The Cyrisma macOS Agent enables vulnerability scanning, configuration analysis, and optional network-based scanning on supported macOS systems. This guide provides complete installation instructions for both Intel and Apple Silicon (M1/M2/M3/M4) devices, including workflows for systems with macOS System Integrity Protection (SIP) enabled or disabled.

For OS-agnostic requirements (CPU, memory, network access, whitelisting), refer to the Global Scan Agent Requirements article.

1. Supported macOS Platforms

Cyrisma supports installation on:

• macOS 10.15 (Catalina) and later

• Intel-based Macs (x64)

• Apple Silicon devices (Arm64 – M1, M2, M3, M4)

Separate installers are provided for each architecture.

2. Downloading the Cyrisma macOS Agent

1. Log in to your Cyrisma instance.

2. Navigate to Admin > Scan Agents.

3. Choose the correct package for your Mac:

The file will be downloaded to your ~/Downloads directory unless otherwise specified.

3. Required macOS Permissions (Full Disk Access)

Full Disk Access is not required in all environments for the Cyrisma macOS agent to install or operate correctly. In most cases, the agent installs and functions without any additional macOS permission changes.

However, depending on local macOS security settings, MDM profiles, or endpoint protection controls, installation or scanning operations may fail unless Full Disk Access is granted.

When Full Disk Access Is Needed

You may need to grant Full Disk Access if you encounter:

• Installation failures during agent setup

• Permission-related errors during data or configuration scans

• Incomplete scan results caused by restricted file access

If no errors are observed, no action is required.

Granting Full Disk Access to Terminal (If Needed)

If Full Disk Access is required, grant it to Terminal before rerunning the installer.

Steps:

1. Open System Settings (or System Preferences on older macOS versions)

2. Select Privacy & Security

3. Unlock the padlock to allow changes

4. Open the Privacy tab.

5. Scroll to Full Disk Access.

6. Click +, then add Terminal.

7. Restart Terminal.

Granting this permission allows the installer to set required environment variables and place necessary files when macOS security controls would otherwise block these actions.

Best Practice

Only grant Full Disk Access if prompted by errors or if installation or scanning fails. Avoid granting elevated permissions proactively unless required by your environment.

4. Installation Instructions for macOS with SIP Enabled

(macOS Catalina 10.15 and later)

When SIP is enabled, macOS prevents the use of launchctl setenv. Therefore, installation requires creating a temporary environment file with your Cyrisma key and URL.

Step 1 — Log in with Admin Rights

Ensure your macOS user account has administrative privileges.

Step 2 — Prepare Installation Variables

Open Terminal and navigate to your Downloads folder:

cd ~/Downloads

Create the temporary environment file (replace the key and URL with your own):

echo "CY_KEY=1234-5678-90AB" > /tmp/cyrisma_env.txt
echo "CY_URL=https://cc12ab34.cyrisma.com" >> /tmp/cyrisma_env.txt

These values must match the Installation Key and Instance URL found under:

Admin > Scan Agents

Step 3 — Install the Agent

Run the installer using:

sudo installer -pkg CyBroker_Installer.pkg -target /

When installation completes, the agent is available under:

/Applications/Cyrisma/

5. Installation Instructions for macOS with SIP Disabled

(macOS versions before 10.15)

Older macOS versions allow launchctl setenv for passing environment variables directly.

Step 1 — Log in with Admin Rights

Use an administrator account.

Step 2 — Prepare the Installer

Download the correct .pkg file from Admin > Scan Agents, then navigate to the folder:

cd ~/Downloads

Step 3 — Execute Installation

Replace the key and URL with your own:

sudo launchctl setenv cy_key 1234-5678-90AB cy_url https://cc12ab34.cyrisma.com && sudo installer -pkg CyBroker_Installer.pkg -target /

6. Post-Installation Steps

After installation, register the new macOS agent inside your Cyrisma instance:

1. Log in to Cyrisma.

2. Go to Admin > Scan Agents.

3. Click Provision to view unprovisioned agents.

4. Select the newly installed macOS device.

Choose Scan Mode:

Local-Only Scans:
Select Yes for “Agent only runs local scans?”

Network-Based Scans:
Select No, then supply Windows domain credentials in NT/NetBIOS format:

DOMAIN\username

(The macOS agent uses these credentials to scan Windows targets on the network.)

7. Mass Deployment Using a Shell Script

For RMM platforms (Jamf, Kandji, JumpCloud, Addigy, Intune/MDM scripts), large-scale automation is supported.

Sample Script

#!/bin/bash

# Constants
CY_KEY="XXXXXX"
CY_URL="XXXXXX"
DOWNLOAD_URL="https://dl.cyrisma.com/6167656E7473/CyBroker_Installer.pkg"
DOWNLOAD_PATH="/tmp/CyBroker_Installer.pkg"
ENV_FILE="/tmp/cyrisma_env.txt"
LOG_FILE="/var/log/cybroker_installation.log"

# Function to log messages
log() {
    echo "$(date) - $1" >> "$LOG_FILE"
}

# Write CY_KEY and CY_URL to the environment file
echo "CY_KEY=$CY_KEY" > "$ENV_FILE"
echo "CY_URL=$CY_URL" >> "$ENV_FILE"

# Download the file using curl
log "Downloading CyBroker package from $DOWNLOAD_URL"
sudo curl -o "$DOWNLOAD_PATH" "$DOWNLOAD_URL"

# Check if the download was successful
if [ $? -eq 0 ]; then
    log "Download successful. Installing CyBroker."
    sudo installer -pkg "$DOWNLOAD_PATH" -target /
    
    if [ $? -eq 0 ]; then
        log "CyBroker installation complete."
    else
        log "Installation failed. Check installation logs for more details."
    fi
else
    log "Download failed. Check your internet connection or the download URL."
fi

Replace the placeholder variables with your actual:

• Installation Key

• Instance URL

8. Whitelisting Requirements for macOS Installation

Ensure outbound access to:

*.cyrisma.com
*.dataspotlite.com

Port 443 must be allowed for installation, provisioning, and updates.
TLS inspection should bypass these domains.

9. Conclusion

Your macOS device is now configured with the Cyrisma Agent. Once provisioned in your Cyrisma instance, the agent will begin scanning and will automatically update as new versions become available.

For deploying on additional systems, repeat these steps or utilize the mass-deployment script for automation.