TDR Host Sensor Installation with Jamf

If you use Jamf for remote management of Apple devices, you can create a Jamf policy for distributed installation of the Mac Host Sensor on managed macOS devices.

For information about TDR Host Sensor OS compatibility, see the Threat Detection & Response Release Notes on the TDR Release Notes page.

To install a Mac Host Sensor through Jamf, you must have:

  • Host Sensor .pkg installer file
  • TDR Account ID
  • TDR Controller Address

Use this procedure for initial installation of the Mac Host Sensor.

Updates to the Host Sensor occur automatically through TDR.

Download the Host Sensor and Account Information

To download the Mac Host Sensor .pkg installation file and get the required account information:

  1. Log In to TDR.
  2. Select Monitor > Threat Detection.
  3. In the Devices / Users section, select Hosts.
    A list of hosts on your network appears. By default, the Hosts page shows only hosts with a Host Sensor installed.
  4. Click Download Host Sensor.
    The Host Sensor Download page opens.
  5. In the Operating System drop-down list, select Mac.
  6. Copy the Account ID and Controller Address.
  7. Click Download.
    The Host Sensor .pkg installer file downloads.

The installer file name is host_sensor_<version>.pkg.

Configure Jamf to Install the Mac Host Sensor

To use Jamf to install the Mac Host Sensor, you must:

  • Upload the Host Sensor.pkg file to Jamf
  • Add a Jamf policy to install the package

For detailed instructions about how to create packages and policies in Jamf, go to the Jamf documentation.

To upload the .pkg file to a Jamf package:

  1. Log in to your Jamf management interface.
  2. Create a new Jamf package.
    The New Package page appears.
  3. Click Choose file. Find and double-click the Host Sensor .pkg file you downloaded from TDR.
  4. In the Display Name text box type a package name. For example, TDR Host Sensor.
  5. From the Category drop-down list, select a package category defined in your Jamf instance.
  6. In the Info text box, type any other information to identify this package. For example, type the TDR Host Sensor version.
  7. Save the package.

To create the policy to install the package:

  1. Add a new Jamf policy.
  2. In the Display Name text box, specify a name for the policy.
  3. In the Trigger section, select conditions that trigger the installation. Recommended triggers include:
    • Enrollment Complete — Install the Host Sensor on newly enrolled computers
    • Recurring Check-in — Install the Host Sensor on previously enrolled computers
  4. From the Execution Frequency drop-down list, select Once per computer.
  5. Click Packages.
  6. Select the TDR Host Sensor package you added earlier
  7. From the Action drop-down list, select Install.
  8. Click Files and Processes.
  9. In the Execute Command text box, type this command, without spaces (replace the TDR Account ID and TDR Controller Address with the settings from the Host Sensor configuration page in your TDR account):

/usr/local/watchguard/tdr/ --account <TDR-Account-ID> --controller <TDR-controller-address>

For example:

/usr/local/watchguard/tdr/ --account 12345678-1234-1234-1234-123456789012 --controller

  1. In the policy settings, select the Scope tab.
  2. From the Target Computers drop-down list, select the target computers to deploy this policy to. Select All Computers to install the Host Sensor on all enrolled computers.
  3. Click Save.

When a new computer is enrolled, or when a previously enrolled computer checks in, Jamf executes the policy once for each computer specified in the scope.

Monitor Host Sensor Status

The first time each installed Host Sensor sends a heartbeat to your Threat Detection and Response account, the host is added to your TDR account and appears in the Hosts list in TDR.

To view the status of installed hosts:

  1. Log In to TDR.
  2. Select Monitor > Threat Detection.
  3. In the Devices / Users section, select Hosts.

The icon in the Sensor Status column indicates the status of the Host Sensor on each computer.

  • — Host Sensor is installed and operational
  • — Host Sensor is installed but has a problem
  • — Host Sensor is not communicating
  • — Host Sensor has shut down correctly
  • Paused icon — Host Sensor has protection paused
  • Host Contained icon — Host Sensor has contained the host

For more information about the Hosts page, go to Manage TDR Hosts and Host Sensors.

Related Topics

TDR Host Sensor Automated Installation

Uninstall TDR Host Sensors