Untested (at this time) - An Apple macOS-focused deployment script for the installation of Qualys Cloud Agent and setting up the required disk access via the Datto RMM platform.
What does the script deliver?
A Datto RMM script with the .mobileconfig embedded directly. It runs as root (the Datto default) and is installed as a macOS script component.
This will:
✅ Auto-detects Intel vs. Apple Silicon
✅ Downloads the correct .PKG
✅ Installs the agent
✅ Deploys the embedded .mobileconfig Profile for Full Disk Access + System Extension
✅ Activates the agent
✅ Silently cleans up
If you create a variable within Datto, for example QualysActivationID, you can use it in the script below: put a # in front of the ACTIVATION_ID="your_activation_id" line to comment it out, and remove the # from the ACTIVATION_ID="%QualysActivationID%" line to enable it.
#!/bin/bash
# === CONFIGURATION ===
ACTIVATION_ID="your_activation_id"
# ACTIVATION_ID="%QualysActivationID%"
CUSTOMER_ID="your_customer_id"
SERVER_URI="https://qagpublic.qg2.apps.qualys.eu/CloudAgent/"
QUALYS_PKG_X64="https://cybertecsecuritytools.com/qualys/macos/x64/QualysCloudAgent.pkg"
QUALYS_PKG_ARM64="https://cybertecsecuritytools.com/qualys/macos/silicon/QualysCloudAgent.pkg"
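# Work in a private mktemp directory so no other local user can pre-create or swap the files root will use
WORK_DIR=$(mktemp -d /tmp/qualys-deploy.XXXXXX) || exit 1
trap 'rm -rf "$WORK_DIR"' EXIT
QUALYS_PKG_PATH="$WORK_DIR/QualysCloudAgent.pkg"
MOBILECONFIG_PATH="$WORK_DIR/QualysAgent.mobileconfig"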
QUALYS_APP="/Applications/QualysCloudAgent.app"
QUALYS_SCRIPT="$QUALYS_APP/Contents/MacOS/qualys-cloud-agent.sh"
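# === STEP 0: Detect CPU Architecture ===
# uname -m reports x86_64 when the calling process runs under Rosetta 2,
# so also check hw.optional.arm64, which reads 1 on Apple Silicon hardware.
ARCH=$(uname -m)
if [[ "$ARCH" == "arm64" || "$(sysctl -n hw.optional.arm64 2>/dev/null)" == "1" ]]; then
    echo "Apple Silicon (ARM64) detected"
    QUALYS_DOWNLOAD_URL="$QUALYS_PKG_ARM64"
else
    echo "Intel (x86_64) detected"
    QUALYS_DOWNLOAD_URL="$QUALYS_PKG_X64"
fi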
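# === STEP 1: Install MDM Profile (FDA + System Extension Approval) ===
# The heredoc delimiter is quoted so the shell expands nothing inside the XML.
# The two inner PayloadUUID values (FDA-..., SYSEX-...) are not UUIDs: replace each with uuidgen output.
# Apple's TCC payload schema also expects a CodeRequirement per entry
# (see: codesign -dr - "$QUALYS_APP") and identifies app bundles by bundle ID, not path.
echo "Writing embedded MDM profile to disk..."
cat > "$MOBILECONFIG_PATH" <<'EOF'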
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>
  <string>Qualys Cloud Agent Privacy &amp; Extension Profile</string>
  <key>PayloadIdentifier</key>
  <string>com.cybertec.qualys.agentprofile</string>
  <key>PayloadUUID</key>
  <string>F04A0A7E-1234-4B43-A1C1-BE8512341234</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadOrganization</key>
  <string>Cyber Tec Security</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.cybertec.qualys.fda</string>
      <key>PayloadUUID</key>
      <string>FDA-QUALYS-AGENT-UUID</string>
      <key>PayloadDisplayName</key>
      <string>Qualys Full Disk Access</string>
      <key>Services</key>
      <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
          <dict>
            <key>Identifier</key>
            <string>/Applications/QualysCloudAgent.app</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>Authorization</key>
            <string>Allow</string>
          </dict>
        </array>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.system-extension-policy</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.cybertec.qualys.sysex</string>
      <key>PayloadUUID</key>
      <string>SYSEX-QUALYS-AGENT-UUID</string>
      <key>PayloadDisplayName</key>
      <string>Qualys System Extension</string>
      <!-- AllowedSystemExtensions maps a Team ID to an array of extension bundle IDs -->
      <key>AllowedSystemExtensions</key>
      <dict>
        <key>9PTGMPNXZ2</key>
        <array>
          <string>com.qualys.kext</string>
        </array>
      </dict>
      <key>AllowedTeamIdentifiers</key>
      <array>
        <string>9PTGMPNXZ2</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
EOF
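echo "Installing MDM profile..."
# macOS 11 and later no longer install profiles through the profiles command, and the
# TCC payload is only honoured when delivered by a user-approved MDM; on those systems
# push this profile from the MDM instead.
if ! profiles install -type configuration -path "$MOBILECONFIG_PATH"; then
    echo "Warning: the profiles command did not install the profile."
fi
rm -f "$MOBILECONFIG_PATH"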
# === STEP 2: Download and Install Agent ===
echo "Downloading Qualys Agent from $QUALYS_DOWNLOAD_URL..."
# --fail makes curl exit non-zero on an HTTP error instead of saving the error page as the .pkg
if ! curl -L --fail --silent -o "$QUALYS_PKG_PATH" "$QUALYS_DOWNLOAD_URL" || [[ ! -s "$QUALYS_PKG_PATH" ]]; then
    echo "Error: Failed to download Qualys Agent package."
    rm -f "$QUALYS_PKG_PATH"
    exit 1
fi
echo "Installing Qualys Agent..."
/usr/sbin/installer -pkg "$QUALYS_PKG_PATH" -target /
rm -f "$QUALYS_PKG_PATH"
# === STEP 3: Activate Agent Properly ===
if [[ -x "$QUALYS_SCRIPT" ]]; then
    echo "Registering Qualys Agent with platform..."
    "$QUALYS_SCRIPT" ActivationId="$ACTIVATION_ID" CustomerId="$CUSTOMER_ID" ServerUri="$SERVER_URI"
else
    echo "Error: qualys-cloud-agent.sh script not found at $QUALYS_SCRIPT"
    exit 2
fi
# === STEP 4: Launch Agent Service ===
echo "Starting Qualys Agent..."
launchctl load /Library/LaunchDaemons/com.qualys.cloud.agent.plist 2>/dev/null
# === STEP 5: Verification ===
sleep 3
AGENT_INFO=$("$QUALYS_APP/Contents/MacOS/qagent" info 2>/dev/null)
if [[ "$AGENT_INFO" == *"Agent ID"* ]]; then
    echo "Qualys Agent successfully registered and running."
    echo "$AGENT_INFO"
    exit 0
else
    echo "Agent installation complete, but registration may have failed."
    exit 3
fi
Just to let you know, we accept no responsibility for the outcomes of this script and recommend that you complete appropriate testing before using it across a large deployment base.
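Added example (not part of the original script): because the script installs a downloaded package as root, the function below checks the report from pkgutil --check-signature before the installer is allowed to run. It assumes the package is signed under the same Team ID the profile allows (9PTGMPNXZ2); the function names, sample reports and vendor names are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the original script.
# Team ID taken from the profile above; assumed to be the ID that signs the .pkg too.
EXPECTED_TEAM_ID="9PTGMPNXZ2"

# signature_ok <pkgutil report> <team id>
# Succeeds only if the report shows an Apple-issued developer certificate and
# the signer's own certificate (entry 1 of the chain) ends in the expected Team ID.
signature_ok() (
    report=$1
    team=$2
    # Unsigned, expired or untrusted packages never print this status line.
    printf '%s\n' "$report" |
        grep -q 'Status: signed by a developer certificate issued by Apple' || exit 1
    # Entry 1 is the leaf certificate; later entries are the issuing CAs.
    leaf=$(printf '%s\n' "$report" | grep -E '^[[:space:]]*1\. ' | head -n 1)
    case $leaf in
        *"Developer ID Installer:"*) ;;
        *) exit 1 ;;
    esac
    # Read the Team ID from the final parenthesised field only, so an ID
    # embedded earlier in the certificate name is not accepted.
    signer=$(printf '%s\n' "$leaf" |
        sed -n 's/.*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p')
    [ -n "$signer" ] && [ "$signer" = "$team" ]
)

# verify_pkg <path>: macOS only, runs the real check on a downloaded package.
verify_pkg() {
    signature_ok "$(/usr/sbin/pkgutil --check-signature "$1" 2>&1)" "$EXPECTED_TEAM_ID"
}

# Constructed reports in the layout pkgutil prints; the vendor names are made up.
SAMPLE_GOOD='Package "QualysCloudAgent.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (9PTGMPNXZ2)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_OTHER=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/(9PTGMPNXZ2)/(ABCDE12345)/')
SAMPLE_LOOKALIKE=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/(9PTGMPNXZ2)/(9PTGMPNXZ2) Ltd (ABCDE12345)/')
SAMPLE_UNSIGNED='Package "QualysCloudAgent.pkg":
   Status: no signature'

for name in GOOD OTHER LOOKALIKE UNSIGNED; do
    eval "report=\$SAMPLE_$name"
    if signature_ok "$report" "$EXPECTED_TEAM_ID"; then verdict=install; else verdict=refuse; fi
    echo "$name: $verdict"
done
```

In the deployment script, call verify_pkg "$QUALYS_PKG_PATH" just before the installer line and exit if it returns non-zero.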