MacOS
Probe Install
All versions of Intel and ARM are supported.
curl -sL https://api.preludesecurity.com/download/install/detect.pkg -o detect.pkg
echo "REGISTRATION_STRING='<account>/<token>'" > /tmp/prelude_installer.env
sudo installer -pkg detect.pkg -target /
To uninstall the probe and kill the running process, use the uninstall script.
sudo bash /Library/PreludeSecurity/uninstall
Probe service control
How to check the status and control the probe service.
Check if Prelude Probe service is running
sudo launchctl list | grep com.preludesecurity.detect
Stop Prelude Probe service
sudo launchctl disable system/com.preludesecurity.detect
Start Prelude Probe service
sudo launchctl enable system/com.preludesecurity.detect
Restart Prelude Probe service
sudo launchctl kickstart -k system/com.preludesecurity.detect
Logging
Probe Actions
All output of the probe is written to the following log file.
/var/log/prelude/probe.log
Probe Startup
If you need to debug probe startup, you can search the macOS unified log with the following command.
log show --predicate 'subsystem == "system/com.preludesecurity.detect"' --info --debug --style syslog
Probes that will not start due to a configuration issue will output logs like the following.
2024-12-30 16:23:55.301882-0500 localhost launchd[1]: [system/com.preludesecurity.detect:] Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
2024-12-30 16:23:55.301925-0500 localhost launchd[1]: [system/com.preludesecurity.detect:] internal event: WILL_SPAWN, code = 0
2024-12-30 16:23:55.301928-0500 localhost launchd[1]: [system/com.preludesecurity.detect:] service state: spawn scheduled
2024-12-30 16:23:55.301930-0500 localhost launchd[1]: [system/com.preludesecurity.detect:] service throttled by 10 seconds
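The launchd pattern above can be checked automatically. The following is an added example, not Prelude's own code: it counts "Service only ran for N seconds" events for the probe's launchd label and reports whether the probe is stuck in a respawn loop. The function names, the thresholds and the sample lines (constructed, modeled on the output above) are assumptions.

```bash
#!/bin/bash
# Added example (not Prelude's code): flag a probe that launchd keeps respawning.
LABEL="system/com.preludesecurity.detect"   # launchd label from this page

# Constructed sample in the `--style syslog` layout shown above.
sample_log() {
  cat <<'EOF'
2024-12-30 16:23:45.291101-0500 localhost launchd[1]: [system/com.preludesecurity.detect:] Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
2024-12-30 16:23:45.291140-0500 localhost launchd[1]: [system/com.preludesecurity.detect:] service throttled by 10 seconds
2024-12-30 16:23:55.301882-0500 localhost launchd[1]: [system/com.preludesecurity.detect:] Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
2024-12-30 16:24:05.312004-0500 localhost launchd[1]: [system/com.example.other:] Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
2024-12-30 16:30:12.100233-0500 localhost launchd[1]: [system/com.preludesecurity.detect:] Service only ran for 8 seconds. Pushing respawn out by 2 seconds.
EOF
}

# Print how many times the probe exited within $1 seconds of spawning (default 5).
# Reads log lines on stdin; lines for other launchd labels are ignored.
count_short_runs() {
  awk -v label="[$LABEL:]" -v max="${1:-5}" '
    index($0, label) && match($0, /Service only ran for [0-9]+ seconds/) {
      split(substr($0, RSTART, RLENGTH), w, " ")   # w[5] is the run time
      if (w[5] + 0 <= max) n++
    }
    END { print n + 0 }'
}

# Print "crash-loop" when short runs reach $1 (default 2),
# "unstable" when there are fewer, and "ok" when there are none.
probe_startup_status() {
  local n
  n=$(count_short_runs)
  if [ "$n" -ge "${1:-2}" ]; then
    echo "crash-loop"
  elif [ "$n" -gt 0 ]; then
    echo "unstable"
  else
    echo "ok"
  fi
}

# On a Mac, pipe the `log show ... --style syslog` command above into the
# function instead of the constructed sample.
sample_log | probe_startup_status
```

A "crash-loop" result on an endpoint means the probe is installed but not running, so that host should be treated as unmonitored until the configuration issue is fixed.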
Jamf Deployment
This process will walk you through creating a bash script that will download, install and register the MacOS Detect probe (.pkg) via JAMF. The bash script below can be used with any other MacOS MDM tool that can run bash scripts. The Detect Probe handles updates automatically so no additional logic is required to keep your probes up to date.
- Log in to your JAMF Pro web console
- Navigate to "Settings" gear icon, top right side
- Navigate to "Computer Management"
- Select Scripts and + new Script option
- Fill out display name like "detect_install" then move to "Script" tab
- Ensure Mode is "Shell/Bash" and paste the following Bash script into the script window, replacing '<account>/<token>' with the installation token string from your Detect Environment
- Example:
echo "REGISTRATION_STRING='mt04bs6rvobsi3cy2iio4bl9ysznkc6l/3ptupok7-6wni-lltx-l7sx-yku0k896rgrq'" > /tmp/prelude_installer.env
- Example:
#!/bin/bash
# Set the name of the package
package_name="detect.pkg"
# Check if the probe service is already loaded (0 = found, non-zero = not found)
package_installed=$(launchctl list | grep com.preludesecurity.detect &> /dev/null; echo $?)
if [ "$package_installed" -eq 0 ]; then
    echo "Package $package_name is already installed."
else
    echo "Package $package_name is not installed. Installing..."
    # Download the installer package
    curl -sL https://api.preludesecurity.com/download/install/detect.pkg -o "/tmp/$package_name"
    # Write the registration string that the installer reads
    echo "REGISTRATION_STRING='<account>/<token>'" > /tmp/prelude_installer.env
    # Install the package and capture the installer's exit code
    installer -pkg "/tmp/$package_name" -target /
    install_result=$?
    if [ "$install_result" -eq 0 ]; then
        echo "Package $package_name installed successfully."
    else
        echo "Failed to install package $package_name."
        exit 1
    fi
fi
exit 0
- Click Save
- Now we will create a policy that will run the script on our defined endpoints, navigate to the "Policies" section and " + New"
- Under Options select "Scripts" and "Configure"
- Select the Script created above ("detect_install" in our example) and click "add"
- Fill out name for policy, for example: "Detect Probe Install Check"
- Select Trigger and execution frequency (for example, once every week at computer startup)
- Next define Scope
- Fill out any other settings that may be applicable to your environment and save
Note: To troubleshoot or confirm the script executed successfully:
- Navigate to any machine in the targeted scope
- Select History, and Policy Logs
- If the script executed you will see it listed here and can see the result by clicking "details"