Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.asymptotelabs.ai/llms.txt

Use this file to discover all available pages before exploring further.

MDM Deployment

Beacon’s macOS package is designed for security and IT rollout through MDM. A signed and notarized .pkg installs Beacon under /opt/beacon, creates system endpoint configuration, loads the local collector LaunchDaemon, and writes endpoint events to /var/log/beacon-agent/runtime.jsonl. Optional Splunk HEC settings add a collector destination while preserving the local runtime log. The package installs and inventories a local-only endpoint agent. Beacon does not require a hosted account, remote policy fetch, or MDM API credentials for normal collection.

Package layout

The macOS package includes Beacon binaries, endpoint scripts, and MDM assets: 
/opt/beacon/bin/beacon
/opt/beacon/bin/beacon-otelcol
/opt/beacon/scripts/install-endpoint.sh
/opt/beacon/scripts/uninstall-endpoint.sh
/opt/beacon/jamf/extension-attributes/*.sh
/opt/beacon/jamf/scripts/*.sh
/opt/beacon/fleet/queries/*.sql
/opt/beacon/fleet/scripts/*.sh
The endpoint install creates system configuration and runtime state: 
/Library/Application Support/Beacon/Endpoint/config.json
/Library/Application Support/Beacon/Endpoint/otelcol.yaml
/Library/LaunchDaemons/com.beacon.endpoint.collector.plist
/var/log/beacon-agent/runtime.jsonl

Deployment model

1

Deploy to a pilot group

Upload the signed and notarized .pkg to your MDM and scope it to a pilot group, team, or label.
2

Confirm the system agent

Verify that the LaunchDaemon is running and that beacon endpoint wazuh validate writes a validation event.
3

Add inventory signals

Track version, collector service health, log freshness, retention mode, configured harnesses, and runtime log writability.
4

Scope repair workflows

Use the packaged repair scripts for endpoints where inventory reports a stale or unhealthy install.
5

Roll out in stages

Broaden deployment after inventory and validation stay healthy for the pilot population.
Environment variables take precedence over MDM script parameters:
Environment variableDefault
BEACON_ENDPOINT_HARNESSESclaude,codex
BEACON_CONTENT_RETENTIONfull
BEACON_OTLP_GRPC_PORT4317
BEACON_OTLP_HTTP_PORT4318
BEACON_COLLECTOR/opt/beacon/bin/beacon-otelcol when present
BEACON_NO_STARTaccepts 1, true, or yes
BEACON_SPLUNK_HEC_ENDPOINTunset
BEACON_SPLUNK_HEC_TOKENunset
BEACON_SPLUNK_INDEXunset
BEACON_SPLUNK_SOURCEbeacon-endpoint-agent when configured
BEACON_SPLUNK_SOURCETYPEbeacon:endpoint when configured
BEACON_SPLUNK_INSECURE_SKIP_VERIFYaccepts 1, true, or yes; use only for testing
BEACON_SPLUNK_CA_FILEunset
When Splunk HEC is configured, Beacon writes the endpoint config and collector config with restricted permissions because they contain the HEC token.
Cursor hook installation is separate from the base system package because Cursor configuration is per user. Run the Cursor hook helper only when an interactive console user is present.

Uninstall and rollback

Use the vendor uninstall helper to remove endpoint service files. Set BEACON_KEEP_LOGS=1 or the first uninstall argument to preserve runtime logs during removal. Set BEACON_KEEP_CONFIG=1 or the second uninstall argument to preserve harness telemetry configuration. 
/opt/beacon/jamf/scripts/uninstall.sh "$@"
/opt/beacon/fleet/scripts/uninstall.sh "$@"
The endpoint uninstall removes service and configuration state. Package payload removal remains under the MDM or package receipt lifecycle.

Jamf

Deploy and inventory Beacon with Jamf Pro policies and extension attributes.

Fleet

Deploy Beacon with Fleet software, policies, queries, and scripts.

SIEM forwarding

Forward Beacon events into Wazuh, Splunk HEC, or customer-managed pipelines.