# Deploy with macOS

<figure><img src="/files/V9Pws4KDWmowQDRLmCeV" alt=""><figcaption></figcaption></figure>

This page walks you through how to install and set up Keeper Endpoint Privilege Manager (EPM) on macOS devices. It explains what components are installed and why, how to install and register a device, the key differences between macOS versions, and how to confirm that everything is working correctly.

## Overview

Keeper EPM runs on macOS using a lightweight background application, known as an agent, that operates on each device. The agent acts as the enforcement layer for your policies by receiving rules from the Keeper Admin Console, monitoring user activity, and applying security controls—such as approvals, MFA, or privilege elevation—when required.

## macOS Version Support

#### System Extension Support

Support for system extensions varies by macOS version. macOS Tahoe and later provide full support and deliver the best overall experience; older versions such as Sonoma and Sequoia offer only partial support. Where possible, deploy on macOS Tahoe or later to ensure full functionality.

#### Supported macOS Versions

* **Tahoe (newer)** → Full support (best experience)
* **Sonoma / Sequoia (older)** → Partial support

<h3 align="center">What Changes Between macOS Versions?</h3>

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="211">Feature</th><th>Sonoma / Sequoia (Older)</th><th>Tahoe and Later (Newer)</th></tr></thead><tbody><tr><td><strong>Installing Applications</strong></td><td>Standard users cannot install apps directly and must use KeeperClient</td><td>Users can install <code>.pkg</code> files (double-click), <code>.dmg</code> apps (drag-and-drop), or use KeeperClient</td></tr><tr><td><strong>File Access Policies</strong></td><td>Some system folders are read-only (e.g., <code>/System/Applications</code>), so policies do not apply</td><td>Broader system-level control with greater policy flexibility</td></tr><tr><td><strong>Command Line Controls (Non-Elevated)</strong></td><td>Not supported</td><td>Supported</td></tr><tr><td><strong>Command Line Controls (Elevated / sudo)</strong></td><td>Supported</td><td>Supported</td></tr></tbody></table>

#### What This Means for You

For the best experience, it is recommended to use macOS Tahoe or later, as it provides full feature support. On older versions such as Sonoma or Sequoia, you should use KeeperClient for application installations, avoid targeting restricted system folders, and expect some limitations in policy enforcement and functionality.

## Deployment Packages

#### How you can deploy Keeper's Endpoint Manager

You have several deployment options depending on your environment. Manual installation is suitable for testing or small rollouts, while scripts provide a flexible way to automate deployment. For larger organizations, MDM tools such as Jamf or Intune are typically the best choice, offering centralized management and consistency across devices. Most customers use MDM-based deployment to achieve scalable and reliable rollouts.

### Before You Start (Prerequisite Checklist)

* A Keeper tenant with EPM enabled
* A **registration token** from the Admin Console
* The macOS installer package
* **Admin access** on the device
* Network access (HTTPS on port 6889 by default)

<figure><img src="/files/4r4QfBclTSNhKY375ths" alt="" width="375"><figcaption></figcaption></figure>

## Deployment Steps

{% stepper %}
{% step %}

#### Download & Unpack

From the Admin Console, navigate to Endpoint Privilege Manager then click on "Deployments" to view your deployment packages.

<figure><img src="/files/ZwbhK6mtsQ19oQ40xHYl" alt=""><figcaption></figcaption></figure>

Click on the deployment package that you wish to deploy to a macOS workstation. Under "Select Package Files" select "Mac".

<figure><img src="/files/NkuQpVPLDQu8R2cyvaVS" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Install the Agent

Install the Keeper package on the Mac.

{% endstep %}

{% step %}

#### Full Disk Access

**Important:** The agent must be granted Full Disk Access; without it, File Access and Command Line policies cannot function.

* Go to **Settings** → **Privacy & Security** → **Full Disk Access** and enable access for the **KeeperPrivilegeManager** application.
* After Full Disk Access is granted, it may take up to two minutes for the configuration to be updated.

{% hint style="info" %}
The agent is signed by "Callpod Inc.", the holding company of Keeper Security. All of Keeper's software on macOS and iOS devices is digitally signed by Callpod Inc. due to Apple's policies.
{% endhint %}
{% endstep %}

{% step %}

#### Starting / Restarting the Service

#### Starting the Service

The agent runs in the background as a launchd daemon (macOS's service manager). The `load`/`unload` subcommands below are launchd's legacy interface; they still work on current macOS, and `launchctl bootstrap system <plist>` / `launchctl bootout system <plist>` are the modern equivalents.

Start it with:

```bash
keepersudo launchctl load /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist
```

Check it’s running:

```bash
keepersudo launchctl list | grep keeper
```

#### Restarting the Service

If a service restart is required on macOS, the following commands can be used:

```bash
keepersudo launchctl unload /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist
```

```bash
keepersudo launchctl load /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist
```

{% endstep %}

{% step %}

#### Check That It’s Healthy

Make sure the agent is working:

```bash
curl -k https://localhost:6889/health
```

You should see a successful (2xx) response. The `-k` flag tells curl to skip certificate verification, which is acceptable for this loopback call only; never use it against a remote host.

This confirms the service is running and responsive (the agent exposes a local health endpoint for monitoring).
{% endstep %}

{% step %}

#### Register the Device

Now connect the device to your Keeper environment.

```bash
keepersudo /Library/Keeper/sbin/Jobs/bin/KeeperRegistrationHelper/KeeperRegistrationHelper --token="YOUR_TOKEN_HERE"
```

This step is what links the Mac to your organization so it can receive policies.

Check registration:

```bash
curl -k https://localhost:6889/api/Keeper/registration
```

You should see:

* Registered = true
* Deployment ID present
{% endstep %}

{% step %}

#### (Optional) Deploy with MDM

For large environments, use Jamf, Intune, or another MDM.

#### Typical workflow

1. Upload the PKG installer
2. Deploy it to devices
3. Run a script to:
   * Start the service
   * Register the device

Example:

```bash
#!/bin/bash
set -e

# Supply the registration token from a secure MDM variable or script parameter
# rather than hardcoding it (see "Protect Your Token" below). Jamf passes script
# parameters as $4 onward; adjust for your MDM.
TOKEN="${4:-YOUR_TOKEN_HERE}"

# The MDM agent runs this as root, so no sudo wrapper is needed here.
launchctl load /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist

# Give the service time to initialize before registering; increase if registration fails.
sleep 20
/Library/Keeper/sbin/Jobs/bin/KeeperRegistrationHelper/KeeperRegistrationHelper --token="$TOKEN"
```

{% endstep %}

{% step %}

#### Validate Everything

After deployment, confirm:

#### 1. Service is running

```bash
keepersudo launchctl list | grep keeper
```

#### 2. Health check works

```bash
curl -k https://localhost:6889/health
```

#### 3. Device is registered

```bash
curl -k https://localhost:6889/api/Keeper/registration
```

#### 4. Plugins are active (optional)

```bash
curl -k https://localhost:6889/api/plugins
```

You should see key components like:

* KeeperAPI
* KeeperPolicy

These are core to how policies are evaluated and enforced.
{% endstep %}
{% endstepper %}
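The steps above (start the service, check health, register, validate) are usually glued together with a fixed `sleep`, which is exactly what causes the timing failures described under "Timing Issues" below. The following script is an added example written for this page, not Keeper's own tooling: it polls the local health endpoint until it answers, registers only when the device is not already registered, and checks the registration and plugin responses. The endpoint paths and the registration helper path are taken from this page; the HTTP 200 health status and the JSON field names `registered` and `deploymentId` are assumptions, so adjust the two `grep` patterns to the agent's real output. It is meant to run as root from an MDM script, with the token passed as the first argument rather than hardcoded.

```shell
#!/bin/bash
# Added example, not Keeper's own tooling: post-deployment validation for the
# Keeper EPM agent on macOS. Polls the local health endpoint instead of a fixed
# sleep, registers the device if it is not registered, and checks the
# registration and plugin responses. Run as root (e.g. from an MDM script).
# ASSUMPTIONS: the health endpoint answers HTTP 200 when ready, and the
# registration JSON uses the field names "registered" and "deploymentId".

AGENT_URL="https://localhost:6889"
REG_HELPER="/Library/Keeper/sbin/Jobs/bin/KeeperRegistrationHelper/KeeperRegistrationHelper"

# GET a path on the local agent API. -k skips certificate verification; this is
# acceptable only because the listener is on loopback.
agent_get() {
  curl -ks --max-time 5 "$AGENT_URL$1"
}

# wait_for_health URL RETRIES DELAY: return 0 once URL answers HTTP 200,
# 1 if it never does within RETRIES attempts spaced DELAY seconds apart.
wait_for_health() {
  local url="$1" retries="$2" delay="$3" i=1 code
  while [ "$i" -le "$retries" ]; do
    code=$(curl -ks -o /dev/null -w '%{http_code}' --max-time 5 "$url" 2>/dev/null || true)
    if [ "$code" = "200" ]; then
      return 0
    fi
    sleep "$delay"
    i=$((i + 1))
  done
  return 1
}

# registration_ok BODY: return 0 if BODY reports registered=true and a non-empty
# deployment ID, 1 otherwise (field names are assumptions, see above).
registration_ok() {
  local body="$1"
  echo "$body" | grep -qiE '"registered"[[:space:]]*:[[:space:]]*true' || return 1
  echo "$body" | grep -qiE '"deploymentId"[[:space:]]*:[[:space:]]*"[^"]+"' || return 1
  return 0
}

# plugins_ok BODY: return 0 if both core plugins appear in the plugin listing.
plugins_ok() {
  local body="$1" p
  for p in KeeperAPI KeeperPolicy; do
    echo "$body" | grep -q "$p" || return 1
  done
  return 0
}

# End-to-end flow. The token comes from the caller (MDM variable or script
# parameter); it must not be hardcoded here.
main() {
  local token="${1:?usage: $0 REGISTRATION_TOKEN}" reg

  # Up to 12 x 5 s = 60 s for the service to come up after launchctl load.
  if ! wait_for_health "$AGENT_URL/health" 12 5; then
    echo "agent health endpoint not responding after 60s" >&2
    return 1
  fi

  reg=$(agent_get /api/Keeper/registration)
  if ! registration_ok "$reg"; then
    "$REG_HELPER" --token="$token"
    sleep 5
    reg=$(agent_get /api/Keeper/registration)
    if ! registration_ok "$reg"; then
      echo "registration failed: $reg" >&2
      return 1
    fi
  fi

  if ! plugins_ok "$(agent_get /api/plugins)"; then
    echo "core plugins KeeperAPI/KeeperPolicy not listed" >&2
    return 1
  fi

  echo "Keeper EPM agent is healthy, registered, and has core plugins loaded"
}

# Only run the end-to-end flow when a token is supplied on the command line.
if [ -n "${1:-}" ]; then
  main "$1"
fi
```

Invoke it as `sudo ./validate-keeper.sh "$TOKEN"` (or as an MDM post-install script with the token passed as a parameter). Because the script checks registration before calling the helper, it is safe to re-run on an already-registered device, and a non-zero exit from any stage gives the MDM a failure to report instead of silently continuing.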

### What Happens After Installation

After installation, the agent is placed in `/Library/Keeper/` and the background service starts automatically. The device begins collecting system data and synchronizes policies from the Keeper Admin Console.

On some systems, users may see prompts related to system extensions or security permissions. These prompts can typically be pre-approved using MDM tools to ensure a seamless deployment experience.

#### What the User Experiences

Most of the deployment process is invisible to end users. Installation is typically silent and does not require any interaction.

After setup, users will only see prompts when policies apply, such as for MFA, approval, or privilege elevation. This aligns with Keeper’s goal of allowing users to do their work while ensuring those actions are performed securely.

#### Default Behavior After Deployment

After deployment, the agent starts in Monitor mode, where policies are evaluated but not enforced. This lets you safely test and validate policy behavior before enabling enforcement; keep in mind that a device in Monitor mode is not yet protected, so switch to enforcement once validation is complete.

### **Uninstall on macOS**

To uninstall the Keeper agent from macOS, run the uninstall script that ships alongside the install script in the downloaded deployment package.

{% hint style="info" %}
Notes:

* The Keeper Agent will launch for users upon a new login session, so a logout/login may be required.
* The `sudo` policy controls are documented on the [Command Line Policy](https://docs.keeper.io/endpoint-privilege-manager/policies/policy-types/command-line-policy-type.md) page.
{% endhint %}

### Logs (If You Need Them)

To view recent activity in the unified log, bound the query with `--last` (without it, `log show` walks the entire log store) and match the process name case-insensitively:

```bash
keepersudo log show --last 1h --predicate 'process CONTAINS[c] "keeper"'
```

Logs are rotated automatically, and retention is managed by the macOS logging system.

For greater detail, access the logs directly at:

```
/Library/Keeper/sbin/Plugins/bin/KeeperLogger/Log/KeeperLoggerYYYYMMDD.log
```

### Important Notes & Common Adjustments

#### Permissions & Security Prompts

macOS may require approval for certain security-related components during deployment, including system extensions and Security & Privacy permissions. These prompts can be pre-approved using MDM tools to ensure a smooth and non-interactive user experience.

#### Protect Your Token

Registration tokens are sensitive credentials and should be handled securely. They should not be hardcoded in scripts and instead should be managed using secure MDM variables or other protected delivery methods. Additionally, tokens should be rotated as needed to reduce the risk of exposure.

#### Timing Issues

If registration fails, the service may not have fully initialized yet. Increase the delay before the registration command (for example from `sleep 20` to `sleep 40`), or, more robustly, poll the local health endpoint until it answers before registering instead of relying on a fixed sleep.

#### Path Limitations (Older macOS)

On older macOS versions, certain system directories are restricted and cannot be controlled by policy. For example, paths under `/System/*` are typically read-only and should not be targeted.

Instead, use supported locations such as `/Users` and `/Applications`, where policies can be applied more reliably.

### Troubleshooting

#### Service not running

If the service is not running, verify that the launchd configuration is properly loaded and configured. You should also review system logs to identify any errors or issues preventing the service from starting.

#### Device not registering

If a device is not registering, first verify that the registration token is correct. Then check that the device has proper network access, and ensure that the Keeper service is running before attempting registration.

#### Policies not working

If policies are not working as expected, check that the macOS version supports the required features, avoid targeting restricted system paths, and confirm that the device has been successfully registered.

### Summary

Deploying Keeper EPM on macOS allows you to:

* Secure Apple devices with the same policy model as other platforms
* Control privilege elevation, file access, and commands
* Scale deployment easily with MDM tools

For the **best results**, use macOS Tahoe or later.
