Enterprise Deployment Through MDM

The following sections describe recommended procedures for deploying the SysTrack Agent automatically to endpoint devices through MDM software. MDM software varies, so the procedures may need to be modified for your environment.

Certificates

Before deploying the SysTrack Agent, a secure connection from the endpoint system to the SysTrack Server is required. The macOS agent requires SSL (Secure Sockets Layer) certificate verification in order to connect securely to the Server. This requires a valid SSL certificate, installed and trusted, on the macOS endpoint system.

A certificate payload can be configured through the MDM server to automatically install and trust the SSL certificate on enrolled macOS devices. For more information, see Apple's Support document.

Cloud Edition deployments do not require a certificate payload given the use of a publicly trusted Certificate Authority (CA) for authentication and encryption.

Privacy Preferences Policy Control

Full Disk Access

To enable Full Disk Access for the SysTrack Agent on enrolled macOS devices, a Privacy Preferences Policy Control payload can be configured within the MDM server. These payload settings will change the Security and Privacy settings on the endpoint device. For more information, see Apple's Support document.

Create a payload with the following settings:

Field | Value
Identifier Type | Path
Identifier Name | /Library/Application Support/Lakeside Software/lsiagentd
Allow or Deny | Allow
Code Signing Requirement | identifier "com.lakesidesoftware.lsiagentd" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = SQL6SRUA2Y
Setting Required | System Policy All Files, System Policy administrator files

Accessibility permission

NOTE: This applies to SysTrack Agent version 11.5 and later. If you are installing an earlier version of the macOS Agent, no Accessibility permission is required.

The SysTrack macOS Agent uses a background process, SysTrack Management User, to monitor and report when applications become unresponsive. Detection logic aligns with macOS Activity Monitor, providing consistent validation of application responsiveness. Because this process runs in the user context, it requires Accessibility permission in macOS to function correctly.

If this permission is not granted, Application Hang events will not be collected. The agent will silently check for Accessibility permission and log a warning if it is missing. The log file is located at /Library/Application Support/Lakeside Software/Users/SysTrackManagementUser_XXX.log where XXX is a user UID.

To grant Accessibility permission for the SysTrack Agent on enrolled macOS devices, a Privacy Preferences Policy Control payload can be configured within the MDM server. These payload settings will change the Security and Privacy settings on the endpoint device. For more information, see Apple's Support document.

Add the following settings for the payload:

Field | Value
Identifier Type | Path
Identifier Name | /Library/Application Support/Lakeside Software/Utilities/SysTrack Management User
Allow or Deny | Allow
Code Signing Requirement | identifier "com.lakesidesoftware.SysTrack Management User" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = SQL6SRUA2Y
Setting Required | Accessibility
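
A Privacy Preferences Policy Control entry only takes effect when the installed binary satisfies the Code Signing Requirement entered for it. The following check is an added example, not part of Lakeside's documentation or tooling. It uses the paths and requirement strings from the two payload tables above; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not Lakeside's code): test installed binaries against the
# code signing requirements entered in the PPPC payloads.
BASE="/Library/Application Support/Lakeside Software"
REQ_TAIL='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = SQL6SRUA2Y'

# Full requirement text for one signing identifier, as given in the tables.
requirement_for() {
    printf 'identifier "%s" and %s' "$1" "$REQ_TAIL"
}

# codesign reads an -R argument beginning with "=" as requirement source text.
# Exit status 0 means the binary at $1 satisfies the requirement for $2.
meets_requirement() {
    codesign --verify -R="$(requirement_for "$2")" "$1" 2>/dev/null
}

# Check both binaries; report each failure and return non-zero if any failed.
check_all() {
    rc=0
    meets_requirement "$BASE/lsiagentd" "com.lakesidesoftware.lsiagentd" ||
        { echo "requirement not met: $BASE/lsiagentd" >&2; rc=1; }
    meets_requirement "$BASE/Utilities/SysTrack Management User" \
        "com.lakesidesoftware.SysTrack Management User" ||
        { echo "requirement not met: SysTrack Management User" >&2; rc=1; }
    return "$rc"
}

# Run on the endpoint after the agent is installed (codesign is macOS-only).
if command -v codesign >/dev/null 2>&1; then
    check_all
fi
```

Running codesign -d -r- against either binary prints its designated requirement, which helps when a check fails after an agent upgrade.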

Suppress “Background Item Added” Prompt for SysTrack Agent

To prevent macOS Ventura and later from showing the “Background Item Added” alert when the SysTrack Agent is installed, add a new Managed Login Items rule in your MDM profile with the following values:

Field | Value
Rule Type | Bundle Identifier
Rule Value | com.lakesidesoftware.lsiagentd
Team Identifier | SQL6SRUA2Y

SysTrack Deployment

We recommend you complete the following steps to deploy SysTrack through MDM software. For on-premises deployments, you can simply deploy the Install-SysTrack.pkg along with a post-install script to run the Agent control script. For Cloud Edition deployments, you are required to create a new deployment package that contains lsiagent.cfg, Install-SysTrack.pkg, and a post-install script.

On-Premises Deployment

Follow these steps:

  1. The Install-SysTrack.pkg file can be deployed as-is and can be found in the release media.

  2. Add a post-install script to the deployment policy with the following command:

sudo /Library/Application\ Support/Lakeside\ Software/lsiagentctl setup <Server_FQDN> <script_parameters>

Cloud Edition Deployment

Follow these steps:

  1. Create a new flat .pkg file that contains Install-SysTrack.pkg and lsiagent.cfg within a tmp directory.

  2. Add a post-install script to the deployment package with the following commands:

    • Run a silent install of the SysTrack Installer:

      sudo installer -pkg /tmp/Lakeside/Install-SysTrack.pkg -target /
    • Run the lsiagentctl control script with the appropriate script parameters:

      sudo /Library/Application\ Support/Lakeside\ Software/lsiagentctl setup <script_parameters>
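
The two post-install commands above can be combined into one script that verifies the staged package before installing it as root. This is an added example, not Lakeside's script. It assumes the installer package is signed with a Developer ID Installer certificate under the same Team Identifier the page gives for the agent (SQL6SRUA2Y); SETUP_PARAMS is a hypothetical variable standing in for <script_parameters>.

```sh
#!/bin/sh
# Added example (not Lakeside's script): Cloud Edition postinstall with checks.
PKG="/tmp/Lakeside/Install-SysTrack.pkg"
CTL="/Library/Application Support/Lakeside Software/lsiagentctl"
TEAM_ID="SQL6SRUA2Y"   # Team Identifier from the page
SETUP_PARAMS=""        # assumption: your <script_parameters>, filled in per tenant

# True only if pkgutil accepts the signature and the certificate chain names
# the expected Team ID, e.g. "Developer ID Installer: Vendor (TEAMID)".
pkg_signed_by_team() {
    pkg=$1
    team=$2
    out=$(pkgutil --check-signature "$pkg" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q "Developer ID Installer: .*(${team})"
}

main() {
    # /tmp is shared by all local users: insist on a regular file, not a symlink.
    if [ ! -f "$PKG" ] || [ -L "$PKG" ]; then
        echo "postinstall: $PKG missing or not a regular file" >&2
        return 1
    fi
    if ! pkg_signed_by_team "$PKG" "$TEAM_ID"; then
        echo "postinstall: $PKG is not signed by Team ID $TEAM_ID" >&2
        return 1
    fi
    if [ -z "$SETUP_PARAMS" ]; then
        echo "postinstall: SETUP_PARAMS is empty" >&2
        return 1
    fi
    # Package scripts run as root, so sudo is not needed here.
    installer -pkg "$PKG" -target / || return 1
    # Unquoted on purpose so the parameters split into separate arguments.
    "$CTL" setup $SETUP_PARAMS
}

# Installer runs the package script under the name "postinstall"; act only then.
case "${0##*/}" in
    postinstall) main || exit 1 ;;
esac
```

A non-zero exit from the script makes the package installation report failure, so the MDM console shows which endpoints did not complete setup.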

Enterprise Upgrades

For SysTrack upgrades with MDM software, you can deploy the updated Install-SysTrack.pkg as-is without any post-install scripts. The SysTrack Agent should automatically update, restart, and connect back to the SysTrack Server with the updated version.