and run the file from the endpoint. You may also add endpoints using the command line or with a dissolvable remediation tool.
This article covers the following methods:
- Use a downloaded installer and copy it to the endpoint.
- Command line remote installation for Mac endpoints, which can be run silently.
- Dissolvable Unmanaged Remediation Tools installation.
If you have many endpoints, you can use the macOS PKG installer with Mobile Device Management (MDM) solutions such as JAMF.
Use a downloaded installer
To manually install the endpoint agent on a Mac, download the ThreatDown Endpoint Agent installation file and run it from the endpoint. Each installer is pre-configured for your account.
We provide endpoint installers for you to use with your preferred installation method.
Mac Endpoint Installer Notes
- Do not change the name of the downloaded installer file, because the installer retrieves the Nebula accounttoken value from the file's name. Device management tools may remove the accounttoken. In this case, use the command line instructions below to set the accounttoken after installation.
- The following items are mandatory for correct operation:
  - For macOS High Sierra 10.13 and Mojave 10.14, see "Approve kernel extension for Nebula on macOS devices using UAMDM".
  - For macOS Catalina 10.15, Big Sur 11, Monterey 12, Ventura 13, and Sonoma 14, see "Mac endpoint missing Full Disk Access in Nebula".
- Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group. To automatically assign endpoints to a group during installation:
  - On the left navigation menu, click Download Center.
  - Under the Advanced tools tab, click the Specify group assignment link.
- The Deployment tab has two methods to begin deployment with your Mac users:
  - Direct Download: Download the Endpoint Agent installer to your local endpoint.
  - Link Sharing: Copy and share the download link to the Endpoint Agent installer. Links expire after 7 days. Choose from the following options:
    - Copy installer link: Contains the download link.
    - Copy installer link with instructions: Contains the download link and installation instructions.
- com.malwarebytes.ncep.nobody: An account with minimal permissions created on Mac endpoints during installation. The agent uses this account to run unprivileged system and service tasks.
- On the left navigation menu, click Download Center.
- Select Mac from the platform drop-down menu.
- Click Start download to download the Mac Endpoint Installer to your local device.
- We recommend you keep __xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx___ naming as this is your accounttoken value, which identifies your account to the macOS installer. If removed, see the command line instructions below to set the accounttoken after installation.
- After you have downloaded the installer, copy it to the endpoint and run the installer.
- When the installation process completes, the Endpoint Agent registers and the endpoint appears in Nebula.
- The Endpoint Agent retrieves policy information and configures the endpoint, downloading agents for the configured features. This process takes about 5 minutes until the endpoint is protected and ready to scan.
Command line remote installation for Mac
You may use the terminal command below to perform a silent install on Mac endpoints from software deployment and management systems.
- sudo -E /usr/sbin/installer -pkg Setup.MBEndpointAgent__xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx___.pkg -target /
You may use the terminal commands below to perform a silent install on Mac endpoints while specifying the target group. Group identifiers are shown in the Nebula console under the Specify group assignment link in the Download Center. The first command uses extended file attributes (xattr) to set the Group ID on the package; the second runs the installer. They are shown on multiple lines due to their length.
xattr -w MALWAREBYTES_GROUP <GroupID> Setup.MBEndpointAgent__xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx___.pkg
sudo -E /usr/sbin/installer -pkg Setup.MBEndpointAgent__xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx___.pkg -target /
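A pre-flight check for the silent install above, as an added example rather than ThreatDown's own tooling: it refuses to run the installer when the accounttoken is no longer present in the package file name, for example after a deployment tool renamed the file. The function names, and the assumption that the token is made of hex digits in the 8-4-4-4-12 layout of the placeholder, belong to this example and not to the page.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: the accounttoken sits between
# "__" and "___" in the file name and is 8-4-4-4-12 hex digits (the page
# shows only the x-placeholder layout).

# Print the accounttoken embedded in a package file name; return 1 if absent.
account_token_from_pkg() {
    name=$(basename "$1")
    token=$(printf '%s\n' "$name" | sed -n \
        's/.*__\([0-9A-Fa-f]\{8\}\(-[0-9A-Fa-f]\{4\}\)\{3\}-[0-9A-Fa-f]\{12\}\)___.*/\1/p')
    [ -n "$token" ] || return 1
    printf '%s\n' "$token"
}

# Usage: install_agent <pkg> [GroupID]
# Stops before installing when the token is gone, because the installer
# reads it from the file name.
install_agent() {
    pkg=$1
    group_id=${2:-}
    if ! account_token_from_pkg "$pkg" >/dev/null; then
        echo "refusing to install: no accounttoken in file name of '$pkg'" >&2
        return 1
    fi
    if [ -n "$group_id" ]; then
        # Same xattr the page uses to pick the target group.
        xattr -w MALWAREBYTES_GROUP "$group_id" "$pkg" || return 1
    fi
    sudo -E /usr/sbin/installer -pkg "$pkg" -target /
}

# Run the install only when a package path is passed to the script.
[ "$#" -eq 0 ] || install_agent "$@"
```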
Command line set ACCOUNTTOKEN after installation
You may use the terminal command below to set the new accounttoken:
- sudo '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon' AccountToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
After setting the account token, restart the Endpoint Agent service using the commands below:
- sudo launchctl unload /Library/LaunchDaemons/com.malwarebytes.agent.daemon.plist
- sudo launchctl load /Library/LaunchDaemons/com.malwarebytes.agent.daemon.plist
Check macOS Services and security extensions
$ sudo launchctl list | grep 'com\.malwarebytes'
1750 0 com.malwarebytes.ncep.settings.daemon
- 0 com.malwarebytes.UserAgent
1748 0 com.malwarebytes.ncep.rtprotection.daemon
1649 0 com.malwarebytes.EndpointAgent
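The same check in a form a deployment script can act on, as an added example that is not part of the vendor's tooling: it reads `launchctl list` output and reports any of the four labels shown above that is missing or whose last exit status is non-zero. The function name and the MISSING/FAILED wording are this example's own.

```shell
#!/bin/sh
# Added example, not vendor code. Labels are the four shown in the sample
# `launchctl list` output on this page.
EXPECTED_LABELS="com.malwarebytes.ncep.settings.daemon
com.malwarebytes.UserAgent
com.malwarebytes.ncep.rtprotection.daemon
com.malwarebytes.EndpointAgent"

# Reads `launchctl list` output (columns: PID, last exit status, label) on
# stdin. Prints one line per problem and returns 1 if any were found.
check_agent_services() {
    listing=$(cat)
    rc=0
    for label in $EXPECTED_LABELS; do
        # Exact match on the label column, so no shell glob or regex is involved.
        state=$(printf '%s\n' "$listing" |
            awk -v l="$label" '$3 == l { print $1 " " $2; exit }')
        case $state in
            "")    echo "MISSING $label"; rc=1 ;;
            *" 0") ;;  # loaded; a PID of "-" just means not running right now
            *)     echo "FAILED $label (last exit status ${state#* })"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Sample copied from the page's output above.
SAMPLE="1750 0 com.malwarebytes.ncep.settings.daemon
- 0 com.malwarebytes.UserAgent
1748 0 com.malwarebytes.ncep.rtprotection.daemon
1649 0 com.malwarebytes.EndpointAgent"

printf '%s\n' "$SAMPLE" | check_agent_services && echo "all agent services loaded"
# On an endpoint: sudo launchctl list | check_agent_services
```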
Check Kernel Extension for the following versions of macOS: El Capitan 10.11, Sierra 10.12, High Sierra 10.13, Mojave 10.14.
$ kextstat | grep malwarebytes
187 0 0xffffff7f85a07000 0x8000 0x8000 com.malwarebytes.ncep.rtprotection (3.9.16) 9EF16C6D-E345-31AF-8646-2507C3F781D8 <6 5 3 1>
Check System Extension for the following versions of macOS: Catalina 10.15, Big Sur 11, Monterey 12, Ventura 13, Sonoma 14.
$ systemextensionsctl list | grep -i malwarebytes
* * GVZRY6KDKR com.malwarebytes.edr.helper.ext (1.5.136/1.5.136) EDRMacHelperExt [activated enabled]
Dissolvable unmanaged remediation tools
You may prefer to use a dissolvable remediation tool instead of an installer. Under Advanced tools is the Remediation (Unmanaged) section. Here you can download the following dissolvable unmanaged remediation tool.
Mac Breach Remediation: our dissolvable remediation program for Mac endpoints. For more information, see the Breach Remediation for Mac Command Line Administrator Guide.