Why passive sensors beat blocking on agent-heavy Macs
Approval gates slow humans. Agents still install packages and MCP servers in the background. Visibility answers what actually landed on disk.
- passive-sensor
- macos
- fleet
Security teams evaluating macOS developer fleets often reach for one of two extremes: lock everything down, or audit once a year and hope. Agent-heavy environments break both models.
Blocking fails quietly
When you gate npm install or block unsigned MCP servers at the network layer:
- Legitimate agent workflows break and engineers route around controls
- Background installs still happen via cached package managers, personal machines, or VM bypasses
- You learn about violations only when someone files a ticket
Agents install faster than review. Blocking adds friction without adding certainty.
Annual audits miss the event
A quarterly or annual snapshot cannot show the package an agent added yesterday, or the MCP server that appeared in a config file last Tuesday. Supply chain incidents move in days; audit cycles move in quarters.
Passive inventory fits the reality
Koban is a menubar sensor that:
- Parses receipts, lockfiles, and AI configs from known paths
- Syncs signed snapshots outbound to Fleet
- Diffs each heartbeat and evaluates YAML policy rules
- Alerts via Slack, webhooks, or SIEM
It does not block installs, execute remote commands, or require kernel entitlements. That honest scope is the product.
When blocking still belongs
We are not arguing against blocking everywhere. Production deploy pipelines, package registries, and MDM profiles still have a role. The gap is the developer laptop between reviews, where agents write to disk continuously and central gates see the world in batch.
Passive visibility on that surface is complementary, not competitive, with your existing controls.
The practitioner test
Ask your team: "If an agent added a dependency at 2am, when would we know?"
If the honest answer is "next audit" or "when someone notices," a heartbeat diff is the missing layer.