macOS Endpoint Intelligence Gathering

Problem Overview

When troubleshooting, auditing, or tracking a lost or stolen macOS device, IT professionals and MSPs need quick access to key system and network details. Manually retrieving this data can be tedious, especially in urgent situations. This script automates the collection process, providing a full system snapshot in seconds.

Description

This script gathers essential details about a macOS device, including:

• System Information – Runs system_profiler SPHardwareDataType SPSoftwareDataType to collect OS details, hardware specs, and uptime.
• Local Network Data – Uses ifconfig to list network adapters, local IPs, and MAC addresses.
• Public IP Address – Fetches the external IP with geo DNS lookup.
• Wi-Fi Networks – Lists all visible Wi-Fi networks using airport -s.
• ARP Table – Displays active ARP cache entries to identify devices on the local network.

With one execution, this script provides a detailed overview of the device’s network and system state, making it an invaluable tool for security audits, network troubleshooting, and asset tracking.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot 
# guarantee it will work in all environments. Please test before deploying 
# to your production environment. We welcome contributions to our community 
# library

# Level Library
# https://level.io/library/script-macos-endpoint-intelligence-gathering

# Get System Details
system_profiler SPSoftwareDataType

# Get Local IP
ifconfig

# Get Remote IP
curl https://ip.level.io/json

# Get list of all visible wireless networks
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

# Get ARP table
arp -a

Use Cases

• Lost or Stolen macOS Device Recovery – Pair with automation workflows to retrieve device location details and erase endpoint.
• Security & Compliance Audits – Gather system and network data for security assessments.
• Troubleshooting Network Issues – Identify misconfigured or conflicting network settings.
• Asset Management & Inventory – Collect system details for IT documentation.
• Incident Response – Quickly gather endpoint intelligence during a security event.

Recommendations

• Pair with Lost/Stolen Endpoint Automation – Automate script execution when a device is marked as missing.
• Test Before Deployment – Run in a test environment to ensure expected output.
• Schedule for Routine Audits – Automate periodic execution for continuous monitoring.

FAQ

• How do I run this script?
  ‍Execute it directly from Level.

• Can this script help locate a stolen macOS device?
  ‍It gathers key network details and provides a geo DNS based lookup on the endpoint. Pairing with Level’s lost/stolen endpoint automation is recommended.

• Is this script compatible with all macOS versions?
  ‍Yes, it works on macOS Big Sur, Monterey, Ventura, and newer versions.

• Do I need to install any dependencies?
  ‍No, all commands use built-in macOS utilities.

• Can I modify this script to collect additional data?
  ‍Yes! You can extend the script by adding more macOS commands to fit your needs.