macOS XProtect Security Status Monitoring

Understanding XProtect Status

Perfect! No output means XProtect is properly configured - both launch scans and background scans are enabled. The command only alerts when there’s a security issue.

Monitoring XProtect Status

If you want to see the actual status for monitoring/logging purposes, here’s a version that always shows output:

```bash
xp=$(xprotect status 2>/dev/null) &&
launch=$(echo "$xp" | awk -F': ' '/launch scans/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}') &&
bg=$(echo "$xp" | awk -F': ' '/background scans/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}') &&
echo "XProtect Status: Launch=$launch, Background=$bg, Compliant=$([[ "$launch" == "enabled" && "$bg" == "enabled" ]] && echo "YES" || echo "NO") ($(date -Iseconds))"
```

XDR Integration with JSON Output

For XDR integration with JSON output:

```bash
xp=$(xprotect status 2>/dev/null) &&
launch=$(echo "$xp" | awk -F': ' '/launch scans/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}') &&
bg=$(echo "$xp" | awk -F': ' '/background scans/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}') &&
echo "{\"timestamp\":\"$(date -Iseconds)\",\"component\":\"xprotect\",\"launch_scans\":\"$launch\",\"background_scans\":\"$bg\",\"compliant\":$([[ "$launch" == "enabled" && "$bg" == "enabled" ]] && echo "true" || echo "false")}"
```
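The JSON one-liner above prints nothing if `xprotect status` exits non-zero, and emits empty strings if the expected lines are missing, so a collector can mistake a broken check for a quiet one. As an added example (not code from the original post), here is the same parsing as POSIX shell functions that always emit a record and report such cases as "unknown" and non-compliant. The function names, the "unknown" value, the UTC timestamp format and the sample text are assumptions of this example.

```shell
# Added example; xp_field, xp_norm, xprotect_json and "unknown" are names chosen here.

# Value after ": " on the first line of text $1 that matches pattern $2.
xp_field() {
  printf '%s\n' "$1" | awk -F': ' -v pat="$2" '
    $0 ~ pat { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Pass through a single lowercase word; anything else (empty, quotes,
# spaces) becomes "unknown" so the JSON stays valid and the gap is visible.
xp_norm() {
  case "$1" in
    ''|*[!a-z]*) printf 'unknown' ;;
    *)           printf '%s' "$1" ;;
  esac
}

# $1 = raw `xprotect status` text (empty if the command failed)
# $2 = optional timestamp, defaults to the current UTC time
xprotect_json() {
  xp_launch=$(xp_norm "$(xp_field "$1" 'launch scans')")
  xp_bg=$(xp_norm "$(xp_field "$1" 'background scans')")
  xp_ts=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  if [ "$xp_launch" = enabled ] && [ "$xp_bg" = enabled ]; then
    xp_ok=true
  else
    xp_ok=false
  fi
  printf '{"timestamp":"%s","component":"xprotect","launch_scans":"%s","background_scans":"%s","compliant":%s}\n' \
    "$xp_ts" "$xp_launch" "$xp_bg" "$xp_ok"
}

# Constructed sample in the "<name> scans: <state>" shape the awk patterns expect.
SAMPLE_OK='XProtect launch scans: enabled
XProtect background scans: enabled'

xprotect_json "$SAMPLE_OK"   # both scans enabled
xprotect_json ''             # command failed or printed nothing
```

On a Mac, feed it the live output with `xprotect_json "$(xprotect status 2>/dev/null)"`; a failed command yields an empty argument and therefore an "unknown", non-compliant record instead of silence.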

Best Practices

The original silent version is actually ideal for automated security monitoring - it follows the Unix philosophy of “no news is good news” and only alerts on security policy violations.

macOS XProtect Security Status Monitoring
https://mranv.pages.dev/posts/xprotect-macos-security-check/
Author: Anubhav Gain
Published at: 2025-01-28
License: CC BY-NC-SA 4.0