Documentation

Getting started

From install to first verified telemetry — with the correct policy paths and modes.

  • Step 1

    Install TURI

    Deploy the signed TURI app bundle from your channel (TestFlight, PKG, or MDM).

  • Step 2

    Approve extensions

    System Settings → Privacy & Security → Extensions — enable Content Filter and DNS Proxy.

  • Step 3

    Enable Endpoint Security

    Grant the Endpoint Security client when macOS prompts; without it, sync enforcement cannot run.

  • Step 4

    Start in monitor

    Set enforcement mode to monitor in policy; use Observation mode in the app while tuning rules.

  • Step 5

    Verify telemetry

    Confirm telemetry appears in the TURI dashboard and open Session Replay.

  • Step 6

    Enforce

    Switch to enforce when the false-positive rate is acceptable; enable supply-chain gates if using package managers.

Requirements

macOS 12+

Ventura+ recommended

Signed build

NE + App Groups entitlements

Admin approval

ES client + extensions

Quick wins

Block risky shell

Reverse shells, destructive rm, security tampering, npm→curl chains.

Protect secrets

.env & ~/.ssh reads correlated with outbound network.

Govern installs

mf wrap + workspace anchors + supply-chain verdict store.

Two different “observe” controls

Setting enforcement_mode: monitor in macfirewall_driftcop_policy.json logs and allows most AUTH paths. Observation mode in the app (UserDefaults isObservationModeSync) simulates workflow rules, but platform-integrity paths may still enforce. Always check both before assuming nothing blocks.
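
A preflight check for the two controls described above, as an added example that is not TURI's own code. It assumes enforcement_mode is a top-level key in the policy JSON and that the caller supplies the app's UserDefaults domain; the sample policy is constructed.

```python
import json
import subprocess

# Constructed sample; assumes enforcement_mode is a top-level key (not confirmed by the docs).
SAMPLE_POLICY = '{"enforcement_mode": "monitor"}'

def policy_mode(policy_text):
    """Return enforcement_mode from policy JSON text, or None if missing or unparsable."""
    try:
        doc = json.loads(policy_text)
    except ValueError:
        return None
    mode = doc.get("enforcement_mode") if isinstance(doc, dict) else None
    return mode.strip().lower() if isinstance(mode, str) else None

def parse_defaults_bool(raw):
    """Map `defaults read` output (booleans print as 1 or 0) to True/False/None."""
    value = (raw or "").strip().lower()
    if value in ("1", "true", "yes"):
        return True
    if value in ("0", "false", "no"):
        return False
    return None  # key unset or unexpected value

def read_observation_mode(domain, key="isObservationModeSync"):
    """Read the app-side flag on macOS; `domain` is supplied by the caller (hypothetical)."""
    try:
        done = subprocess.run(["defaults", "read", domain, key],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_defaults_bool(done.stdout)

def assess(mode, observation):
    """Combine both controls; never reports that nothing can block."""
    notes = ["platform-integrity paths may still enforce"] if observation else []
    if mode == "monitor":
        notes.append("monitor allows most AUTH paths, not all")
    if mode == "monitor" and observation is True:
        return "observe", notes
    if mode is None or observation is None:
        return "unknown", notes + ["a control could not be read; assume blocking is possible"]
    if mode == "monitor" or observation is True:
        return "mixed", notes + ["only one observe control is set"]
    return "enforcing", notes

if __name__ == "__main__":
    # Offline demo on the constructed sample, with the app flag given as "1".
    print(assess(policy_mode(SAMPLE_POLICY), parse_defaults_bool("1")))
```

On a managed Mac, pass the text of the deployed policy file to policy_mode and the app's real defaults domain to read_observation_mode; both values come from your deployment, not from this page.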

Verify it works

After a short agent session, confirm artifacts under the shared volume:

Shared runtime storage
Security telemetry (telemetry)

Process and file activity events from the Endpoint Security extension

Network telemetry (telemetry)

Connection flow events from the Network Extension

Policy configuration (policy)

Active enforcement policy with domain, IP, and behavioral settings

Verdict cache (enforce)

Zero-copy bridge for real-time enforcement decisions between async and sync layers

Supply chain verdicts (supply)

Install-gate verdict store for package manager governance

SOC telemetry export (siem)

Rotated export for SIEM integration

Full path details are provided during design partner onboarding.
