Management and Security
Ivanti® Endpoint Manager uses agent configurations to gain control of devices and manage them. For Macintosh devices, these configurations are pushed to unmanaged devices using the same process used to push agents to Windows devices.
The Default Mac Configuration package contains the required agent for controlling Macintosh devices. To use this functionality, create a Mac agent configuration and then deploy the agent to your Mac devices.
After the agents have been installed, your Macintosh devices become managed devices. Then you can create custom configurations to have greater control of these devices.
This section describes the agent configuration dialog for Macintosh devices. The dialog includes the following pages:
- Configuration name: Type a unique name for the agent configuration.
- Default configuration: Select this check box to make this the default Macintosh agent configuration.
- Agent components to install: Standard Ivanti agent is selected by default. You can also select Ivanti Antivirus. If this is selected, then the rules of including or excluding the agent files apply. If you don't select this option, then the antivirus component of the agent will not be deployed to the device, which keeps the agent configuration package smaller.
- Do not run client status menu: Select this check box if you don't want end users to see the status bar menu that lets them run installs and scans.
Use this page to configure agent security and management scope. For more information on agent security, see Agent security and trusted certificates. For more information on scope, see Role-based administration overview.
- Trusted certificates: Lists the certificates on the core server. The client must have a certificate that matches the certificate on the core server for agent communication to be authorized. These certificates are used to authenticate agent communication. You can enter a domain name or IP address for the client to use when communicating with the core server. The remote control agent for Macintosh doesn't use a certificate.
- Path: Defines the device's computer location inventory attribute. Scopes are used by role-based administration to control user access to devices, and can be based on this custom directory path. The path is optional.
Use this page to configure which hardware and software scan components the inventory scanner will gather data for. By default all components are enabled. Disabling components may increase scan speed and reduce inventory record sizes.
The other pages in the Inventory settings dialog box are the same as those used for Windows devices. Click Help on each page for more information.
Available hardware components include items such as:
- System info
- USB devices
Available software components include items such as:
- Data files
Use this page to configure the remote control agent.
- Local template: This is the most basic security, using whatever remote control settings are specified on the device. This model doesn't require any other authentication or group membership.
- Integrated security: This is the most secure option. Integrated security follows this communication flow:
  - The remote control viewer connects to the managed device's remote control agent, but the agent replies that integrated security authentication is required.
  - The viewer requests remote control rights from the core server.
  - The core server calculates remote control rights based on the viewer's scope, role-based administration rights, and Active Directory rights. The core server then creates a secure signed document and passes it back to the viewer.
  - The viewer sends this document to the remote control agent on the managed device, which verifies the signed document. If everything is correct, the agent allows remote control to begin.
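A conceptual model of the integrated security flow above, added here as an example; it is not Ivanti's code or document format. The `Grant` fields, the Ed25519 signature scheme, the expiry time, and the device and viewer names are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Grant is a hypothetical rights document; the product's real format is not given on this page.
type Grant struct {
	Viewer  string    `json:"viewer"`
	Device  string    `json:"device"`
	Rights  []string  `json:"rights"`
	Expires time.Time `json:"expires"`
}

// IssueGrant models the core server: serialize the calculated rights and sign them.
func IssueGrant(key ed25519.PrivateKey, g Grant) (doc, sig []byte) {
	doc, _ = json.Marshal(g)
	return doc, ed25519.Sign(key, doc)
}

// VerifyGrant models the agent: check the signature against the trusted core key
// before parsing, then confirm the grant names this device and is still current.
func VerifyGrant(trusted ed25519.PublicKey, device string, doc, sig []byte, now time.Time) (*Grant, error) {
	if !ed25519.Verify(trusted, doc, sig) {
		return nil, errors.New("signature does not match trusted core key")
	}
	var g Grant
	if err := json.Unmarshal(doc, &g); err != nil {
		return nil, err
	}
	if g.Device != device || !now.Before(g.Expires) {
		return nil, errors.New("grant is for another device or has expired")
	}
	return &g, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed core-server key pair
	now := time.Now()
	doc, sig := IssueGrant(priv, Grant{"helpdesk1", "mac-042", []string{"view"}, now.Add(time.Minute)})
	_, ok := VerifyGrant(pub, "mac-042", doc, sig, now)
	doc[12] ^= 1 // altering the document in transit invalidates the signature
	_, bad := VerifyGrant(pub, "mac-042", doc, sig, now)
	fmt.Println("valid grant error:", ok, "| tampered grant error:", bad)
}
```

The viewer only relays the document, so the agent's decision rests on the core server's signature and not on anything the viewer asserts about itself.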
Use this page to configure scheduling for patch and compliance scans.
- Scan and repair settings: Select the settings that you want to use for patch and compliance scans.
- Configure: View all available scan and repair settings. Edit or create new settings and select the settings that you want to use for patch and compliance scans.
Use this page to specify which antivirus settings are included with the agent.
- Ivanti Antivirus settings: Select the settings that you want to use for antivirus scans.
- Configure: View all available antivirus settings. Edit or create new settings and select the settings that you want to use for antivirus scans.
- Include Antivirus setup files: Antivirus setup files (around 250 MB) are included when the Macintosh agent is scheduled and downloaded to the Macintosh device. This option is only available when the Ivanti Antivirus setting is enabled from the Start tab.
- Exclude Antivirus setup files: With this option selected, the Antivirus setup files are still downloaded from the core server but aren't installed, even if you don't need or want the antivirus component of Ivanti® Endpoint Manager and Endpoint Security for Endpoint Manager.
Use this page if you have the Tenant management add-on for Endpoint Manager. You can assign an agent configuration to a tenant within your organization.
- Assign a tenant to this configuration: Select this check box if this Macintosh agent configuration is only used with a tenant in your organization.
- Choose a tenant: Select a tenant from the list of available tenants that have been defined in the Ivanti Management Console.
Use this page if you want to use an OSX profile with the Macintosh agent.
- Apply OSX profiles to this configuration: Select this check box to use an OSX profile with this Macintosh agent.
- Choose which OSX profiles to apply: Select the settings to use with this Macintosh agent.
- Configure: View all available OSX profile settings. Edit or create new settings and select the settings that you want to use for this Macintosh agent.
Deploying agents to Macintosh devices that use Secure Shell (SSH)
To place agents on Macintosh devices that have Secure Shell (SSH) turned on, you must specify the SSH login credentials for the unmanaged Mac devices by selecting Configure > Services > Scheduler > Change Login from the Windows console. You can then use the same push-based agent deployment you would use for Windows devices.
Deploying and installing agents on Macintosh devices that do not use Secure Shell (SSH)
To place agents on Macintosh devices that do not have Secure Shell (SSH) turned on, you will need to decide on an alternate deployment method, such as:
- Accessing the agent from LDLogon/Mac using a Web browser and e-mailing the configuration package to users.
- Putting the configuration package on a USB drive or other removable media and taking it to each Macintosh device.
Use the Agent configuration tool to create and update (replace) custom configurations for your Macintosh devices. You can create different configurations for your specific needs, such as changing inventory scanner settings, remote control permissions, or what network protocols the agents use.
In order to push a configuration to devices, you need to create or update an agent configuration and then schedule the task.
Set up specific configurations for your devices. Don't use parentheses in your Macintosh agent configuration names. Parentheses in the name will cause the deployment task to fail. Once you've deployed an agent configuration, you can use agent settings to update that configuration without having to redeploy the full configuration.
To create an agent configuration for Macintosh devices
- Click Tools > Configuration > Agent configuration.
- Select a configuration group (My configurations or Public configurations). On the toolbar, click the New agent configuration button > New Mac agent configuration.
- Complete the options in the Agent configuration dialog box. For more information, see Using the Macintosh agent configuration dialog.
- Click Save.
To schedule an agent configuration for Macintosh devices
- Click Tools > Configuration > Agent configuration.
- Right-click the agent configuration to be scheduled and select Schedule agent deployment.
- From the network view, drag devices, groups, or queries onto the task to target devices for the task.
- Select the task, click the Properties button on the toolbar, and schedule a time to start the task.
To update an agent configuration with a change settings task
- Follow the instructions here: Create change settings tasks.
You can manually run agent configurations for Macintosh devices once they have been created or updated. When you create an agent configuration, the following file is created in the LDLogon/Mac folder on your core server:
- <agent configuration name>.dmg
The LDLogon/Mac folder is a Web share and should be accessible from any browser. Follow the instructions for installing the agent (see Manually running agent configurations for Macintosh devices), but insert your agent configuration file name instead of the default file name.