
Mass deployment on macOS

Intended for use with any MDM solution that supports macOS package deployment and script execution, such as Jamf Pro, Kandji, Mosyle, Microsoft Intune (macOS), or Apple's native MDM framework.

Updated this week

🚨 IMPORTANT 🚨

Please note that the DeviceName you set must be unique to avoid issues when scanning. The scripts below use $(hostname -s) to automatically derive the device name from the machine's hostname; we recommend leaving this in place.

Please note that every organisation has a different environment, different device and software management processes, and very different requirements, so we can only provide a generic guide – we cannot account for every eventuality, but we hope this helps.



Step one:

Get your agent information

  • Go to your Intruder account > Targets > click Add target > click Internal targets.

  • Select Mass deployment.

  • You will be presented with the following screen. Note down the Prefix and Key, then hit 'All done'.

  • Head to https://www.tenable.com/downloads/nessus-agents, scroll down until you see the agent that corresponds with your version of macOS, and hit the download icon.

  • Finally, open your downloads folder > click the .dmg file > then double click the Install Nessus Agent.pkg file to save it.


Step two:

Prepare your deployment script

  • Create a shell script (e.g. install-nessus-agent.zsh) containing the following, replacing the placeholder values with your own:

    #!/bin/zsh

    # Post-install script for Nessus Agent deployment via MDM
    # The .pkg file should be staged to /var/tmp/ prior to running this script

    /usr/sbin/installer -pkg /var/tmp/NessusAgent-10.x.x-macos.pkg -target /

    /Library/NessusAgent/run/sbin/nessuscli agent link \
      --name=<Intruder_Client_ID>_$(hostname -s) \
      --key=<Key> \
      --cloud

    exit 0

  • Make sure you:

    • Replace NessusAgent-10.x.x-macos.pkg with the exact filename of the .pkg you downloaded

    • Replace <Intruder_Client_ID> with the Prefix from the Mass Deployment modal in the portal

    • Replace <Key> with the Key from the Mass Deployment modal in the portal

    • Leave $(hostname -s) in place – this will automatically use each machine's hostname as the device name at installation time

      Note: If you're an MSP, you can extend the name to identify the client, e.g. [YourPrefix]_[ClientName]_$(hostname -s)


Step three:

Deploy via your MDM

The exact steps will vary depending on your MDM solution, but the general process is:

  1. Upload the .pkg file to your MDM as a deployable package.

  2. Upload or attach the deployment script – this should run after the package has been staged (as a post-install or policy script, depending on your MDM).

  3. Ensure the .pkg is staged to /var/tmp/ before the script runs, or update the path in the script to match wherever your MDM places the file.

  4. Scope the deployment to the relevant devices or groups.

  5. Deploy to a test device first and confirm the agent appears in your Intruder portal before rolling out more broadly.



Program-specific guidance:

Jamf Pro

  • Add the .pkg as a Package under Settings > Computer Management > Packages

  • Create a Policy that installs the package and runs the script in the correct order (package first, then script)

  • Scope the policy to a test group before wider deployment

Kandji / Mosyle / Intune (macOS)

  • Upload the .pkg as a managed app or package

  • Attach the script as a post-install or custom script

  • Follow your MDM's standard scoping and deployment workflow


You should now be able to validate that the agent calls back to your Intruder portal account.

If you come unstuck, it might be worth reviewing the other help articles found here.
