Deploy the universal forwarder to macOS fleets using MDM
Silently deploy the Splunk Universal Forwarder across your macOS fleet using an MDM platform, with automated configuration, boot-start, and Full Disk Access permissions.
Use this workflow to deploy the universal forwarder across your macOS fleet using a Mobile Device Management (MDM) platform, like JAMF or Kandji. This process ensures silent, unattended installation without requiring user interaction.
Deployment architecture
To follow deployment best practices, use the following components:
- A custom .pkg installer package containing:
- The Universal Forwarder .tgz archive
- Pre-configured deployment configuration files
- A user-seed.conf file for admin credentials
- A postinstall script that extracts and configures the forwarder
- A LaunchDaemon for automatic startup at boot
- (Optional) A PPPC profile for Full Disk Access permissions
Step 1: Prepare configuration files
Prepare the following configuration files:
- deploymentclient.conf
Create this file to configure the forwarder to connect to your agent management:
CODE[deployment-client] clientName = $HOSTNAME [target-broker:deploymentServer] targetUri = your-deployment-server.company.com:8089 - outputs.conf (Alternative to your agent management)
If not using agent management, configure direct forwarding to indexers:
CODE[tcpout] defaultGroup = splunk-indexers [tcpout:splunk-indexers] server = indexer1.company.com:9997,indexer2.company.com:9997 compressed = true - user-seed.conf
Pre-configure admin credentials to bypass the interactive setup prompts that occur during the initial launch of the application (First Time Run sequence) by taking these steps:
-
On a single reference machine where the universal forwarder is already installed, run the hash-passwd command to generate a SHA-512 crypt hash of your password:CODE
/opt/splunkforwarder/bin/splunk hash-passwd <your-chosen-password>It generates the password hash string.
Note: You only need to perform this step once. You will reuse this same hash for all devices in your fleet. - Copy the entire output of the password hash string, which begins with
$6$.Note: Do not modify or manually construct the hash string. The Splunk platform manages this format internally. -
Configure the user-seed.conf file as follows, pasting the entire output of the password hash string as the
HASHED_PASSWORDvalue:PYTHON[user_info] USERNAME = admin HASHED_PASSWORD = <paste the entire output from splunk hash-passwd command> -
Distribute this user-seed.conf file to your target machines.
Important: The universal forwarder only consumes the user-seed.conf file during its initial launch (the First Time Run sequence). Upon startup, the Splunk platform reads the file, creates the admin account in $SPLUNK_HOME/etc/passwd, and then ignores the seed file. This ensures all devices in your fleet receive the same initial admin credentials.
Step 2: Create the post-installation script
The post-installation script, run by the .pkg installer, automates the extraction, configuration, and service initialization of the universal forwarder.
The script includes the set -e shell setting to ensure the script stops immediately if any step fails. This is a safety measure to prevent the installer from continuing if a critical configuration step is unsuccessful.
#!/bin/bash
# Splunk Universal Forwarder - macOS Silent Installation Script
# This script is designed to run as a postinstall script in a .pkg installer.
# Specifies the shell setting to ensure the script stops immediately if any step fails:
set -e
# Configures the installation paths:
SPLUNK_HOME="/opt/splunkforwarder"
STAGING_DIR="/var/tmp/splunk_install"
# Extracts the universal forwarder package to the /opt folder:
echo "Extracting Splunk Universal Forwarder..."
cd /opt
tar xzf "${STAGING_DIR}/splunkforwarder-*.tgz"
# Terminates any existing splunkd process:
pkill splunkd 2>/dev/null || true sleep 2
# Deploys the configuration files into the Splunk Enterprise /local folder:
echo "Deploying configuration files..."
mkdir -p "${SPLUNK_HOME}/etc/system/local" cp "${STAGING_DIR}/deploymentclient.conf" "${SPLUNK_HOME}/etc/system/local/" 2>/dev/null || true cp "${STAGING_DIR}/outputs.conf" "${SPLUNK_HOME}/etc/system/local/" 2>/dev/null || true cp "${STAGING_DIR}/user-seed.conf" "${SPLUNK_HOME}/etc/system/local/" 2>/dev/null || true
# Sets ownership (runs as root by default):
chown -R root:wheel "${SPLUNK_HOME}"
# Accepts the license and starts the universal forwarder:
echo "Starting Splunk Universal Forwarder..."
"${SPLUNK_HOME}/bin/splunk" start --accept-license --no-prompt --answer-yes
# Registers boot-start with the Launch Daemon system service:
echo "Enabling boot-start..."
"${SPLUNK_HOME}/bin/splunk" enable boot-start
# Moves the Launch Daemon to the correct system location (the/LaunchDaemons folder) if needed:
if [ -f "/Library/LaunchAgents/com.splunk.splunkd.plist" ]; then mv "/Library/LaunchAgents/com.splunk.splunkd.plist" "/Library/LaunchDaemons/" fi
# Loads the Launch Daemon
launchctl unload /Library/LaunchDaemons/com.splunk.plist 2>/dev/null || true sleep 1 launchctl load /Library/LaunchDaemons/com.splunk.plist
# Remove the staging files to clean up the installation directory:
rm -rf "${STAGING_DIR}"
echo "Splunk Universal Forwarder installation complete." exit 0Step 3: Build the Deployment Package
Use a package building tool such as Packages , JAMF Composer, or munkipkg to create a .pkg installer:
- Create a new package project.
- Add files to be installed to the /var/tmp/splunk_install/ folder:
- splunkforwarder-<version>-darwin-universal2.tgz
- deploymentclient.conf
- outputs.conf (if applicable)
- user-seed.conf
- Add the postinstall script to the Scripts section.
- Set the package identifier (for example, com.splunk.universalforwarder).
- Build the package.
Step 4: Configure macOS Security Permissions (PPPC Profile)
On macOS version 10.14 and higher, the universal forwarder requires Full Disk Access to read protected log files, such as /var/log/system.log. Deploy a Privacy Preferences Policy Control (PPPC) profile through the MDM platform to grant this permission silently.
Use the following PPPC Profile configuration to grant Full Disk Access (FDA) (SystemPolicyAllFiles to the universal forwarder:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.TCC.configuration-profile-policy</string> <key>Services</key> <dict> <key>SystemPolicyAllFiles</key> <array> <dict> <key>Allowed</key> <true/> <key>CodeRequirement</key> <string>identifier "splunkd" and anchor apple generic</string> <key>Identifier</key> <string>/opt/splunkforwarder/bin/splunkd</string> <key>IdentifierType</key> <string>path</string> </dict> </array> </dict> </dict> </array> <key>PayloadIdentifier</key> <string>com.company.splunk.pppc</string> <key>PayloadType</key> <string>Configuration</string> </dict> </plist>Step 5: Deploy the universal forwarder using the MDM platform
Following these steps using the JAMF Pro MDM platform:
- Upload the .pkg to JAMF Admin or directly to JAMF Pro.
- Create a New Policy with the following settings:
- For Trigger, set Recurring Check-in or Enrollment Complete.
- For Execution Frequency, set Once per computer.
- For Scope, set Target computers or Smart Groups.
- Navigate to Configuration Profiles, create a new profile and add the PPPC profile configuration.
- Set the Scope of the the Configuration Profile to the same target machines.