
Deploying the Vanta Device Monitor with Mosyle MDM

Written by Shannon DeLange
Updated yesterday

Currently, Mosyle Business’s API does not provide certain device security details, such as password manager status, screen lock detection, hard drive encryption, or antivirus information. Since this data isn’t exposed through Mosyle’s API, Vanta cannot access it directly. This is expected behavior given the current scope of the integration. To help your team maintain strong device compliance, we’ve outlined a workaround that combines Mosyle with Vanta’s Device Monitor. This approach ensures you can continue monitoring key compliance requirements while we work toward deeper integration in the future.

Vendors often prioritize API enhancements when they hear directly from customers. Reach out to your Mosyle representative using our short email template (available from your Vanta CSM).

Requirements

  • Computers must be assigned an owner in Mosyle

  • Computer owner must exist as personnel in Vanta

  • Computer owner email must match the email address of the corresponding personnel on Vanta

Set Up the Configuration Script

  • Navigate to the Management tab and select the Custom Commands option

  • Click Add new profile and fill in the following information:

    • Profile Name (example): VDM Installation Script

    • Select Enable Variables for this profile

      • This will allow the installation script to access the "%Email%" variable for the selected computer (documentation)

    # Check if VDM is already installed
    if /usr/local/vanta/vanta-cli status; then
        echo "VDM already installed"
        exit 0
    fi

    # Install VDM
    echo "Installing VDM for user %Email%"

    VANTA_OWNER_EMAIL="%Email%" \
    VANTA_KEY="ENTER_YOUR_DOMAIN_ENROLLMENT_SECRET_HERE" \
    VANTA_REGION="ENTER_YOUR_REGION_HERE" \
    bash -c "$(curl -L https://raw.githubusercontent.com/VantaInc/vanta-agent-scripts/main/install-macos.sh)"

    • Find your domain enrollment secret and region here

Please note: It is critical to keep the code that checks whether the VDM is already installed, because this script will run every time the computer starts.

  • Mosyle requires that you run the script at least once on a test computer before saving it

    • Learn more about the setup script here

  • In the Execution Settings tab, select Every start up of the Mac

    • This trigger allows VDM to be reinstalled if a user inadvertently uninstalls it

    • Selecting Upon Enrollment only would lead to unmonitored computers

    • Every user sign-in or Device Info update would be more frequent than necessary

  • In the Profile Assignment section, select All current and future Devices or the relevant device/user group if you have that set up for your org

  • Save your Profile

  • Select View Results to monitor the status of your deployment

Lifecycle Management Notes

  • Because of how we have set up the installation script, a computer restart is required to trigger installation.

  • To uninstall the VDM, first disable the Installation script on the target computer and run the following command: sudo /usr/local/vanta/vanta-cli uninstall (documentation)

    • If you don't disable the installation script, VDM will get reinstalled next time the computer restarts

  • Once installed, VDM will automatically manage its own software update process.

  • If a computer doesn't have an owner with an email that matches the personnel on Vanta, the installation script will fail.

Please note: We currently only support an automated test for malware detection for Windows devices. Linux and macOS are not yet supported, but manual evidence can be uploaded as a Document.