Introduction
You can use Jamf Pro to install the Teramind Agent remotely. The process involves creating a package and then deploying it with a Jamf policy. You can also specify macOS permissions needed for the Agent with Jamf.
1. Download and Prepare the Installation File
You will need to download the Teramind Agent installation file and optionally configure any installation parameters. To download and prepare the installation file, follow these steps:
1. Click the User Menu (the username at the top-right corner) on the Teramind Dashboard.
2. Select Download Teramind Agent from the menu and follow the instructions on screen to download the Agent.
For more information on how to download the Agent, please see the How to download and install the Teramind Agent article.
3. Rename the downloaded .pkg file to include any necessary installation parameter(s). For example:
teramind-agent-stealth-20230412-1.237.4666-i(onsite)-r(10.55.55.58:235)-do(acme.com).pkg
For more information about the installation parameters, please see the Agent Installation/Configuration Parameters (Mac) section on the How to download and install the Teramind Agent article.
2. Create the Configuration Profiles
Jamf configuration profiles provide an easy way to remotely configure settings and OS permissions for devices, computers, and users.
Teramind Mac Agent needs three OS permissions (Accessibility, Network Extension, and Screen Recording) to work properly.
We will create a few configuration profiles to set the Accessibility, Network Extension and File Monitoring permissions.
Unfortunately, you cannot set the permission for Screen Recording using Jamf at the moment. If you want to record the screen, you will need to enable the permission locally on the Mac. For more information on macOS permissions, please see the How to configure macOS permission settings article.
2.1 Create the Accessibility Profile
1. In your Jamf Pro dashboard, click Computers at the top of the sidebar.
2. Click Configuration Profiles in the left sidebar.
3. Click the + New button. You will be taken to the New Profile screen:
4. From the top, select Options. You will see a list of payloads on the left.
5. Select the Privacy Preferences Policy Control payload to configure the accessibility settings.
6. Under App Access, use the following settings for the Visible/Revealed Agent:
Identifier = teramind.tmui
Identifier Type = Bundle ID
Code Requirement = identifier "teramind.tmui"
Use the following settings for the Hidden/Stealth Agent:
Identifier = com.teramind.tmagent
Identifier Type = Bundle ID
Code Requirement = identifier "com.teramind.tmagent"
7. Make sure the Accessibility option under the APP OR SERVICE is allowed access. If not, use the Edit button to change it.
8. Click the Save button to save the profile.
2.2 Create the Network Monitoring Profile
1. Create another profile (follow Steps 1-4 under the Create the Accessibility Profile section).
2. Select the System Extensions payload to configure the network settings.
3. Under the Allowed Team IDs and System Extensions, use the following settings:
Display Name = Provide any name, for example: tera
System Extension Types = Allowed System Extensions
Team Identifier = BMTZWHQN7F
4. In the ALLOWED SYSTEM EXTENSIONS field, enter com.teramind.networkextension. If needed, use the Edit button to add the extension.
5. Click the Save button to save the profile.
2.3 Create the File Monitoring Profile
1. Create another profile (follow Steps 1-4 under the Create the Accessibility Profile section).
2. Select the System Extensions payload to configure the file monitoring settings.
3. Under the Allowed Team IDs and System Extensions, use the following settings:
Display Name = Provide any name, for example: tera
System Extension Types = Allowed System Extensions
Team Identifier = BMTZWHQN7F
4. In the ALLOWED SYSTEM EXTENSIONS field, enter com.teramind.systemextension.endpointsecurity. If needed, use the Edit button to add the extension.
5. Click the Save button to save the profile.
6. Execute the following command on the Terminal:
sudo "/usr/local/teramind/agent/bin/System Monitoring.app/Contents/MacOS/System Monitoring" filemonitor_permissions;sleep 1;sudo killall "System Monitoring"
2.4 Create the Geolocation Monitoring Profile
1. Create another profile (follow Steps 1-4 under the Create the Accessibility Profile section).
2. Select the System Extensions payload to configure the geolocation monitoring settings.
3. Under the Allowed Team IDs and System Extensions, use the following settings:
Display Name = Provide any name, for example: tera
System Extension Types = Allowed System Extensions
Team Identifier = BMTZWHQN7F
4. In the ALLOWED SYSTEM EXTENSIONS field, enter com.teramind.systemextension.endpointsecurity. If needed, use the Edit button to add the extension.
5. Click the Save button to save the profile.
6. Execute the following command on the Terminal:
sudo "/usr/local/teramind/agent/bin/System Monitoring.app/Contents/MacOS/System Monitoring" geolocation_permissions;sleep 1;sudo killall "System Monitoring"
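To confirm on an endpoint that the System Extensions profiles from sections 2.2 to 2.4 took effect, the listing printed by systemextensionsctl list can be checked for the expected Team Identifier and bundle IDs. The script below is an added example, not part of the original article or Teramind's tooling; the function names, the sample rows and the assumed tab-separated output layout are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes `systemextensionsctl list` prints
# tab-separated rows: enabled, active, teamID, "bundleID (version)", name, [state].
TEAM_ID="BMTZWHQN7F"   # Team Identifier from the profiles above
EXPECTED_EXTS="com.teramind.networkextension com.teramind.systemextension.endpointsecurity"

# ext_state <bundle-id> <listing>: prints ok, wrong-team, inactive or missing.
ext_state() {
    printf '%s\n' "$2" | awk -F'\t' -v team="$TEAM_ID" -v want="$1" '
        {
            split($4, id, " ")                # "bundle.id (version)" -> bundle.id
            if (id[1] != want) next
            found = 1
            if ($3 != team) { bad = 1; next } # same bundle ID, different signer
            if ($0 ~ /\[activated enabled\]/) ok = 1
        }
        END {
            if (!found)   print "missing"
            else if (ok)  print "ok"
            else if (bad) print "wrong-team"
            else          print "inactive"
        }'
}

# check_extensions <listing>: returns 0 only if every expected extension is ok.
check_extensions() {
    rc=0
    for ext in $EXPECTED_EXTS; do
        st=$(ext_state "$ext" "$1")
        echo "$ext: $st"
        [ "$st" = "ok" ] || rc=1
    done
    return $rc
}

# Constructed sample: network extension active, endpoint security still pending.
sample_listing() {
    printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tBMTZWHQN7F\tcom.teramind.networkextension (1.0/1)\tnetwork\t[activated enabled]\n'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf '\t\tBMTZWHQN7F\tcom.teramind.systemextension.endpointsecurity (1.0/1)\tes\t[activated waiting for user]\n'
}

# On a managed Mac, check the live state; on other systems this is skipped.
if command -v systemextensionsctl >/dev/null 2>&1; then
    check_extensions "$(systemextensionsctl list)"
fi
```

A "wrong-team" result means an extension with the expected bundle ID is present but signed under a different Team Identifier than the one allowed in the profile, which warrants investigation before the device is treated as correctly provisioned.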
2.5 Apply the Mobile Config File to Grant Full Disk Access
For the Mac Agent to capture file events, the user should grant full disk access to the system extension.
You can download the attached mobileconfig file and apply it in the MDM system:
2.6 Apply the Mobile Config File to Apply Network Monitoring Configurations
To avoid the popup message that asks the user to allow the proxy configuration, the admin should apply the attached mobileconfig file in the MDM system:
2.7 Apply the Certificate via Mobile Config
To handle HTTPS traffic, the SSL certificate should be included in the macOS keychain. If you distribute the Mac Agent via Jamf, the best way to include the certificate is to use the mobileconfig file:
3. Create the Package
As the next step, you will need to create a package. Creating the package involves uploading the Teramind Agent installer file (.pkg) to Jamf, and configuring settings for the package. Follow the steps below to create the package:
1. In your Jamf Pro dashboard, click the Settings icon located at the top-right corner.
2. Click the Computer Management tab.
3. Select Packages from the list of items (you can search for it using the Search field above the tabs). This will show you a list of available packages. If no package is available, an empty list will be displayed:
4. Click the + New button. You will be taken to the New Package screen:
5. Click the Choose File button and upload the installation file you previously prepared in the Download and Prepare the Installation File section. Once the file is uploaded, it will show up next to the Choose File button and the Display Name field will be populated with the filename.
6. Optionally, you can use the Options tab to configure additional settings for the package, including deployment priority.
7. Optionally, you can use the Limitations tab and configure limitations for the package, including the operating system.
8. Click the Save button to save the package. You will see an Availability Pending message while the package is being prepared. It might take a moment for the package to become available.
4. Create a Policy and Add the Package
Jamf policies allow you to remotely perform common administrative tasks on the managed computers. For example, using a policy you can run scripts, manage accounts, and install software.
We will use a policy to install the package you created previously in the Create the Package section.
Follow the steps below to create a policy and add a package to it:
1. In your Jamf Pro dashboard, click Computers at the top of the left sidebar.
2. Click Policies in the left sidebar.
3. Click the + New button. You will be taken to the New Policy screen:
4. From the top, select Options. You will see a list of payloads on the left.
5. Select the General payload. This will allow you to configure basic settings for the policy.
6. Enter a Display Name for the policy. For example, teramind_stealth_install. Make sure the Enabled option is checked.
7. Under Trigger, enable the events that will trigger the activation of the policy. For this tutorial, we will enable the following events: Startup, Login, Network State Change, Enrollment Complete, and Recurring Check-in.
8. Select how often the policy will run from the Execution Frequency dropdown list. For our purpose, Once per computer is fine.
9. Enter the Target Drive on which the policy will run. The default / value means the boot drive, which should be fine for most cases.
10. Optionally, you can configure other settings like the server-side/client-side limitations if needed.
11. Once you are done configuring the General payload, click the Packages payload. You will be taken to the Configure Packages screen:
12. Click the Configure button. A list of available packages will be displayed:
13. From the list of packages, click the Add button next to the package you previously created in the Create the Package section. The package will be added to the policy and you will be taken to the package’s deployment settings:
14. Optionally, change the package’s Distribution Point. For this tutorial, we will use the default, Each computer’s default distribution point option.
15. Optionally, change the Action if needed. For this tutorial, we will use the default, Install action.
16. Click General from the list of payloads on the left. This will take you back to the General payload screen:
17. Change the Category to Installer.
18. Click the Scope tab on top. This will allow you to change the targets, limitations, and other settings for the deployment:
19. Click the Targets tab on top.
20. Select a suitable option for the Target Computers and Target Users as needed. You can deploy the policy to all computers/users or specific computers/users.
21. Click the + Add button. A list of users/computers will be displayed as per the targets:
22. Click the Add button next to a target computer/user to add it to the deployment list.
23. Click the Save button to save the policy. The Agent will be installed when the policy is triggered.
5. Run Scripts to Activate Network and File Monitoring
Note that the NetApp extension (that affects both the Network and File monitoring) is only supported on macOS 11 (Big Sur) and higher.
In order to activate the network and file monitoring, you will need to execute the following commands:
Revealed Agent:
sudo "/usr/local/teramind/agent/bin/Teramind Agent.app/Contents/MacOS/Teramind Agent" network_permissions;sleep 1;sudo killall "Teramind Agent"
sudo "/usr/local/teramind/agent/bin/Teramind Agent.app/Contents/MacOS/Teramind Agent" filemonitor_permissions;sleep 1;sudo killall "Teramind Agent"
Hidden Agent:
sudo "/usr/local/teramind/agent/bin/System Monitoring.app/Contents/MacOS/System Monitoring" network_permissions;sleep 1;sudo killall "System Monitoring"
sudo "/usr/local/teramind/agent/bin/System Monitoring.app/Contents/MacOS/System Monitoring" filemonitor_permissions;sleep 1;sudo killall "System Monitoring"
These commands should be distributed to the Mac devices as a script that runs after the Agent installation step, in order to activate network and file system monitoring.
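A post-install script along the lines described above, as an added example (not Teramind's or Jamf's own code): it checks the macOS 11 requirement, detects whether the Revealed or Hidden Agent is installed, and runs the two permission commands from this section. The function names are illustrative, and sudo is dropped because Jamf policy scripts already run as root.

```shell
#!/bin/sh
# Added example: activate network and file monitoring after the Agent install.
# Jamf runs policy scripts as root, so sudo is omitted here.
AGENT_BIN_DIR="/usr/local/teramind/agent/bin"   # path from the commands above

# agent_name <bin-dir>: prints "Teramind Agent" (Revealed) or
# "System Monitoring" (Hidden), whichever is installed; fails if neither is.
agent_name() {
    for name in "Teramind Agent" "System Monitoring"; do
        if [ -x "$1/$name.app/Contents/MacOS/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# macos_supported <version>: true for macOS 11 (Big Sur) and higher.
macos_supported() {
    major=${1%%.*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -ge 11 ]
}

# activate_monitoring <bin-dir> <macos-version>: returns 2 on an unsupported
# macOS version, 1 if no Agent is installed, 0 after running both commands.
activate_monitoring() {
    macos_supported "$2" || { echo "macOS $2 is below 11; skipping" >&2; return 2; }
    name=$(agent_name "$1") || { echo "No Teramind Agent found in $1" >&2; return 1; }
    for perm in network_permissions filemonitor_permissions; do
        "$1/$name.app/Contents/MacOS/$name" "$perm"
        sleep 1
        killall "$name" 2>/dev/null || true
    done
}

# Runs only where sw_vers exists (macOS); elsewhere the functions are just defined.
if command -v sw_vers >/dev/null 2>&1; then
    activate_monitoring "$AGENT_BIN_DIR" "$(sw_vers -productVersion)"
fi
```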