Skip to main content

Install cnspec on macOS

info

The environment variable MONDOO_REGISTRATION_TOKEN allows you to pass a registration token to the installation package. If provided, the client will register automatically during the installation.

note

If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.

Install using the automated install script

The Mondoo automated installation script installs the mondoo package using either the Homebrew package manager or a .pkg installer if Homebrew is unavailable.

# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
bash -c "$(curl -sSL https://install.mondoo.com/sh)"

Install directly via Homebrew

Mondoo supports installation using the Homebrew package manager on macOS.

Add the Mondoo tap
brew tap mondoohq/mondoo
Install mondoo package with brew
brew install mondoo
Upgrade mondoo package with brew
brew upgrade mondoo

Install using the universal binary package

Mondoo releases a signed and notarized universal binary package (.pkg) for Intel & ARM (M1/M2) platforms available at releases.mondoo.com that installs cnspec on hosts.

Additionally, the package installs, but does not start or enable, a launchd configuration for running cnspec continuously as a service for endpoint security. This package is ideal for deployment by MDM solutions.

For more information on running Mondoo as a service on macOS, see Running Mondoo as a service.

To install the PKG non-interactively use the installer utility in a Terminal:

installer -pkg ./mondoo_(version)_darwin_universal.pkg -target /Library

Mitigate hostname changes

Sometimes when changing locations and networks, macOS devices can change their hostname. When this happens, you see two or more entries for the same workstation in the Mondoo Console. To mitigate this problem, open the Mondoo configuration file located at ~/.config/mondoo/mondoo.yml and add this line:

id-detector: machine-id

Learn more