macOS Clients

Client types

There are a number of different types of macOS Client. For a quick overview of the differences refer to the Client compatibility matrix.

Full

Designed for normal enterprise usage - including pre-installation as part of standard builds

Headless

For installation on unattended machines such as Servers.

Always-On

For normal enterprise usage where an always-on connection to/from certain (protected) hosts is required

Ensure the Client version is designed for use with the associated software OS version - see Download Center

NOTE

When macOS FileVault is enabled, the headless client will not be started on boot by the operating system until a user who has permission to decrypt the drive logs in. This affects both the Headless and the Always-On Clients.

Installing and running the Client

Installation and uninstallation

How to install

All the elements required for the full, headless and always-on Clients are installed from the standard installer file, and there is a page containing more specific details about how each is installed. The default installation will operate as a full Client. Modifying the Client to operate in either headless or always-on mode requires some manual configuration. See macOS headless Client for details.

It is not uncommon for endpoint protection software to interfere with or break the installation of the Client. The Client contains a number of components/executables which may need to be white-listed within the endpoint protection software.

How to uninstall

In the .dmg file used to install the Client, there is an Appgate SDP Uninstaller script. Run this to uninstall the Client. There is the option of keeping saved configurations and credentials in Keychain. Other configurations will be removed regardless.

Never try to partially uninstall the Client, such as by only removing the Appgate SDP driver.

Or, for manual uninstallation, run as root:

/Library/Application\ Support/Appgate/interactive-uninstall

or to also remove all secrets stored in the keychain run as root:

/Library/Application\ Support/Appgate/interactive-uninstall --clear-settings

macOS Clients - components/executables

Upgraded Clients may retain some existing paths even though new paths are now used. This only shows the paths used in new installations.

Located in /Applications/

Appgate SDP.app - which contains the executable Appgate SDP and will run as USER handling the UI process.

Located in /Library/Application Support/Appgate/

Appgate Driver - the virtual network adapter - it handles connections to the Gateways.

Appgate Service.app - which contains the executable AppGate Service and will run as USER handling the business logic.

appgate-updater - will run with root privileges - it handles auto-update of the Client.

headless-installer - used for headless and always-on Clients.

appgate_service_configurator - tool to control the headless Client. Requires that the AppGate Service is running.

interactive-uninstall - the uninstall script.

appgate-starter - will run with root privileges (and full disk access rights)

Located in /etc/

appgate.conf - the configuration file containing the parameters required for headless Client to sign-in.

Setting defaults

There are some default options which can be configured by running the following commands - run as the actual user:

  • to skip the data usage user approval screen:

    defaults write com.appgate.sdp.service user_approval -bool YES

  • to prevent the running of device claim scripts. Remember these run with full admin privileges so present a security risk:

    defaults write com.appgate.sdp.service scripts_disabled -bool true

  • to set multiple default profiles after a fresh install of the Client. Each profile should be separated using a semicolon encapsulated in quotes ["profile1;profile2"]:

    defaults write com.appgate.sdp.service default_profiles "appgate://profile1.com/foo;appgate://profile2.com/bar"

  • to set the default attention mode, where ATTENTION_VALUE can be 0-2:

    defaults write com.appgate.sdp attention_mode [ATTENTION_VALUE]

  • to prevent the full Client auto-starting on boot:

    defaults write com.appgate.sdp.service autostart 0

Configuration settings

To list local firewall rules

sudo pfctl -a com.appgate -sr

To clean all client settings

Delete:

~/Library/Preferences/com.appgate.sdp.plist
~/Library/Preferences/com.appgate.sdp.service.plist

Then reboot the computer.

To remove a profile link

Open the "Keychain Access" application. Search for "Appgate" in the search box and find the entries with Kind: Profile.

Show Password to see the profile name.

Delete the required Profile.  

To remove all stored passwords/certificates

Open the "Keychain Access" application. Search for "Appgate" in the search box. Delete all related passwords.

An example is shown below of typical Appgate SDP Keychain entries.

[Image: list of Appgate SDP Client activities with timestamps and login details.]

DNS configuration

The Client comes with the option of running a custom DNS script which tries to change the network configuration when connecting to Appgate SDP, so that the Appgate SDP DNS is called for Appgate SDP domains, while the regular DNS remains in charge of resolving everything else. You might require this if, for example, you are using legacy applications that rely on resolving through /etc/resolv.conf.

To achieve this you can add a script which will be used when the Client connects. The script resets the network configuration when Appgate SDP disconnects.

To use a custom DNS script:

  • Create your script and save it somewhere such as in /etc/custom_dns_script.sh  

  • Create a new file containing the line dns_script=/etc/custom_dns_script.sh

  • Save this file as /etc/appgate.conf

When the Client connects, the script will be called with:

--servers <dns-server-ips> --domains <dns-domains>

and when the Client disconnects will be called with:

--reset
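
An added example, not Appgate's own script: a custom DNS script that handles the three arguments listed above by writing one file per domain under /etc/resolver and validating every value before it is used as a file name. It assumes the server and domain lists arrive comma- or space-separated (the page does not state the format) and that macOS per-domain resolver files are an acceptable way to apply them; RESOLVER_DIR and the marker line are names chosen for this example.

```shell
#!/bin/sh
# Added example (not vendor code) of a script referenced by dns_script= in /etc/appgate.conf.
# Assumed: comma- or space-separated values; per-domain files in /etc/resolver (macOS resolver(5)).
set -f            # no filename globbing: the lists below are split unquoted on purpose
RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"
MARKER="# managed-by-custom-dns-script"

valid_ip() {      # character check only: hex digits plus at least one ':' or '.'
    case "$1" in ''|*[!0-9A-Fa-f:.]*) return 1 ;; *[.:]*) return 0 ;; esac
    return 1
}
valid_domain() {  # hostname characters only; blocks '/', '..' and a leading '.' or '-'
    case "$1" in ''|.*|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

apply_dns() {     # $1 = server list, $2 = domain list
    servers=$(printf '%s' "$1" | tr ',' ' ')
    domains=$(printf '%s' "$2" | tr ',' ' ')
    for s in $servers; do valid_ip "$s" || { echo "bad server: $s" >&2; return 1; }; done
    for d in $domains; do valid_domain "$d" || { echo "bad domain: $d" >&2; return 1; }; done
    mkdir -p "$RESOLVER_DIR" || return 1
    for d in $domains; do
        { echo "$MARKER"; for s in $servers; do echo "nameserver $s"; done; } \
            > "$RESOLVER_DIR/$d" || return 1
    done
}

reset_dns() {     # remove only the files this script wrote (they carry the marker line)
    grep -rlxF -- "$MARKER" "$RESOLVER_DIR" 2>/dev/null |
        while IFS= read -r f; do rm -f "$f"; done
}

main() {
    key=""; srv=""; dom=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --reset) reset_dns; return ;;
            --servers|--domains) key="$1" ;;
            *) case "$key" in
                   --servers) srv="$srv $1" ;;
                   --domains) dom="$dom $1" ;;
                   *) echo "unexpected argument: $1" >&2; return 2 ;;
               esac ;;
        esac
        shift
    done
    if [ -n "$srv" ] && [ -n "$dom" ]; then apply_dns "$srv" "$dom"; fi
}
main "$@"
```

Resolver files that lack the marker line are left alone on --reset, so entries managed by other tools survive a disconnect.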