macOS Endpoint Enrollment Posture

Status

Implemented for OP-061. macOS endpoints can use the existing enrollment and identity-bound telemetry runtime with agent_class=endpoint and platform=darwin.

What Was Implemented

Enrollment exchange accepts optional platform=darwin and os_version.
Darwin enrollment is restricted to agent_class=endpoint.
Agent identity responses expose platform and OS version metadata.
Runtime-lite enrollment emits agent.macos.enrolled alongside the generic agent.enrolled event.
Identity-bound heartbeat normalizes darwin telemetry into the existing macOS asset posture.
The Assets console shows enrolled agent platform/OS metadata when present.

Security / Tenant Isolation

The implementation reuses ADR-0009/OP-032R tenant-scoped enrollment tokens, CSR exchange, identity records, and OP-052 telemetry binding. Heartbeat still requires a service-account actor bound to the enrolled agent or collector. Raw CSR and token values remain out of audit/events/read models.

Validation

make validate-contracts
make typecheck-python
make lint
make test-sqlite
npm --prefix frontend run typecheck
npm --prefix frontend test -- --run
make docs-build

Known Limitations

No standalone Go agent binary.
No osquery/Fleet/OTel bridge.
No remote command, SSH, patching, software deployment, or device-control behavior.
No deployment, CI, Terraform, Helm, or AWS changes.

Status​

What Was Implemented​

Security / Tenant Isolation​

Validation​

Known Limitations​

Status

What Was Implemented

Security / Tenant Isolation

Validation

Known Limitations