General information on installing and configuring macOS Clients

There are three types of macOS Client. For a quick overview of the differences, refer to the Client compatibility matrix.

*Full*	Designed for normal enterprise usage - including pre-installation as part of standard builds
*Headless*	For installation on unattended machines such as Servers.
*Always-On*	For normal enterprise usage where an always-on connection to/from certain (protected) hosts is required

Ensure the Client version is designed for use with the associated software OS version. See the Download Center for more information.

NOTE
When macOS FileVault is enabled, the headless Client will not be started on boot by the operating system until a user with permission to decrypt the drive logs in. This affects both the Headless and the Always-On Clients.

Installing macOS Clients

All the elements required for full, headless, and always-on Clients are installed from the standard installer file. The pages for each type of macOS Client contain more specific details about the installation of each.

The default installation will operate as a full Client. Modifying the Client to operate in either headless or always-on modes requires some manual configurations. See macOS headless Client for details.

It is not uncommon for end-point protection software to interfere with or break the installation of the Client. The Client contains a number of components/executables which may need to be allowed within the end-point protection software.

Uninstalling macOS Clients

Run the AppGate SDP Uninstaller script in the .dmg file used to install the Client to uninstall it.

There is an option to keep saved configurations and credentials in Keychain. Other configurations will be removed.

Never try to partially uninstall the Client, for example removing only the AppGate ZTNA driver.

You can manually uninstall the Client by running the following as root:

/Library/Application\ Support/Appgate/interactive-uninstall

To remove all secrets stored in the Keychain, run the following as root:

/Library/Application\ Support/Appgate/interactive-uninstall --clear-settings

Components and executables for macOS Clients

Upgraded Clients may retain some existing paths even when new paths are used. This only shows the paths used in new installations.

Location	Component/Executable	Description
`/Applications/`	`Appgate SDP.app`	Contains the executable `Appgate SDP` and will run as USER handling the UI process.
`/Library/Application Support/Appgate/`	`Appgate Driver`	The virtual network adapter that handles connections to the Gateways.
	`Appgate Service.app`	Contains the executable AppGate Service and runs as USER handling the business logic.
	`appgate-updater`	Runs with root privileges handling auto-update of the Client.
	`headless-installer`	Used for headless and always-on Clients.
	`appgate_service_configurator`	Tool to control the headless Client. Requires that the AppGate Service is running.
	`interactive-uninstall`	The uninstall script.
	`appgate-starter`	Runs with root privileges and full disk access rights.
`/etc/`	`appgate.conf`	The configuration file containing the parameters required for the headless Client to sign-in.

Setting defaults

You can configure some default options by running the following commands:

Option	Command
Skip the data usage user approval screen	`defaults write com.appgate.sdp.service user_approval -bool YES`
Prevent the running of device claim scripts Note that these run with full admin privileges so present a security risk	`defaults write com.appgate.sdp.service scripts_disabled -bool true`
Set multiple default profiles after a fresh install of the Client Each profile should be separated using a semicolon encapsulated in quotes ["profile1;profile2"]	`defaults write com.appgate.sdp.service default_profiles "appgate://profile1.com/foo;appgate://profile2.com/bar"`
Set the default attention mode	`defaults write com.appgate.sdp attention_mode [ATTENTION_VALUE] where ATTENTION_VALUE can be 0-2`
Prevent the full Client from auto-starting on boot	`defaults write com.appgate.sdp.service autostart 0`

Configuration settings

To list local firewall rules	`sudo pfctl -a com.appgate -sr`
To clean all Client settings	Delete: `~/Library/Preferences/com.appgate.sdp.plis` `~/Library/Preferences/com.appgate.sdp.service.plist` Reboot the computer.
To remove a profile link	Open the Keychain Access application. Search for “appgate” and find entries of the kind “Profile”. Show the password to see the profile name. Delete the required profile.
To remove all stored passwords and certificates	Open the Keychain Access application. Search for “appgate”. Delete all related passwords. The following image shows typical AppGate Keychain entries:

DNS configuration

The Client comes with the option of running a custom DNS script. The custrom script tries to change the network configuration when connecting to AppGate ZTNA, so that the AppGate ZTNA DNS is called for AppGate ZTNA domains. The regular DNS will remain in charge of resolving everything else. You might require this if you are using legacy applications that rely on resolving through /etc/resolv.conf, for example.

To achieve this, add a script that will be will be used when the Client connects. The script resets the network configuration when AppGate ZTNA disconnects.

To use a custom DNS script:

Create your script and save it somewhere, such as in /etc/custom_dns_script.sh
Create a new file containing the line dns_script=/etc/custom_dns_script.sh
Save this file as /etc/appgate.conf

When the Client connects, the script will be called with:

--servers <dns-server-ips> --domains <dns-domains>

When the Client disconnects, the script will be called with:

--reset