MacOS EDR - Agent Monitoring
Mitchell Matter
Does anyone have a recommendation on how to monitor a Mac endpoint running Huntress to confirm that the Huntress agent is functional and healthy? On Windows, for example, we use our RMM to check that the Huntress service is running and run a PowerShell script daily to check whether the agent became orphaned.
Keith Myers
There are multiple ways to obtain endpoint status. There's an API endpoint and a binary command. Here's a snippet that uses both. The case conversion is Bash 3.2 friendly since that's what ships with macOS at the time of this writing. For portability I don't always use Zsh because some MDMs don't support it (I'm looking at you, Mosyle). Requires jq, which now ships with macOS as of macOS 15. This can be initiated by an MDM, CWA, Ninja or whatever:
#!/bin/bash
hbin="/Applications/Huntress.app/Contents/MacOS/Huntress"
if [[ -f "$hbin" ]]; then
    # Obtain status from the local API. Convert to lower case to handle
    # 'Healthy' or 'healthy'. Negative output is 'degraded'
    hstatus=$( curl -s http://localhost:24799/health | jq '.status' 2>/dev/null | tr -d '\"' | tr '[:upper:]' '[:lower:]' )
    if [[ "$hstatus" == "healthy" ]]; then
        echo "Installed and healthy."
        exit 0
    else
        echo "Installed but not healthy. Status: ${hstatus}"
        details=$( "$hbin" status )
        if [[ -z "$details" ]]; then
            echo "Unable to determine details."
        else
            echo "Detailed Status: ${details}"
            # Huntress reinstall/remediate code
        fi
    fi
else
    echo "Huntress is not installed."
    # Huntress install code
fi
Edit: Sorry about the formatting. The form is way too narrow. Copy and paste to your IDE before you run it.
Chris Edmondson
Upvoting this feature! This is frustrating trying to deal with Mac endpoints.
Stuart Ashenbrenner
Chris We have some fact scripts that MDM users primarily use, but it should work as a daily check to see if it's running.
Are you looking for something different?
Bjørn Mathisen
Something like this:
## List of processes to check
processes=("HuntressAgent" "HuntressUpdater")
## Check if processes are running
## "${processes[@]}" expands to every element in both Bash and Zsh
for process in "${processes[@]}"; do
    if ! pgrep -x "$process" > /dev/null; then
        errorFound=true
        statusMessage+="$process not running. "
    fi
done
Dusty'la Auer'la
That's basically what we do as well through CW Automate. Our check is rolled into one for Windows and Mac, looking for HuntressAgent and com.huntress.HuntressAgent to be running, run the install script if it isn't running, and it generates tickets for Mac and Windows devices if it still isn't running into our PSA. Automate appears to display Mac services differently, but it seems to work as a catchall.
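Added example, not part of any post above and not Huntress code: a check that combines the local health API from Keith's script with the process check from Bjørn's, and separates "API unreachable" from "degraded" so an RMM alert shows whether the agent is down or merely unhappy. It parses the response without jq for Macs older than macOS 15; the URL and process names are the ones quoted in the thread, the flat `{"status": "..."}` response shape is an assumption, and all function names are hypothetical.

```shell
#!/bin/bash
# Added example; not Huntress code. Bash 3.2 / POSIX sh friendly, no jq needed.
# URL and process names are the ones quoted in the thread; the flat
# {"status": "..."} response shape is an assumption.
HEALTH_URL="http://localhost:24799/health"
PROCS="HuntressAgent HuntressUpdater"

# Pull the "status" string out of a JSON body and lower-case it.
# Prints nothing when the field is absent.
parse_status() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# Map (curl exit code, response body) to a single state word.
classify_health() {
    local rc="$1" body="$2" status
    [ "$rc" -ne 0 ] && { echo "unreachable"; return 0; }
    status=$(parse_status "$body")
    case "$status" in
        healthy|degraded) echo "$status" ;;
        "")               echo "unparsable" ;;
        *)                echo "unknown:${status}" ;;
    esac
}

# Print the names in PROCS that are not running.
# $1 = checker command, default "pgrep -x" (replaceable for testing).
missing_procs() {
    local p out=""
    for p in $PROCS; do
        ${1:-pgrep -x} "$p" >/dev/null 2>&1 || out="${out}${out:+ }${p}"
    done
    echo "$out"
}

# Live check: one summary line for the RMM, exit 0 only if fully healthy.
run_check() {
    local body rc state missing
    body=$(curl -s --max-time 5 "$HEALTH_URL"); rc=$?
    state=$(classify_health "$rc" "$body")
    missing=$(missing_procs)
    echo "state=${state} missing_procs=${missing:-none}"
    [ "$state" = "healthy" ] && [ -z "$missing" ]
}

# Invoke as: script.sh --check
if [ "${1:-}" = "--check" ]; then run_check; exit $?; fi
```

A non-zero exit with `state=unreachable` on a machine where the app bundle exists is the case worth alerting on first, since it means nothing is answering on the local health port.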