Skip to main content
The Endpoint Detection and Response add-on is required to use the Accessory & Storage Access Library Item. However, you do not need to assign the EDR Library Item to the Blueprint in order to deploy the Accessory & Storage Access Library Item.

About Iru Endpoint EDR

Iru Endpoint EDR is a security tool that monitors Mac computers for malware and potentially unwanted programs (PUPs) using file-based and behavioral detection mechanisms. It’s integrated into the Iru Endpoint platform and managed through the same web app you use for device management.

How It Works

Iru Endpoint EDR runs on enrolled Mac computers using Apple’s Endpoint Security framework. It analyzes files and processes against threat intelligence and detection models to identify suspicious activity. EDR uses Apple’s native frameworks for monitoring without significant performance impact. EDR is deployed as a library item called EDR in Iru Endpoint Blueprints. Once you enable it in a Blueprint, it deploys and activates automatically on enrolled devices. When EDR detects a threat, it can terminate the process and quarantine the file. You can configure these response actions and create custom allow/block lists based on file hashes or paths. Admins can view detected threats, quarantine actions, and security events in the Iru Endpoint web app’s Threats page.

Understanding the Threats Page

You can access the Threats page by clicking Threats in the left-hand navigation bar of the Iru Endpoint web app. This page lists the total number of Threat events affecting your Mac computers across the designated Blueprints containing the EDR Library Item, along with information such as device impacted, threat name, classification, the process responsible for the Threat event, detection date, and threat status. Iru Endpoint EDR categorizes file detections as malware, PUPs, benign, or unknown and behavioral detections as malicious or suspicious.

Threats Over Time

The Threats over Time graph displays a chronological overview of security threats detected by Iru Endpoint EDR within a specified timeframe. By default, the graph shows data for the past 30 days, but you can adjust this period using the dropdown menu above the graph to view anywhere from 24 hours up to 90 days. For more specific analysis, you can select a custom date range.
If you choose a date range exceeding 90 days, the system will automatically limit the display to 90 days.
The graph also offers three visualization options to control the level of detail displayed:
  • Granular: Shows every individual threat detection, providing the most detailed view
  • Smooth: Displays general trends and patterns, offering a high-level overview
  • Balanced: The default setting that provides a middle ground between detailed detection data and trend visualization
These granularity options allow you to customize the graph based on whether you need to examine specific incidents or understand broader threat patterns over time.

Devices Under Threat

The Devices under threat metric shows how many devices currently have active security threats. If a device has any threats detected (whether file-based or behavioral) it gets counted here. You can adjust the timeframe for this data using the date filter, just like with other dashboard elements. This data is refreshed every time the page is refreshed.
The Threats page also provides quick filters by classification and threat status.

Threat Detail View

Click on any Threat event to reveal additional information, including detection and quarantined dates, path, file hash, and user information. Similar data is available on the device record page for individual devices.

Understanding Device Record Pages

The device record page shows the total number of threat events found on a specific device. To see the actual threat events, select the Threats tab.
Select any threat entry to display comprehensive details including detection timestamp, quarantine date, file location, cryptographic hash, and related user account information.
For more details about how device views work, check out the Device Views Overview support article.

Considerations

  • EDR Deployment: EDR is deployed as the EDR library item in Iru Endpoint Blueprints and activates automatically on enrolled devices
  • Performance Impact: EDR uses Apple’s native Endpoint Security framework for monitoring without significant performance impact on managed devices
  • Threat Classification: File detections are categorized as malware, PUPs, benign, or unknown, while behavioral detections are classified as malicious or suspicious
  • Response Actions: Configure threat response actions including process termination and file quarantine, with custom allow/block lists based on file hashes or paths
  • Dashboard Monitoring: Use the Threats page to monitor security events, view threat trends over time, and track devices under threat
  • Data Visualization: Leverage the three granularity options (Granular, Smooth, Balanced) to customize threat analysis based on your specific needs
  • Time Range Analysis: Adjust timeframes from 24 hours to 90 days for threat analysis, with automatic 90-day limits for longer periods
  • Device-Specific Views: Access detailed threat information for individual devices through the device record page Threats tab
  • Threat Intelligence: EDR analyzes files and processes against threat intelligence and detection models to identify suspicious activity
  • Integration Benefits: EDR is fully integrated into the Iru Endpoint platform, providing seamless security management alongside device management capabilities