macOS¶
Installation¶
Requires at least macOS 12.0 (Monterey).
- Install the homebrew package manager if you don't already have it.

  Tip
  We default to suggesting installation via homebrew because of the ease of updates, but if you don't want to install homebrew, see our manual install guide.

- Install Enclave. You will likely be prompted to provide local credentials.

  brew install enclave

- Once installed, enrol your system with your Enclave Organisation. You will be asked for a valid Enrolment Key from your Portal account.

  sudo enclave enrol

  Info
  Enclave stores the generated private keys for your local Enclave identity in a way that prevents easy access without local admin privileges, which is why this command runs under sudo.

- Depending on the type of enrolment key you used to enrol your new system, it might be held waiting for an Administrator to provide enrolment approval in your account Portal. Log in to authorise the enrolment of your new system if you need to, and configure additional options like DNS.

You're all set! You've successfully enrolled a new system to your Enclave account.
Starting and stopping¶
The installer creates a lightweight supervisor service set to run at system start which is responsible for starting the Enclave fabric. The supervisor service exists to start, stop and restart Enclave fabric in the background as daemon child processes.
The supervisor service responds to the Enclave CLI verbs start and stop to control the Fabric.
Updating¶
You can run
brew upgrade enclave
to install the latest version of enclave; your existing enrolment will be preserved.
Uninstalling¶
To remove Enclave, you can run:
brew uninstall enclave
This will stop all Enclave processes and remove the binaries from your system, but your Enclave configuration, private keys and log files will be left in place.
If you wish to fully clear Enclave from your system, run:
brew uninstall enclave --zap
This will remove all configuration, private keys and log files from your system along with the Enclave binaries.
Warning
Enclave does not back up a system's private keys. Lost or deleted private keys are not recoverable. If a system's configuration and private keys are lost, it must be re-enrolled before it can be used with Enclave again.
Installing without Brew¶
If you are unable to deploy using homebrew, you can also install Enclave using a .pkg file, or script the installation for non-interactive deployment (more commonly used with RMM tooling).
Interactive¶
To install interactively, follow these steps:
- Download the latest installer .pkg file:

- Once the installer is complete, make the enclave CLI command available in your terminal for interactive sessions by creating a symbolic link from /usr/local/bin/enclave to the installation directory:

  sudo ln -sf /Applications/enclave/enclave /usr/local/bin/enclave

- Finally, enrol your system:

  sudo enclave enrol

Unattended¶
Enclave can be deployed non-interactively from the terminal with this script.
Be sure to change the enrolment key below to match one configured in your Enclave tenant:
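#!/bin/zsh
# Stop at the first failed step so a bad download is never installed.
set -e
export ENCLAVE_ENROLMENT_KEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
# Look up the latest version (-f makes curl fail on an HTTP error instead of saving the error page).
ENCLAVE_VERSION="$(curl -fsS https://install.enclave.io/latest/osx-homebrew-version.txt)"
curl -fsS "https://release.enclave.io/enclave_osx-installer-x64-stable-$ENCLAVE_VERSION.pkg" -o enclave-installer.pkg
sudo installer -pkg enclave-installer.pkg -target /
# Symlink the binary to place it onto the PATH env var for interactive sessions.
sudo ln -sf /Applications/enclave/enclave /usr/local/bin/enclave
/Applications/enclave/enclave version
sudo /Applications/enclave/enclave enrol "$ENCLAVE_ENROLMENT_KEY"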
NinjaRMM has two capabilities that help streamline unattended installations:
- Automatic Logging: All script output (via echo commands) is captured in the NinjaRMM console, providing quick visibility into deployment progress without accessing individual devices.
- Secure Credential Management: Sensitive data like the Enclave Enrolment Key can be securely stored as organisation-scoped variables using NinjaRMM's Custom Fields capability, removing the need to hardcode credentials or manually configure environment variables.
The following script uses the ninjarmm-cli tool to retrieve the Enclave Enrolment Key from a Custom Field called enclaveEnrolmentKey. Custom Fields are typically camelCase key-value pairs defined at the organisation level, providing a centralised and consistent way to manage deployment-specific configuration data across multiple tenants.
#!/bin/zsh
echo 'Attempting to read Enclave enrolment key from NinjaRMM CLI tooling.'
ENCLAVE_ENROLMENT_KEY=$(/Applications/NinjaRMMAgent/programdata/ninjarmm-cli get enclaveEnrolmentKey)
if [[ -n ${ENCLAVE_ENROLMENT_KEY} ]]
then
    # Do not echo the key itself: script output is captured in the NinjaRMM console.
    echo 'Enclave enrolment key found.'
else
    echo 'Enrolment key not found.'
    exit 1
fi
echo 'Attempting to determine latest Enclave agent version.'
# -f makes curl fail on an HTTP error instead of saving the error page.
export ENCLAVE_VERSION="$(curl -fsS https://install.enclave.io/latest/osx-homebrew-version.txt)"
echo "Attempting to download Enclave installer v$ENCLAVE_VERSION."
# Test curl's exit status; a leftover file from an earlier run proves nothing.
if curl -fsS "https://release.enclave.io/enclave_osx-installer-x64-stable-$ENCLAVE_VERSION.pkg" -o enclave-installer.pkg
then
    echo 'Download Completed.'
else
    echo 'Download Failed.'
    exit 1
fi
echo 'Attempting to install Enclave.'
sudo installer -pkg enclave-installer.pkg -target /
# Symlink the binary to place it onto the PATH env var for interactive sessions.
echo 'Attempting to create application symlink.'
sudo ln -sf /Applications/enclave/enclave /usr/local/bin/enclave
# Capture Enclave version to stdout.
echo 'Enclave version:'
/Applications/enclave/enclave version
# Check for an existing enrolment. This script assumes enclave
# was enrolled using the default profile name, Universe.
if [[ -e /etc/enclave/profiles/Universe.profile ]]
then
    echo 'Enclave is already enrolled on this system, will not re-enrol.'
    # Alternatively, to force re-enrolment uncomment this section.
    #echo 'Enclave is already enrolled on this system, forcing re-enrolment:'
    #sudo /Applications/enclave/enclave enrol "$ENCLAVE_ENROLMENT_KEY" --force
else
    echo 'Attempting to enrol Enclave.'
    sudo /Applications/enclave/enclave enrol "$ENCLAVE_ENROLMENT_KEY"
fi
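Because the RMM console captures everything a deployment script prints, and the version string arrives over the network before being placed into a URL, it helps to validate both inputs and log only a masked key. The functions below are an added example, not part of Enclave's or NinjaRMM's documentation; the function names are hypothetical, and the key and version formats are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the unattended install script.
# Assumed formats (not from Enclave's documentation): keys are five
# dash-separated groups of five alphanumerics; versions are dotted digits.

# Succeeds only for a key shaped like XXXXX-XXXXX-XXXXX-XXXXX-XXXXX.
valid_enrolment_key() {
    case $1 in *[!A-Za-z0-9-]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]{5}(-[A-Za-z0-9]{5}){4}$'
}

# Succeeds only for a dotted numeric version such as 1.2.3 (constructed).
valid_version() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)*$'
}

# Prints the key with every group after the first masked, for log output.
mask_key() {
    printf '%s-*****-*****-*****-*****\n' "${1%%-*}"
}

# Prints the installer URL used on this page, or fails on a bad version.
installer_url() {
    valid_version "$1" || return 1
    printf 'https://release.enclave.io/enclave_osx-installer-x64-stable-%s.pkg\n' "$1"
}

# Returns 1 for a bad key and 2 for a bad version, so the calling script
# can stop with a non-zero exit status before anything runs under sudo.
preflight() {
    key=$1; version=$2
    if ! valid_enrolment_key "$key"; then
        echo 'Enrolment key missing or malformed.' >&2; return 1
    fi
    if ! url=$(installer_url "$version"); then
        echo 'Version string from server is malformed.' >&2; return 2
    fi
    echo "Enrolment key: $(mask_key "$key")"
    echo "Installer URL: $url"
}

# Constructed sample values, not real credentials or a real release.
preflight 'AB12C-DE34F-GH56I-JK78L-MN90P' '1.2.3'
```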
Enclave Gateway¶
When macOS is connected to an Enclave Gateway, you may wish to use Enclave's capability to forward DNS questions to the Enclave Gateway to control name resolution. On macOS, search domains must be manually configured. The following script provides an example of how to configure Enclave to pass queries for the domain example.com to a connected Enclave Gateway.
#!/bin/zsh
sudo mkdir -p /etc/resolver
# Collect the local Enclave IP address. Note that if Enclave is enrolled to more than one tenant on
# this system, you may also need to specify the appropriate profile name (e.g. --profile Universe)
export ENCLAVE_IP=$(enclave get-ip)
sudo sh -c "echo 'nameserver $ENCLAVE_IP' > /etc/resolver/example.com"
Note
The default macOS shell doesn't permit multi-line paste, so if you're not copying into a file, you may need to work line-by-line.
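If enclave get-ip prints nothing (for example because the fabric is not running) or prints more than one line, the script above still writes a resolver file, and lookups for that domain then fail. The following added example, which is not part of Enclave's documentation, refuses to write the file unless the domain and address are well formed. It assumes the Enclave address is IPv4; the function names and the RESOLVER_DIR override are hypothetical.

```shell
#!/bin/sh
# Added example: write /etc/resolver/<domain> only for validated input.
# RESOLVER_DIR is a hypothetical override so the function can be tried
# against a scratch directory; the default is the macOS /etc/resolver.

# Succeeds only for a dotted-quad IPv4 address with octets in 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac      # also rejects newlines
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^$octet(\.$octet){3}\$"
}

# Succeeds only for a plain DNS name, so the domain can never be used
# to escape the resolver directory when it comes from a variable.
valid_domain() {
    case $1 in ''|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Writes "nameserver <ip>" to <dir>/<domain> via a temp file and rename,
# so a partially written file is never left under the final name.
write_resolver() {
    domain=$1; ip=$2; dir=${RESOLVER_DIR:-/etc/resolver}
    valid_domain "$domain" || { echo "Bad domain: '$domain'" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "Bad Enclave IP: '$ip'" >&2; return 2; }
    mkdir -p "$dir" || return 3
    tmp=$(mktemp "$dir/.resolver.XXXXXX") || return 3
    printf 'nameserver %s\n' "$ip" > "$tmp"
    chmod 644 "$tmp"
    mv -f "$tmp" "$dir/$domain"
}

# On macOS, as root:  write_resolver example.com "$(enclave get-ip)"
```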
Updating¶
You can update a macOS deployment made via our .pkg file by running the latest pkg file interactively, or re-running the unattended install script.
The new version of Enclave will install over the top, preserving the existing settings and profile.
Uninstalling¶
To uninstall a macOS deployment made via our .pkg file, you should run the provided uninstall script from your terminal:
sudo /Applications/enclave/uninstall.sh
This will automatically remove the Enclave application and its associated settings.
Warning
Enclave does not back up a system's private keys. Lost or deleted private keys are not recoverable. If a system's configuration and private keys are lost, it must be re-enrolled before it can be used with Enclave again.
Last updated April 25, 2025