This guide covers deploying the DefensX Agent to macOS devices managed by Hexnode MDM. The process involves three policies:
-
A common policy, installs the agent and pushes shared configurations (CA certificate, DNS Proxy extension)
-
A customer/deployment specific policy, pushes the deployment key and browser settings per customer
-
An optional uninstall policy, removes the agent when needed
Step 1: Download Required Files
Log in to the DefensX backend and navigate to Policies & Groups. Under the Deployments section, locate your deployment and click the RMM button.
In the RMM dialog, click Mac MDM and download the following files:
| File |
How to Download |
DefensX-installer.sh
|
Click Download Installer Script |
DefensX-CA.mobileconfig
|
Click Download DefensX-CA Certificate → As mobileconfig |
DefensX-DNSProxy-Extension.mobileconfig
|
Click DNS Proxy Extension mobileconfig |
DefensX-[deployment].mobileconfig
|
Click Download mobileconfig |
DefensX-uninstaller.sh
|
Click Download Uninstaller Script |
Keep all files available, they are needed in the steps below.
Step 2: Create the Common Policy
Most installation and configuration steps are identical across customers. Creating a shared common policy avoids repetition.
-
Select Create a full custom policy.
-
Enter a descriptive name, e.g. DefensX Common Install & Configurations.
-
Go to the macOS tab → Configurations → Scripts, then click Configure.
-
Click Choose Scripts, upload DefensX-installer.sh, then click Configure.
Adjust script execution options if needed, then click Add.
-
Under Configurations, click Deploy Custom Configuration → Configure.
-
Click Choose File and upload DefensX-CA.mobileconfig.
-
Click Upload and upload DefensX-DNSProxy-Extension.mobileconfig.
Your screen should now show both files. Click Ok to continue.
Assign Policy Targets
-
Click the Policy Targets tab.
-
Add devices by Device, Device Groups, User Groups, or any supported attribute.
-
Click Save (top right), then click Yes to confirm the association.
The DefensX Agent will install on associated devices according to the script execution settings. With default settings, the script runs on each logon, log out and back in to trigger it, then wait a few minutes.
Once installed, a gray tray icon appears in the menu bar. This is expected:
-
The agent is installed and running
-
No deployment key or browser settings have been applied yet
-
The agent is inactive until the customer-specific policy is pushed
Step 3: Create the Customer Configuration Policy
Each DefensX deployment has a unique Deployment Key, embedded in the per-customer mobileconfig file downloaded in Step 1. This policy delivers that configuration to the target devices.
-
In Hexnode MDM, click Policies → New Policy.
-
Select Create a full custom policy.
-
Enter a descriptive name, e.g. DefensX Agent Configuration [Customer Name].
-
Go to the macOS tab → Configurations → Deploy Custom Configuration, then click Configure.
-
Click Choose File and upload the DefensX-[deployment].mobileconfig file (the mobileconfig from Step 1).
The other two profiles from the common policy will appear unchecked, leave them as is. Click Ok to continue.
Assign Policy Targets
Once the configuration is received by client devices, the DefensX tray icon changes from gray to its normal state, and a corresponding agent record appears in the DefensX backend under the relevant customer and deployment.
Step 4: Uninstalling DefensX
To remove DefensX from devices you need to remove the devices from both policy targets (common policy and customer configuration policy) before running the uninstall script. Otherwise the MDM will continue reinstalling the agent and reapplying configurations.
To create the uninstall policy:
-
Click Policies → New Policy.
-
Select Create a full custom policy.
-
Enter a name, e.g. DefensX Uninstall Script.
-
Go to macOS tab → Configurations → Scripts, then click Configure.
-
Click Choose Scripts, upload DefensX-uninstaller.sh, then click Configure.
-
Adjust execution options if needed, then click Add.
-
Click the Policy Targets tab, add the devices to uninstall from, then click Save.
The uninstall script will execute based on the configured trigger (by default, on the next logon).
|
