Get Started with CYFOX EDR for macOS
Written by Omer Kushmirski
Updated this week

Starting January 2025, CYFOX will officially launch its EDR version for macOS endpoints, completing comprehensive support for Windows, Linux, and macOS devices. This ensures full-spectrum protection and detection across all major operating systems.

This article provides a step-by-step walkthrough on how to start using CYFOX EDR for macOS while introducing the core principles for effectively operating the software, including:

  • Licensing

  • Installation and Uninstallation

  • Configuration and Troubleshooting

Licensing

To start with CYFOX for macOS, you will need to make sure that licenses are purchased as part of the standard onboarding process. Once agents are acquired, you can select the desired OS script by going to the downloads page and choosing the right script for installation.

For example, if you purchase 10 licenses, you can:

  • Split them across Windows, Linux, and macOS

  • Deploy all 10 on macOS devices

  • Use any other combination that suits your needs

Pre-Installation

From this point of the article, we assume that all licenses are valid and operating as intended. Any licensing issues encountered are likely unrelated to the macOS installation process and may indicate a broader licensing concern. For assistance with licensing matters, please contact the CYFOX support team.

Before installing, please make sure the machine meets the macOS system requirements.

Next, ensure you obtain the latest macOS EDR installation script, which is accessible through the CYFOX Management Interface:

  • For MSSPs/Resellers: Log in to cloud.cyfox.com using your account credentials. Then, navigate to the User Profile section (located at the top-right corner), select Downloads, and choose the macOS installation script.

  • For XDR Admins (users managing a single XDR unit), the script is accessible directly under the Downloads option in the main menu.

Installation

You can start the installation process after following the steps above to download the installer file from the CYFOX website.

We strongly recommend downloading the installation package directly from the official CYFOX platform. If you received the package through any other source, it is important to verify its authenticity. While Apple performs automatic checks, you can manually confirm the package's validity by clicking the lock icon at the top right of the installer window.

The CYFOX macOS installation file is officially signed by CYFOX TECHNOLOGIES LTD and notarized by the Apple Notary Service.
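
A command-line version of the authenticity check described above, as an added example that is not CYFOX's own code. It assumes the installer is a .pkg file; the file name CyfoxAgent.pkg, the Team ID value and both sample reports are constructed placeholders modeled on the output of pkgutil --check-signature.

```shell
#!/bin/sh
# Added example, not CYFOX code: confirm the installer's signer and notarization
# from the report printed by `pkgutil --check-signature`.
EXPECTED_SIGNER="CYFOX TECHNOLOGIES LTD"  # signer name stated in the article
# A name alone can be imitated; also pin the Team ID once CYFOX confirms it.
EXPECTED_TEAM_ID=""                       # placeholder: not given in the article

check_signature_report() {  # reads a report on stdin; returns 0 only if all checks pass
    report=$(cat); rc=0
    team=${EXPECTED_TEAM_ID:-[A-Z0-9]+}
    # Entry "1." of the chain is the leaf certificate; it must be a
    # Developer ID Installer certificate issued to exactly the expected name.
    printf '%s\n' "$report" |
        grep -Eq "^[[:space:]]*1\. Developer ID Installer: ${EXPECTED_SIGNER} \(${team}\)[[:space:]]*\$" ||
        { echo "FAIL: leaf certificate is not 'Developer ID Installer: $EXPECTED_SIGNER'"; rc=1; }
    printf '%s\n' "$report" | grep -q "Notarization: trusted by the Apple notary service" ||
        { echo "FAIL: no trusted notarization ticket"; rc=1; }
    return "$rc"
}

verify_pkg() {  # macOS only; usage: verify_pkg /path/to/installer.pkg
    spctl --assess --type install "$1" || { echo "FAIL: Gatekeeper rejected $1"; return 1; }
    pkgutil --check-signature "$1" 2>&1 | check_signature_report
}

# Constructed sample reports (file name and Team ID are placeholders).
SAMPLE_GOOD='Package "CyfoxAgent.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: CYFOX TECHNOLOGIES LTD (TEAMID0000)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_LOOKALIKE='Package "CyfoxAgent.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: CYFOX TECHNOLOGIES LTD SERVICES (ZZZZZ00000)
    2. Developer ID Certification Authority
    3. Apple Root CA'

if printf '%s\n' "$SAMPLE_GOOD" | check_signature_report; then echo "good sample: accepted"; fi
printf '%s\n' "$SAMPLE_LOOKALIKE" | check_signature_report || echo "lookalike sample: rejected"
```

On a Mac, run verify_pkg against the downloaded file before opening it in the installer.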

Authenticate for Installation

Upon launching the installer, you may be prompted to enter your username and password to grant necessary permissions.

Start the Installation

  • Click Install and then Continue to begin installing the agent. After the installation is completed, the Agent Configurator (Setup Wizard) will automatically launch.

Follow the Setup Wizard

  • Click Next to begin configuring the agent.

Grant Full Disk Access

The CYFOX Agent requires full disk access to operate effectively. During the Setup process, you will be prompted to grant this permission.

If the full disk access prompt does not appear automatically:

  • Open System Preferences.

  • Navigate to Privacy & Security > Full Disk Access.

  • The CYFOX package should already be visible in the list. Add cfx to the list of allowed applications.

Configure Deployment Type

After approving full disk access, you will be prompted to choose between on-premises deployment and cloud deployment.

For On-Premises installations, select the "On-Premises" option in the setup wizard and enter your on-premises server address. When operating within the same network, the XDR server automatically identifies the new host, so no key is required.

You can change the Deployment Type directly to "Cloud" using the Setup Wizard.

When switching to Cloud, you will be prompted to enter the customer's License Key and Activation Key.

Review and Apply Settings

After filling in the details, click Next. A summary of the configuration will be displayed. Click Apply to finalize the setup.

  • The agent will verify server availability and, for cloud deployments, activate the license key.

Confirm Installation Success

Once completed, you’ll see the Cyfox Agent icon in the macOS taskbar. This indicates that the agent is running.

Troubleshooting

License or Server Errors: If an issue arises during configuration:

  • A notification with options to OK (proceed) or Cancel (update settings) will appear.

Configuration

After the installation is complete, you can configure certain values to adjust the EDR modes. It is important to note that there is currently no UI support for modifying these settings. To make changes, you will need to use the system terminal.

Below is a list of settings you can configure after installing the CYFOX macOS Agent:

IP Address

This field specifies the address of the on-premises server with which the CYFOX agent communicates. It is required for on-premises deployments to ensure proper integration with your XDR infrastructure.

  • Example: address=192.168.17.36

  • Enter the server address during installation or update it later if the server IP changes.

Port

Defines the communication port used to connect to the on-premises server. The default is typically provided, but it can be customized if necessary.

  • Example: port=4242

  • Use this setting if your server uses a non-standard port for communication.

Log Path

Specifies the file path where the agent's log files are stored. These logs capture operational details and are useful for monitoring and troubleshooting.

  • Example: logpath=/var/log/cfx.log

  • Customize the path if you have a specific directory for log management, such as for centralized logging or compliance requirements.

Debug Mode

Enables or disables detailed logging for debugging purposes. When enabled, the logs provide extensive details about the agent's internal processes.

  • Options: True (enabled) or False (disabled)

  • Example: debug=False

  • Use True for debugging issues or troubleshooting. For normal operation, set it to False to minimize log size and improve performance.

Run Mode

Determines the operational mode of the agent. Options are EDR or Sensor.

EDR mode is used for active threat detection and prevention, while Sensor mode operates as a lightweight sensor for data collection without full EDR functionality.

  • Example: runmode=EDR

  • Choose EDR for full protection and monitoring. Choose Sensor for environments where you only need data collection with minimal system impact.

Apply Configurations

Follow these steps to update and apply configuration settings for the CYFOX macOS Agent:

Open the Terminal on your macOS system.

  • Use Spotlight Search (Command + Space) and type Terminal, then press Enter.

Navigate to the directory where the configuration file is stored:

cd /Library/Application\ Support/Cyfox/etc/

Open the configuration file (cfx.conf) with your preferred text editor (e.g., nano):

sudo nano cfx.conf

  • You may need to enter your system password to gain editing permissions.

Inside the file, you’ll see settings like this:

[api]
address=192.168.17.36
port=4242

[general]
logpath=/var/log/cfx.log
debug=False
runmode=EDR

Update the values based on your requirements.

  • address: Enter your on-premises server address.

  • port: Specify the communication port (default is 4242).

  • logpath: Set the desired path for log files.

  • debug: Set to True for detailed debugging or False for standard operation.

  • runmode: Choose between EDR (Endpoint Detection and Response) or Sensor mode.

  • autoupdate: Set to True to enable automatic updates or False to disable them.

Save your changes

  • In nano, press Ctrl + O to save, then press Enter. Next, exit the editor by pressing Ctrl + X.

  • You may be prompted to save changes locally: choose "Y" to save.

For the changes to take effect, you need to reload the Cyfox agent daemon. Choose one of the following methods:

Option 1: Signal the Daemon

Send a signal to the Cyfox daemon to reload the configuration:

pkill -USR2 cfx

Option 2: Reload the Daemon

Unload the current configuration:

sudo launchctl unload /Library/LaunchDaemons/com.cyfox.cfx.plist

Reload the daemon with the updated configuration:

sudo launchctl load /Library/LaunchDaemons/com.cyfox.cfx.plist

Verify the Changes

Check the log file to confirm the updated settings. You can do this using one of two methods: The Terminal (described below) or the macOS EDR User Interface.

cat /var/log/cfx.log
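
A pre-reload check for the edited file, as an added example that is not CYFOX's own tooling. The function names and exit codes are assumptions of this example, the accepted values are the ones listed in this article, and the sample configuration is constructed from the article's example file.

```shell
#!/bin/sh
# Added example, not CYFOX code: lint cfx.conf before reloading the agent.
# Returns 0 = clean, 1 = invalid (do not reload), 2 = valid but weakened posture.
CONF_DEFAULT="/Library/Application Support/Cyfox/etc/cfx.conf"  # path from the article

conf_get() {  # conf_get FILE SECTION KEY: print the value of KEY inside [SECTION]
    awk -F= -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); sect = $0; next }
        { k = $1; gsub(/[ \t]/, "", k) }
        sect == want && k == key {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$1"
}

audit_cfx_conf() {
    f=${1:-$CONF_DEFAULT}; rc=0; warn=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 1; }
    # The config of a root daemon must not be writable by group or others.
    if [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "ERROR: $f is group- or world-writable"; rc=1
    fi
    address=$(conf_get "$f" api address); port=$(conf_get "$f" api port)
    debug=$(conf_get "$f" general debug); runmode=$(conf_get "$f" general runmode)
    [ -n "$address" ] || { echo "ERROR: [api] address is empty"; rc=1; }
    case $port in
        ''|*[!0-9]*|??????*) echo "ERROR: port='$port' is not a valid port"; rc=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
               { echo "ERROR: port $port is out of range"; rc=1; } ;;
    esac
    case $debug in True|False) ;; *) echo "ERROR: debug='$debug' (True or False)"; rc=1 ;; esac
    case $runmode in EDR|Sensor) ;; *) echo "ERROR: runmode='$runmode' (EDR or Sensor)"; rc=1 ;; esac
    # Valid but worth alerting on: verbose logs, or collection without full EDR.
    [ "$debug" != True ] || { echo "WARN: debug logging is enabled"; warn=1; }
    [ "$runmode" != Sensor ] || { echo "WARN: runmode=Sensor runs without full EDR functionality"; warn=1; }
    [ "$rc" -ne 0 ] || [ "$warn" -eq 0 ] || rc=2
    return "$rc"
}

# Constructed sample input: the article's example file with a chosen runmode and port.
make_sample() {  # make_sample RUNMODE PORT: print the path of a temporary config
    t=$(mktemp "${TMPDIR:-/tmp}/cfx.XXXXXX") && chmod 644 "$t" &&
    printf '[api]\naddress=192.168.17.36\nport=%s\n\n[general]\nlogpath=/var/log/cfx.log\ndebug=False\nrunmode=%s\n' "$2" "$1" > "$t" &&
    echo "$t"
}
sample=$(make_sample Sensor 4242)
audit_cfx_conf "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

Called with no argument, audit_cfx_conf reads the installed file at the path given in this article; running it on a schedule also surfaces an agent that has been switched to Sensor mode or left in debug mode.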

Uninstallation

Users can uninstall the Cyfox Agent at any time by running the following command in the Terminal:

sudo sh /Library/Application\ Support/Cyfox/uninstall.sh

  • To ensure security and prevent unauthorized tampering, the uninstallation process requires the user to enter their root (system administrator) password to confirm the action.


If you encounter any issues or have additional questions, our support team is here to help. Please contact us at [email protected].
