macOS Installation
Enterprise Edition Only: macOS support requires the Enterprise Edition of Aquilon DLP.
This guide covers installing Aquilon DLP on macOS using the PKG installer, including the required Full Disk Access configuration.
Prerequisites
Before installing Aquilon DLP, ensure you have:
- macOS 11.0 (Big Sur) or later
- osquery 5.0.1 or later - Download from GitHub releases
- Administrator privileges
Install osquery
Download and install osquery from the official releases:
# Download the PKG installer from osquery.io
# Then install:
sudo installer -pkg osquery-5.10.2.pkg -target /
Verify the installation:
osqueryd --version
# Expected: osqueryd version 5.10.2 (or later)
Installation
Step 1: Download the Installer
Download the signed PKG installer for macOS from the Aquilon Security portal:
- File: aquilon-dlp-enterprise-VERSION.pkg
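Because the installer runs as root, it is worth confirming who signed the PKG before Step 2, not only that it is signed. The script below is an added example, not Aquilon tooling: it pins the Developer ID Team ID reported by `pkgutil --check-signature` and then asks Gatekeeper to assess the package. The Team ID values and the sample output are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): pin the PKG signer before installing as root.
# EXPECTED_TEAM_ID is a placeholder; set it to the Team ID your vendor confirms.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-XXXXXXXXXX}"

# Constructed sample of `pkgutil --check-signature` output, for offline testing.
SAMPLE_OUTPUT='Package "aquilon-dlp-enterprise-VERSION.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Print the Team ID of the leaf certificate (chain entry 1) read from stdin.
# The greedy .* and the $ anchor select the LAST parenthesised group, so an
# organisation name that itself contains "(ABCDE12345)" cannot spoof the ID.
leaf_team_id() {
    sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))$/\1/p' | head -n 1
}

# $1 = pkgutil output, $2 = expected Team ID. Succeeds only when the package
# is Apple-signed and the leaf signer matches the pinned Team ID.
signature_ok() {
    printf '%s\n' "$1" |
        grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
    team=$(printf '%s\n' "$1" | leaf_team_id)
    [ -n "$team" ] && [ "$team" = "$2" ]
}

# $1 = path to the PKG. Runs the real tools, so this part is macOS only.
verify_pkg() {
    out=$(pkgutil --check-signature "$1") || return 1
    signature_ok "$out" "$EXPECTED_TEAM_ID" && spctl -a -t install "$1"
}

# Usage: EXPECTED_TEAM_ID=... sh verify-pkg.sh aquilon-dlp-enterprise-VERSION.pkg
if [ "$#" -gt 0 ]; then
    if verify_pkg "$1"; then echo "signature OK"; else
        echo "signature check FAILED" >&2; exit 1
    fi
fi
```
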
Step 2: Install via GUI or Command Line
GUI Installation: Double-click the PKG file and follow the installation wizard.
Command Line Installation:
sudo installer -pkg aquilon-dlp-enterprise-VERSION.pkg -target /
Step 3: Verify Installation
Check that all components were installed correctly:
# Verify app bundle
ls -la /opt/aquilon/aquilon-dlp.app
# Verify configuration directory
ls -la /etc/aquilon/
# Verify data directory
ls -la /var/aquilon/dlp/
# Verify extension registered with osquery
cat /var/osquery/extensions.load
What Gets Installed:
| Component | Location |
|---|---|
| App bundle | /opt/aquilon/aquilon-dlp.app |
| Configuration | /etc/aquilon/ |
| Database | /var/db/aquilon/ |
| Logs | /var/log/aquilon/ |
| osquery extension | Registered in /var/osquery/extensions.load |
Endpoint Security Setup
Aquilon DLP uses Apple’s Endpoint Security framework for real-time file monitoring. This requires granting Full Disk Access permission.
Grant Full Disk Access
- Open System Settings (or System Preferences on older macOS)
- Navigate to Privacy & Security > Full Disk Access
- Click the lock icon and authenticate
- Click + to add an application
- Navigate to /opt/aquilon/aquilon-dlp.app and add it
- Ensure the toggle is enabled
Verify Endpoint Security
After granting Full Disk Access, verify the extension loads correctly:
# Check osquery sees the extension
osqueryi --connect /var/osquery/osquery.sock 'SELECT * FROM osquery_extensions;'
# Query DLP tables
osqueryi --connect /var/osquery/osquery.sock 'SELECT * FROM aquilon_dlp_alerts LIMIT 5;'
MDM Deployment (Enterprise)
For enterprise environments, automate Full Disk Access grants via MDM using PPPC (Privacy Preferences Policy Control) profiles:
Supported MDM Platforms:
- Jamf Pro
- Microsoft Intune
- Kandji
- SimpleMDM, FileWave, Mosyle
Quick Setup:
- Upload the PPPC profile from deployment/mdm/ to your MDM
- Deploy profile to target devices
- Deploy the Aquilon DLP PKG
See the Deployment Guide for platform-specific MDM instructions.
Post-Installation
Initial Configuration
The installer creates a default configuration at /etc/aquilon/config.toml. Edit this file to customize:
sudo nano /etc/aquilon/config.toml
Key configuration options:
- Watch paths: Directories to monitor for sensitive data
- Enabled policies: HIPAA, PCI DSS, SOX, ISO 27001, GDPR, CCPA
- Removable media scanning: Auto-scan USB drives on mount
See the Configuration Guide for complete options.
Verify DLP is Working
Test that Aquilon DLP is detecting files:
# Create a test file with sensitive data
echo "SSN: 223-41-1189" > /tmp/test-sensitive.txt
# Wait a moment for scanning, then query alerts
osqueryi --connect /var/osquery/osquery.sock 'SELECT * FROM aquilon_dlp_alerts;'
Upgrading
To upgrade to a new version:
# Download new PKG installer
# Install over existing installation
sudo installer -pkg aquilon-dlp-enterprise-NEW_VERSION.pkg -target /
Your configuration in /etc/aquilon/config.toml is preserved during upgrades.
Uninstalling
To completely remove Aquilon DLP:
# Remove the application
sudo rm -rf /opt/aquilon
# Remove configuration (optional - skip this step to preserve settings)
sudo rm -rf /etc/aquilon
# Remove data and logs (optional)
sudo rm -rf /var/aquilon /var/log/aquilon
# Remove from osquery extensions
sudo sed -i '' '/aquilon/d' /var/osquery/extensions.load
Troubleshooting
Common Issues
“Unsupported macOS version”
Aquilon DLP requires macOS 11.0 or later. Check your version:
sw_vers -productVersion
“Unsupported osquery version”
Aquilon DLP requires osquery 5.0.1 or later. Upgrade from osquery releases.
“Signature verification failed”
The PKG may be corrupted. Re-download from the official source and verify:
spctl -a -v -t install aquilon-dlp-enterprise.pkg
Extension not loading in osquery
- Verify Full Disk Access is granted (see Endpoint Security Setup)
- Restart osqueryd:
sudo launchctl unload /Library/LaunchDaemons/io.osquery.agent.plist
sudo launchctl load /Library/LaunchDaemons/io.osquery.agent.plist
Note: osquery 5.0.1+ uses io.osquery.agent.plist. Older versions use com.facebook.osqueryd.plist.
- Check logs:
tail -f /var/log/aquilon/aquilon-dlp.log
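If the steps above do not resolve it, the entry in /var/osquery/extensions.load itself may be the problem: osquery skips autoload entries whose file is missing, not executable, not named with a .ext suffix, or has unsafe ownership or permissions. The script below is an added example, not Aquilon tooling, that reports those conditions for every Aquilon line in the load file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): triage an Aquilon entry osquery will not autoload.

# Print one finding per problem with a single extension path; nothing if clean.
audit_extension() {  # $1 = path taken from extensions.load
    p=$1
    [ -e "$p" ] || { echo "missing: $p"; return 0; }
    [ -x "$p" ] || echo "not executable: $p"
    case $p in
        *.ext) ;;
        *) echo "name does not end in .ext: $p" ;;
    esac
    # find is used instead of stat because stat's flags differ on BSD and GNU.
    [ -n "$(find "$p" -prune -user 0)" ] || echo "not owned by root: $p"
    [ -z "$(find "$p" -prune -perm -0002)" ] || echo "world-writable: $p"
}

# Audit every non-comment line mentioning "aquilon" (the same pattern the
# uninstall step deletes). Defaults to the load file path used on this page.
audit_load_file() {  # $1 = extensions.load path (optional)
    f=${1:-/var/osquery/extensions.load}
    [ -r "$f" ] || { echo "cannot read: $f"; return 0; }
    entries=$(grep -v '^[[:space:]]*[#;]' "$f" | grep 'aquilon' || true)
    [ -n "$entries" ] || { echo "no aquilon entry in: $f"; return 0; }
    printf '%s\n' "$entries" | while IFS= read -r line; do
        audit_extension "$line"
    done
}

# Usage: sudo sh audit-ext.sh /var/osquery/extensions.load
if [ "$#" -gt 0 ]; then
    audit_load_file "$1"
fi
```

No output means none of these conditions apply, and the log file from the last step is the next place to look.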
“Installation already in progress”
Another installation is running. If a previous installation crashed, automatic stale lock detection should clean up. If not:
sudo rm -rf /var/run/aquilon-install.lock
Getting Help
- Documentation: Troubleshooting Guide
- Community Support: GitHub Issues
- Enterprise Support: Contact your account representative