Watchman-Plugins

A collection of custom plugins for Watchman Monitoring

Activation Lock

Activation Lock can be a major block for managed fleets of Macs. This plugin allows you to see the status of both Activation Lock and Find My Mac. It also reports the current user's iCloud account details, and whether or not the iCloud account is managed or personal.

All Clear

No iCloud account is signed in and Find My Mac and Activation Lock are disabled:

An unmanaged iCloud account is signed in, but Find My Mac and Activation Lock are disabled:

Informational

Activation Lock is disabled, but Find My Mac is enabled and unmanaged iCloud account is signed in:

Pre-T2 chip Mac, or pre-Catalina macOS that doesn't support Activation Lock:

Warning

Activation Lock is enabled and an unmanaged iCloud account is signed in:

macOS Updates

This plugin aims to replicate the functionality of the Windows Update plugin, but for macOS. It reports the status of available updates for the Macs in your fleet, showing the names up available updates or an All Clear status if the computer is up to date.

All Clear

macOS is up to date (within the major release installed):

Informational

An error occurred while checking for updates:

Warning

There are updates available:

macOS User Accounts

This plugin aims to replicate the functionality of the User Accounts plugin for Windows. It reports all of the user accounts on macOS, including account type and SecureToken status. This plugin always reports All Clear.

All Clear

A list of all user accounts on the computer:

MDM

This plugin shows the MDM enrollment status of a computer, whether it was enrolled through DEP, and what MDM server it's enrolled with. Both MDM enrollment and Enrolled via DEP have configurable exit codes via the _mdm_settings.plist file. By default, this plugin will will return exit code 20 (Informational) if the computer is not enrolled in MDM, and return exit code 0 (OK) if it's not enrolled via DEP.

To change the exit codes, simply push these commands to your fleet (or use the scripts in the plugin-settings folder):

MDM: /usr/libexec/PlistBuddy -c "Set :MDM_Warning 2" /Library/MonitoringClient/PluginSupport/_mdm_settings.plist (sets MDM not enrolled to Warning)

DEP: /usr/libexec/PlistBuddy -c "Set :DEP_Warning 20" /Library/MonitoringClient/PluginSupport/_mdm_settings.plist (sets not enrolled via DEP to Informational)

All Clear

Computer is enrolled in MDM:

Informational

Computer is not enrolled in MDM:

SentinelOne

This plugin shows the status of the SentinelOne agent installed on an endpoint. There are versions for both macOS and Windows. It reports the version, ready status, protection status, infection status, and UUID of the endpoint.

All Clear

SentinelOne is ready and enabled:

Informational

SentinelOne is either not ready, not enabled, or not installed:

Warning

The endpoint is reporting an infection

Umbrella DNS

This plugin reports the status of the Cisco Umbrella DNS agent installed on macOS. It reports the enabled status, VPN status, last enabled date, Org ID, and Device ID. The first time the plugin is run, it will create a settings file that contains the grace period setting, which can be customized later via editing the file or sending a terminal command (see the Watchman documentation for remotely updating plugin settings). The plugin will report a warning if Umbrella has been disabled for longer than the specified grace period (the default is 24 hours).

All Clear

Umbrella is enabled:

Informational

Umbrella status is unknown:

Warning

Umbrella has been disabled for longer than the specified grace period:

Created by Ella Hansen for Ignition, Inc., a California corporation https://www.ignitionit.com