macOS clients

There are three types of macOS client. For a quick overview of the differences, refer to the Client compatibility matrix.

Full

Designed for normal enterprise usage, including pre-installation as part of standard builds.

Headless

For installation on unattended machines such as servers.

Always-On

For normal enterprise usage where an always-on connection to/from certain (protected) hosts is required.

Ensure the client version is designed for use with the associated software OS version. See the Download Center for more information.

NOTE

When macOS FileVault is enabled, the headless client is not started on boot by the operating system until a user with permission to decrypt the drive logs in. This affects both the headless and the always-on clients.

Installing macOS clients

All the elements required for full, headless, and always-on clients are installed from the standard installer file. The pages for each type of macOS client contain more specific details about the installation of each.

The default installation will operate as a full client. Modifying the client to operate in either headless or always-on mode requires some manual configuration. See macOS headless client for details.

It is not uncommon for end-point protection software to interfere with or break the installation of the client. The client contains a number of components/executables which may need to be allowed within the end-point protection software.

Uninstalling macOS clients

To uninstall the client, run the AppGate SDP Uninstaller script in the .dmg file that was used to install it.

There is an option to keep saved configurations and credentials in Keychain. Other configurations will be removed.

Never try to partially uninstall the client, for example by removing only the AppGate ZTNA driver.

You can manually uninstall the client by running the following as root:

/Library/Application\ Support/Appgate/interactive-uninstall

To remove all secrets stored in the Keychain, run the following as root:

/Library/Application\ Support/Appgate/interactive-uninstall --clear-settings

Components and executables for macOS clients

Upgraded clients may retain some existing paths even when new paths are used. The following table shows only the paths used in new installations.

| Location | Component/Executable | Description |
|---|---|---|
| /Applications/ | Appgate SDP.app | Contains the executable Appgate SDP and will run as USER handling the UI process. |
| /Library/Application Support/Appgate/ | Appgate Driver | The virtual network adapter that handles connections to the Gateways. |
| /Library/Application Support/Appgate/ | Appgate Service.app | Contains the executable AppGate Service and runs as USER handling the business logic. |
| /Library/Application Support/Appgate/ | appgate-updater | Runs with root privileges handling auto-update of the client. |
| /Library/Application Support/Appgate/ | headless-installer | Used for headless and always-on clients. |
| /Library/Application Support/Appgate/ | appgate_service_configurator | Tool to control the headless client. Requires that the AppGate Service is running. |
| /Library/Application Support/Appgate/ | interactive-uninstall | The uninstall script. |
| /Library/Application Support/Appgate/ | appgate-starter | Runs with root privileges and full disk access rights. |
| /etc/ | appgate.conf | The configuration file containing the parameters required for the headless client to sign-in. |

Setting defaults

You can configure some default options by running the following commands:

| Option | Command |
|---|---|
| Skip the data usage user approval screen | defaults write com.appgate.sdp.service user_approval -bool YES |
| Prevent the running of device claim scripts. Note that these run with full admin privileges so present a security risk. | defaults write com.appgate.sdp.service scripts_disabled -bool true |
| Set multiple default profiles after a fresh install of the client. Each profile should be separated using a semicolon encapsulated in quotes ["profile1;profile2"]. | defaults write com.appgate.sdp.service default_profiles "appgate://profile1.com/foo;appgate://profile2.com/bar" |
| Set the default attention mode | defaults write com.appgate.sdp attention_mode [ATTENTION_VALUE] where ATTENTION_VALUE can be 0-2 |
| Prevent the full client from auto-starting on boot | defaults write com.appgate.sdp.service autostart 0 |

Configuration settings

To list local firewall rules

sudo pfctl -a com.appgate -sr

To clean all client settings

  1. Delete the following files:

    ~/Library/Preferences/com.appgate.sdp.plist

    ~/Library/Preferences/com.appgate.sdp.service.plist

  2. Reboot the computer.

To remove a profile link

  1. Open the Keychain Access application.

  2. Search for “appgate” and find entries of the kind “Profile”.

  3. Show the password to see the profile name.

  4. Delete the required profile.

To remove all stored passwords and certificates

  1. Open the Keychain Access application.

  2. Search for “appgate”.

  3. Delete all related passwords.

The following image shows typical AppGate Keychain entries:

[Image: list of Appgate SDP Client activities with timestamps and login details.]

DNS configuration

The client comes with the option of running a custom DNS script. The custom script tries to change the network configuration when connecting to AppGate ZTNA, so that the AppGate ZTNA DNS is called for AppGate ZTNA domains. The regular DNS will remain in charge of resolving everything else. You might require this if, for example, you are using legacy applications that rely on resolving through /etc/resolv.conf.

To achieve this, add a script that will be used when the client connects. The script resets the network configuration when AppGate ZTNA disconnects.

To use a custom DNS script:

  1. Create your script and save it somewhere, such as in /etc/custom_dns_script.sh  

  2. Create a new file containing the line dns_script=/etc/custom_dns_script.sh

  3. Save this file as /etc/appgate.conf

When the client connects, the script will be called with:

--servers <dns-server-ips> --domains <dns-domains>

When the client disconnects, the script will be called with:

--reset
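
One way to write such a script, shown as an added example (not from the original page or the vendor): it validates the server and domain values before use, because each domain becomes a file name, and --reset removes only the files it created. Assumptions: the lists arrive comma- or space-separated, split DNS is configured with per-domain files under /etc/resolver (macOS resolver(5)), and the function names, RESOLVER_DIR and the marker comment are hypothetical.

```sh
#!/bin/sh
# Added example for /etc/custom_dns_script.sh; not vendor code.
# Assumed: comma- or space-separated lists, per-domain files in /etc/resolver.
LC_ALL=C; export LC_ALL
set -f                                   # never glob-expand values from the client
RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"
MARKER="# managed-by-custom_dns_script"  # tags the files that --reset may delete

valid_ip() {      # character-class check only, not a full address parser
  case "$1" in ''|*[!0-9A-Fa-f:.]*) return 1 ;; *.*.*.*|*:*) return 0 ;; esac
  return 1
}
valid_domain() {  # value becomes a file name: reject '/', '..', leading '.' or '-'
  case "$1" in ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}
dns_apply() {     # $1 = server list, $2 = domain list; validate all before writing
  srv=$(printf '%s' "$1" | tr ',' ' '); dom=$(printf '%s' "$2" | tr ',' ' '); s=; d=
  for s in $srv; do valid_ip "$s" || { printf 'bad server: %s\n' "$s" >&2; return 1; }; done
  for d in $dom; do valid_domain "$d" || { printf 'bad domain: %s\n' "$d" >&2; return 1; }; done
  [ -n "$s" ] && [ -n "$d" ] || return 1   # both lists must be non-empty
  mkdir -p "$RESOLVER_DIR" || return 1
  for d in $dom; do
    { printf '%s\n' "$MARKER"; for s in $srv; do printf 'nameserver %s\n' "$s"; done; } \
      > "$RESOLVER_DIR/$d"
  done
}
dns_reset() {     # remove only files carrying MARKER; other resolver files stay
  [ -d "$RESOLVER_DIR" ] || return 0
  grep -rlxF -- "$MARKER" "$RESOLVER_DIR" | while IFS= read -r f; do rm -f -- "$f"; done
}
custom_dns() {    # entry point: parses the arguments the client passes
  servers=; domains=; mode=
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --reset)   dns_reset; return ;;
      --servers) mode=s ;;
      --domains) mode=d ;;
      --*)       printf 'unknown option: %s\n' "$1" >&2; return 2 ;;
      *) if [ "$mode" = s ]; then servers="$servers $1"
         elif [ "$mode" = d ]; then domains="$domains $1"; else return 2; fi ;;
    esac
    shift
  done
  dns_apply "$servers" "$domains"
}
if [ "$#" -gt 0 ]; then custom_dns "$@"; fi
```

Keep /etc/custom_dns_script.sh and /etc/appgate.conf owned by root and not writable by other users, since the client executes whatever path dns_script names.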