Mac Device Agent
On-device diagnostics, scoped shell scripts, and APFS-aware disk forensics for macOS endpoints managed by Dex.
Dex ships a lightweight macOS agent that pairs to the user's Entra-registered Mac. Once installed, Dex can run baseline diagnostics, execute scoped bash/zsh for deep troubleshooting (process analysis, launchd/cron audits, cache and temp forensics), and clean caches with consent. Disk reads are APFS-aware: Dex knows /System/Volumes/Data is the volume the user actually cares about. Every run stays within a 30-second default script budget, is scoped per-device and fully logged, and never requires opening an SSH or screen-sharing session.
What Dex does with Mac Device Agent
Dex handles both admin workflows and employee self-service — all policy-guardrailed and audit-logged.
For admins (CoAdmin)
- List a user's devices via list_user_devices and resolve the Entra device ID
- Run built-in device_state_diagnostics with a performance check for a one-call CPU, memory, and disk baseline
- Get system info (CPU count, total RAM, disk size, macOS version) with device_get_system_info
- Execute scoped bash/zsh with device_run_custom_shell — per-script timeout (default 30s, up to 120s), in system or logged-in-user context
- APFS-aware disk diagnostics: device_diagnostic_disk_space, top-level folder sizes, deep ~/Library/Caches and Containers scans, large file detection, hidden directory hunt
- Process analysis: top CPU/memory consumers, two-sample top delta for real-time CPU, suspicious shell/python/osascript audit
- launchd and cron audit: non-Apple jobs, LaunchDaemons/LaunchAgents plist inventory across system and user scopes, crontab + periodic checks
- Remediations: kill rogue process, bootout and remove rogue launchd job, clean user caches and flooded $TMPDIR, empty Trash, flush DNS cache
For employees (self-service)
- "My Mac is slow" → Dex takes the baseline, finds the CPU hog, and kills it after your approval
- "Disk is full, I can't save files" → Dex scans ~/Library/Caches, Containers, and temp, shows what's eating space, and cleans with consent
- "My fan won't stop spinning" → Dex samples CPU twice over a 3-second window to catch what's actively burning cycles right now
- "I think something weird is running in the background" → Dex audits launchd jobs, cron, and shell processes for rogue persistence
- Every remediation shows a before/after disk & CPU comparison so you can see what changed
Just ask Dex
Your team types a request in plain language. Dex investigates, plans, and executes — with the right guardrails.
Admin prompts
- Run a full performance triage on marco@acme.com's MacBook — find any rogue processes or launchd jobs
- Check the disk on jenna.rossi@acme.com's Mac and scan ~/Library/Caches and Containers for junk over 500MB
- On dan@acme.com's Mac, list all non-Apple launchd jobs and flag any that reference scripts under /tmp or ~/Library
- Kill process ID 4812 on dan@acme.com's Mac — it's a runaway python script hogging CPU
- Clean the flooded temp folder and empty the Trash on jenna.rossi@acme.com's Mac
- Flush the DNS cache on marco@acme.com's Mac — he can't resolve internal hostnames
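An added example (not Dex's agent code) of the launchd audit the third prompt describes: parse each LaunchDaemons/LaunchAgents plist and flag non-Apple jobs whose program or arguments point under /tmp or ~/Library. It assumes a job counts as Apple's only when its plist sits under /System/Library/; the function names and sample plists are constructed for illustration.

```python
import plistlib
import re

# Paths the prompt asks to flag: /tmp (really /private/tmp on macOS) and a user's
# ~/Library. The lookbehind keeps look-alikes such as /opt/tmp/ from matching.
SUSPECT = re.compile(r"(?<![\w/.])(?:(?:/private)?/tmp/|(?:~|/Users/[^/\s]+)/Library/)")

def job_paths(job):
    """Strings launchd would execute or pass as arguments for this job."""
    paths = [job["Program"]] if isinstance(job.get("Program"), str) else []
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        paths += [a for a in args if isinstance(a, str)]
    return paths

def audit(plists):
    """plists maps plist path -> raw bytes. Returns one finding per non-Apple job."""
    findings = []
    for path, raw in sorted(plists.items()):
        # Assumption of this example: ownership is decided by location, not by
        # Label, because Label is free text chosen by whoever wrote the plist.
        if path.startswith("/System/Library/"):
            continue
        try:
            job = plistlib.loads(raw)  # accepts XML and binary plists
            if not isinstance(job, dict):
                raise ValueError("plist root is not a dictionary")
        except Exception:
            findings.append({"plist": path, "label": None, "flag": "unparseable", "hits": []})
            continue
        hits = [p for p in job_paths(job) if SUSPECT.search(p)]
        findings.append({"plist": path, "label": job.get("Label"),
                         "flag": "suspect-path" if hits else "non-apple", "hits": hits})
    return findings

# Constructed sample input (not taken from any real machine).
SAMPLE = {
    "/System/Library/LaunchDaemons/com.apple.example.plist": plistlib.dumps(
        {"Label": "com.apple.example", "Program": "/usr/libexec/exampled"}),
    "/Library/LaunchDaemons/com.vendor.updater.plist": plistlib.dumps(
        {"Label": "com.vendor.updater", "ProgramArguments": ["/Library/Vendor/updater", "--daemon"]}),
    "/Users/dan/Library/LaunchAgents/com.apple.helper.plist": plistlib.dumps(
        {"Label": "com.apple.helper", "ProgramArguments": ["/bin/sh", "-c", "/tmp/.cache/run.sh"]},
        fmt=plistlib.FMT_BINARY),
    "/Library/LaunchAgents/broken.plist": b"not a plist",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The third sample carries a com.apple. label but lives in a user's LaunchAgents folder, which is why the check keys on plist location rather than on the label.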
Employee prompts
- >My MacBook is running slow, can you look at it?
- >I'm getting "your disk is almost full" warnings — can you clean it up?
- >My fan is spinning constantly even when I'm not doing anything
- >I keep getting "your system has run out of application memory" popups
- >I think something weird is running in the background, can you check?
Policy actions
Every action Dex can take on Mac Device Agent is declared, scoped, and guardrailed. Admins control which apply, who approves them, and whether they're limited to self-service.
| Action | What it does |
|---|---|
| mac_list_user_devices | List the Macs registered to a user and resolve Entra device IDs |
| mac_device_state_diagnostics | Run built-in diagnostics (CPU, memory, and disk performance baseline) |
| mac_device_get_system_info | Get hardware and OS info (CPU count, RAM, disk size, macOS version) |
| mac_device_diagnostic_disk_space | Report APFS volume capacity and free space (container-aware, not raw df) |
| mac_device_clean_cache | Clean standard macOS cache locations |
| mac_device_run_custom_shell | Run scoped bash/zsh scripts (read-only by default; allow_changes=true for writes) |
How to configure Mac Device Agent
Onboarding takes minutes. Dex validates your credentials before saving them.
Setup steps
1. Mac Device Agent shares the same Microsoft 365 / Entra tenant authorization Dex already has — no separate credentials.
2. Deploy the Dex macOS agent to endpoints via MDM (Intune, Jamf) or a direct installer (.pkg from download.dex365.ai/macos/DexDeviceAgent.pkg). The agent auto-registers using the machine's Entra device identity.
3. Once the agent is installed and the device is Entra-registered, Dex can look up the device via Graph /devices and target it by Entra device ID.
4. Diagnostic scripts run read-only by default; any remediation (kill process, clean caches, remove launchd job) requires allow_changes and is confirmed with the user first.
5. No inbound firewall changes required — the agent polls out to the Dex backend; there's no open SSH or screen-sharing port.
No extra credentials
This integration is covered by your Microsoft 365 tenant authorization to Dex. There are no per-app credentials to create or rotate.
Requirements
- Endpoints must be Entra-registered (so Dex can resolve an Entra device ID to target the agent)
- Microsoft 365 / Entra tenant authorization already completed in Dex (reuses those scopes for device discovery)
- Shell scripts default to 30-second timeout; up to 120s can be requested per call — full-disk recursive scans are avoided in favor of targeted per-folder scans
- User $TMPDIR, ~/Library, and Trash operations require run_as_context = "logged_in_user" — system context resolves $TMPDIR and $HOME to the wrong paths