macOS - Configuration - Start Rapid7 Insight Agent Service

What the Rapid7 Insight Agent service starter does

This Automox Worklet™ keeps the Rapid7 Insight Agent service active on macOS endpoints. The Worklet checks for the presence of the Rapid7 service (identified by the launch agent identifier com.rapid7.ir_agent), then verifies it is currently running.

If the service is found but not running, the Worklet uses the launchctl start command to restart it. After the restart attempt, the Worklet confirms the process is running again.

If Rapid7 Insight Agent is not installed on the endpoint, the Worklet exits without making changes. This means the Worklet functions safely across mixed fleets where the agent may not yet be deployed.

Why maintain the Rapid7 Insight Agent service

The Rapid7 Insight Agent is a critical component of your vulnerability management strategy. It continuously scans endpoints for outdated software, missing patches, and known vulnerabilities that could be exploited by attackers.

When the service stops running, your endpoints become blind to security threats. No new vulnerabilities are detected, no compliance status is reported, and gaps remain unidentified. This exposes your organization to preventable risks.

By automating service restarts through Automox, you eliminate the need for manual intervention and maintain continuous visibility into your macOS fleet's security posture. This is especially important for CyberEssentials compliance, which requires ongoing vulnerability assessment.

How Rapid7 service restart works

1. Evaluation phase: The Worklet queries the system using launchctl list to check whether the Rapid7 Insight Agent service (com.rapid7.ir_agent) is registered. It then confirms the agent process is running using pgrep ir_agent. If the service is running, the endpoint passes evaluation and no further action is needed.

2. Remediation phase: If the service is installed but not running, the Worklet executes launchctl start com.rapid7.ir_agent to restart the agent. The Worklet then verifies the process is active again using pgrep ir_agent. A successful restart exit indicates remediation is complete.

Rapid7 Insight Agent service requirements

• Rapid7 Insight Agent must be installed on the endpoint

• macOS 10.13 (High Sierra) or later

• FixNow compatible on macOS endpoints (RunNow support)

• No additional configuration or parameters required; the Worklet runs automatically

Expected Rapid7 service state after remediation

After the Worklet completes successfully, the Rapid7 Insight Agent service is guaranteed to be running on the endpoint. You can verify the configuration by checking System Settings or examining the relevant preference files. Vulnerability scans resume immediately, and the endpoint once again reports its security status to Rapid7 Insight.

You can verify the service is active by checking the endpoint's launch agent status using launchctl list | grep com.rapid7.ir_agent or by confirming the ir_agent process appears in Activity Monitor. If the restart fails, the Worklet exits with an error code and flags the endpoint for manual review.

How to validate start rapid7 insight agent service changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for start rapid7 insight agent service.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as exit, else, launchctl, then rerun evaluation for compliance.