macOS Agent
The SentriKat macOS agent collects installed applications from macOS endpoints and reports them to your SentriKat instance for vulnerability matching.
New in v1.0.2
macOS agent support was added in SentriKat v1.0.2.
Requirements
- macOS 12 (Monterey) or later
- Python 3.9+ (included with macOS) or standalone binary
- Network access to your SentriKat instance (HTTPS)
- Agent API key (created in Integrations > Agent Keys)
Installation
Download
Download the macOS agent from your SentriKat instance:
Install as LaunchDaemon
# Install the agent (creates LaunchDaemon for scheduled execution)
sudo ./sentrikat-agent --install \
--server https://sentrikat.example.com \
--api-key YOUR_API_KEY
This creates a LaunchDaemon at /Library/LaunchDaemons/com.sentrikat.agent.plist that runs the agent on a configurable schedule.
Manual Run
What Gets Collected
The macOS agent collects:
| Source | Data Collected |
|---|---|
| /Applications | Application name, version, bundle ID |
| Homebrew | Package name, version |
| System frameworks | macOS version, build number |
| Docker (if installed) | Container images (same as Linux/Windows) |
The agent does not collect user data, browsing history, file contents, or credentials.
Configuration
The agent configuration file is located at /etc/sentrikat/agent.conf:
[server]
url = https://sentrikat.example.com
api_key = YOUR_API_KEY
[agent]
# Scan interval in hours (default: 24)
interval = 24
# Include Homebrew packages (default: true)
include_homebrew = true
# Include system frameworks (default: false)
include_system_frameworks = false
# Scan Docker images if Docker is installed (default: true)
scan_containers = true
[logging]
level = INFO
file = /var/log/sentrikat-agent.log
Inventory Sources
Applications
The agent scans /Applications and ~/Applications for .app bundles, extracting:
- Name from CFBundleName in Info.plist
- Version from CFBundleShortVersionString
- Bundle ID from CFBundleIdentifier
Homebrew
If Homebrew is installed, the agent runs brew list --versions to collect installed packages and their versions.
Container Images
If Docker Desktop is installed and running, the agent scans container images using Trivy, the same engine used by Windows and Linux agents.
Management
View Agent Status
# Check if the LaunchDaemon is running
sudo launchctl list | grep sentrikat
# View recent logs
tail -f /var/log/sentrikat-agent.log
Update Agent
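# Download the latest version
# (--fail makes curl exit non-zero on an HTTP error instead of saving the error page as the binary)
curl --fail -o /tmp/sentrikat-agent https://sentrikat.example.com/agents/macos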
chmod +x /tmp/sentrikat-agent
# Replace and restart
sudo cp /tmp/sentrikat-agent /usr/local/bin/sentrikat-agent
sudo launchctl stop com.sentrikat.agent
sudo launchctl start com.sentrikat.agent
Uninstall
sudo launchctl unload /Library/LaunchDaemons/com.sentrikat.agent.plist
sudo rm /Library/LaunchDaemons/com.sentrikat.agent.plist
sudo rm /usr/local/bin/sentrikat-agent
sudo rm -rf /etc/sentrikat
MDM Deployment
For enterprise deployment via Jamf, Kandji, Mosyle, or other MDM solutions:
- Package the agent binary and configuration into a .pkg
- Include the LaunchDaemon plist
- Deploy via your MDM policy
The agent supports silent installation with no user interaction required.
Troubleshooting
Agent Not Reporting
- Check the LaunchDaemon status: sudo launchctl list | grep sentrikat
- Verify network connectivity: curl -I https://sentrikat.example.com/api/health
- Check that the API key is valid in Integrations > Agent Keys
- Review logs: cat /var/log/sentrikat-agent.log
Permission Issues
macOS may require granting Full Disk Access to the agent for scanning /Applications:
- Go to System Settings > Privacy & Security > Full Disk Access
- Add /usr/local/bin/sentrikat-agent
Homebrew Not Detected
The agent looks for Homebrew at /opt/homebrew/bin/brew (Apple Silicon) and /usr/local/bin/brew (Intel). If installed elsewhere, set HOMEBREW_PREFIX in the agent configuration.
Sprint 4+5 additions
Delta scans with SHA-256 fingerprinting
macOS agents now perform delta scans: on each scheduled run, the agent computes a SHA-256 hash of the full inventory (Applications folder + Homebrew + MAS receipts + browser extensions) and compares it against the previous run. Matching hashes skip the full payload and send a small "no change" heartbeat instead.
Typical macOS laptops see ~90% bandwidth reduction because most days have zero install activity.
Gzip compression
All inventory uploads are gzipped before transmission. No configuration needed.
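How the delta scan and gzip steps described above fit together, as an added example that is not SentriKat's own code: the payload field names, the fingerprint, build_upload and simulate helpers, and the sample inventories are assumptions made for illustration. The inventory is sorted before hashing so that a change in listing order alone never forces a full upload, while a version bump always does.

```python
import gzip
import hashlib
import json


def fingerprint(inventory):
    """SHA-256 over a canonical encoding of the inventory.

    Items are sorted first, so the order in which the filesystem or
    `brew list --versions` returns entries does not change the hash.
    """
    items = sorted((i["source"], i["name"], i["version"]) for i in inventory)
    canonical = json.dumps(items, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_upload(inventory, previous_fp):
    """Return (kind, gzipped request body, fingerprint to store for next run)."""
    fp = fingerprint(inventory)
    if fp == previous_fp:
        body = {"type": "heartbeat", "fingerprint": fp}  # hypothetical schema
    else:
        body = {"type": "full", "fingerprint": fp, "items": inventory}
    raw = json.dumps(body, sort_keys=True).encode("utf-8")
    return body["type"], gzip.compress(raw), fp


def simulate(runs):
    """Feed successive inventories through build_upload; return the kinds sent."""
    previous, kinds = None, []
    for inventory in runs:
        kind, _payload, previous = build_upload(inventory, previous)
        kinds.append(kind)
    return kinds


# Constructed sample inventories (not real agent output).
DAY1 = [
    {"source": "applications", "name": "Firefox", "version": "128.0"},
    {"source": "homebrew", "name": "openssl@3", "version": "3.3.1"},
]
DAY2 = list(reversed(DAY1))  # same software, different listing order
DAY3 = [DAY1[0], {"source": "homebrew", "name": "openssl@3", "version": "3.3.2"}]

if __name__ == "__main__":
    print(simulate([DAY1, DAY2, DAY3]))
```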
Store-and-forward spool
If the agent cannot reach the SentriKat server (corporate VPN down, server maintenance), it spools payloads to ~/Library/Application Support/SentriKat/spool/ and retries on exponential backoff. The spool has a 100 MB cap and drops the oldest entries when full. When connectivity is restored, the spool drains to the server in order.
Next Steps
- Agent overview for all agent types
- Container Scanning for Docker image scanning on macOS
- REST API Import for custom integrations