Watchman-Plugins
A collection of custom plugins for Watchman Monitoring
Activation Lock
Activation Lock can be a major block for managed fleets of Macs. This plugin allows you to see the status of both Activation Lock and Find My Mac. It also reports the current user's iCloud account details, and whether or not the iCloud account is managed or personal.
All Clear
No iCloud account is signed in and Find My Mac and Activation Lock are disabled:
An unmanaged iCloud account is signed in, but Find My Mac and Activation Lock are disabled:
Informational
Activation Lock is disabled, but Find My Mac is enabled and an unmanaged iCloud account is signed in:
Pre-T2 chip Mac, or pre-Catalina macOS that doesn't support Activation Lock:
Warning
Activation Lock is enabled and an unmanaged iCloud account is signed in:
macOS Updates
This plugin aims to replicate the functionality of the Windows Update plugin, but for macOS. It reports the status of available updates for the Macs in your fleet, showing the names of available updates or an All Clear status if the computer is up to date.
All Clear
macOS is up to date (within the major release installed):
Informational
An error occurred while checking for updates:
Warning
There are updates available:
macOS User Accounts
This plugin aims to replicate the functionality of the User Accounts plugin for Windows. It reports all of the user accounts on macOS, including account type and SecureToken status. This plugin always reports All Clear.
All Clear
A list of all user accounts on the computer:
MDM
This plugin shows the MDM enrollment status of a computer, whether it was enrolled through DEP, and what MDM server it's enrolled with. Both MDM enrollment and Enrolled via DEP have configurable exit codes via the _mdm_settings.plist file. By default, this plugin will return exit code 20 (Informational) if the computer is not enrolled in MDM, and return exit code 0 (OK) if it's not enrolled via DEP.
To change the exit codes, simply push these commands to your fleet (or use the scripts in the plugin-settings folder):
MDM: /usr/libexec/PlistBuddy -c "Set :MDM_Warning 2" /Library/MonitoringClient/PluginSupport/_mdm_settings.plist (sets MDM not enrolled to Warning)
DEP: /usr/libexec/PlistBuddy -c "Set :DEP_Warning 20" /Library/MonitoringClient/PluginSupport/_mdm_settings.plist (sets not enrolled via DEP to Informational)
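The sketch below is an added example, not the plugin's own code. It shows how the two settings keys could map an enrollment state to a single exit code, so that an unmanaged Mac is surfaced at the severity you chose. The severity ordering, the validation of stored values, and the function names are assumptions; the keys, defaults, and exit codes are the ones given above.

```python
import plistlib

# Exit codes named on this page: 0 = OK, 20 = Informational, 2 = Warning.
SEVERITY = {0: 0, 20: 1, 2: 2}  # exit code -> rank (assumed ordering)
DEFAULTS = {"MDM_Warning": 20, "DEP_Warning": 0}  # defaults stated above


def load_settings(plist_bytes):
    """Return validated exit-code settings, falling back to the defaults."""
    try:
        raw = plistlib.loads(plist_bytes)
    except Exception:  # unreadable or corrupt settings file
        raw = {}
    settings = dict(DEFAULTS)
    if not isinstance(raw, dict):
        return settings
    for key in DEFAULTS:
        value = raw.get(key)
        # Assumption: the value may be stored as a string or an integer.
        if isinstance(value, str) and value.strip().isdigit():
            value = int(value)
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if is_int and value in SEVERITY:  # ignore codes the page does not define
            settings[key] = value
    return settings


def exit_code(mdm_enrolled, dep_enrolled, settings):
    """Pick the most severe exit code among the checks that failed."""
    codes = [0]
    if not mdm_enrolled:
        codes.append(settings["MDM_Warning"])
    if not dep_enrolled:
        codes.append(settings["DEP_Warning"])
    return max(codes, key=SEVERITY.__getitem__)


# Constructed sample: settings as they would look after both commands above.
SAMPLE = plistlib.dumps({"MDM_Warning": 2, "DEP_Warning": "20"})

if __name__ == "__main__":
    cfg = load_settings(SAMPLE)
    print(exit_code(False, False, cfg))  # not enrolled in MDM at all
    print(exit_code(True, False, cfg))   # enrolled, but not via DEP
    print(exit_code(True, True, cfg))    # enrolled via DEP
```
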
All Clear
Computer is enrolled in MDM:
Informational
Computer is not enrolled in MDM:
SentinelOne
This plugin shows the status of the SentinelOne agent installed on an endpoint. There are versions for both macOS and Windows. It reports the version, ready status, protection status, infection status, and UUID of the endpoint.
All Clear
SentinelOne is ready and enabled:
Informational
SentinelOne is either not ready, not enabled, or not installed:
Warning
The endpoint is reporting an infection
Umbrella DNS
This plugin reports the status of the Cisco Umbrella DNS agent installed on macOS. It reports the enabled status, VPN status, last enabled date, Org ID, and Device ID. The first time the plugin is run, it will create a settings file that contains the grace period setting, which can be customized later via editing the file or sending a terminal command (see the Watchman documentation for remotely updating plugin settings). The plugin will report a warning if Umbrella has been disabled for longer than the specified grace period (the default is 24 hours).
All Clear
Umbrella is enabled:
Informational
Umbrella status is unknown:
Warning
Umbrella has been disabled for longer than the specified grace period:
Created by Ella Hansen for Ignition, Inc., a California corporation https://www.ignitionit.com