Introduction

This document outlines the procedure of installing the Managed Agent on macOS for AD Enterprise 7.3 - 8.0. 

 

Prerequisite

  • Remove Full Disk Access for any previous versions of the MacOS Agent.
  • Uninstall any previous versions of the MacOS Agent.
  • Make sure all host values in the following files are the same:

    NOTE: If using Enterprise 7.4, use the Qview config. If using 7.5, 7.6 or 8.0, use FTKPlus.exe.config instead.

    1. Files\AccessData\Forensic Tools\<version>\bin\Qview\JobMonitor.exe.config file
    2. C:\Program Files\AccessData\Forensic Tools\<version>\bin\FTKPlus\FTKPlus.exe.config
    3. Look in C:\Program Files\AccessData\Forensic Tools\<version>\bin\ADG.WebLabSelfHost.exe.config file

    • Make sure this section (https) is marked "true"

 

Procedure

Install the Agent:

  1. Copy the macOS Managed Agent installer PKG, found at "\Forensic_Tools\Agents\MAC\AccessDataAgent-macos-installer-x64-.pkg" on the Forensic Tools ISO/disc, to the Mac system.
  2. Once copied, check the file's hash value to confirm it matches the hash value of the file on the ISO image.
  3. Double-click the PKG file and follow the prompts to install the Managed Agent

 

Grant the Agent Full Disk Access:

  1. On the macOS machine, go to System Preferences > Security & Privacy
  2. Select the Privacy tab
  3. Select Full Disk Access on the left, click the lock icon in the lower-left corner, then enter administrator credentials when prompted
  4. Under the list of items with access, click the + button
  5. Select Applications on the left, then Utilities, select the Console app, and click Open
  6. Repeat steps 4 and 5, but select the Terminal app
  7. Leaving the Security & Privacy dialog open, click Go > Go to Folder and navigate to "~/Library/AccessDataAgent/[version]/"
  8. Select & drag both ADG.Agent.IndexingService and ADG.ManagedAgentSvc from the Finder window to the open application list in the Security & Privacy window
    Note: You must browse to these files via Finder, as the Security & Privacy dialog won't let you add them directly.
  9. Click Go > Go to Folder and navigate to "/bin/"
  10. Select & drag both sh and zsh from the Finder window to the open application list in the Security & Privacy window
    Note: You must browse to these files via Finder, as the Security & Privacy dialog won't let you add them directly.
  11. Confirm that the following items are listed and checked, then close the Security & Privacy dialog:
    Application                  Purpose
    ADG.Agent.IndexingService    Required for full disk indexing.
    ADG.ManagedAgentSvc          Required for full disk collections.
    sh                           Required for the agent to run with full disk access.
    zsh                          Required for Big Sur & Monterey.
    Console                      Required for indexing and full disk collections.
    Terminal                     Required for indexing and full disk collections.


Installing Rosetta (Required for M1/M2 Mac systems)

Rosetta must be installed on M1/M2 Mac systems. Rosetta is required for some binary translation, allowing full compatibility with Apple chipsets.


  1. On the macOS machine, open a Terminal window and run the following command to install Rosetta:
    softwareupdate --install-rosetta

 

Configure Agent Indexing:

  1. On the macOS machine, open a Terminal window and run the following command to stop the Agent:
    sudo launchctl unload /Library/LaunchDaemons/com.adg.managedagent.plist
  2. Open "/usr/local/share/AccessData/ManagedAgent/AgentData/agentsetting.json" in a text editor.
  3. Reference the Agent Settings Reference Table in the Installing the Mac Agent chapter of the Enterprise User Guide to make any desired changes to the Agent's indexing settings.
  4. Save and close the modified agentsettings.json.
  5. Open a Terminal window and run the following command to start the Agent:
    sudo launchctl load /Library/LaunchDaemons/com.adg.managedagent.plist
  6. Wait up to 24 hours for the index to build.

 

Check if the Agent is online and accessible:

From the Enterprise machine, go to https://<target>:3999/api/hostname in a browser.  If the page returns a JSON string with the Agent's hostname, you should be good to go.  If you aren't able to access that page, there may be a firewall blocking communication between the Agent and Examiner.

 

Add the Target to the Agent List:

  1. On the main screen in Enterprise, go to Tools > Preferences.
  2. Click Agent List.
  3. In the bottom-right, click Add... 
  4. Do the following, then click OK:
      1. Enter a Friendly Name.
      2. Enter a Description (optional).
      3. Under Node/Range, select IP and enter the target's IP address.
      4. Check the is Mac box.

 


ADDITIONAL NOTES
  • Mac Agent 1.0.265 is code signed by Apple and can be found here. Released with 7.6 SP3 and 8.0. 
  • Previous version of Mac Agent 1.0.258 can be found here.
  • Custom Public/Private certificates can be used. More information can be found here.
  • The macOS Agent with Forensic Tools 7.3.0 listens on port 4999 by default. The macOS Agent with Forensic Tools 7.4 - 8.0 listens on port 3999 by default. Follow this article if you want to change the port that's used.
  • Without granting full disk access to the necessary apps on the target, Enterprise may not be able to list and/or collect all desired items.
  • Refer to chapter 48 "Installing the Mac Agent" on page 653 in the Enterprise User Guide for additional notes on optional Agent configurations that can be applied after installation.
  • If a target isn't added to the Agent List, it will not be available for selection during a collection job.