Rollout Plan

Beacon gives security and IT teams local endpoint visibility into supported agent harnesses. It captures supported activity, normalizes it into a stable endpoint event schema, and writes JSONL for local inspection, Wazuh, Elastic, Datadog Agent custom log collection, Sumo Logic HTTP Source forwarding, optional Splunk HEC or Falcon LogScale HEC forwarding, or customer-managed forwarding. Beacon is local-only by default. The endpoint agent does not require a Beacon-hosted account, remote policy fetch, or external network dependency during normal collection.

Operational workflow

1. Deploy the endpoint agent

   Use the signed and notarized macOS .pkg for MDM deployment, or install the CLI directly for local evaluation. Production MDM deployments use system mode and write events to /var/log/beacon-agent/runtime.jsonl.

2. Inventory and validate health

   Track Beacon version, collector service health, runtime log freshness, configured harnesses, and log writability through your device-management platform.

3. Review content handling

   Confirm supported runtime scope, local log access, and downstream destination permissions match your approved telemetry collection policy.

4. Forward endpoint events

   Use Wazuh localfile ingestion, Elastic/Filebeat, Datadog Agent custom log collection, Sumo Logic HTTP Source forwarding, optional Splunk HEC or Falcon LogScale HEC collector forwarding, or a customer-managed log shipper to forward Beacon JSONL to your SIEM or data pipeline.

Guides

Enterprise security review

Answer procurement and security review questions about local collection, data inventory, content handling, endpoint behavior, and disclosure policy.

MDM deployment

Plan managed macOS rollout with the packaged system agent.

Jamf

Deploy and inventory Beacon with Jamf Pro policies and extension attributes.

Fleet

Deploy Beacon with Fleet software, policies, queries, and scripts.

SIEM forwarding

Forward Beacon events to Wazuh, Splunk HEC, Falcon LogScale, Elastic, Datadog, Sumo Logic, Rapid7 InsightIDR, or a customer-managed SIEM pipeline.

Endpoint event schema

Review the normalized JSONL contract used for endpoint events.

Also review Agent harness integrations to confirm supported runtimes, deployment modes, storage paths, and forwarding boundaries.

What to monitor

| Area | Recommended signal |
| --- | --- |
| Install coverage | Beacon package or binary version is present |
| Collector health | com.beacon.endpoint.collector is running |
| Event freshness | Last runtime event age is within your expected window |
| Runtime configuration | Configured harnesses match the approved deployment scope |
| Forwarding readiness | Runtime log exists and is writable; Wazuh, Splunk HEC, Falcon LogScale HEC, Elastic, Datadog, Sumo Logic, Rapid7 InsightIDR, or customer-managed forwarding is configured when required |
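
One way to collect the collector-health, event-freshness, and log-writability signals above from an MDM script or extension attribute. This is an added example, not Beacon's own tooling: the log path and launchd label come from this page, while the one-hour threshold, the use of file modification time as a stand-in for last event age, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Beacon tooling). Log path and launchd label are from this page;
# MAX_AGE_SECONDS and all function names are assumptions.
RUNTIME_LOG="${RUNTIME_LOG:-/var/log/beacon-agent/runtime.jsonl}"
SERVICE_LABEL="com.beacon.endpoint.collector"
MAX_AGE_SECONDS="${MAX_AGE_SECONDS:-3600}"

# Modification time in epoch seconds: GNU stat first, then BSD/macOS stat.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# Prints missing | not_writable | unknown | stale | fresh for the runtime log.
# File mtime stands in for "last runtime event age" (assumption).
log_state() {
    log="$1"; max_age="$2"
    [ -f "$log" ] || { echo missing; return 0; }
    [ -w "$log" ] || { echo not_writable; return 0; }
    mtime=$(file_mtime "$log") || { echo unknown; return 0; }
    age=$(( $(date +%s) - mtime ))
    if [ "$age" -le "$max_age" ]; then echo fresh; else echo stale; fi
}

# Prints running | not_running | unknown. Assumes the collector is loaded in the
# launchd system domain, matching the system-mode MDM deployment.
service_state() {
    command -v launchctl >/dev/null 2>&1 || { echo unknown; return 0; }
    if launchctl print "system/$1" 2>/dev/null | grep -q 'state = running'; then
        echo running
    else
        echo not_running
    fi
}

# One key=value line per signal, easy to map onto an MDM inventory field.
beacon_health() {
    echo "collector=$(service_state "$SERVICE_LABEL")"
    echo "runtime_log=$(log_state "$RUNTIME_LOG" "$MAX_AGE_SECONDS")"
}

beacon_health
```

When the script runs as root, the writability test reflects root's access to the file; run it as the collector's account if that differs.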

Boundaries

Beacon currently focuses on endpoint telemetry for supported agent harnesses and local endpoint configuration context. It does not provide kernel or process monitoring, shell history collection, cloud audit ingestion, browser or SaaS telemetry, credential-use attribution, Datadog API export from Beacon, Sumo Logic API export from Beacon, Rapid7 API export from Beacon, or automatic mutation of Factory Droid shell profiles. Use Wazuh, Splunk HEC, Falcon LogScale HEC, Elastic/Filebeat, Datadog Agent custom log collection, Sumo Logic HTTP Source forwarding, Rapid7 Custom Logs webhook forwarding, or customer-managed forwarding for SIEM destinations.