Fleet visibility on macOS without another EDR
Developer Macs need package and MCP inventory, not kernel hooks. A passive sensor fills the gap between MDM and endpoint agents.
- macos
- fleet
- edr
Security teams evaluating macOS developer fleets face a false binary: deploy a full EDR agent, or accept blind spots.
What EDR does well
Endpoint detection and response platforms excel at:
- Process execution telemetry
- Network connection monitoring
- Threat intelligence matching on runtime behavior
- Remote response actions
They also require kernel entitlements, continuous background scanning, and privacy review cycles that many developer-heavy orgs resist.
What EDR often misses for this use case
Developer supply chain risk is frequently artifact-shaped, not process-shaped:
- A new line in pnpm-lock.yaml
- An MCP server entry in ~/.cursor/mcp.json
- A Homebrew cask installed to unblock a demo
EDR may see the npm process. It rarely maintains a structured, diffable inventory of what that process wrote, especially across Python, Node, Rust, and AI tooling configs on the same machine.
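A sketch of what a structured, diffable MCP inventory can look like, as an added example (not Koban's code and not from the original page). It assumes the `mcpServers` object layout used by Cursor's `mcp.json`; the function names, server names, packages and URL are constructed.

```python
import hashlib
import json

def inventory(mcp_json_text):
    """Map each MCP server name to a normalized, secret-free record."""
    try:
        servers = json.loads(mcp_json_text).get("mcpServers", {})
    except (json.JSONDecodeError, AttributeError):
        return {}  # unreadable or non-object config: reported as empty
    if not isinstance(servers, dict):
        return {}
    out = {}
    for name, cfg in servers.items():
        if not isinstance(cfg, dict):
            continue
        record = {
            "command": cfg.get("command"),
            "args": cfg.get("args") or [],
            "url": cfg.get("url"),
            # Keep env variable names only; values are often API tokens.
            "env_keys": sorted(cfg.get("env") or {}),
        }
        blob = json.dumps(record, sort_keys=True).encode()
        out[name] = {**record, "digest": hashlib.sha256(blob).hexdigest()}
    return out

def diff(old, new):
    """Return server names added, removed, or changed between snapshots."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys()
                          if old[n]["digest"] != new[n]["digest"]),
    }

# Constructed sample snapshots of one machine's config (not real fleet data).
LAST_WEEK = '''{"mcpServers": {
  "docs": {"command": "npx", "args": ["-y", "example-docs-mcp@1.2.0"]},
  "tickets": {"url": "https://mcp.example.internal/sse"}}}'''
THIS_WEEK = '''{"mcpServers": {
  "docs": {"command": "npx", "args": ["-y", "example-docs-mcp@latest"]},
  "db": {"command": "uvx", "args": ["example-db-mcp"],
         "env": {"DB_TOKEN": "constructed-value"}}}}'''

if __name__ == "__main__":
    print(json.dumps(diff(inventory(LAST_WEEK), inventory(THIS_WEEK)), indent=2))
```

The "changed" entry here is a pinned version moving to `@latest`, which process telemetry would record only as another `npx` launch.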
MDM is not enough either
Mobile device management tells you what profiles and apps are installed at the MDM layer. It does not parse lockfiles, MCP JSON, or language-specific package trees in developer home directories.
Koban's position in the stack
Koban is deliberately narrow:
| Capability | Koban | Typical EDR | MDM |
|---|---|---|---|
| Package lockfile inventory | Yes | Partial | No |
| MCP config inventory | Yes | No | No |
| Process attribution | No | Yes | No |
| Kernel entitlements | No | Often | No |
| Remote shell / block | No | Often | Limited |
| Outbound-only sync | Yes | Varies | Varies |
It complements EDR rather than replacing it, for teams that need developer-workstation supply chain visibility without another kernel agent.
Who this is for
The fit is strongest when:
- Your engineers run Cursor, Claude Code, or similar agents daily
- You have MDM but no structured view of npm/pip/brew/MCP state
- EDR deployment on developer Macs is politically or technically blocked
- You want Fleet diffs and YAML rules, not another dashboard of process noise
Open core, honest scope
The agent is Apache 2.0 on GitHub. Fleet is the paid control plane for central diffs, rules, and alerting. We say what we watch and what we do not, because overselling creates the same trust problem as fear-mongering marketing.
If your question is "what packages and MCP servers landed on our Macs this week?", that is the problem we built Koban to answer.