How to protect your Agent installation from tampering (Mac)

Written by Arick Disilva

Introduction

Both Stealth and Revealed Mac Agents support Protected Agent mode - a tamper-resistant installation option that prevents unauthorized users from removing or modifying the Agent on monitored endpoints.

Installing the Agent in protected mode has the following advantages:

  • Tamper Protection: When enabled, the Agent is shielded from unauthorized removal, file deletion, or modification by local users, even those with administrator privileges.

  • Supports both Stealth and Revealed Agents: Protection works identically regardless of Agent type.

  • Zero-Configuration Operation: Protection arms automatically once the installer runs. No post-install setup, no policy files or complex configurations required. Disarming and re-arming are handled entirely through authorized uninstall flows.

  • Kernel-Level Enforcement: Protection is enforced by the Endpoint Security framework, ensuring it remains active even if other Agent components are interrupted.

  • Owner-Based Access Control: Only the user who originally installed the Agent can perform updates or uninstalls without a password. All other local users must provide a valid password to uninstall.

  • Seamless Maintenance: Server-driven updates and auto-updates continue to work without interruption.

  • MDM-Ready: Fully compatible with MDM solutions. Deploy the protected installer package silently with no console user required - protection arms automatically and management is restricted to server-driven flows.

How to Protect the Agent

1. Download the Agent from the dashboard.

2. Rename the file so that its name includes the doprotection(1) parameter. For example:

tmagent-i(__8393b2bf7cca79d089e51d56ef558f75a5ca2073)-doprotection(1).pkg

3. Run the following command in the Terminal. Quote the package name, because the shell treats the parentheses in it as special characters:

sudo installer -pkg "<path><teramind_agent>-doprotection(1).pkg" -target /

For example:

sudo installer -pkg ~/Downloads/"tmagent-i(__8393b2bf7cca79d089e51d56ef558f75a5ca2073)-doprotection(1).pkg" -target /

How to Verify Protection

1. Check if the protection marker file exists by running the following command in the Terminal:

ls /usr/local/teramind/agent/etc/protected

2. Stream the system log live to confirm protection as soon as it's armed:

log stream --predicate 'subsystem == "com.teramind.filemonitoring"' --level info

You should see a log entry containing "Self-protection enabled" within ~10 seconds of the marker being created.

To check past log entries without streaming the log live, use the following command:

log show --predicate 'subsystem == "com.teramind.filemonitoring"' --info | grep -i "protection"
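
The two checks above folded into one pass/fail script, as an added example (not Teramind's own tooling). It uses the marker path, subsystem and log text given in this article; the script name, the four state labels and the one-day search window are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Marker path, subsystem and log text come from the article.
MARKER="/usr/local/teramind/agent/etc/protected"
SUBSYSTEM="com.teramind.filemonitoring"
ARMED_TEXT="Self-protection enabled"

# evaluate_protection MARKER_PATH LOG_TEXT
# Prints one state and returns 0 only when the marker file and the log entry agree.
# The four state names are this example's own labels (assumption).
evaluate_protection() {
    marker_path=$1
    log_text=$2
    has_marker=no
    has_log=no
    if [ -e "$marker_path" ]; then has_marker=yes; fi
    if printf '%s\n' "$log_text" | grep -qiF "$ARMED_TEXT"; then has_log=yes; fi
    case "$has_marker/$has_log" in
        yes/yes) echo "PROTECTED";   return 0 ;;
        yes/no)  echo "MARKER_ONLY"; return 1 ;;  # no arming entry in the searched window
        no/yes)  echo "LOG_ONLY";    return 2 ;;  # arming was logged, marker is absent now
        *)       echo "UNPROTECTED"; return 3 ;;
    esac
}

# Constructed sample line for trying the function off-device:
#   evaluate_protection /tmp/protected "2025-01-01 10:00:00 agent: Self-protection enabled"

# Real check on a Mac (hypothetical script name):
#   ./check_protection.sh --check [window, default 1d]
if [ "${1:-}" = "--check" ]; then
    recent=$(log show --last "${2:-1d}" --info \
        --predicate "subsystem == \"$SUBSYSTEM\"" 2>/dev/null)
    evaluate_protection "$MARKER" "$recent"
    exit $?
fi
```

The non-zero exit codes let an inventory or compliance job flag endpoints where only one of the two signals is present.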

Check out this article to learn how to uninstall a Protected Agent.