System requirements
Noxen runs on Apple Silicon and Intel Macs with macOS 14+. The
iOS companion is view-only and runs on iOS 17+. Network
requirements are SSH outbound to your hosts and HTTPS outbound
to feed.noxen.app — nothing inbound, no agent
installed on remote hosts.
macOS app
| Requirement | Detail |
|---|---|
| macOS version | 14.0 (Sonoma) or later — including 14, 15, 26 |
| Architecture | Apple Silicon (M1/M2/M3/M4) — universal binary, also runs natively on Intel |
| RAM | 4 GB minimum; 8 GB recommended for fleets > 100 hosts |
| Disk | ~150 MB for the app; ~100 MB for the CVE feed; ~500 MB working set during SQLite import on large fleets |
| Distribution | Developer ID + Sparkle (auto-update). Not on the Mac App Store — see why we ship via Developer ID. |
iOS companion
| Requirement | Detail |
|---|---|
| iOS version | 17.0 or later (incl. iOS 26) |
| Devices | iPhone, iPad — universal binary |
| Capabilities | View-only. No scanning logic on iOS — raw sockets are blocked. All scanning runs on the Mac. |
| Sync | Same iCloud account as the Mac (private CloudKit container iCloud.com.paulsnyman.noxen) |
| Push notifications | Optional — APNs delivery for critical findings discovered by scheduled scans |
App Sandbox is intentionally disabled
Noxen does not ship with App Sandbox enabled
(ENABLE_APP_SANDBOX: false in the project config).
Two reasons:
- Raw socket port scanning — the port-scan probe uses Apple's Network.framework for TCP connect probes. Sandbox would block the wide-open port range we need.
- SSH config import — reading ~/.ssh/config from the user's home directory directly is more reliable than NSOpenPanel security-scoped bookmarks.
The trade-off: Noxen ships via Developer ID with Sparkle for updates, not the Mac App Store. We notarise every release. Full reasoning →
Permissions Noxen requests
- Outgoing network — required, granted at first launch. Used for the CVE feed download, Sparkle update check, and SSH/TCP/HTTP probes against your enrolled hosts.
- Background item — optional, granted if you enable scheduled scans. Registers NoxenAgent as a per-user LaunchAgent.
- Notifications — optional, granted if you want a Mac-side toast on scheduled-scan completion. APNs push to iOS is configured separately on the iOS companion.
- iCloud (CloudKit) — optional, used only when you enable iCloud sync. Without it, Noxen runs fully offline and the iOS companion can't see your fleet.
Network requirements (outbound)
| Destination | Why | Frequency |
|---|---|---|
| feed.noxen.app:443 | Signed CVE feed manifest + snapshot | Once per UTC-day on Live Feed; per-release on Noxen 1.x |
| noxen.app/appcast.xml:443 | Sparkle update check | Per launch (cached 24 h) |
| your hosts:22 (or custom) | SSH inventory + scan probes | Per scan |
| your hosts:<port> | TCP / HTTP / TLS probes | Per scan, only on open ports |
| Webhook URLs (Slack/Discord/Teams/custom) | Critical-finding alerts | Per new finding ≥ minimum severity |
Remote host requirements
- SSH server — OpenSSH on Linux, macOS, or BSD. dropbear works for connection but the SSH inventory probe expects standard cat /etc/os-release + dpkg/rpm output.
- SSH key auth — Ed25519 only in v1.0. RSA and ECDSA land in v1.1.
- Read access — the SSH user only needs read access; Noxen never writes. dpkg -l / rpm -qa are non-root commands on most distros.
- Disk & CPU — negligible. The per-scan footprint on the remote host is a handful of cat + package-list reads.
Supported distros for CVE matching
Out of the box: Ubuntu (LTS lines), Debian, Rocky Linux, AlmaLinux. Other distros can still be enrolled and scanned for network exposures (port scan, TLS, HTTP headers, admin surfaces) — only the CVE-vs-package match is distro-gated. OpenSUSE, Alpine, and FreeBSD support is on the roadmap.
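
A pre-flight check to run on a host, as the unprivileged SSH user, before enrolling it: it reports whether the distro falls in the CVE-matching list above and which read-only package listing command is available. This is an added example, not Noxen's own code; the function names, the output labels, and the idea that support can be decided from the ID and VERSION fields of os-release are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for a host you plan to enrol (added example, not Noxen code).
# Assumption: distro support is decided from ID and VERSION in os-release.

# os_release_field FILE KEY -> prints the unquoted value of KEY
os_release_field() {
    # os-release is KEY=VALUE text; parse it rather than sourcing it.
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "\"'"
}

# classify_distro FILE -> prints cve-match | network-only | unknown
classify_distro() {
    [ -r "$1" ] || { echo unknown; return 0; }
    distro_id=$(os_release_field "$1" ID)
    version=$(os_release_field "$1" VERSION)
    case "$distro_id" in
        ubuntu)
            # The page lists "Ubuntu (LTS lines)"; LTS releases carry "LTS" in VERSION.
            case "$version" in
                *LTS*) echo cve-match ;;
                *)     echo network-only ;;
            esac ;;
        debian|rocky|almalinux) echo cve-match ;;
        "") echo unknown ;;
        *)  echo network-only ;;
    esac
}

# package_query_cmd -> prints the read-only package listing command available here
package_query_cmd() {
    if command -v dpkg >/dev/null 2>&1; then echo "dpkg -l"
    elif command -v rpm >/dev/null 2>&1; then echo "rpm -qa"
    else echo none
    fi
}

# preflight [FILE] -> one-line summary; a non-zero uid confirms no root is needed
preflight() {
    f=${1:-/etc/os-release}
    echo "distro=$(classify_distro "$f") packages=$(package_query_cmd) uid=$(id -u)"
}

preflight "$@"
```

A result of distro=network-only means the host can still be enrolled for port, TLS and HTTP checks, but no CVE-vs-package match should be expected.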