Installing a macOS universal forwarder
Install manually and automate deployment of the Splunk Universal Forwarder on macOS.
Deploy the Splunk Universal Forwarder on your macOS systems with this guide, which provides instructions for manual installation and enterprise-scale automated deployment using Mobile Device Management (MDM) platforms like JAMF Pro, Kandji, or Mosyle.
The universal forwarder for macOS is available in the following formats to support different deployment scenarios:
| Package Format | Best For | Notes |
|---|---|---|
| .tgz (tar archive) | MDM/Automated Deployment | Recommended for silent, scripted installs |
| .dmg (disk image) | Manual Installation | Contains .pkg, requires user interaction |
Important: For enterprise deployments to 50+ Macs, the .tgz package with scripted installation is strongly recommended to enable fully silent, unattended deployment.
Prerequisites
Ensure the following requirements are met:
-
Your environment meets the following system requirements:
- macOS 10.14 (Mojave) or later (Intel or Apple Silicon)
- Minimum 1 GB available disk space
- Administrative privileges for installation
- Network connectivity to agent management or indexers
-
You have gathered the following information from the Splunk admin:
- Agent management hostname and port (default: 8089)
- Indexer/Receiver hostname and port (default: 9997)
- Any required SSL certificates for secure communication
- Desired admin credentials for the forwarder (username/password)