Managed EDR for macOS
complete
James Mason | PMM @ Huntress
We are thrilled to announce that Managed EDR for macOS is now live, please view our Changelog - https://feedback.huntress.com/changelog/managed-edr-for-macos-now-available - to understand more about this update.
Taylor Bryant
Update on Huntress' Managed EDR for macOS!
First, we wanted to update you on the technology behind our Mac EDR. We've refactored our existing macOS agent and transformed it into a more robust EDR. The EDR has been created in-house by Huntress, not built on top of another tool. Alongside our agent, we've also built a system extension that will need to be installed and granted Full Disk Access to enable our EDR functionality when it is released. This system extension allows us to leverage Apple's Endpoint Security Framework to utilize all of the live endpoint data. The framework is Apple's preferred and supported method for gathering security data from a Mac endpoint.
When we move to General Availability we will have a fully managed EDR solution for macOS, but we will not have any managed macOS AV solution at this time. We're currently looking into what a Huntress managed AV solution for macOS might look like and the appetite for it, so please upvote and leave comments here if you are interested: https://feedback.huntress.com/feature-requests/p/mav-for-mac
We also wanted to update you on the progress and timing of the macOS version of Managed EDR. On Feb 20, we officially expanded our beta to include all partners that already have Huntress agents for macOS. If you currently have Huntress agents for macOS, once you complete the macOS agent setup checklist found on the agent detail page, our EDR will start automatically. During this beta, we will focus on collecting a large amount of data to refine our detection capabilities so you'll get the protection you'd expect from Huntress when we go live. We will move to General Availability for everyone when we are satisfied with our detection efficacy during this beta period.
The macOS version of Huntress Managed EDR will be a part of our Managed EDR offering for the same cost per endpoint that exists today. It will not be a separate product, and you won't have to pay any more than you already are for macOS agents. You will get a fully managed EDR solution for macOS on top of our existing persistence functionality.
NW
Taylor Bryant legends. I do like it when two things I looked at today get answers 🤟🏼
David Ridenhour
Taylor Bryant two questions (if this isn't the right spot to ask them, happy to get redirected). If it is an expected feature for the *.mobileconfig file to grant full disk access, at least in my testing it does not. I am still showing all of my endpoints not yet set up because the required permission for full disk access for the app is not granted. Full disk access, however, does show correctly for the system extension, so perhaps that part of the payload is working as expected. Now I forgot what the second question is, so there you have it.
Taylor Bryant
David Ridenhour We actually just found a typo in the *.mobileconfig file an hour ago that was causing it not to grant the agent Full Disk Access.
I just updated the KB article attachments right now!
or you can pull it straight from GitHub:
You'll want to delete the old profile that wasn't installing FDA to the agent and upload the corrected one now.
Once you upload the new config file and apply it to your machines, you should see FDA for the agent turn green after 5-10min as the agent checks in.
We had a couple tickets come to our Support team for this which helped us find the issue.
Sorry for the time you spent troubleshooting and hope this helps!
David Ridenhour
Taylor Bryant that's ok! Check your linking in this paragraph: Policies for:
Huntress agents version 0.13.72 and newer (System Extension) - mobileconfig file updated Feb 2024
Huntress agents version 0.13.70 and older (legacy) - mobileconfig file updated Nov 2023
Do system extensions have to be pushed per agent once the core app is installed via MDM, or is there a way to bulk push the system extension capability once the app is installed via the bash script?
Taylor Bryant
David Ridenhour: Oops, that is what happens when you try to fix something 'quickly'. I corrected the link/attachment on the article to get you to the right profile.
Once you have the MDM profile in place, you can install the System Extension in bulk by pushing this terminal command to the endpoints:
sudo /Applications/Huntress.app/Contents/MacOS/Huntress extensionctl install --preauthorize
The command can be found at the bottom of this KB article (https://support.huntress.io/hc/en-us/articles/21286469262867-Install-the-System-Extension-for-macOS) for easier copy/pasting in case the formatting gets messed up here.
Going forward if you have the MDM profile in place, your Huntress Mac agent deploy should consist of running the agent deploy script and then pushing this System Extension install command.
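One way to script the deploy step described above so the install command is only pushed to agents that use the System Extension, as an added example (not Huntress' own deployment script): the version gate mirrors the 0.13.72 / 0.13.70 split quoted earlier in the thread, and reading the agent version from the app bundle's CFBundleShortVersionString is an assumption.

```shell
#!/bin/sh
# Added example, not Huntress tooling: gate the System Extension install
# behind the agent version. Agents 0.13.72 and newer use the System
# Extension; 0.13.70 and older use the legacy profile (per the thread).
# Assumption: the agent version is exposed as the bundle's
# CFBundleShortVersionString. The install command is the one quoted above.
set -eu

HUNTRESS_BIN="/Applications/Huntress.app/Contents/MacOS/Huntress"
HUNTRESS_PLIST="/Applications/Huntress.app/Contents/Info.plist"
MIN_SYSEXT_VERSION="0.13.72"

# version_ge A B: succeed when dotted version A >= B, comparing field by field
# numerically (so 0.13.72 > 0.13.9, unlike a plain string compare).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# needs_system_extension VERSION: true when this agent build expects the
# System Extension rather than the legacy mobileconfig.
needs_system_extension() {
    version_ge "$1" "$MIN_SYSEXT_VERSION"
}

# installed_agent_version: read the bundle version (assumption noted above);
# prints 0 if the plist cannot be read so the gate fails closed.
installed_agent_version() {
    defaults read "$HUNTRESS_PLIST" CFBundleShortVersionString 2>/dev/null || echo 0
}

# Only act on a macOS host where the agent deploy script already ran.
if [ "$(uname)" = "Darwin" ] && [ -x "$HUNTRESS_BIN" ]; then
    ver="$(installed_agent_version)"
    if needs_system_extension "$ver"; then
        sudo "$HUNTRESS_BIN" extensionctl install --preauthorize
    else
        echo "agent $ver predates $MIN_SYSEXT_VERSION; use the legacy profile" >&2
    fi
fi
```

Run it after the MDM profile is in place and the agent deploy script has completed; on a non-macOS host it only defines the functions and exits.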
Nick Whittome
Hi Team, any kind of update on this please?
Bjørn Mathisen
Any news on this? Which antivirus / EDR solution would this be built on top of?
Michael Thompson
Having EDR on Mac to go along with Windows would be very important
James O'Leary
in progress
Michael Ferree
Wanted to see if there was any traction on this feature request.
Dean Pirera
This would enable us to streamline all operations for EDR Mac and Windows into the one reliable (Huntress) platform. It is a saving on many levels not just financial.
Annie Ballew
under review