Deploy the universal forwarder to macOS fleets using MDM
Silently deploy the Splunk Universal Forwarder across your macOS fleet using an MDM platform, with automated configuration, boot-start, and Full Disk Access permissions.
Use this workflow to deploy the universal forwarder across your macOS fleet using a Mobile Device Management (MDM) platform, like JAMF or Kandji. This process ensures silent, unattended installation without requiring user interaction.
Deployment architecture
To follow deployment best practices, use the following components:
- A custom .pkg installer package containing:
  - The Universal Forwarder .tgz archive
  - Pre-configured deployment configuration files
  - A user-seed.conf file for admin credentials
  - A postinstall script that extracts and configures the forwarder
- A LaunchDaemon for automatic startup at boot
- (Optional) A PPPC profile for Full Disk Access permissions
Step 1: Prepare configuration files
Prepare the following configuration files:
- deploymentclient.conf
Create this file to configure the forwarder to connect to your agent management:
[deployment-client]
clientName = $HOSTNAME

[target-broker:deploymentServer]
targetUri = your-deployment-server.company.com:8089
- outputs.conf (Alternative to your agent management)
If you are not using agent management, configure direct forwarding to indexers:
[tcpout]
defaultGroup = splunk-indexers

[tcpout:splunk-indexers]
server = indexer1.company.com:9997,indexer2.company.com:9997
compressed = true
- user-seed.conf
Pre-configure admin credentials to avoid interactive prompts:
[user_info]
USERNAME = admin
HASHED_PASSWORD = $6$rounds=...[generated hash]
Note: Generate the password hash using /opt/splunkforwarder/bin/splunk hash-passwd.
Step 2: Create the post-installation script
The post-installation script, run by the .pkg installer, automates the extraction, configuration, and service initialization of the universal forwarder.
The script includes the set -e shell setting to ensure the script stops immediately if any step fails. This is a safety measure to prevent the installer from continuing if a critical configuration step is unsuccessful.
#!/bin/bash
# Splunk Universal Forwarder - macOS Silent Installation Script
# This script is designed to run as a postinstall script in a .pkg installer.
# Specifies the shell setting to ensure the script stops immediately if any step fails:
set -e
# Configures the installation paths:
SPLUNK_HOME="/opt/splunkforwarder"
STAGING_DIR="/var/tmp/splunk_install"
# Extracts the universal forwarder package to the /opt folder:
echo "Extracting Splunk Universal Forwarder..."
cd /opt
# The glob sits outside the quotes so the shell expands it to the archive name:
tar xzf "${STAGING_DIR}"/splunkforwarder-*.tgz
# Terminates any existing splunkd process:
pkill splunkd 2>/dev/null || true
sleep 2
# Deploys the configuration files into the Splunk Enterprise /local folder:
echo "Deploying configuration files..."
mkdir -p "${SPLUNK_HOME}/etc/system/local"
cp "${STAGING_DIR}/deploymentclient.conf" "${SPLUNK_HOME}/etc/system/local/" 2>/dev/null || true
cp "${STAGING_DIR}/outputs.conf" "${SPLUNK_HOME}/etc/system/local/" 2>/dev/null || true
cp "${STAGING_DIR}/user-seed.conf" "${SPLUNK_HOME}/etc/system/local/" 2>/dev/null || true
# Sets ownership (runs as root by default):
chown -R root:wheel "${SPLUNK_HOME}"
# Accepts the license and starts the universal forwarder:
echo "Starting Splunk Universal Forwarder..."
"${SPLUNK_HOME}/bin/splunk" start --accept-license --no-prompt --answer-yes
# Registers boot-start with the Launch Daemon system service:
echo "Enabling boot-start..."
"${SPLUNK_HOME}/bin/splunk" enable boot-start
# Moves the Launch Daemon to the correct system location (the /Library/LaunchDaemons folder) if needed:
if [ -f "/Library/LaunchAgents/com.splunk.splunkd.plist" ]; then
    mv "/Library/LaunchAgents/com.splunk.splunkd.plist" "/Library/LaunchDaemons/"
fi
# Loads the Launch Daemon
launchctl unload /Library/LaunchDaemons/com.splunk.plist 2>/dev/null || true
sleep 1
launchctl load /Library/LaunchDaemons/com.splunk.plist
# Remove the staging files to clean up the installation directory:
rm -rf "${STAGING_DIR}"
echo "Splunk Universal Forwarder installation complete."
exit 0
Step 3: Build the Deployment Package
Use a package building tool such as Packages, JAMF Composer, or munkipkg to create a .pkg installer:
- Create a new package project.
- Add files to be installed to the /var/tmp/splunk_install/ folder:
  - splunkforwarder-<version>-darwin-universal2.tgz
  - deploymentclient.conf
  - outputs.conf (if applicable)
  - user-seed.conf
- Add the postinstall script to the Scripts section.
- Set the package identifier (e.g., com.splunk.universalforwarder).
- Build the package.
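The postinstall script copies each configuration file with `|| true`, so a file missing from the package does not fail the install. A pre-build check of the staged files, as an added example that is not part of Splunk's documentation or tooling; the function names and the `$6$` placeholder hash are constructed for illustration:

```python
import configparser
import re

HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")
# Constructed sample mirroring the page's files; the hash is a placeholder.
SAMPLE = {
    "deploymentclient.conf": "[deployment-client]\nclientName = $HOSTNAME\n"
        "[target-broker:deploymentServer]\n"
        "targetUri = your-deployment-server.company.com:8089\n",
    "user-seed.conf": "[user_info]\nUSERNAME = admin\n"
        "HASHED_PASSWORD = $6$placeholder$hash\n",
}

def parse_conf(text):
    """Parse .conf text; keys stay case-sensitive and '=' is the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint_staging(files):
    """files maps file name -> text; returns a list of findings (empty = OK)."""
    out = []
    seed = parse_conf(files.get("user-seed.conf", ""))
    info = seed["user_info"] if seed.has_section("user_info") else {}
    if "PASSWORD" in info:
        out.append("user-seed.conf: plaintext PASSWORD present")
    if not info.get("HASHED_PASSWORD", "").startswith("$6$"):
        out.append("user-seed.conf: HASHED_PASSWORD missing or not in $6$ form")
    if "deploymentclient.conf" in files:
        dc = parse_conf(files["deploymentclient.conf"])
        uri = dc.get("target-broker:deploymentServer", "targetUri", fallback="")
        if not HOSTPORT.match(uri):
            out.append("deploymentclient.conf: targetUri is not host:port")
    if "outputs.conf" in files:
        oc = parse_conf(files["outputs.conf"])
        group = oc.get("tcpout", "defaultGroup", fallback="")
        servers = oc.get(f"tcpout:{group}", "server", fallback="").split(",")
        if not all(HOSTPORT.match(s.strip()) for s in servers):
            out.append("outputs.conf: defaultGroup has no valid server list")
    if not files.keys() & {"deploymentclient.conf", "outputs.conf"}:
        out.append("neither deploymentclient.conf nor outputs.conf is staged")
    return out

if __name__ == "__main__":
    print(lint_staging(SAMPLE) or "staging files look consistent")
```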
Step 4: Configure macOS Security Permissions (PPPC Profile)
On macOS version 10.14 and higher, the universal forwarder requires Full Disk Access to read protected log files, such as /var/log/system.log. Deploy a Privacy Preferences Policy Control (PPPC) profile through the MDM platform to grant this permission silently.
Use the following PPPC Profile configuration to grant Full Disk Access (FDA) (SystemPolicyAllFiles) to the universal forwarder:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>Services</key>
            <dict>
                <key>SystemPolicyAllFiles</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "splunkd" and anchor apple generic</string>
                        <key>Identifier</key>
                        <string>/opt/splunkforwarder/bin/splunkd</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadIdentifier</key>
    <string>com.company.splunk.pppc</string>
    <key>PayloadType</key>
    <string>Configuration</string>
</dict>
</plist>
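A Full Disk Access grant is only as specific as its CodeRequirement string. This added example (not Splunk's code) parses a PPPC profile with Python's plistlib and reports entries whose requirement does not pin a signing Team ID or whose IdentifierType does not fit the Identifier. Treating a missing `certificate leaf[subject.OU]` clause as a finding is this example's assumption; the installed binary's actual requirement can be read with `codesign -d -r- /opt/splunkforwarder/bin/splunkd`.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Sample input: the page's profile, condensed (DOCTYPE omitted).
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
  <key>Services</key><dict><key>SystemPolicyAllFiles</key><array><dict>
    <key>Allowed</key><true/>
    <key>CodeRequirement</key><string>identifier "splunkd" and anchor apple generic</string>
    <key>Identifier</key><string>/opt/splunkforwarder/bin/splunkd</string>
    <key>IdentifierType</key><string>path</string>
  </dict></array></dict>
</dict></array>
<key>PayloadIdentifier</key><string>com.company.splunk.pppc</string>
<key>PayloadType</key><string>Configuration</string>
</dict></plist>"""

def full_disk_access_grants(profile_bytes):
    """Yield each SystemPolicyAllFiles entry from the profile's TCC payloads."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == TCC_TYPE:
            yield from payload.get("Services", {}).get("SystemPolicyAllFiles", [])

def lint_grant(entry):
    """Return findings for one Full Disk Access entry (empty list = none)."""
    findings = []
    ident = entry.get("Identifier", "")
    req = entry.get("CodeRequirement", "").strip()
    # IdentifierType "path" expects an absolute path; "bundleID" expects a bundle ID.
    if (entry.get("IdentifierType") == "path") != ident.startswith("/"):
        findings.append("IdentifierType does not match the form of Identifier")
    if not req:
        findings.append("CodeRequirement is empty")
    elif "subject.OU" not in req:
        # Assumption of this example: a vendor-specific requirement pins the Team ID.
        findings.append("CodeRequirement has no Team ID pin (certificate leaf[subject.OU])")
    return findings

def lint_profile(profile_bytes):
    """Map each granted Identifier to its findings."""
    return {e.get("Identifier", "?"): lint_grant(e)
            for e in full_disk_access_grants(profile_bytes)}

if __name__ == "__main__":
    for ident, findings in lint_profile(PROFILE).items():
        print(ident, findings or "ok")
```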
Step 5: Deploy the universal forwarder using the MDM platform
Follow these steps using the JAMF Pro MDM platform:
- Upload the .pkg to JAMF Admin or directly to JAMF Pro.
- Create a New Policy with the following settings:
  - For Trigger, set Recurring Check-in or Enrollment Complete.
  - For Execution Frequency, set Once per computer.
  - For Scope, set Target computers or Smart Groups.
- Navigate to Configuration Profiles, create a new profile and add the PPPC profile configuration.
- Set the Scope of the Configuration Profile to the same target machines.