We’ve received scattered reports of folks with a BES Agent on macOS that has stopped reporting. It was fine, then it wasn’t. We’ve not found much useful information other than, in at least one case, something seems to have shut down the client:
At 12:58:52 -0400 - Patches for Mac OS X (http://sync.bigfix.com/cgi-bin/bfgather/macpatches)
BackgroundAdviceEvaluation::FinishDataLoop side line file Configuration.fxf
At 12:58:54 -0400 - Patches for Mac OS X (http://sync.bigfix.com/cgi-bin/bfgather/macpatches)
BackgroundAdviceEvaluation::FinishDataLoop side line file OS X 106.fxf
At 12:59:24 -0400 -
Client shutdown (Service manager stop request)
In addition to asking what could be doing something like this or how I could find it, does anyone understand the exact process flow for the starting and stopping of macOS services (system/com.bigfix.BESAgent in particular)? Where should/could I be looking? What should/could I be looking for?
Thanks!
So far as I know, we haven’t seen that.
Memory congestion? Extremely low battery? Can’t reach a relay and eventually gives up?
As far as I can tell, everything else about these computers is fine. The users are continuing to use them regularly and other tools like Jamf Pro and CrowdStrike continue to operate normally (though sometimes they go dark as well).
As a related question, as macOS evolves, we’re seeing other tools require specific rights explicitly granted but the user or by “configuration profile”, but I’ve not seen any such recommendation or requirement for BigFix. Does the BigFix Agent on macOS not need things like “Full Disk Access” or “App Management” rights in order to function properly?
We do… but I’d say its not particularly well known. There’s a small note at the bottom of the Mac client installation instructions page here → Installing the Client on Mac
Note: The BESAgent service can access all of the user’s private files and folders in the Mac system only if you add full disk access permission to it. It can be done manually by the user from the Privacy tab of the Security & Privacy Preferences panel or by using MDM services. For a BigFix MCM Device this can be done automatically at installation time, see Deploy BigFix Agent for more information.
1 Like
This may need to be revisited (and perhaps reinforced). The latest version of macOS (v13 aka Ventura) has added an “App Management” privacy control that must be granted in order to “Allow the applications below to update or delete other applications”. Even as root, apps can’t mess with objects in the /Applications directory without this right. I’m surprised it hasn’t come up already…
Agreed. I think we should update our docs to better reflect these changes/requirements. That note is very easy to miss. I’ll let the appropriate people know. Thanks!
2 Likes
This is what we’re delivering via a PPPC profile. To my knowledge we’re able to do all the things I’d expect the agent to do.
We’re not using BigFix as an MDM (yet) and there’re no Profiles in our Jamf Pro instance to permit BigFix to do anything special. I’ll have to look into changing that…
We’re not using BigFix’ MDM/MCM, as we have another MDM thinger which predates BigFix’s own.
That said, moving our Macs from that other MDM thinger to JAMF Pro is a thing being discussed. Because reasons.
