Overview
This article lists the prerequisites for GFI LanGuard to scan macOS computers and install missing patches on them, and provides the steps to verify that each requirement is met.
Solution
LanGuard can scan and patch computers running Mac OS X 10.5 and higher that have the SSH service enabled, and it requires root credentials to function correctly. To scan and install the missing patches successfully, the following requirements should be met:
- LanGuard server must be able to resolve the name of the target computer. You can verify this with ping.
- SSH port (TCP 22) on the target machine should be reachable from the LanGuard server. The SSH daemon is disabled by default on macOS; refer to How to enable SSH daemon in Mac OS X for information on how to enable it.
  Once the SSH daemon is enabled, ensure that no firewall is blocking port 22 and test SSH connectivity with PuTTY or a similar tool. If the connection is allowed, you should be asked for authentication.
  Note: If the SSH port has been changed for security reasons, this can be addressed from the LanGuard console. Go to Configuration, right-click on Scanning Profiles > Scanning Profiles Management, select the Scan Profile you want to edit, and in the Scanner Options tab add the value for the Alternative SSH ports.
- Root user credentials: The superuser account is disabled by default on Mac operating systems; refer to this article for instructions on enabling the root account. A superuser root account should be used. Ensure it is able to log in remotely.
- Patch deployment port 1072 (1070 for LanGuard 11): the target computer should be able to communicate with the LanGuard server on this port. The default port can be changed. Check the communication from the target Mac machine:
  - Open a terminal session by using Spotlight (CMD+Space) or by going to Applications > Utilities > Terminal.
  - Copy and paste the following command, substituting <LanGuard_Server> with the hostname of the server:
    curl http://<LanGuard_Server>:1072/files/mac/index-leopard.merged-1.sucatalog
  - If the curl test fails, this indicates that inbound connections to the LanGuard server port are not allowed and need to be enabled.
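
The curl test above, wrapped in a script that tells name-resolution failures, refused connections, timeouts and HTTP errors apart. This is an added example, not part of the original article or of GFI's tooling; the function names and the hostname languard.example.internal are hypothetical, while the port and catalog path are the ones the article gives.

```sh
#!/bin/sh
# Added example: run on the target Mac. Port and catalog path come from the
# article; the function names and the sample hostname are hypothetical.
CATALOG_PATH="/files/mac/index-leopard.merged-1.sucatalog"

# Turn curl's exit code and the HTTP status into a one-line diagnosis.
diagnose() {
    rc=$1; http=$2
    case "$rc" in
        0)  case "$http" in
                2??) echo "OK: catalog served (HTTP $http)" ;;
                *)   echo "HTTP_ERROR: port is open but the server answered HTTP $http" ;;
            esac ;;
        6)  echo "DNS_FAILURE: this Mac cannot resolve the server name" ;;
        7)  echo "CONNECT_FAILED: refused or unreachable; check the listener and firewall on the server" ;;
        28) echo "TIMEOUT: no reply in time; a firewall is probably dropping traffic to the port" ;;
        *)  echo "CURL_ERROR: curl exited with code $rc" ;;
    esac
}

# Usage: check_deploy_port <LanGuard_Server> [port]
# Port defaults to 1072; pass 1070 for LanGuard 11.
check_deploy_port() {
    server=$1; port=${2:-1072}
    http=$(curl --silent --output /dev/null --write-out '%{http_code}' \
                --connect-timeout 5 --max-time 15 \
                "http://$server:$port$CATALOG_PATH")
    rc=$?
    diagnose "$rc" "$http"
    case "$rc:$http" in
        0:2??) return 0 ;;
        *)     return 1 ;;
    esac
}

# Run the check only when a server name is given on the command line,
# e.g.: sh check_languard_port.sh languard.example.internal
if [ "$#" -gt 0 ]; then
    check_deploy_port "$@"
fi
```

The script exits 0 only when the catalog is actually served, so it can be used in a pre-scan checklist or run remotely over the same SSH session used to verify the root login.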