Mimecast Web Security: Installing the Mimecast Security Agent (Mac)

Document created by user.oxriBaJeN4 Employee on Sep 11, 2018. Last modified by user.oxriBaJeN4 Employee on May 22, 2019.
Version 23

This document provides instructions to deploy the Mimecast Security Agent (MSA) on roaming Mac devices, to work in conjunction with the Mimecast Web Security feature. In addition, it covers how to:

  • Validate the agent installation.
  • Test policy blocking.
  • Enable / disable the agent.
  • Uninstall the software.




Before installing the Mimecast Security Agent on Mac devices, ensure the following requirements are met:

  • The minimum supported OS version is macOS Sierra (10.12).
  • Administrator privileges are available on the Mac.
  • Mimecast Web Security locations are defined as the egress IP address of a network. View the Mimecast Web Security: Configuring Locations page for further information.

  • The local DNS resources have "Exceptions" defined as required, so your trusted domains and IPs bypass the Mimecast Web Security functionality. View the Mimecast Web Security: Managing Exceptions page for further information.

    An exception for your local domain must be created if you have Active Directory or a Local DNS server. If the local domain is not included as an exception you won't be able to access local resources such as IP Phones and Print Servers etc.
  • Mimecast Web Security policies have been configured. View the "Policy Configuration Recommendations" section below and the Mimecast Web Security: Configuring Policies page for further information.

  • Mimecast Security Agent Settings have been configured. View the Mimecast Web Security: Mimecast Security Agent Settings page for further information.
  • For proper function of the Mimecast Security Agent, ensure that the managed endpoint systems are using a Network Time Provider, resulting in accurate system clocks.


Browser Recommendations


We recommend that the browser uses the macOS trust store for certificate authorities. View the list of available trusted root certificates in macOS in the Apple Support section.

The security agent software automatically installs the Mimecast SSL Certificate into the macOS keychain. However, if you aren't using the endpoint software, you'll need to install the Mimecast certificate for "Network Level Protection".

Policy Configuration Recommendations

You'll need to ensure that Mimecast Web Security policies are defined and ready. Your current policy configuration will be used during testing to block a known collection of domains. Location based policies are never applied to an MSA protected endpoint, even if it's on a protected network.

Do not test with explicit sites that it would be against your company policy to view. We recommend blocking a safe site such as cnn.com during testing.

Policy type recommendations include: 

  • A Domain Filtering policy with explicit blocks and allows set.
  • A Category Filtering policy with known categories blocked and allowed. This policy should apply as follows (MSA Authentication: Applies To):
    • User logs into the MSA: Individual Users, Groups containing the User, Everyone
    • User does not log into the MSA: Everyone

After a policy component is changed, the change does not take effect until the system DNS cache and the browser DNS cache are cleared. Cache clearing updates can take up to 20 minutes, so you won't see the policy change take effect until this completes.

Installing the Mimecast Security Agent (macOS)

During the installation process, you may be prompted and required to install additional software including Visual C++.

To install the security agent on a Mac:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A dropdown menu is displayed.
  3. Click on the Web Security | Agent Settings menu item. The Mimecast Security Agent "Installation" tab displays by default.
  4. Click on the Download for Mac button. The installer files download to your browser's download location with a file name of "Mimecast Security Agent.ZIP". When unzipped, a .PKG file is displayed with the key located in a "Mimecast Security Agent Configuration" folder.
    There can be a significant delay before the browser indicates the file download is complete. 
  5. Launch the Mimecast Security Agent installer to start the setup wizard. 
    The installer must be run as an administrator.
  6. Click on the Continue button.
  7. On the Destination Select tab, select the local disk for installation of the Mimecast Security Agent software.
  8. Click on the Continue button.
  9. On the Installation Type tab, select the local folder for installation of the Mimecast Security Agent software. Click on the Change Install Location button if required.
  10. Click on the Install button. 
  11. Enter your Mac administration credentials in the User Name and Password fields.
  12. Click on the Install Software button. The Installer runs the new software on the local system.
    During installation, the Mimecast Security Agent icon displays on the menu bar with an exclamation point.
  13. Once the security agent is successfully installed, its status is displayed as "Protected".
  14. Click on the Close button to exit the wizard.


Apple High Sierra OS


If you have macOS High Sierra or higher, an authorization process is used when third-party kernel extensions (kexts) are installed for the first time. If the security agent hasn't previously been installed on your Mac, you must authorize the installation. You can preauthorize the kext on behalf of your users via the MDM solution of your choice.


If you have unmanaged Macs, the following steps must be followed:

  1. The System Extension Blocked dialog is displayed.
  2. Click on the OK button to continue.
  3. Click on the Allow button to unblock the system software.
    If you don't follow this step, the security agent runs in unprotected mode, and won't filter DNS requests. You'll also be periodically prompted to authorize the installation. See the "Prepare for Changes to Kernel Extensions in macOS High Sierra" page in the Apple help for further details.
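
For the MDM pre-authorization mentioned above, a kernel extension policy payload along the following lines can be used. This is an added example, not taken from Mimecast's documentation: the Team ID, kext bundle identifier, payload identifiers and UUIDs are placeholders to replace, and macOS only honours this payload when it is delivered through a user-approved (or DEP) MDM enrollment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Outer profile wrapper. Identifiers and UUIDs are constructed placeholders. -->
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>com.example.msa.kext-allow</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Pre-approve Mimecast Security Agent kext</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.msa.kext-allow.policy</string>
      <key>PayloadUUID</key><string>66666666-7777-8888-9999-AAAAAAAAAAAA</string>

      <!-- Narrow form: approve one kext bundle ID under one Team ID.
           Both values are placeholders; the page does not list them. -->
      <key>AllowedKernelExtensions</key>
      <dict>
        <key>REPLACE_WITH_VENDOR_TEAM_ID</key>
        <array>
          <string>REPLACE_WITH_KEXT_BUNDLE_ID</string>
        </array>
      </dict>

      <!-- Broader alternative (not used here): AllowedTeamIdentifiers
           approves every kext signed by the listed Team ID. -->

      <!-- true keeps the "Allow" button in Security and Privacy usable for
           other kexts; set to false to make MDM the only approval path. -->
      <key>AllowUserOverrides</key><true/>
    </dict>
  </array>
</dict>
</plist>
```

On a Mac where the kext has already been approved by hand, the Team ID and bundle identifier that macOS recorded can be read from the kext_policy table in /var/db/SystemPolicyConfiguration/KextPolicy.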

Validating the Mimecast Security Agent Installation


Verify that the MSA has been installed correctly via the methods below. If any errors display, gather and send diagnostics data as outlined in the Mimecast Security Agent: Diagnostic Data page.


Check the Activity Monitor


Open the Activity Monitor, filter for Mimecast and check for the following processes:

(Screenshot: Mac Activity Monitor)


Confirm the MSA User Interface is Running


To confirm the MSA User Interface is running:

  1. Check that the MSA icon is displayed in the menu bar.
  2. Click on the MSA icon to display the home drop down menu. Ensure the following:
    • A green tick displays.
    • The status is ‘Protected’.


Check the MSA Diagnostics


To check the MSA diagnostics:

  1. Click on the MSA Icon in the menu bar. The home dropdown menu displays.

  2. Click on the Diagnostics | Show Live Diagnostics menu item. 

  3. Check that all of the basic diagnostics checklist ticks display green.

  4. Click the Refresh button a few times and confirm that the displayed update times increment as expected.


View the Protected Device



To view the newly protected device:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A dropdown menu is displayed.
  3. Click on the Web Security | Protected Devices menu item. 
  4. Confirm the view shows an entry for the protected machine name.


Testing Policy Blocking


With the Mimecast Security Agent installed and running correctly, the next step is to test that your configured policies work to block or allow sites as expected.


Machine Level Testing


Machine level blocking occurs when:

  • The MSA is not logged into by an authenticated user.
  • Configured policy definitions apply to "Everyone".


To test machine level blocking:

  1. Ensure you aren't logged into the MSA. 
  2. Confirm that a Mimecast block page is properly displayed by browsing to a domain where:
    • The policy you're testing defines a block.
    • The policy you're testing applies to "Everyone".
  3. Navigate to a domain which should be allowed and ensure that it's accessible and does not generate a block page.

User Level Testing


User level blocking occurs when:

  • The MSA is logged into by an authenticated user.
  • Configured policy definitions apply to "Groups" or "Users".


To test user level blocking:

  1. Click on the Mimecast Security Agent icon in the menu bar. The home dropdown menu displays.

  2. Click on the Log In menu item. 
  3. Enter the Email Address of the user specified during the policy setup.
  4. Click on the Next button.
  5. From the Authentication Type menu select either:
    • Domain to use Active Directory for authentication.
    • Cloud to use Mimecast credentials for authentication.
      The authentication type available to the user will be the Mimecast support type enabled for the account. That could be SAML / SSO, Cloud / Domain, or either single or multi-factor authentication.
  6. Enter the user's credentials.
  7. Click on the Next button to log in.
  8. Once authenticated you're taken back to the MSA home menu. Confirm that the:
    • Client ID displays the authenticated user.
    • Log Out menu item displays.
  9. Confirm the Administration Console now shows an entry for the associated user, by navigating to the Web Security | Protected Devices menu item.


Enabling / Disabling the Security Agent


To control your agent settings on macOS:

  1. Click on the Mimecast Security Agent icon in the menu bar. The home dropdown menu displays.
  2. Click on the Preferences menu item.
  3. Click on either the:
    • Enable Agent button to enable protection on the agent.
    • Disable Agent button to disable protection on the agent. 
  4. A popup dialog displays for you to enter the Tamper Protection Password. To obtain the password:
    1. Log on to the Administration Console.
    2. Select the Administration | Web Security | Agent Settings menu item.
    3. Click on the Settings tab.
    4. Click on the Copy Password button under Tamper Protection to copy the password. Alternatively, click on the Generate Password button if one does not exist.
  5. Click on the OK button.


Uninstalling the Security Agent


To uninstall the security agent on macOS:

  1. Navigate to the Applications folder.
  2. Alongside the agent's interface, locate the Remove Mimecast Security Agent application.
  3. Launch the application and follow the guide to remove the software. 

