Introduction
Both Stealth and Revealed Mac Agents support Protected Agent mode - a tamper-resistant installation option that prevents unauthorized users from removing or modifying the Agent on monitored endpoints.
Installing the Agent in protected mode has the following advantages:
Tamper Protection: When enabled, the Agent is shielded from unauthorized removal, file deletion, or modification by local users, even those with administrator privileges.
Supports both Stealth and Revealed Agents: Protection works identically regardless of Agent type.
Zero-Configuration Operation: Protection arms automatically once the installer runs. No post-install setup, no policy files or complex configurations required. Disarming and re-arming are handled entirely through authorized uninstall flows.
Kernel-Level Enforcement: Protection is enforced by the Endpoint Security framework, ensuring it remains active even if other Agent components are interrupted.
Owner-Based Access Control: Only the user who originally installed the Agent can perform updates or uninstalls without a password. All other local users must provide a valid password to uninstall.
Seamless Maintenance: Server-driven updates and auto-updates continue to work without interruption.
MDM-Ready: Fully compatible with MDM solutions. Deploy the protected installer package silently with no console user required - protection arms automatically and management is restricted to server-driven flows.
How to Protect the Agent
1. Download the Agent from the dashboard.
2. Rename the file so that its name includes the doprotection(1) parameter. For example:
tmagent-i(__8393b2bf7cca79d089e51d56ef558f75a5ca2073)-doprotection(1).pkg
3. Run the following command in the Terminal. Quote the package name, because the shell treats unquoted parentheses as special characters:
sudo installer -pkg "<path><teramind_agent>-doprotection(1).pkg" -target /
For example:
sudo installer -pkg ~/Downloads/"tmagent-i(__8393b2bf7cca79d089e51d56ef558f75a5ca2073)-doprotection(1).pkg" -target /
How to Verify Protection
1. Check if the protection marker file exists by running the following command in the Terminal:
ls /usr/local/teramind/agent/etc/protected
2. Stream the system log live to confirm protection as soon as it's armed:
log stream --predicate 'subsystem == "com.teramind.filemonitoring"' --level info
You should see a log entry containing "Self-protection enabled" within ~10 seconds of the marker being created.
To check past logs without streaming them live, you can use the following command (log show takes --info rather than --level):
log show --predicate 'subsystem == "com.teramind.filemonitoring"' --info | grep -i "protection"
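The two verification steps above can be combined into one status check for fleet or MDM compliance reporting. This is an added example, not Teramind's own tooling; the function names, the status labels and the LOG_WINDOW variable with its one-hour default are assumptions of the example.

```shell
#!/bin/sh
# Added example (not vendor code): report Protected Agent status using the
# two checks from this page, the marker file and the log entry.
MARKER_DEFAULT="/usr/local/teramind/agent/etc/protected"
PREDICATE='subsystem == "com.teramind.filemonitoring"'
LOG_WINDOW="${LOG_WINDOW:-1h}"   # assumption: how far back to search the log

# Succeeds if stdin contains the "Self-protection enabled" entry and prints
# the most recent matching line so it can be attached to a report.
armed_in_log() {
    match=$(grep -i "Self-protection enabled" | tail -n 1)
    [ -n "$match" ] && printf '%s\n' "$match"
}

# Prints one of: protected | marker-only | log-only | unprotected.
# Returns 0 only for "protected".
#   $1  marker path (defaults to the path given on this page)
#   $2  file holding saved log output; if omitted, the unified log is queried
protection_status() {
    marker=${1:-$MARKER_DEFAULT}
    logfile=${2:-}
    have_marker=no
    have_log=no
    [ -e "$marker" ] && have_marker=yes
    if [ -n "$logfile" ]; then
        armed_in_log < "$logfile" >/dev/null && have_log=yes
    elif [ -x /usr/bin/log ]; then
        # Full path avoids shells where "log" is a builtin (for example zsh).
        /usr/bin/log show --last "$LOG_WINDOW" --info \
            --predicate "$PREDICATE" 2>/dev/null \
            | armed_in_log >/dev/null && have_log=yes
    fi
    case "$have_marker/$have_log" in
        yes/yes) echo protected ;;
        yes/no)  echo marker-only; return 1 ;;
        no/yes)  echo log-only; return 1 ;;
        *)       echo unprotected; return 1 ;;
    esac
}

# Stand-alone use: sh check_protection.sh --check
if [ "${1:-}" = "--check" ]; then
    protection_status
    exit $?
fi
```

A marker-only result on a host installed longer ago than LOG_WINDOW can simply mean the log entry is older than the queried window; widen the window before treating it as a failure.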
Check out this article to learn how to uninstall a Protected Agent.
