Installing the macOS Sensor

The macOS Endpoint Sensor can be deployed to your endpoint devices using any MDM. We provide a few examples:

• Manual Installation
• Jamf
• MobileIron
• AirWatch/VMware Workspace ONE
• Kandji
• Intune
• JumpCloud
• Manage Engine

You can also manually install the Sensor on an individual device, but that is not recommended and is not supported for production use.

As part of your MDM configuration, you can also set up the Sensor as a Login item to prevent users from disabling Cyberhaven on their device. See, Manage macOS Sensor as a Login Item using MDM.

Prerequisites

To understand the prerequisites for installation of the sensor on macOS review macOS Prerequisites

Known Issue

VPN Configuration Prompt

Some MDM solutions may prompt for a VPN hostname when uploading the Cyberhaven MDM profile (version 2.0.8 or later), due to the inclusion of inline proxy support for Microsoft Teams traffic inspection. If prompted, enter 127.0.0.1 as the VPN hostname to proceed with the upload.

Tokens Request and Refresh

On the first startup following a fresh installation or upgrade of the macOS Sensor, the MDM profile must contain a valid installation token. This token is required for the Sensor to connect with the backend.

IMPORTANT

Install tokens expire every six months. As a best practice, we recommend updating your MDM profile with a new install token every four months. This proactive measure helps ensure continuous service and prevents disruptions when upgrading existing sensors or installing the Sensor on new macOS machines.

The Sensor reads the install token from the MDM Profile. It uses the token to obtain an AccessToken via the authorize API. This AccessToken is then persisted to the Keychain-backed SecureStore.

The Sensor then refreshes the AccessToken on a regular interval (1 day by default, the same as Windows) using the new refresh-token API.