How to install the EPM macOS agent in batch (without MDM)


This document provides guidance on how to perform a batch installation of the EPM macOS Client, without MDM, using local commands that can be orchestrated by your preferred tool.

Before you begin

  1. Obtain the artifacts from the IT team:
    1. agent installer (pkg),
    2. configuration script (configuration.tool),
    3. configuration file (.plist) containing the token.
  2. Distribute the .pkg and the script to the target devices (via network share, automation tool, etc.).

Prerequisites

  • macOS 14 or later.
  • Segura 4.0 or later.
  • Local administrator privileges are required for installation and configuration.
  • No critical conflict with other EPM/EDR/AV products based on the Endpoint Security Framework (ESF); create an allowlist.
  • Recommended hardware minimums: 4-core CPU, 8 GB RAM.
  • HTTPS connectivity (443/TCP) to the EPM backend.

How to install the application (agent)

  1. Ensure the .pkg file is present on the machine.
  2. Run the silent installation targeting the system volume:
    sudo installer -pkg "/path/to/senhasegura.pkg" -target /

How to obtain the configuration token

  1. Download the token from the Segura® Platform: go to EPM > Management > Settings > Parameters > EPM macOS > Get Configuration File.
  2. This downloads a .plist file.
  3. Locate the configuration .plist file.
  4. Extract the value associated with the SeguraConfig key:
    /usr/libexec/PlistBuddy -c 'Print SeguraConfig:' \
    "/caminho/para/token.plist"
    Info: The token is the value of the SeguraConfig key in the .plist file.

  5. Copy the returned value (the server configuration token).

How to apply the agent configuration

  1. Run the configuration script with the token:
    sudo bash "/path/to/configuration.tool" --config token
  2. Wait for confirmation and restart macOS if prompted.
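
The install, token extraction and configuration steps above, combined into one wrapper that an orchestration tool can run on each device. This is an added example, not Segura's own script; the function names, the argument order and the PLISTBUDDY and RUN_AS_ROOT overrides are assumptions. It reads the token before installing so that a bad .plist stops the run early, and it never prints the token.

```shell
#!/bin/bash
# Added example (not vendor code): batch wrapper for the steps on this page.
# Usage (assumed argument order): ./epm-batch.sh <agent.pkg> <configuration.tool> <token.plist>

# Overridable for testing; both variable names are assumptions of this example.
PLISTBUDDY="${PLISTBUDDY:-/usr/libexec/PlistBuddy}"
RUN_AS_ROOT="${RUN_AS_ROOT-sudo}"   # export RUN_AS_ROOT="" when already running as root

# Fail before touching the system if any artifact is missing or unreadable.
check_artifacts() {
  local f
  for f in "$@"; do
    [ -r "$f" ] || { echo "missing artifact: $f" >&2; return 1; }
  done
}

# Print the SeguraConfig value; a missing key or an empty value is an error.
read_token() {
  local token
  token="$("$PLISTBUDDY" -c 'Print SeguraConfig:' "$1" 2>/dev/null)" || return 1
  [ -n "$token" ] || return 1
  printf '%s' "$token"
}

# Return codes: 2 artifact missing, 3 no token, 4 install failed, 5 configuration failed.
install_and_configure() {
  local pkg="$1" tool="$2" plist="$3" token
  check_artifacts "$pkg" "$tool" "$plist" || return 2
  token="$(read_token "$plist")" || { echo "no SeguraConfig token in $plist" >&2; return 3; }
  $RUN_AS_ROOT installer -pkg "$pkg" -target / || return 4
  # The token goes only to the configuration script; it is never echoed or logged here.
  $RUN_AS_ROOT bash "$tool" --config "$token" || return 5
}

# Run only when called with the three artifact paths.
if [ "$#" -eq 3 ]; then
  install_and_configure "$@"
fi
```

The distinct return codes let the orchestrator tell a distribution problem (2, 3) from an install or configuration failure (4, 5) when collecting results across devices.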

Review

  • Check the agent icon (menu bar) or processes in Activity Monitor.
  • In the EPM console, confirm the device is Online and receiving policies.
  • If necessary, manually grant in System Settings:
    • Privacy & Security > Allow (System Extensions),
    • General > Login Items (Background Items),
    • Privacy & Security > Full Disk Access.

Important notes

  • For fully silent execution, the user must have passwordless sudo (NOPASSWD) or the commands must run as root.
  • The .pkg installer must be present on the device before installation; it is not possible to install remotely without making the file available.
  • In environments with ZTNA/Proxy and TLS inspection, configure a bypass for the EPM backend domains.