197 words
1 minute
macOS XProtect Security Status Monitoring
Table of contents
Understanding XProtect Status
Perfect! No output means XProtect is properly configured - both launch scans and background scans are enabled. The command only alerts when there’s a security issue.
Monitoring XProtect Status
If you want to see the actual status for monitoring/logging purposes, here’s a version that always shows output:
xp=$(xprotect status 2>/dev/null) && launch=$(echo "$xp" | awk -F': ' '/launch scans/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}') && bg=$(echo "$xp" | awk -F': ' '/background scans/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}') && echo "XProtect Status: Launch=$launch, Background=$bg, Compliant=$([[ "$launch" == "enabled" && "$bg" == "enabled" ]] && echo "YES" || echo "NO") ($(date -Iseconds))"XDR Integration with JSON Output
For XDR integration with JSON output:
xp=$(xprotect status 2>/dev/null) && launch=$(echo "$xp" | awk -F': ' '/launch scans/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}') && bg=$(echo "$xp" | awk -F': ' '/background scans/ {gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2}') && echo "{\"timestamp\":\"$(date -Iseconds)\",\"component\":\"xprotect\",\"launch_scans\":\"$launch\",\"background_scans\":\"$bg\",\"compliant\":$([[ "$launch" == "enabled" && "$bg" == "enabled" ]] && echo "true" || echo "false")}"Best Practices
The original silent version is actually ideal for automated security monitoring - it follows the Unix philosophy of “no news is good news” and only alerts on security policy violations.
macOS XProtect Security Status Monitoring
https://mranv.pages.dev/posts/xprotect-macos-security-check/