Overview
Use this guide to install Beacon on managed Macs and forward Claude Code runtime and inventory telemetry to Google Cloud Storage without asking users to configure the endpoint. The deployed state is:- Beacon and Vector are installed under
/opt/beacon. com.beacon.endpoint.collectorruns the system endpoint.- Claude Code hooks are installed for the logged-in console user.
- Runtime and inventory events are written to
/var/log/beacon-agent/runtime.jsonland/var/log/beacon-agent/inventory_state.jsonl. com.beacon.endpoint.gcs-forwarderuploads both streams under one root prefix:
beacon-prod, not beacon-prod/runtime or
beacon-prod/inventory. The installer normalizes those older suffixes, but new
deployments should use the root layout.
1. Prepare Google Cloud
Set placeholders in an administrator shell:roles/storage.objectCreator can create objects but cannot list, read, overwrite,
or delete them. A successful writer therefore cannot validate delivery by
running gcloud storage ls or cat.
Create a separate read-only identity for validation and downstream consumers:
2. Deliver The Writer Credential
Vector0.56 supports a service-account JSON file through
GOOGLE_APPLICATION_CREDENTIALS and GCE metadata credentials. Managed Macs do
not normally have GCE metadata, and interactive gcloud auth application-default login credentials or Workload Identity Federation are not
a reliable launchd authentication contract for this Vector version.
Create a key only when your organization permits service-account keys:
/opt/beacon or
/Library/Application Support/Beacon. Beacon upgrades, repair, and cleanup own
those trees. On the Mac, enforce restrictive permissions:
/Library/Application Support/Beacon/Forwarders/gcs-vector.env; the JSON stays
in the externally managed location.
3. Configure The Jamf Policy
Upload the signed Beacon endpoint package, which includes:| Parameter | Label | Example |
|---|---|---|
| 4 | GCS bucket | example-security-logs |
| 5 | GCS prefix root | beacon-prod |
| 6 | GCS storage class | STANDARD |
| 7 | Vector runtime read position | end |
| 8 | Managed credential file path | /Library/Application Support/Your Organization/Secrets/beacon-gcs-writer.json |
end to avoid an unexpected historical upload. Inventory
starts at beginning so an initial snapshot created before Vector starts is not
missed.
4. Validate A Managed Mac
Check services, files, and the non-secret configuration:roles/iam.serviceAccountTokenCreator on the reader account. Alternatively,
validate with your existing security operations reader identity.
Grant that role to a designated validator:
Credential Rotation
Create and deliver a new key before deleting the old one:root:wheel and mode 0600, then restart the
forwarder:
Troubleshooting
Check launchd and Vector stderr:GOOGLE_APPLICATION_CREDENTIALS is missing or unreadable: confirm the path ingcs-vector.env, the external file, and root read permission.403 Forbidden: confirm the credential belongs to the expected service account and that account hasroles/storage.objectCreatoron the target bucket. Confirm any CMEK key also permits encryption.- Uploads succeed but
gcloud storage lsfails under the writer: expected;objectCreatorcannot inspect objects. Use the reader identity. - No recent runtime objects: runtime starts at
end; write a validation event after the forwarder is running. - No inventory objects: force an inventory heartbeat and inspect
/var/log/beacon-agent/inventory_state.jsonl.

