This guide applies to Mac computers and Windows devices
The Endpoint Detection and Response add-on is required to use the EDR Library Item.

About Iru Endpoint EDR

Iru Endpoint EDR is a security tool that monitors enrolled devices for malware and potentially unwanted programs (PUPs). It is integrated into the Iru Endpoint platform and managed through the same web app you use for device management. EDR is deployed as a Library Item called EDR in Iru Endpoint Blueprints. Once you enable it in a Blueprint, it deploys and activates automatically on enrolled devices. On macOS, EDR can terminate processes and quarantine files when Protect posture is enabled, supports response actions such as device isolation from the Detections page, and supports custom allow and block lists based on file hashes or paths. Admins can view detected threats, quarantine actions, and security events on the Detections page in the Iru Endpoint Web App. See Understanding the Detections Page for dashboard widgets, filters, and device record views.

Platform Capabilities

Iru Endpoint EDR monitors Mac computers using file-based and behavioral detection. It runs on enrolled Macs through Apple’s Endpoint Security framework and analyzes files and processes against threat intelligence and detection models. EDR uses Apple’s native frameworks for monitoring without significant performance impact.

Core capabilities:
  • File-based detection — Categorizes files as malware, PUPs, benign, or unknown
  • Behavioral detection — Identifies malicious or suspicious process activity
  • Automated threat response — Terminates processes and quarantines files in Protect mode
  • Custom allow and block lists — Override default threat intelligence using file hashes or paths
  • Posture modes — Configure independent Detect or Protect modes for malware, PUPs, and malicious behavior
  • Device isolation — Quarantine compromised devices from the network during active incidents
For behavioral detection tuning, see Behavioral Detection Rule Groups.

The Endpoint Detection and Response add-on is also required for the Accessory & Storage Access Library Item. You do not need to assign the EDR Library Item to the Blueprint to deploy the Accessory & Storage Access Library Item.

Posture Modes

The EDR agent supports Detect and Protect posture modes, configured independently for Malware, PUPs, and Malicious behavior.
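
| Mode    | Behavior                                                              |
|---------|-----------------------------------------------------------------------|
| Detect  | Scans and reports known malicious items. No automatic quarantine.     |
| Protect | Scans, reports, and automatically quarantines known malicious items.  |
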
For configuration steps, see Configure the EDR Library Item.

Considerations

  • Platform scope: File-based and behavioral detection with malicious behavior posture
  • Posture configuration: Configure Malware, PUP, and malicious behavior posture modes independently
  • Response actions: Configure process termination, file quarantine, custom allow and block lists, and device isolation from the threat detail view
  • EDR deployment: EDR is deployed as the EDR Library Item in Blueprints and activates automatically on enrolled devices
  • Testing: Validate your deployment using the EICAR test file; see Testing EDR Malware Detection

Next Steps