You can manually add Mac endpoints to Malwarebytes Nebula in a few different ways. The most common method is to copy an installer file to the endpoint and run the file from the endpoint. You may also add endpoints using the command line or with a dissolvable remediation tool.
This article covers the following methods:
- Use a downloaded installer and copy it to the endpoint.
- Command line remote installation for Mac endpoints, which can be run silently.
- Dissolvable Unmanaged Remediation Tools installation.
If you have many endpoints, you can use the macOS PKG installer with Mobile Device Manager (MDM) solutions such as JAMF.
Use a downloaded installer
To manually add an endpoint to Malwarebytes Nebula, download the Malwarebytes Endpoint Agent installation file and run the file from the endpoint. Each installer is pre-configured for your account.
Malwarebytes provides endpoint installers for you to use with your preferred installation method.
Mac Endpoint Installer Notes
- Do not change the name of the downloaded installer file, because the installer retrieves the Nebula accounttoken value from the file's name. Device management tools may remove the accounttoken from the name. In this case, use the command line instructions below to set the accounttoken after installation.
- The following items are mandatory for correct operation:
  - For macOS 10.13 and 10.14, Approve kernel/security framework extension for Malwarebytes Endpoint Protection on Mac devices
  - For macOS 10.15, macOS 11.x, and macOS 12.x, Mac endpoint missing Full Disk Access in Malwarebytes Nebula
- Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group. To automatically assign endpoints to a group during installation:
  - Log in to Malwarebytes Nebula.
  - Go to Downloads.
  - On the right side, click the Specify group assignment link.
- The Installation process shows how to download and manually run the endpoint installer on your macOS devices. Alternatively, you can share the installer with your endpoint users by clicking the following in the Nebula Downloads page:
  - Email link: Click this button to email the endpoint installer to your endpoint users. This email pre-populates with a download link unique to your Nebula account. Your recipients can click this link to install the agent. The link expires after 7 days.
  - Copy link: Click this button to copy the installer download link to your clipboard. The download link is unique to your Nebula account, and expires after 7 days.
- com.malwarebytes.ncep.nobody: An account with minimal permissions, created on Mac endpoints during installation. The Malwarebytes agent uses this account to run unprivileged system and service tasks.
- Log in to Malwarebytes Nebula.
- Go to Downloads.
- In the Mac section, click Download to download the Mac Endpoint Installer to your local device.
- We recommend you keep the __xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx___ portion of the file name, as this is your accounttoken value, which identifies your account to the macOS installer. If it is removed, see the command line instructions below to set the accounttoken after installation.
- After you have downloaded the installer, copy it to the endpoint and run the installer.
- When the installation process completes, the Management Agent registers and the endpoint shows up in the Malwarebytes Nebula platform console.
- The Management Agent retrieves Policy information and configures the endpoint, downloading Agents for the configured features. This process takes about 5 minutes until the endpoint is protected and ready to scan.
Command line remote installation for Mac
You may use the terminal command below to perform a silent install on Mac endpoints from software deployment and management systems.
- sudo -E /usr/sbin/installer -pkg Setup.MBEndpointAgent__aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa___.pkg -target /
You may use the terminal command below to perform a silent install on Mac endpoints, while specifying the target group. Group identifiers may be seen in the Nebula Console Downloads 'Specify group assignment' link. The command is shown on multiple lines due to the length of the command.
- sudo launchctl setenv MALWAREBYTES_GROUP <GroupID> ; sudo -E /usr/sbin/installer -pkg Setup.MBEndpointAgent__aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa___.pkg -target /
Command line set ACCOUNTTOKEN after installation
You may use the terminal command below to set the new accounttoken:
- sudo '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon' ACCOUNTTOKEN=<accounttoken>
After setting the account token, restart the Endpoint Agent service using the commands below:
- sudo launchctl unload /Library/LaunchDaemons/com.malwarebytes.agent.daemon.plist
- sudo launchctl load /Library/LaunchDaemons/com.malwarebytes.agent.daemon.plist
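Because the installer reads the accounttoken from its own file name, a deployment script can check the name before it runs anything. The following is an added example, not Malwarebytes code: it extracts the token from the installer name and prints the commands from this article that apply, including the post-install ACCOUNTTOKEN step when the token has been stripped. The function names are hypothetical, and the 8-4-4-4-12 token shape is an assumption taken from the placeholder in the file names above.

```shell
#!/bin/sh
# Added example, not Malwarebytes code. Function names are hypothetical.
# Assumption: the accounttoken has the 8-4-4-4-12 shape of the article's
# placeholder and sits between "__" and "___" in the installer file name.

DAEMON='/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon'
PLIST='/Library/LaunchDaemons/com.malwarebytes.agent.daemon.plist'

# Print the accounttoken embedded in an installer file name; return 1 if absent.
mb_token_from_pkg() {
    name=$(basename -- "$1")
    token=$(printf '%s\n' "$name" | sed -nE \
        's/^.*__([0-9A-Za-z]{8}(-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12})___.*\.pkg$/\1/p')
    [ -n "$token" ] || return 1
    printf '%s\n' "$token"
}

# Print (do not run) the article's commands that apply to this package.
#   $1 = path to the .pkg
#   $2 = optional group ID
#   $3 = accounttoken to set after installation if the name has lost it
mb_install_plan() {
    pkg=$1
    group=$2
    fallback=$3
    renamed=0
    mb_token_from_pkg "$pkg" >/dev/null || renamed=1
    if [ "$renamed" -eq 1 ] && [ -z "$fallback" ]; then
        echo "no accounttoken in file name and none supplied" >&2
        return 2
    fi
    if [ -n "$group" ]; then
        printf 'sudo launchctl setenv MALWAREBYTES_GROUP %s\n' "$group"
    fi
    printf "sudo -E /usr/sbin/installer -pkg '%s' -target /\n" "$pkg"
    if [ "$renamed" -eq 1 ]; then
        # Token was stripped from the name: set it, then restart the agent.
        printf "sudo '%s' ACCOUNTTOKEN=%s\n" "$DAEMON" "$fallback"
        printf 'sudo launchctl unload %s\n' "$PLIST"
        printf 'sudo launchctl load %s\n' "$PLIST"
    fi
}
```

The plan is printed for review and is not executed; a return code of 2 means the package was renamed and no accounttoken was supplied to set after installation.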
Check macOS Services and security extensions
$ sudo launchctl list | grep com.malwarebytes
1750 0 com.malwarebytes.ncep.settings.daemon
- 0 com.malwarebytes.UserAgent
1748 0 com.malwarebytes.ncep.rtprotection.daemon
1649 0 com.malwarebytes.EndpointAgent
Check Kernel Extension for: OS X 10.11, 10.12 Sierra, macOS 10.13 High Sierra, and macOS 10.14 Mojave
$ kextstat | grep malwarebytes
187 0 0xffffff7f85a07000 0x8000 0x8000 com.malwarebytes.ncep.rtprotection (3.9.16) 9EF16C6D-E345-31AF-8646-2507C3F781D8 <6 5 3 1>
Check System Extension for: macOS 10.15 Catalina, macOS 11 Big Sur, macOS 12 Monterey
$ systemextensionsctl list | grep -i malwarebytes
* * GVZRY6KDKR com.malwarebytes.edr.helper.ext (1.5.136/1.5.136) EDRMacHelperExt [activated enabled]
Dissolvable unmanaged remediation tools
You may prefer to use a dissolvable remediation tool instead of an installer. At the bottom of the console Downloads screen is the Remediation (Unmanaged) section. Here you can download the following Malwarebytes dissolvable unmanaged remediation tool.
Mac Breach Remediation: our dissolvable remediation program for Mac endpoints. For more information, see the Malwarebytes Breach Remediation (Mac) Administrator Guide.