Install Elastic Endpoint manually on macOS Ventura and higheredit

To properly install and configure Elastic Endpoint manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the endpoint before Elastic Endpoint can be fully functional:

The following permissions that need to be enabled are required after you configure and install the Elastic Defend integration, which includes enrolling the Elastic Agent.

Approve the system extension for Elastic Endpointedit

For macOS Ventura (13.0) and later, Elastic Endpoint will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.

The following message appears during installation:

system extension blocked warning ven
  1. Click Open System Settings.
  2. In the left pane, click Privacy & Security.

    privacy security ven
  3. On the right pane, scroll down to the Security section. Click Allow to allow the ElasticEndpoint system extension to load.

    allow system extension ven
  4. Enter your username and password and click Modify Settings to save your changes.

    enter login details to confirm ven

Approve network content filtering for Elastic Endpointedit

After successfully loading the ElasticEndpoint system extension, an additional message appears, asking to allow Elastic Endpoint to filter network content.

allow network filter ven

Click Allow to enable content filtering for the ElasticEndpoint system extension. Without this approval, Elastic Endpoint cannot receive network events and, therefore, cannot enable network-related features such as host isolation.

Enable Full Disk Access for Elastic Endpointedit

Elastic Endpoint requires Full Disk Access to subscribe to system events via the Elastic Defend framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data.

If you have not granted Full Disk Access, the following notification prompt will appear.

allow full disk access notification ven

To enable Full Disk Access, you must manually approve Elastic Endpoint.

The following instructions apply only to Elastic Endpoint version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to Enable Full Disk Access for the Elastic Endgame sensor on macOS Catalina though Monterey.

  1. Open the System Settings application.
  2. In the left pane, select Privacy & Security.

    privacy security ven
  3. From the right pane, select Full Disk Access.

    Select Full Disk Access
  4. Enable ElasticEndpoint and co.elastic to properly enable Full Disk Access.

    allow fda ven

If the endpoint is running Elastic Endpoint version 7.17.0 or earlier:

  1. Click the + button to view Finder.
  2. The system may prompt you to enter your username and password if you haven’t already.

    enter login details to confirm ven
  3. Navigate to /Library/Elastic/Endpoint, then select the elastic-endpoint file.
  4. Click Open.
  5. In the Privacy tab, confirm that ElasticEndpoint and co.elastic.systemextension are selected to properly enable Full Disk Access.

    Select Full Disk Access