Script Checks for Mac devices
You can monitor Mac devices by adding user-defined or default Script Checks. When you add a Script Check, configure the required parameter values.
Before adding a script check to a device, upload the script to the All Devices view. For upload instructions, see Add a script to Script Manager.
Default scripts for Mac devices
Expand a section for script details and parameters.
- Checks /Library/Managed Installs/InstallInfo.plist for the installation status of patches deployed using Munki, including Managed Patch.
- Does not report on patches deployed through other methods, such as manual user installation.
- Generates an alert if a patch installation fails or if patches are queued and pending user logout.
- Results appear in the script’s More Information section and in the View the Managed Patch for Mac report.
- Script type: Python
- Parameters:
- Script Timeout Range: 1 - 3600 seconds (default 120 seconds)
- Checks whether FileVault is enabled.
- Fails if FileVault is off.
- Script type: Bash
- Parameters:
- Script Timeout Range: 1 - 3600 seconds (default 120 seconds)
- Checks whether the firewall is enabled.
- Fails if the firewall is off.
- Script type: Shell
- Parameters:
- Script Timeout Range: 1 - 3600 seconds (default 120 seconds)
- Checks whether Gatekeeper is enabled.
- Fails if Gatekeeper is off.
- Script type: Shell
- Parameters:
- Script Timeout Range: 1 - 3600 seconds (default 120 seconds)
- Checks for changes to Transparency, Consent, and Control (TCC) permissions in the past 72 hours. This time frame accounts for weekend activity.
- Generates an alert if any permissions changed during that period.
- Supports management using the Clear Check function.
- Checks the latest Time Machine snapshot for backup status.
- Generates an alert if the latest backup date is equal to or older than the specified number of days.
- Script type: Bash
- Parameters:
- Days without backup: The number of days without a snapshot before the check fails
- Script Timeout Range: 1 - 3600 seconds (default 120 seconds)
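The Time Machine threshold logic described above can be reproduced in a user-defined Script Check. The following is an added example, not the product's default script. It assumes the threshold is passed as the first Command Line argument, that a non-zero exit status marks the check as failed, and that the path printed by `tmutil latestbackup` contains a `YYYY-MM-DD-HHMMSS` timestamp.

```python
"""User-defined Script Check: fail when the latest Time Machine backup is too old."""
import re
import subprocess
import sys
from datetime import datetime

# tmutil names each backup with a local timestamp, e.g. 2024-05-01-093000
STAMP = re.compile(r"(\d{4}-\d{2}-\d{2}-\d{6})")


def latest_backup_time(tmutil_output):
    """Return the timestamp embedded in `tmutil latestbackup` output, or None."""
    found = STAMP.findall(tmutil_output)
    try:
        return datetime.strptime(found[-1], "%Y-%m-%d-%H%M%S")
    except (IndexError, ValueError):
        return None  # no backup path printed, or digits that are not a real date


def evaluate(tmutil_output, days_without_backup, now):
    """Return (passed, message); fails when age >= threshold or no backup exists."""
    latest = latest_backup_time(tmutil_output)
    if latest is None:
        return False, "No Time Machine backup found"
    age_days = (now - latest).days
    message = f"Latest backup {latest:%Y-%m-%d %H:%M} is {age_days} day(s) old"
    # "Equal to or older than" the threshold counts as a failure.
    return age_days < days_without_backup, message


def main(argv):
    # Assumption: the threshold arrives as the first Command Line argument.
    try:
        threshold = int(argv[1])
    except (IndexError, ValueError):
        print("usage: check.py <days-without-backup>")
        return 2
    try:
        out = subprocess.run(["tmutil", "latestbackup"], capture_output=True,
                             text=True, timeout=60).stdout
    except (OSError, subprocess.SubprocessError):
        out = ""  # tmutil missing or hung: treated as no backup
    passed, message = evaluate(out, threshold, datetime.now())
    print(message)
    # Assumption: a non-zero exit status marks the check as failed.
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A missing backup, or `tmutil` output with no timestamp, is reported as a failure rather than a pass, so a device that has never been backed up still raises an alert.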
You can suppress alerts until the number of consecutive check failures reaches the configured threshold. For details, see Configure alert thresholds to suppress alerts.
Check configuration
Add a script check to a device
- In the All Devices view, select the device in the North-pane.
- In the South-pane, go to the Checks tab.
- Select Add Check, choose the check frequency, then select Script Check.
- Choose a script, then select Next.
Scripts are grouped by default script categories (if applicable). On Linux, only user-defined scripts are supported.
- Configure script parameters, including the Command Line for custom scripts (if required).
To prevent the removal of a leading zero in command-line arguments, any part of the command that begins with 0 is wrapped in \ so the full argument is preserved during execution or processing.

To add the check to multiple devices, select Multiple Devices.
- To run an automated task when the check fails, select Assign a Task after creating the Check.
- Select Finish to save and apply the check.
If you selected Assign a Task:
- Choose the Automated Task script.
- Select Next to configure parameters.
- Enter any required Command Line or Script parameters.
- (Optional) Set maximum permitted execution time for the script.
- Select Finish to save and apply the task.
Edit
Script Check - Endpoint Detection and Response (EDR) settings can't be edited. To remove them, you must uninstall EDR from the device.
- In the All Devices view North-pane, select the device.
- Go to the Checks tab in the South-pane.
- Right-click the check and choose Edit Check.
- Edit the script details and parameters.
- Select OK to save and apply.
Delete
- In the All Devices view North-pane, select a device.
- In the South-pane, go to the Checks tab.
- Right-click the check and choose Delete Check.
- Review the summary and select OK to confirm removal.
You can run custom scripts on servers and workstations using this product, but we don’t manage or validate them. We’re not liable for system, hardware, or data loss. Customers or developers must confirm the integrity and impact of any custom scripts.
