How to install the EPM macOS agent via MDM


This document provides guidance on how to install the EPM macOS agent via MDM, applying configuration profiles to authorize the agent’s components and configure communication with the Backend.

How to obtain the configuration profile file for EPM macOS

  • To download the token from the Segura® platform, go to EPM > Management > Settings > Parameters > EPM macOS > Get installation token.
    • This downloads a .plist file.
    • Locate the downloaded configuration .plist file.
    • Extract the value associated with the SeguraConfig key:
      /usr/libexec/PlistBuddy -c 'Print SeguraConfig:' "/path/to/token.plist"
Info

The token is the value of the SeguraConfig key inside the .plist file.

How to prepare profiles in MDM

  • In your MDM, go to Profiles/Settings to create or import the required payloads.
  • Go to Packages/Applications to add the agent’s .pkg file.
  • Define the deployment scope (static/dynamic groups) according to your device inventory.

How to configure MDM profiles (macOS authorizations)

  1. Authorize the EPM vendor’s system extension. Fill in the agent’s Team ID and Bundle IDs. On Macs with Apple Silicon, macOS may request a restart.
  2. Grant Full Disk Access to the agent’s binary/application and associated services (PPPC/TCC).
  3. Allow the agent’s background items to run (main service, updater).
  4. Set the backend URL, tenant/organization, keys, or enrollment token according to your environment. Use MDM variables if necessary (e.g., serial number).

Info

If your organization uses ZTNA/Proxy with TLS/SSL inspection, create a bypass for the EPM backend domains (port 443/TCP) before rollout. Inspection can break the agent’s handshake.
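The two steps above that are easy to get wrong are reading the SeguraConfig token out of the .plist and building the System Extensions payload with the right Team ID and Bundle IDs. The following is an added example, not code from Segura or from this page: it reads a constructed token .plist with the standard plistlib module (the same lookup the PlistBuddy command performs) and emits an Apple com.apple.system-extension-policy profile for MDM import. The Team ID, bundle ID and organization prefix are placeholders; take the real values from the vendor.

```python
import plistlib
import uuid

# Constructed stand-in for the token .plist downloaded from the Segura platform;
# the real file carries a tenant-specific value under the same key.
SAMPLE_TOKEN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>SeguraConfig</key>
    <string>EXAMPLE-TOKEN-VALUE</string>
</dict>
</plist>
"""


def extract_token(plist_bytes: bytes) -> str:
    """Return the SeguraConfig value (same lookup as the PlistBuddy command)."""
    token = plistlib.loads(plist_bytes).get("SeguraConfig")
    if not isinstance(token, str) or not token.strip():
        raise ValueError("SeguraConfig key missing or empty in token .plist")
    return token.strip()


def system_extension_profile(team_id: str, bundle_ids: list, org: str) -> dict:
    """Build a com.apple.system-extension-policy profile (team_id/bundle_ids are placeholders)."""
    policy = {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadIdentifier": f"{org}.epm.sysext.policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "AllowUserOverrides": False,  # only extensions listed here may load; no user approval
        "AllowedTeamIdentifiers": [team_id],
        "AllowedSystemExtensions": {team_id: list(bundle_ids)},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "EPM macOS agent - System Extensions",
        "PayloadIdentifier": f"{org}.epm.sysext",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [policy],
    }


def to_mobileconfig(profile: dict) -> bytes:
    # XML plist bytes; write them to a .mobileconfig file and import it into the MDM.
    return plistlib.dumps(profile)
```

Keeping AllowUserOverrides false means a user cannot approve an extension the profile does not list, so the allowlist in the MDM is the only path by which an ESF extension loads.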

Deploy the agent package (.pkg)

  1. Add the agent’s .pkg file to the MDM catalog.
  2. Order execution: apply profiles first, then the .pkg.
  3. Assign the deployment to device groups and publish the policy/task.
  4. Restart devices at the end when requested by macOS.

Review

  • Check the agent icon in the menu bar or processes in Activity Monitor.
  • In the EPM console, confirm that devices appear as Online and are receiving policies.
  • Trigger a check-in/synchronization (when available) and validate that events reach the backend.

Troubleshooting

  • Agent not syncing: confirm TLS/Proxy bypass, DNS, and port 443/TCP.
  • Extension blocked: verify that the System Extensions profile was applied and restart.
  • Missing events/policies: validate Full Disk Access (PPPC/TCC) and Background Items; check allowlist in Antivirus/EDR/XDR.
  • Conflicts with other ESF agents: adjust the allowlist and avoid overlapping hooks/monitors.