Installing the macOS Sensor

The macOS Endpoint Sensor can be deployed to your endpoint devices using any MDM. We provide a few examples:

  • Manual Installation
  • Jamf
  • MobileIron
  • AirWatch/VMware Workspace ONE
  • Kandji
  • Intune
  • JumpCloud
  • Mosyle
  • ManageEngine

You can also manually install the Sensor on an individual device, but that is not recommended and is not supported for production use.

As part of your MDM configuration, you can also set up the Sensor as a Login item to prevent users from disabling Cyberhaven on their device. See Manage macOS Sensor as a Login Item using MDM.

Prerequisites

macOS Sensors are designed to run on macOS endpoint devices to monitor data movements in your environment and prevent data leaks.

Operating System and Hardware Requirements

  • Intel and Apple silicon chips
  • Minimum 4 GB of RAM
  • Minimum 300 MB GPU RAM
  • Minimum 5 GB of free disk space

Supported macOS Releases

The endpoint must run one of the following supported macOS versions:

  • macOS 13 (Ventura)
  • macOS 14 (Sonoma)
  • macOS 15 (Sequoia)

Dependencies

Custom MDM Profile for macOS

Cyberhaven provides a custom MDM configuration profile for macOS. Use the cyberhaven.mobileconfig profile to set up the Cyberhaven Sensor. You can download this profile from the Endpoint Sensors page of the Cyberhaven Console.

The cyberhaven.mobileconfig profile uses an install token to authenticate the Sensor with the backend.

Warning: Install tokens expire every six months. As a best practice, we recommend updating your MDM profile with a new install token every four months. This proactive measure helps ensure continuous service and prevents disruptions when upgrading existing sensors or installing the Sensor on new macOS machines.

Optional Profiles

Cyberhaven also provides optional configuration profiles with additional capabilities.

Read more: Compatibility Reference for MDM Profiles and Versions

Network

The endpoint must be able to resolve the backend URL and connect to the Cyberhaven service over TCP port 443.
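A preflight check for the operating system, hardware, and network requirements above, as an added example that is not part of Cyberhaven's documentation or tooling. The function names are hypothetical, the backend hostname is a placeholder you pass as the first argument, and the GPU RAM requirement is not checked.

```shell
#!/bin/bash
# Preflight check for the prerequisites listed on this page (added example).
# Usage: ./preflight.sh <backend-hostname>   (hostname is tenant-specific)

# Supported releases per this page: macOS 13, 14 and 15.
os_supported() {          # $1 = product version, e.g. "14.5"
  case "${1%%.*}" in 13|14|15) return 0 ;; *) return 1 ;; esac
}

ram_ok() {                # $1 = physical memory in bytes; page requires >= 4 GB
  [ "$1" -ge $((4 * 1024 * 1024 * 1024)) ]
}

disk_ok() {               # $1 = free space in 1K blocks; page requires >= 5 GB
  [ "$1" -ge $((5 * 1024 * 1024)) ]
}

backend_reachable() {     # $1 = backend hostname; DNS first, then TCP 443
  # dscacheutil uses the system resolver, so it honours the Mac's DNS settings.
  dscacheutil -q host -a name "$1" | grep -q 'address:' \
    || { echo "FAIL: cannot resolve $1"; return 1; }
  nc -z -w 5 "$1" 443 >/dev/null 2>&1 \
    || { echo "FAIL: cannot connect to $1 on TCP 443"; return 1; }
}

preflight() {             # $1 = backend hostname; returns the number of failures
  fails=0
  os_supported "$(sw_vers -productVersion)" \
    || { echo "FAIL: unsupported macOS release"; fails=$((fails + 1)); }
  ram_ok "$(sysctl -n hw.memsize)" \
    || { echo "FAIL: less than 4 GB of RAM"; fails=$((fails + 1)); }
  disk_ok "$(df -Pk / | awk 'NR==2 {print $4}')" \
    || { echo "FAIL: less than 5 GB of free disk space"; fails=$((fails + 1)); }
  backend_reachable "$1" || fails=$((fails + 1))
  [ "$fails" -eq 0 ] && echo "OK: all checked prerequisites met"
  return "$fails"
}

# Run the checks only when a backend hostname is supplied on the command line.
if [ $# -gt 0 ]; then preflight "$1"; fi
```

The script's exit status is the number of failed checks, so an MDM script policy can treat any non-zero result as "not ready for the Sensor".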

Security exclusions

Make sure to exclude all macOS Sensor-related files, folders, and processes from being scanned, monitored, or blocked by any security applications or tools. For the full list of Sensor processes and paths, see macOS Sensor Processes and Paths.

Known Issue

VPN Configuration Prompt

Some MDM solutions may prompt for a VPN hostname when uploading the Cyberhaven MDM profile (version 2.0.8 or later), due to the inclusion of inline proxy support for Microsoft Teams traffic inspection. If prompted, enter 127.0.0.1 as the VPN hostname to proceed with the upload.

Tokens Request and Refresh

On the first startup following a fresh installation or upgrade of the macOS Sensor, the MDM profile must contain a valid installation token. This token is required for the Sensor to connect with the backend.

IMPORTANT: Install tokens expire every six months. As a best practice, we recommend updating your MDM profile with a new install token every four months. This proactive measure helps ensure continuous service and prevents disruptions when upgrading existing sensors or installing the Sensor on new macOS machines.

The Sensor reads the install token from the MDM Profile. It uses the token to obtain an AccessToken via the authorize API. This AccessToken is then persisted to the Keychain-backed SecureStore.

The Sensor then refreshes the AccessToken on a regular interval (1 day by default, the same as Windows) using the new refresh-token API.