macOS Setup

This topic describes how to install Ivanti Device Control on macOS.


An MQTT v5 broker using basic authentication is required, such as HiveMQ ( or Eclipse Mosquitto (

For more information about MQTT, see

An HTTP endpoint without authentication should is needed to report the health of the MQTT Broker, but is not mandatory for the SXS.Net and Mac agent to communicate.

In production, use TLS with either plain TCP or Web Sockets.

Support for M1/ARM64 is currently still in Beta. To use removable encryption provided through the kernel extension you need to boot the device into recovery mode. Access Security Policy and select Reduced Security. Selecting the tick boxes underneath enables the management of kernel extensions.


SXS.Net.Host.exe is deployed with SXS (Server setup) and is available under C:\Windows\sysWOW64\IDAC.SXS.Net.

The available actions are:




Configure SXS.Net.Host service.


Generate Osx Agent DaemonConfig.plist file.


Display more information on a specific command.


Display version information.

Configure: server command

You configure the SXS.Net.Host by providing the license file, setting MQTT connection information, and providing a key path (which is generated if the file is missing) to secure the REST calls.

The configuration can be done in a single command, or can be done in multiple commands if you need to update it later.

The command is of the form:

C:\Windows\SysWOW64\IDAC.SXS.Net\SXS.Net.Host.exe server -l C:\Windows\SysWOW64\MyLicenseFile.lic -m mqtts:// -u username -p password -k C:\Windows\sxsdata\sxsnet-private.key -e --Url --Hostname -c

The following parameters are available for the server action (C:\Windows\SysWOW64\IDAC.SXS.Net\ server --help)



-l, --License

License Filename.

-a, --AutoStart

(Default: -1) SXS starts SXS.Net and monitors it, 0: disabled, 1: enabled.


(Default: ) SXS Rpc/Dcom endpoint (localhost, hostname,, localhost[12345], ...).


(Default: ) SXS Rpc/Dcom endpoint AD/local user name.


(Default: ) SXS Rpc/Dcom endpoint AD/local password.


(Default: ) Save latest Json policies into this folder.

-m, --MqttServer

(Default: ) MQTT broker (mqtts://hostname:8883, ...).

-u, --MqttUsername

(Default: ) MQTT broker user name.

-p, --MqttPassword

(Default: ) MQTT broker password.


(Default: ) MQTT heartbeat URL.


(Default: ) Trusted MQTT thumbprints separated by semicolon.

-k, --TokenKeyFile

(Default: ) ECDSA-256 private key filename.


(Default: ) Save latest JWT token into this folder.


(Default: -1) Swagger UI for REST API, 0: disabled, 1: enabled.

-e, --Endpoints

(Default: ) Endpoints with url syntax separated by semicolon.


(Default: ) Url accessible by the agents.


(Default: ) FQDN of the host (as it appears in the public url).

-c, --CertSubject

(Default: ) Subject of the Certificate.


(Default: ) Path of the PKCS#12 certificate.


(Default: ) Password for the PKCS#12 certificate.


(Default: ) Trusted REST thumbprints separated by semicolon.


Display this help screen.


Display version information.

Logging is configured in SXS.Net.Host.NLog.config and by default logs on the console and in hourly rolling files under %LOCALAPPDATA%\Logs\.

This command generates the configuration file appsettings.json

Setting up the macOS agents

When you have configured the server, you can configure your osx agents by providing the license filename, the MQTT server, user and password, the output path for the .plist file (optional, and generated in the current folder if not specified) and the thumbprints for MQTT communication. The first step is to create the configuration file DaemonConfig.plist using the following command on the server:

C:\Windows\SysWOW64\IDAC.SXS.Net\SXS.Net.Host.exe osx-agent -l "license_file.lic" -m mqtt:// -u user -p password --Thumbprints thumbprint1;thumbprint2 -o .\DaemonConfig.plist


When you have the .pkg or .dmg file and the DaemonConfig.plist file from above in the download package folder on the Mac endpoint, you can start installing the agent.

If the files have attributes (downloaded, and so on), use sudo xattr -c <filename> to clear them if needed.

If you don't have the DaemonConfig.plist at the time of installation, or if you choose to edit it afterwards, make sure that the permissions for the file allow everyone read access.

If it is copied by the installer, it will have the following permissions:

  • system: Read & Write
  • wheel: Read only
  • everyone: Read only

To install the agent, run the installation or upgrade from the .pkg or .dmg file using the defaults, accepting the EULA, and keeping the default destination.

During a clean install, setup will warn you that you must access some security changes. In this case, open the security preferences and allow entry for Ivanti, ensuring full disk access is granted for the ESE (Endpoint Security Extension).

At the end of the installation, if needed, you can access and save the Installer Log for reporting issues. In the Installer Log (Show all logs - detail level) and the saved logs, you can also find the computed sha1 hash of the main installed files.


Inside the *.dmg or next to the *.pkg you can find an uninstall.command script, which properly unregisters and uninstalls everything, and deletes all related files and logs.

The uninstall.command script is also distributed inside the Either go to /Applications in Finder, right click, choose Show Package Contents, then navigate to Contents/Resources where you will find uninstall.command, or directly execute it in a terminal with:

% sh /Applications/

If the files have attributes (downloaded, and so on), use sudo xattr -c <filename> to clear them if needed.

You can double-click the *.command and it will execute in a terminal window, or (using the correct path to the uninstall.command, type:

% sh /Volumes/IDC.Idac/uninstall.command

You are prompted to enter an admin password in the terminal window, and then will ask for an admin password to deactivate the system extension. Finally, you are asked to reboot the system.