Rollout Path
Pilot
Start with a small macOS group that represents the agent harnesses and teams you want to observe. Decide which runtimes are in scope, whether events stay local at first, and which MDM group owns the initial package rollout.
Validate
Confirm install coverage, collector health, runtime log freshness, configured harness scope, and expected event coverage before expanding.
Expand
Deploy the signed and notarized macOS package through Jamf Pro, Fleet, or another MDM. Production deployments use system mode and write events to
/var/log/beacon-agent/runtime.jsonl.Deployment Decisions
Before broad rollout, document these decisions:| Decision | What to define |
|---|---|
| Runtime scope | Which supported harnesses are approved for collection and whether optional runtime integrations are in scope. |
| Install mode | Local evaluation, root-managed system install, or MDM package rollout. |
| Event destination | Local JSONL only, Wazuh localfile, supported forwarding destination, object storage, or customer-managed pipeline. |
| Access and retention | Who can read local logs, how long downstream systems retain events, and which teams own review. |
| Managed handoff | Whether the rollout now needs centralized visibility, policy controls, investigations, SSO/RBAC, or private infrastructure. |
Validation Signals
Track these signals in your device-management platform or operations dashboard:| Area | Recommended signal |
|---|---|
| Install coverage | Beacon package or binary version is present |
| Collector health | com.beacon.endpoint.collector is running |
| Event freshness | Last runtime event age is within your expected window |
| Runtime configuration | Configured harnesses match the approved deployment scope |
| Forwarding readiness | Runtime log exists and is writable; downstream forwarding is configured when required |
Guides
Enterprise security review
Answer procurement and security review questions about local collection, data inventory, content handling, endpoint behavior, and disclosure policy.
MDM deployment
Plan managed macOS rollout with the packaged system agent.
Jamf
Deploy and inventory Beacon with Jamf Pro policies and extension attributes.
Fleet
Deploy Beacon with Fleet software, policies, queries, and scripts.
SIEM forwarding
Forward Beacon events to Wazuh, Splunk HEC, Falcon LogScale, Elastic, Datadog, Sumo Logic, Rapid7 InsightIDR, or a customer-managed SIEM pipeline.
Endpoint event schema
Review the normalized JSONL contract used for endpoint events.
When to Move to Managed
Open Source works well when your team wants local endpoint telemetry and controls the downstream destination. Consider Asymptote Managed when you need:- centralized ingest, retention, search, and detections
- fleet-wide visibility across endpoints, users, and teams
- policy controls, identity mapping, approvals, and investigation workflows
- SSO, RBAC, audit trails, onboarding, and rollout support