Privilege Management for Mac 21.6 Administration Guide

©2003-2021 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC:11/3/2021

PRIVILEGE MANAGEMENT FOR MAC 21.6 ADMINISTRATION GUIDE

Table of Contents

Privilege Management for Mac Administration .... 6
Install the Privilege Management Policy Editor .... 7
Install the Privilege Management for Mac Client .... 8
Install Privilege Management for Mac .... 8
Uninstall Privilege Management for Mac .... 9
Upgrade the Privilege Management Mac Client .... 10
Launch the Privilege Management Policy Editor .... 11
Navigate the Privilege Management Policy Editor .... 11
Automatic Save .... 11
Policies and Templates .... 12
Users .... 12
Policies .... 12
Edit Group Policy .... 12
Privilege Management Settings .... 12
Create .... 13
Delete .... 13
Export .... 13
Import .... 13
Import Template .... 13
Digitally Sign .... 14
Save Report .... 14
Set Challenge/Response Shared Key .... 14
Show Hidden Groups .... 14
View .... 14
License .... 14
Privilege Management for Mac Response Code Generator .... 14
Templates .... 15
macOS QuickStart .... 15
QuickStart Policy Summary .... 16
macOS Workstyles .... 16
macOS Application Groups .... 17
macOS Messages .... 18
Customize the QuickStart Policy .... 18
Mac Specific .... 18
Multiple Mac Policies .... 18
Mac Application Templates .... 19
Mac Audit Logs .... 19
Unified Logging .... 20
Add Privilege Management for Mac Settings to a Mac Client Computer .... 22
Mac Sudo Command Arguments Not Supported .... 22
Use Centrify .... 23
Third Party Licensing Information .... 23
Privilege Management for Mac Policies .... 25
Workstyles .... 25
Workstyle Wizard .... 25
Create Workstyles .... 26
Disable or Enable Workstyles .... 27
Workstyle Precedence .... 28
Workstyle Summary .... 28
Overview .... 28
Application Rules .... 28
Filters .... 29
Account Filters .... 29
Computer Filters .... 30
Application Groups .... 31
Create Application Groups .... 31
View or Edit the Properties of an Application Group .... 31
Delete an Application Group .... 31
Duplicate an Application Group .... 32
Rule Precedence .... 32
Application Definitions .... 32
Application Requests Authorization .... 33
Command Line Arguments .... 33
File or Folder Name Matches .... 34
File Hash (SHA-1 Fingerprint) .... 35
Changes to File Hash Auditing .... 35
File Version Matches .... 36
Parent Process Matches .... 37
Publisher Matches .... 37
Source .... 38
URI .... 38
Install Action Matches .... 39
Delete Action Matches .... 39
Management of Disk Mounted Images .... 39
Configuration of the defendpoint.plist File .... 40
Management of System Applications .... 42
Manage the Privilege Management Finder Extension .... 42
Insert a Binary .... 42
Insert a Bundle .... 43
Insert a Package .... 44
Insert a Script .... 44
Insert a Sudo Command .... 46
Sudo Switches .... 47
Edit -e Switch .... 48
Insert a System Preference Pane .... 48
Insert Applications from Templates .... 49
Use the Add Apps to Template Menu .... 49
Messages .... 49
Create Messages .... 50
Multi-factor Authentication using an Identity Provider .... 50
Message Name and Description .... 52
Message Design .... 52
Message Header Settings .... 53
User Reason Settings .... 53
Authentication and Authorization Settings .... 54
Sudo User Authorization .... 55
Image Manager .... 56
Message Text .... 56
Challenge / Response Authorization .... 58
Use TouchID Authentication with Allow Messages .... 59
Mac Deployment .... 61
Add Privilege Management for Mac Settings to a Mac Client Computer .... 61
Mac Policy Structure and Precedence .... 61
Audits and Reports .... 63
Events .... 63
Use Smart Card Authentication .... 64
ServiceNow User Request Integration .... 66
Troubleshoot .... 69
Check Privilege Management for Mac is Installed and Functioning .... 69
Check Settings are Deployed .... 69
Check Privilege Management for Mac is Licensed .... 69
Check Workstyle Precedence .... 69


Privilege Management for Mac Administration
Privilege Management for Mac combines privilege management and application control technology in a single lightweight agent. This scalable solution allows global organizations to eliminate admin rights across the entire business. Actionable intelligence is provided by an enterprise class reporting solution with endpoint analysis, dashboards, and trend data for auditing and compliance.
Achieve Least Privilege on Mac
There are many functions that require an admin account to run. While most Mac users typically use an admin account to gain the flexibility they need, this represents a large security risk in the enterprise. Privilege Management for Mac allows users to log in with standard user accounts without compromising productivity or performance, by allowing the execution of approved tasks, applications and installations as required, according to the rules of your policy.
Empower Users and Gain Control
Allow and block the use and installation of specific binaries, packages, and bundles. By taking a simple and pragmatic approach to allowlisting, you can gain greater control of applications in use across the business. This immediately improves security by preventing untrusted applications from executing.
Unlock Privileged Activity
Even privileged applications and tasks that usually require admin rights are able to run under a standard user account. With Privilege Management for Mac, you can unlock approved system preferences such as date and time, printers, network settings, and power management without needing admin credentials.
Take a Pragmatic Approach with Broad Rules
Broad catch-all rules provide a solid foundation, with exception handling options to handle unknown activity. Define the application and set its identification options such as filename, hash, publisher, or URI. Then assign the application to the users who require enhanced rights and set up any additional options, such as end user messaging and auditing.
Achieve Compliance
You will have the knowledge to discover, monitor, and manage user activity from the entire enterprise, drawing upon actionable intelligence to make informed decisions. Graphical dashboards with real-time data will provide a broad range of reports to aid troubleshooting and provide the information you need to proactively manage your policy on an ongoing basis.
Apply Corporate Branding
You can add your own branding to messages and prompts, with reusable messaging templates that make it easy to improve the end user experience. You have control over text configuration.
Customizable Messaging
Working seamlessly with macOS, Privilege Management for Mac can suppress standard, restrictive messages and allows you to create your own customized authorization prompts to handle exceptions and enable users to request access. Set up access request reasons, challenge / response codes, or password protection to add additional security layers, or simply improve prompts to reduce helpdesk inquiries.

Simple, Familiar Policy Design
Firewall-style rules based on Application Groups make setup and management simple. Using the same Privilege Management interface and client as for Windows, you can create flexible Workstyles based on the requirements of individuals and groups of users.
Install the Privilege Management Policy Editor
Using an administrator account, log in to the Windows computer where you want to manage Privilege Management for Mac.
Note: Ensure you have the relevant Group Policy management tools installed on the desktop or server where you wish to install Privilege Management Policy Editor.
To install Privilege Management Policy Editor, run the appropriate installation package:
- For 32-bit (x86) systems, run PrivilegeManagementPolicyEditor_x86.exe.
- For 64-bit (x64) systems, run PrivilegeManagementPolicyEditor_x64.exe.
Install Privilege Management Policy Editor:
1. The installation detects if any prerequisites are needed. Click Install to install any missing prerequisites. This may take a few minutes.
2. Once the prerequisites have been installed, the Welcome dialog box appears. Click Next to continue.
3. After reading the license agreement, select I accept the terms in the license agreement and click Next.
4. Enter your name and the name of your organization, and click Next.
5. If you want to change the default installation directory, click Change and select a different installation directory. Click Next.
6. If you are only managing Windows machines with Privilege Management and want to evaluate it for use with McAfee ePolicy Orchestrator, check the McAfee ePolicy Orchestrator Integration box. Otherwise, leave it unchecked and click Next.
7. Click Install to start installing Privilege Management Policy Editor.
8. Once installed, click Finish.
Privilege Management Policy Editor has now been successfully installed.
Note: To use the Event Import Wizard, you must install the Microsoft SQL Server Native Client. For installation instructions and to download this component, please see Installing SQL Server Native Client at https://docs.microsoft.com/en-us/sql/relational-databases/native-client/applications/installing-sql-server-native-client.


Install the Privilege Management for Mac Client
The Privilege Management for Mac client enables Privilege Management settings to be applied to Mac computers. To install Privilege Management for Mac, download and run the client installer package (*.pkg). Privilege Management for Mac may be installed manually, but for larger installations we recommend you use a suitable third party software deployment system.
Note: There is no license to add during the client installation, as this is deployed with the Privilege Management Workstyles, so the client may be installed silently.
Install Privilege Management for Mac
To upgrade to Privilege Management for Mac, we recommend the following order of operations:
1. Update System Preferences to enable system extensions using the configuration profile (.mobileconfig file) provided by BeyondTrust with your MDM.
2. Upgrade the Privilege Management for Mac client.
Note: If you do not use an MDM, then update System Preferences after upgrading the client.
macOS System Settings
The Privilege Management for Mac client uses system extensions for application control where available. Configure the following macOS system settings for Privilege Management for Mac:
- System extensions require authorization
- System extensions require Full Disk Access permission
A macOS configuration profile (.mobileconfig file) is available with the Privilege Management for Mac download to apply these settings. For convenience, we recommend importing the configuration profile into MDM to enable the new functionality. The best way to configure the system settings is using the configuration profile provided by BeyondTrust. Optional ways are provided below.
Authorization
There are two ways to configure authorization on the system extensions:
- Manually: Configure Security & Privacy in System Preferences.
- MDM: Use the BeyondTrust configuration profile provided in the installer download. Alternatively, Apple provides MDM settings to auto authorize system extensions on a system.
For more information, please see SystemExtensions at https://developer.apple.com/documentation/devicemanagement/systemextensions.


Full Disk Access
The system extensions need to be granted Full Disk Access in Security & Privacy in System Preferences.
For more information, please see Change Privacy preferences on Mac at https://support.apple.com/en-gb/guide/machelp/mh32356/mac.
Uninstall Privilege Management for Mac
Note: The uninstall scripts must be run from their default locations.
Uninstall Privilege Management
To uninstall Privilege Management locally on a Mac, run the following command:
sudo /usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh
Uninstall the Privilege Management ePO Adapter
To uninstall the Privilege Management ePO Adapter locally on a Mac, run the following command:
sudo /usr/local/libexec/avecto/ePOAdapter/1.0/uninstall_epo_adapter.sh
Uninstall Privilege Management and the Privilege Management ePO Adapter
To uninstall Privilege Management and the Privilege Management ePO Adapter locally on a Mac, run the following command:
sudo /usr/local/libexec/avecto/ePOAdapter/1.0/uninstall_epo_deployment.sh
Uninstall the Mac Adapter
To uninstall the Mac adapter, run the following command. After running the uninstall script some related directories remain if they are not empty, such as /Library/Application Support/Avecto/iC3Adapter.
sudo /usr/local/libexec/Avecto/iC3Adapter/1.0/uninstall_ic3_adapter.sh
Remove the Privilege Management Policy
To remove the policy once you have uninstalled Privilege Management, run the following command:
sudo rm -rf /etc/defendpoint
Note: Do not remove the Privilege Management policy unless you have already uninstalled Privilege Management.
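As an added example that is not part of this guide or of BeyondTrust's tooling, the following POSIX shell script wraps the client uninstall and policy removal commands above so that /etc/defendpoint is never deleted while the client is still installed. The ROOT prefix and the pm_* function names are assumptions introduced here; on a real Mac the script is run with sudo and ROOT is /.

```shell
#!/bin/sh
# Added example, not BeyondTrust's own script: removes the Privilege Management
# for Mac client and only then its policy, in the order the guide requires.
# ROOT is a hypothetical prefix so the ordering logic can be exercised against a
# scratch directory; on a real Mac run the whole script with sudo and ROOT="/".

# Default locations given in the guide; the uninstaller must be run from here.
PM_UNINSTALL_REL="usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh"
PM_POLICY_REL="etc/defendpoint"

# pm_path ROOT REL: join a prefix and a relative path without doubling slashes.
pm_path() {
    printf '%s/%s\n' "${1%/}" "$2"
}

# pm_client_present ROOT: true while the client's uninstaller is at its default location.
pm_client_present() {
    [ -f "$(pm_path "$1" "$PM_UNINSTALL_REL")" ]
}

# pm_policy_present ROOT: true while a deployed policy directory remains.
pm_policy_present() {
    [ -d "$(pm_path "$1" "$PM_POLICY_REL")" ]
}

# pm_uninstall_client ROOT: runs the uninstaller by its absolute default path.
# Returns 1 if the client is not installed, so callers do not continue blindly.
pm_uninstall_client() {
    uninstaller=$(pm_path "$1" "$PM_UNINSTALL_REL")
    if ! pm_client_present "$1"; then
        echo "client not found at $uninstaller" >&2
        return 1
    fi
    "$uninstaller"
}

# pm_remove_policy ROOT: deletes the policy directory, but refuses while the
# client is still installed (the guide's note: uninstall first, then remove policy).
pm_remove_policy() {
    if pm_client_present "$1"; then
        echo "refusing to remove policy: client still installed under ${1%/}/" >&2
        return 1
    fi
    rm -rf "$(pm_path "$1" "$PM_POLICY_REL")"
}

# pm_full_removal ROOT: client first, then policy; stops at the first failure.
pm_full_removal() {
    pm_uninstall_client "$1" && pm_remove_policy "$1"
}

# Usage on a real Mac: sudo ./pm_remove.sh --run /
case "${1:-}" in
    --run) pm_full_removal "${2:-/}" ;;
esac
```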

Upgrade the Privilege Management Mac Client
This process applies to PMC. For ePO, you can manage the upgrade through ePO Server. To upgrade Privilege Management for Mac:
1. Uninstall Privilege Management (or unload daemon).
2. Install the new version of Privilege Management for Mac.
3. Install the new version of the PMC Mac adapter.
Your events for PMC are migrated as part of this process.

Launch the Privilege Management Policy Editor
The Privilege Management Policy Editor is accessed as a snap-in to the Microsoft Management Console (MMC.exe). From your administrator account, run MMC.exe. Type MMC into the Search Box from the Start Menu and press the Enter key. We will now add Privilege Management for Mac as a snap-in to the console.
1. Select File from the menu bar and select Add/Remove Snap-in.
2. Scroll down the list and select the Privilege Management Settings snap-in. Click Add and then click OK.
3. Optionally, select File > Save as and save a shortcut for the snap-in to the desktop as Privilege Management.
4. Select the Privilege Management Settings node in the left-hand pane and select the operating system node to display the main screen in the details pane.
Navigate the Privilege Management Policy Editor
The left-hand pane containing the Privilege Management Settings item is referred to as the tree pane. The folders beneath Privilege Management Settings in the tree pane are referred to as nodes. The middle pane, which displays content relevant to the selected node, is referred to as the details pane.

If you expand the Privilege Management Settings node, you will see three nodes:
- Windows: Create Privilege Management for Windows endpoints.
- OS X: Create Privilege Management for macOS endpoints.
- Licensing: Manage Privilege Management licenses.
If you expand the OS X node you will see three nodes:
- Workstyles: Assign privileges to applications.
- Application Groups: Define logical groupings of applications.
- Messages: Define end user messages.
Once a Workstyle has been created and selected in the tree pane, the Workstyle tabs will be displayed in the details pane.
Automatic Save
By default, the Privilege Management Settings editor will automatically save any changes back to the appropriate GPO, or to the local XML file if you are using the standalone console. Automatic saving can be disabled by deselecting the Auto Commit Settings menu option on the Privilege Management Settings node, but this is not recommended unless you have performance issues. If you deselect the Auto Commit Settings option, then you must select the Commit Settings menu option to manually save any changes back to the GPO. The Auto Commit Settings option is persisted to your user profile, so it will be set for all future editing of Privilege Management for Mac settings.


Policies and Templates
A Privilege Management for Mac policy is made up of one or more items from the following groups. Each of these groups can be a node in Privilege Management Settings:
- Workstyles: A Workstyle is part of a policy. It's used to assign Application Rules for users. You can create Workstyles by using the Workstyle Wizard or by importing them.
- Application Groups: Application Groups are used by Workstyles to group applications together to apply certain Privilege Management for Mac behavior.
- Messages: Messages are used by Workstyles to provide information to the end user when Privilege Management for Mac has applied certain behavior you have defined and needs to notify the end user.
Users
Disconnected users are fully supported by Privilege Management for Mac. When receiving policies from McAfee ePO, Privilege Management for Mac automatically caches all the information required to work offline, so the settings will still be applied if the client is not connected to the corporate network. Any changes made to the policy will not propagate to the disconnected computer until the McAfee Agent reestablishes a connection to the ePO Server.
Policies
Privilege Management for Mac policies are applied to one or more endpoints. The Policy Summary screen summarizes the number of Workstyles, Application Groups, and Messages in the policy. As this is a blank policy, all summaries will be zero. Each item summary includes an Edit <Item> button, which allows you to jump to that section of the policy. Privilege Management for Mac incorporates an autosave, autosave recovery, and concurrent edit awareness feature to reduce the risk or impact of data loss and prevent multiple users from overwriting individual policies. A Privilege Management for Mac template is a configuration that is merged with your existing policy. A template also consists of any number of Workstyles, Application Groups, Content Groups, Messages, and Custom Tokens.
Edit Group Policy
To edit policy, we recommend you use the Group Policy Management snap-in. Once you have installed the Privilege Management Policy Editor, the Privilege Management for Mac settings are available in the Group Policy Management snap-in. The Group Policy Management snap-in can be accessed from the Microsoft Management Console or Group Policy Management editor.
Note: If you want to create local policy to administer your endpoints, you can use the Privilege Management snap-in in the Microsoft Management Console or the Local Group Policy Editor. This will create a local policy only.
Privilege Management Settings
You can right-click on the Privilege Management Settings node to access the following commands. You can click Tools in the right-hand panel to access the Response Code Generator. By default, Auto Commit Settings is selected. This means any changes made here are saved and applied using Group Policy. Alternatively, you can clear Auto Commit Settings and select Commit Settings when you specifically want those settings to apply.


For more information, please see "Privilege Management for Mac Response Code Generator" on page 14.
The following options are also available:
Create
Creates a new Privilege Management for Mac policy. This will delete any existing policy for all operating systems. If you have an existing policy, you are prompted to remove all existing settings when you click Create. Click Yes to delete your existing policy and create a new one or No to keep your existing policy.
Delete
Deletes your existing Privilege Management for Mac policy. You are prompted to remove all existing settings when you click Delete. Click Yes to delete your existing policy or No to keep your existing policy.
Delete Items and Conflict Resolution
Some items within Privilege Management Settings are referenced in other areas, such as Application Groups and Messages. These items can be deleted at any time, and if they are not referenced elsewhere, they delete without any further action required. When an item is deleted, Privilege Management Policy Editor will check for any conflicts which may need to be resolved. If the item you attempt to delete is already in use elsewhere in your settings, then a conflict will be reported and must be resolved. You can review each detected conflict and observe the automatic resolution which will take place if you proceed. If more than one conflict is reported, use the Next conflict and Previous conflict links to move between conflicts. If you want to proceed, click Resolve All to remove the item from the areas of your Privilege Management Settings where it is currently in use.
Export
Privilege Management for Mac policies can be imported to and exported from Group Policy as .XML files, in a format common to other editions of Privilege Management, such as the Privilege Management ePO Extension. This allows for policies to be migrated and shared between different deployment mechanisms. To export a policy, click Export and give the file a name. Click Save.
Import
Privilege Management for Mac policies can be imported to and exported from Group Policy as .XML files, in a format common to other editions of Privilege Management, such as the Privilege Management ePO Extension. This allows for policies to be migrated and shared between different deployment mechanisms. To import a policy, click Import, navigate to the policy XML you want to import, and click Open.
Import Template
Allows you to import template policies.
For more information, please see "Templates" on page 15.


Digitally Sign
You can digitally sign the Privilege Management for Mac settings. Privilege Management for Mac can audit the loading of any valid policy.
Save Report
You can obtain a report of your Windows policy which can be saved locally, if required.
Set Challenge/Response Shared Key
This allows you to set the Challenge/Response Shared Key for the policy. This is encrypted once you have set it. This key is then required by the challenge/response generator to generate response codes. The only way to change the Challenge/Response Shared Key is by setting a new one.
Show Hidden Groups
You can show or hide Application Groups in Privilege Management for Mac. To show groups that have been hidden by default, right-click on the Privilege Management Settings node and select Show Hidden Groups. You can hide the groups again by clearing Show Hidden Groups.
View
This allows you to view the Workstyles Editor (default). You can review each detected conflict and observe the automatic resolution which will take place if you proceed. If more than one conflict is reported, use the Next conflict and Previous conflict links to move between conflicts. If you want to proceed, click Resolve All to remove the item from the areas of your Privilege Management Settings where it is currently in use.
License
Privilege Management for Mac requires a valid license code to be entered in the Privilege Management Policy Editor. If multiple Privilege Management for Mac policies are applied to an endpoint, you need at least one valid license code for one of those policies. For example, you could add the Privilege Management for Mac license to a Privilege Management for Mac policy that is applied to all managed endpoints, even if it doesn't have any Workstyles. This ensures all endpoints receive a valid Privilege Management license if they have Privilege Management for Mac installed. If you are unsure, then we recommend you add a valid license when you create the Privilege Management for Mac policy.
Insert a License
1. Click No License. Click to enter a license code if one doesn't already exist, or Valid License if you want to enter an additional license code.
2. Paste your Privilege Management for Mac license code and click Add. The license details are shown.
Privilege Management for Mac Response Code Generator
The Response Code Generator allows you to generate a response code using the PGChallengeResponseUI utility. To generate a Response Code from Privilege Management Settings:


1. Click the Tools link from the right-hand panel of Privilege Management Settings.
2. Click Launch Response Code Generator.
3. Enter your shared key and the challenge code. The response code is shown in the third text field.


Templates
Templates can be imported into your Privilege Management for Mac settings. You can choose to merge them into your existing policy; otherwise, the template overwrites your existing policy.
macOS QuickStart
The QuickStart for macOS policy contains Workstyles, Application Groups, and Messages configured with Privilege Management for Mac and Application Control. The QuickStart policy has been designed from BeyondTrust's experiences of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, we recommend you thoroughly test this configuration to ensure it complies with the requirements of your organization. This template policy contains the following elements:
Workstyles
- All Users
- High Flexibility
- Medium Flexibility
- Low Flexibility
Application Groups
- (Default) Authorize - Delete from /Applications
- (Default) Authorize - Install to /Applications
- (Default) Authorize - System Trusted
- (Default) General - Any Application
- (Default) General - Any Applications Requiring Authorization
- (Default) Passive - System Trusted
- Any Other Sudo Commands
- Authorize - High Flexibility
- Authorize - Controlled OS Functions
- Authorize - General Business Applications
- Authorize - Low Flexibility

SALES: www.beyondtrust.com/contact SUPPORT: www.beyondtrust.com/support DOCUMENTATION: www.beyondtrust.com/docs �2003-2021 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

15 TC: 11/3/2021

PRIVILEGE MANAGEMENT FOR MAC 21.6 ADMINISTRATION GUIDE

l Authorize - System Preferences l Authorize Sudo Commands - General l Authorize Sudo Commands - High Flexibility l Block - Applications l Block - Delete from /Applications l Block - Installation to /Applications l Passive - General Business Applications
Messages
• Allow Authorize (Delegated Authorizer)
• Allow Authorize (User Authorizer)
• Allow Message (Audit)
• Allow Message (Enter Reason)
• Allow Message (with Challenge)
• Block (OK)
• Block - Delete (OK)
• Block - Installation (OK)
• Delete Message (Audit)
• Install Message (Audit)
QuickStart Policy Summary
By using and building on the QuickStart policy, you can quickly improve your organization's security without having to monitor and analyze your users' behavior first and then design and create your Privilege Management for Mac configuration. After the QuickStart policy has been deployed to groups within your organization, you can start to gather information on your users' behavior. This will provide you with a better understanding of the applications being used within your organization, and whether they require admin rights, need to be blocked, or need authorization for specific users. This data can then be used to further refine the QuickStart policy to provide a more tailored Privilege Management for Mac solution for your organization.
macOS Workstyles
The QuickStart policy contains four Workstyles that should be used together to manage all users in your organization.
All Users
This Workstyle contains a set of default rules that apply to all standard users regardless of what level of flexibility they need. The All Users Workstyle contains rules to:
• Block any applications that are in the Block Applications group.
• Allow BeyondTrust Support tools.
• Allow standard Windows functions, business applications, and applications installed through trusted deployment tools to run with admin rights.
• Allow approved standard user applications to run passively.
• Allow and authorize the install and delete of bundles to the /Applications/ directory.
High Flexibility
This Workstyle is designed for users that require a lot of flexibility such as developers. The High Flexibility Workstyle contains rules to:
• Allow known allowed business applications and operating system functions to run.
• Allow users to run signed applications with admin rights.
• Allow users to run unknown applications with admin rights once they have confirmed the application should be elevated.
• Allow unknown business application and operating system functions to run on-demand.
Medium Flexibility
This Workstyle is designed for users that require some flexibility such as sales engineers. The Medium Flexibility Workstyle contains rules to:
• Allow known allowed business applications and operating system functions to run.
• Allow users to run signed applications with admin rights once they have confirmed the application should be elevated.
• Prompt users to provide a reason before they can run unknown applications with admin rights.
• Allow unknown business application and operating system functions to run on-demand.
• Restricted OS functions that require admin rights are prevented and require support interaction.
Low Flexibility
This Workstyle is designed for users that don't require much flexibility such as helpdesk operators. The Low Flexibility Workstyle contains rules to:
• Prompt users to contact support if a trusted or untrusted application requests admin rights.
• Prompt users to contact support if an unknown application tries to run with support authorization.
• Allow known approved business applications and operating system functions to run.
macOS Application Groups
The Application Groups prefixed with (Default) or (Recommended) are hidden by default and do not need to be altered.
• (Default) Authorize - System Trusted: Contains operating system functions that are authorized for all users.
• (Default) General - Any Application: Contains all application types and is used as a catch-all for unknown applications.
• (Default) General - Any Application Requiring Authorization: This group contains application types that request admin rights.
• (Default) Passive - System Trusted: This group contains system applications that are allowed for all users.
• Any Other Sudo Commands: Contains all sudo commands and is used as a catch-all for unknown sudo commands.
• Authorize - High Flexibility: Contains the applications that require authorization that should only be provided to the high flexibility users.
• Authorize - Controlled OS Functions: This group contains OS functions that are used for system administration and trigger an authorization prompt when they are executed.
• Authorize - General Business Applications: Contains applications that are authorized for all users, regardless of their flexibility level.
• Authorize - Low Flexibility: Contains the applications that require authorization that should only be provided to the low flexibility users.
• Authorize - System Preferences: This group contains system preferences that trigger an authorization prompt when they are executed.
• Authorize Sudo Commands - General: Contains sudo commands that are allowed for all users.
• Authorize Sudo Commands - High Flexibility: Contains sudo commands that should only be provided to the high flexibility users.
• Block - Applications: This group contains applications that are blocked for all users.
• Passive - General Business Applications: This group contains applications that are allowed for all users.
macOS Messages
The following messages are created as part of the QuickStart policy and are used by some of the Application Rules:
• Allow Authorize (Delegated Authorizer): Asks the user to enter the username and password of another user before the application is authorized to run.
• Allow Authorize (User Authorizer): Asks the user to enter their password before the application is authorized to run.
• Allow Message (Audit): Asks the user to confirm that they want to proceed to authorize an application to run.
• Allow Message (Enter Reason): Asks the user to provide a reason and enter their password before the application is authorized to run.
• Allow Message (with Challenge): Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.
• Block (OK): Warns the user that an application has been blocked.
Customize the QuickStart Policy
Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to the standard template. At a minimum you need to:
• Configure the users or groups that can authorize requests that trigger messages.
• Customize the messaging with your company logo and wording.
• Assign users and groups to the high, medium, and low flexibility Workstyles.
• Populate the Block Applications Application Group with any applications you want to block for all users.
• Set your shared key so you can generate a Privilege Management for Mac Response code.
Mac Specific
Multiple Mac Policies
For Mac estates being managed by ePO, multiple policies being applied simultaneously is supported, for example:
• epo.xml
• epo001.xml
• epo002.xml
In the example above, if the policy precedence is set for ePO policies, then rules processing will first check the rules in epo.xml. If no rules are found for the process in this policy, then it will go through epo001.xml. Each policy is processed in alphanumeric (C locale) order. This continues until the process hits a rule or dppolicyserverd reads all of the policies without finding a match.
If multiple policies are loaded, only one of them requires a Privilege Management for Mac license. We recommend you do not use multiple licenses in this configuration. Each policy can have a different Challenge-Response key. Copied and pasted policies with altered rules are still processed; the dppolicyserverd log outputs whether it replaced GUIDs when loading them into memory if a GUID was a duplicate.
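The lookup order just described, modelled in Python as an added example (not BeyondTrust code, and not the product's rule engine): policy files are consulted in C-locale byte order and the first policy that holds a matching rule wins. The rule format and the glob-based matching are assumptions of the model; the policy file names and rules are constructed, and the epo2.xml / epo10.xml pair shows the ordering surprise that numbering without zero-padding causes.

```python
"""Model of the multi-policy lookup: files are consulted in C-locale (byte-wise)
order and the first policy holding a rule for the process wins.

Added example, not BeyondTrust code. The (path glob -> action) rule shape and the
fnmatch-based matching are assumptions of this model, not the product's engine.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# A policy is an ordered list of (application path glob, action). Constructed data.
Policy = List[Tuple[str, str]]


def c_locale_order(names) -> List[str]:
    """Sort file names the way the C locale does: by raw byte value.

    Consequences worth knowing when naming policy files:
      - "epo10.xml" sorts before "epo2.xml" (digit by digit, not numerically)
      - "Epo.xml" sorts before "epo.xml" (uppercase bytes are smaller)
    """
    return sorted(names, key=lambda n: n.encode("utf-8"))


def resolve(process_path: str, policies: Dict[str, Policy]) -> Optional[Tuple[str, str, str]]:
    """Return (policy file, matched pattern, action) for the first rule that matches
    process_path, walking the policies in C-locale order; None when nothing matches."""
    for name in c_locale_order(policies):
        for pattern, action in policies[name]:
            if fnmatchcase(process_path, pattern):
                return name, pattern, action
    return None


# Constructed policies. Note the deliberately confusing pair epo2.xml / epo10.xml.
POLICIES: Dict[str, Policy] = {
    "epo.xml":    [("/Applications/Xcode.app/*", "allow-elevated")],
    "epo001.xml": [("/usr/bin/*", "block")],
    "epo002.xml": [("/Applications/*", "passive")],
    "epo2.xml":   [("/opt/tool/*", "allow-elevated")],  # the admin meant this to win...
    "epo10.xml":  [("/opt/*", "block")],                # ...but this file is read first
}


if __name__ == "__main__":
    print("lookup order:", c_locale_order(POLICIES))
    for proc in ("/usr/bin/python3", "/opt/tool/bin/run",
                 "/Applications/Safari.app/Contents/MacOS/Safari", "/tmp/unknown"):
        print(proc, "->", resolve(proc, POLICIES))
```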
Mac Application Templates
Privilege Management for Mac ships with some standard application templates to simplify the definition of applications that are part of the operating system. The standard application templates are split into categories:
• System Preference Panes
• Bundles
• Binaries
Each category then has a list of applications for that category. Picking an application will cause the application to be prepopulated with the appropriate information.
Mac Audit Logs
How to log events to a file:
1. When Privilege Management for Mac is installed, it checks to see if the following path and file is present. If it's not, it creates it: /var/log/defendpoint/audit.log
2. This file cannot be edited during output. If this file is deleted, Privilege Management for Mac recreates it dynamically. If the folder structure is deleted, Privilege Management for Mac recreates it when the endpoint is restarted.
3. To view the log file, run the following command in Terminal. By default, Standard users are not permitted to run this sudo command. You must configure a policy to allow this. Optionally, you can use the CaptureConfig utility. Please contact BeyondTrust Technical Support to get a copy.
sudo cat /var/log/defendpoint/audit.log
4. The log file is maintained by the core macOS service newsyslog. The newsyslog.conf file contains various log files and associated settings and is maintained by the core macOS. The newsyslog.conf file is located at /etc/newsyslog.conf.
Note: This part of the set up must be done by a user who can write to this location or by using a mobile device management (MDM) solution.

5. In the newsyslog.conf file, the settings are outlined and have column headers:
• logfilename
• mode
• count
• size
• when
• flags
6. For the purposes of the maintenance of the audit.log file, you must populate the logfilename, mode, count, size and/or when, and flags attributes in the newsyslog.conf file.
• logfilename: Path and filename
• mode: File mode. For example, settings for read/write for each user type (POSIX file permissions)
• count: Count for amount of archived files (count starts from 0)
• size: Threshold for log size in KB
• when: Threshold for log rotation in terms of time. For example, a new log every day at X, or every month
• flags: Instruction for processing the archived/turned-over file. This is most likely to be JN or ZN
An example of a line in the newsyslog.conf for Privilege Management for Mac:
/var/log/defendpoint/audit.log 644 5 1000 * JN
This indicates that:
• The filename is audit.log
• It can be viewed by all user types but can only be edited by the root user
• It has an archive count of 5 (6 archived files, not including the current log)
• It has a threshold of 1MB for turn-over/archiving
• It doesn't have a date turn over
• For archiving, files are to be compressed into a bzip file
Note: The threshold relies on the newsyslog service. This service is "low" priority in macOS and only reads the .conf file approximately every 30 minutes. Using the example line above, the log can become greater than 1MB before the service reads the newsyslog.conf file, because the size is a 'threshold' value rather than a guarantee that each log file is of equal size.
7. After you apply the newsyslog.conf by adding the audit.log line to it, you can run sudo newsyslog -nv in the Terminal to see the state of the logging, when the next roll over is, and whether there are any syntax issues.
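A parser for entries in this format, added here as an example that is not part of the guide: it decodes the guide's audit.log line into the same bullet-point reading given above, handles the optional owner:group field and the '*' placeholders, and flags settings that would let audit records be tampered with or never rotated. The weak second entry is constructed.

```python
"""Parse a newsyslog.conf entry and explain what it does to the audit log.

Added example, not BeyondTrust code. GUIDE_LINE is the entry quoted in the
guide; WEAK_LINE is a constructed, deliberately weak entry used to show checks.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Flag letters as documented in newsyslog.conf(5); only the ones likely to
# appear on an audit log entry are decoded, the rest are passed through.
FLAG_MEANINGS = {
    "J": "archived files are compressed with bzip2",
    "Z": "archived files are compressed with gzip",
    "X": "archived files are compressed with xz",
    "N": "no signal is sent to any process when the log is rotated",
    "B": "log is binary; no rotation message is written into it",
    "C": "the log file is created if it does not exist",
}


@dataclass
class NewsyslogEntry:
    logfilename: str
    owner_group: Optional[str]  # "owner:group" when present, else None
    mode: int                   # POSIX permission bits (octal on the line)
    count: int                  # archived generations to keep
    size_kb: Optional[int]      # rotation threshold in KB; None when '*'
    when: Optional[str]         # time-based rotation spec; None when '*'
    flags: str                  # "" when the field is absent or '*'


def parse_entry(line: str) -> NewsyslogEntry:
    """Parse one entry: logfilename [owner:group] mode count size when [flags ...].

    The optional owner:group field is recognised by its ':' separator."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        raise ValueError("not a configuration entry")
    logfilename = fields.pop(0)
    owner_group = fields.pop(0) if fields and ":" in fields[0] else None
    if len(fields) < 4:
        raise ValueError(f"too few fields in entry for {logfilename}")
    mode_s, count_s, size_s, when_s = fields[:4]
    flags = fields[4] if len(fields) > 4 and fields[4] != "*" else ""
    if not re.fullmatch(r"[0-7]{3,4}", mode_s):
        raise ValueError(f"mode {mode_s!r} is not an octal permission value")
    return NewsyslogEntry(logfilename, owner_group, int(mode_s, 8), int(count_s),
                          None if size_s == "*" else int(size_s),
                          None if when_s == "*" else when_s, flags)


def explain(entry: NewsyslogEntry) -> List[str]:
    """Render the entry as the kind of bullet list the guide gives for its example."""
    def who(bits) -> str:
        names = [n for n, b in zip(("owner", "group", "others"), bits) if entry.mode & b]
        return ", ".join(names) or "nobody"

    lines = [f"The filename is {entry.logfilename.rsplit('/', 1)[-1]}",
             f"Readable by {who((0o400, 0o040, 0o004))}; writable by {who((0o200, 0o020, 0o002))}",
             f"Archive count is {entry.count}",
             "No size threshold" if entry.size_kb is None
             else f"Rotates once the log exceeds {entry.size_kb} KB",
             "No time-based rotation" if entry.when is None
             else f"Time-based rotation spec: {entry.when}"]
    lines += [FLAG_MEANINGS.get(f, f"flag {f!r}: see newsyslog.conf(5)") for f in entry.flags]
    return lines


def audit_log_warnings(entry: NewsyslogEntry) -> List[str]:
    """Settings a defender would not accept on an audit log."""
    warnings = []
    if entry.mode & 0o002:
        warnings.append("world-writable: any local user could alter or truncate audit records")
    elif entry.mode & 0o020:
        warnings.append("group-writable: members of the owning group could alter audit records")
    if entry.size_kb is None and entry.when is None:
        warnings.append("no size or time threshold: the log is never rotated")
    return warnings


GUIDE_LINE = "/var/log/defendpoint/audit.log 644 5 1000 * JN"  # from the guide
WEAK_LINE = "/var/log/defendpoint/audit.log 666 5 * * *"        # constructed

if __name__ == "__main__":
    for line in (GUIDE_LINE, WEAK_LINE):
        entry = parse_entry(line)
        print(line)
        for text in explain(entry):
            print("  -", text)
        for warning in audit_log_warnings(entry):
            print("  !", warning)
```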
Unified Logging
Unified logging is available in macOS 10.12 and later and supersedes Apple System Logger (ASL). Prior to macOS 10.12, log messages were written to specific disk locations. Unified logging means the log messages are stored in memory or in a data store and can be viewed in the Console application and with the log command line tool. To view the debug logs of a process on the endpoint:

1. Open the Console app. By default, debug and info messages are not displayed. You can select an event in the main window to view the logs for it.
2. Click Now in the top left of the tool bar to see new messages in real time.
3. Select Actions > Include Info Messages and Actions > Include Debug Messages to add these to the log.
4. Using the search bar on the top-right, you can enter the name of a process that you want to filter on. For example, defendpointd for Privilege Management for Mac or PMCAdapter for PMC Adapter log messages.
5. You can further manipulate the filter from the search bar or by right-clicking on the process and selecting an additional filter option.
For more information about unified logging, please see Logging at https://developer.apple.com/documentation/os/logging.
Obtain Debug Logs from the Endpoint
Unified logging does not store info or debug strings on the hard disk. They are only displayed while the Console application is open. You must use the log config command to create plist files for each Privilege Management for Mac daemon and change the logging file. These plists are created in the /Library/Preferences/Logging directory.
Note: In lieu of using the method below, you can obtain debug logs from the endpoint using the CaptureConfig utility. Please contact BeyondTrust Technical Support to obtain it.
1. To create plists and change the logging level for the Privilege Management for Mac daemons, run the following commands in the terminal:
sudo log config --subsystem com.avecto.defendpointd --mode persist:debug
sudo log config --subsystem com.avecto.custodian --mode persist:debug
sudo log config --subsystem com.avecto.dppolicyserverd --mode persist:debug
sudo log config --subsystem com.avecto.Defendpoint --mode persist:debug
2. Once these commands have been run, you have two options:
• Obtain a centralized log you can send to BeyondTrust Technical Support. This is the recommended approach.
IMPORTANT!
You would ideally collect the logs into a central log file using the following command, however this logs every process on the endpoint, not just the Privilege Management for Mac processes.
sudo log collect --last <num><m/h/d>
Note: You must replace the <num> value with an integer and then append m for minutes, h for hours, or d for days, depending on how long it took to replicate the issue. This will produce a .logarchive file in the current user's directory.
• Alternatively, you can create a log for each Privilege Management for Mac daemon by using the following commands. This process outputs .log files in the user's home directory that can be edited or moved as required. As this information is split across multiple log files, it is not the recommended approach, however it can be used when the first approach is not viable.

log show --predicate 'subsystem == "com.avecto.custodian"' --style json --debug --last 1h > ~/Documents/Custodian.logarchive
log show --predicate 'subsystem == "com.avecto.defendpointd"' --style json --debug --last 1h > ~/Documents/defendpointd.logarchive
log show --predicate 'subsystem == "com.avecto.dppolicyserverd"' --style json --debug --last 1h > ~/Documents/dppolicyserverd.logarchive
log show --predicate 'subsystem == "com.avecto.Defendpoint"' --style json --debug --last 1h > ~/Documents/Defendpoint.logarchive
Note: We strongly recommend you delete the .plists after use and disable debug level of logging persistence, especially on an SSD.
Anonymous Logging
By default, Privilege Management for Mac will include user and computer specific information in all audit events. You can set your Application Rules to not log this information for events associated with your rules by setting the Raise an Event option to On (Anonymous) on each rule. You can also set whether user or computer information is kept anonymous for audit events that are not associated with a rule, such as events raised for having an invalid license. To enable anonymous auditing for events not associated with a rule, edit the following section in the defendpoint.plist configuration file:
<key>AnonymousLogging</key>
<string>true</string>
To disable anonymous auditing for events not associated with a rule, edit the following section in the defendpoint.plist configuration file:
<key>AnonymousLogging</key>
<string>false</string>
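Editing the key programmatically with Python's plistlib, as an added example that is not BeyondTrust code: the sample plist is constructed, and the value is written as the string "true"/"false" exactly as the guide shows rather than as a plist boolean.

```python
"""Read and toggle the AnonymousLogging key in a defendpoint.plist with plistlib.

Added example, not BeyondTrust code. The plist below is constructed; only the
AnonymousLogging key, stored as the string "true"/"false" as the guide shows,
comes from the guide. Any other keys in a real file are carried over untouched.
"""
import plistlib
from typing import Any, Dict

# Constructed minimal defendpoint.plist (a real one holds many more keys).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>AnonymousLogging</key>
\t<string>false</string>
\t<key>ExampleOtherSetting</key>
\t<integer>1</integer>
</dict>
</plist>
"""


def load_config(plist_bytes: bytes) -> Dict[str, Any]:
    """Parse the plist into a dict (raises if the XML is malformed)."""
    return plistlib.loads(plist_bytes)


def anonymous_logging_enabled(plist_bytes: bytes) -> bool:
    """True when AnonymousLogging is the string "true" (case-insensitive) or a
    plist boolean true. A missing key counts as disabled, which matches the
    guide's statement that user and computer details are logged by default."""
    value = load_config(plist_bytes).get("AnonymousLogging", "false")
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def set_anonymous_logging(plist_bytes: bytes, enabled: bool) -> bytes:
    """Return a new plist with AnonymousLogging set the way the guide writes it:
    as a <string> holding "true" or "false". Other keys are preserved."""
    cfg = load_config(plist_bytes)
    cfg["AnonymousLogging"] = "true" if enabled else "false"
    return plistlib.dumps(cfg)


if __name__ == "__main__":
    print("before:", anonymous_logging_enabled(SAMPLE_PLIST))
    updated = set_anonymous_logging(SAMPLE_PLIST, True)
    print("after :", anonymous_logging_enabled(updated))
    print(updated.decode())
```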
Add Privilege Management for Mac Settings to a Mac Client Computer
Privilege Management for Mac settings are stored in the file /etc/defendpoint/local.xml, and can be overwritten with an exported XML file from the MMC. To prevent any invalid permissions being applied, we recommend this file be replaced using the following command. In this example, the source XML file is located on your Desktop:
sudo cp ~/Desktop/local.xml /etc/defendpoint/local.xml
Privilege Management for Mac will apply the new settings immediately, and does not require any restart.
Note: If all policies are deleted, the local.xml policy is regenerated. The regenerated local.xml policy will not contain any license or rules.
Mac Sudo Command Arguments Not Supported
The following arguments are not supported by Privilege Management for Mac when you're using sudo:

Option (single dash)   Option (double dash)   Description
-A                     --askpass              use a helper program for password prompting
-C num                 --close-from=num       close all file descriptors >= num
-E                     --preserve-env         preserve user environment when running command
-g group               --group=group          run command as the specified group name or ID
-H                     --set-home             set HOME variable to target user's home dir
-h host                --host=host            run command on host (if supported by plugin)
-K                     --remove-timestamp     remove timestamp file completely
-k                     --reset-timestamp      invalidate timestamp file
-l                     --list                 list user's privileges or check a specific command; use twice for longer format
-n                     --non-interactive      non-interactive mode, no prompts are used
-P                     --preserve-groups      preserve group vector instead of setting to target's
-p prompt              --prompt=prompt        use the specified password prompt
-U user                --other-user=user      in list mode, display privileges for user
-u user                --user=user            run command (or edit file) as specified user name or ID
-v                     --validate             update user's timestamp without running a command

Use Centrify
If you are using Centrify to bind macOS endpoints to Active Directory, contact BeyondTrust Technical Support for assistance.

Third Party Licensing Information
We use the following third party software:
• Sudo
• SwiftyJSON
• Google Protobuf
Sudo Copyright Notice
Sudo is distributed under the following license:
Copyright (c) 1994-1996, 1998-2019
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512.
SwiftyJSON Copyright Notice
The MIT License (MIT)
Copyright (c) 2017 Ruoyu Fu
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Google Protobuf Copyright Notice
Copyright 2008 Google Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Privilege Management for Mac Policies
A Privilege Management for Mac policy is built up with the following optional components:
l Workstyles: A Workstyle is part of a policy. It's used to assign Application Rules for users. You can create Workstyles using the WorkStyle Wizard or by importing them.
l Application Groups: Application Groups are used by Workstyles to group applications together to apply certain Privilege Management for Mac behavior.
l Messages: Messages are used by Workstyles to provide information to the end user when Privilege Management for Mac has applied certain behavior you have defined and needs to notify the end user.
Note: Using .MPKG (multiple package) format or launching multiple .PKG files at once is not supported and is blocked by Privilege Management for Mac.

Note: Mac Policies are not applied to the root user.

For more information, please see the following sections:
• "Workstyles" on page 25
• "Application Groups" on page 31
• "Messages" on page 49
Workstyles
Privilege Management for Mac Workstyles are used to assign Application Groups for a specific user or group of users. The Workstyle Wizard can generate Application Rules depending on the type of Workstyle you choose.
For more information, please see the following sections:
• "Application Groups" on page 31
• "Create Workstyles" on page 26
Workstyle Wizard
The Workstyle Wizard guides you through the process of creating a Privilege Management for Mac Workstyle. The options you select determine the function of the Workstyle.
1. Navigate to the OS X > Workstyles node.
2. Right-click the Workstyles node, and then click Create Workstyle on the top-right. The Workstyle Wizard is displayed.
3. You can optionally enter a license code at this stage or you can enter it later once the Workstyle has been created.
4. You can choose from Controlling or Blank for your Workstyle. A controlling Workstyle allows you to apply rules for access to privileges and applications. A blank Workstyle allows you to create an empty Workstyle without any predefined elements. If you selected a blank Workstyle, the next screen is Finish as there is nothing to configure.
5. Filtering (Controlling Workstyle only). This determines who will receive this Workstyle. You can choose from Standard users only or everyone. If you apply it to everyone, it will apply to Administrators. You can modify the filters and apply more detailed filtering once the Workstyle has been created.
6. Capabilities (Controlling Workstyle only). Allows you to choose Privilege Management, Application Control, or both. If you don't select either capabilities, the next screen is Finish. This Workstyle would only contain filtering information.
7. Privilege Management (Controlling Workstyle with the Privilege Management capability). Allows you to choose how you manage Authorization prompts including sudo control and Installer privileges.
Note: If you select Present users with a challenge code from the dropdown, you are prompted to configure the challenge and response functionality at the end of creating your Workstyle, if your policy doesn't already have one.
8. Application Control (Controlling Workstyle with the Application Control capability). Allows you to choose:
• How you want to apply application control. You can choose from an allowlist or blocklist approach. We recommend you use an allowlist approach.
  ◦ As an allowlist: How you want to handle non-allowed applications.
  ◦ As a blocklist: How you want to handle blocked applications.
9. Finish. Allows you to enter a Name and Description for your new policy. If the Workstyle has been configured to use a Challenge / Response message and the policy doesn't have an existing key, you will be asked to set a key. You can check the box on this screen to activate this Workstyle immediately or you can clear the box to continue configuring the Workstyle before you apply it to your endpoints.
Depending on the type of Workstyle you created and any capabilities that have been included, Privilege Management for Mac will autogenerate certain Application Groups (containing rules) and Messages. Filters are applied and subsequently configured as part of the Workstyle.
For more information, please see the following sections: l "Challenge / Response Authorization" on page 58 l "Application Groups" on page 31 l "Messages" on page 49
Create Workstyles
The Workstyle Wizard guides you through the process of creating a Privilege Management for Mac Workstyle. The options you select determine the function of the Workstyle.
1. Navigate to the OS X > Workstyles node.
2. Right-click the Workstyles node, and then click Create Workstyle on the top-right. The Workstyle Wizard is displayed.
3. You can optionally enter a license code at this stage, or you can enter it later once the Workstyle has been created.
4. You can choose from Controlling or Blank for your Workstyle. A controlling Workstyle allows you to apply rules for access to privileges and applications. A blank Workstyle allows you to create an empty Workstyle without any predefined elements. If you select a blank Workstyle, the next screen is Finish as there is nothing to configure.
5. Filtering (Controlling Workstyle only). This determines who will receive this Workstyle. You can choose from Standard users only or everyone. If you apply it to everyone, it will apply to Administrators. You can modify the filters and apply more detailed filtering once the Workstyle has been created.

6. Capabilities (Controlling Workstyle only). Allows you to choose Privilege Management, Application Control, or both. If you don't select either capability, the next screen is Finish. This Workstyle would only contain filtering information.
7. Privilege Management (Controlling Workstyle with the Privilege Management capability). Allows you to choose how you manage Authorization prompts, including sudo control and Installer privileges.
Note: If you select Present users with a challenge code from the dropdown, you are prompted to configure the challenge and response functionality at the end of creating your Workstyle, if your policy doesn't already have one.
8. Application Control (Controlling Workstyle with the Application Control capability). Allows you to choose:
• How you want to apply application control. You can choose from an allowlist or blocklist approach. We recommend you use an allowlist approach.
  ◦ As an allowlist: How you want to handle non-allowed applications.
  ◦ As a blocklist: How you want to handle blocked applications.
9. Finish. Allows you to enter a Name and Description for your new policy. If the Workstyle has been configured to use a Challenge / Response message and the policy doesn't have an existing key, you will be asked to set a key. You can check the box on this screen to activate this Workstyle immediately, or you can clear the box to continue configuring the Workstyle before you apply it to your endpoints.
Depending on the type of Workstyle you create and any capabilities that have been included, Privilege Management for Mac will autogenerate certain Application Groups (containing rules) and Messages. Filters are applied and subsequently configured as part of the Workstyle.
For more information, please see the following sections:
• "Challenge / Response Authorization" on page 58
• "Application Groups" on page 31
• "Messages" on page 49
Disable or Enable Workstyles
You can enable or disable Workstyles to stop them from being processed by Privilege Management for Mac. To enable or disable a Workstyle:
1. Navigate to the policy and select the Workstyles node. You can see which policies are disabled and enabled in the list.
2. Right-click on the Workstyle and click Disable Workstyle to disable it or Enable Workstyle to enable it.
In the above example, the General Rules Workstyle is enabled and the High Flexibility Workstyle is disabled.

Workstyle Precedence
If you have multiple Workstyles, they are evaluated in the order they are listed. Workstyles that are higher in the list have a higher precedence. Once an application matches a Workstyle, no further Workstyles are processed for that application, so it is important you order your Workstyles correctly, because an application could match more than one Workstyle. To change the precedence of a Workstyle:
1. Select the Workstyles node in the left pane.
2. Right-click and choose from the options:
• Move Top
• Move Up
• Move Down
• Move Bottom
Workstyle Summary
You can view a summary of the Workstyles, Application Groups, and Messages in your policy for Mac by clicking the OS X node in the policy editor. Some of these tabs may not be displayed if they have not been configured in your policy.
Overview
The Overview tab allows you to quickly access the following features of your policy:
• General: Allows you to edit the description of your Workstyle and enable or disable it.
• Totals: Allows you to configure Application Rules.
• Filters: Allows you to configure filters.
Application Rules
Application Rules are applied to Application Groups. Application Rules can be used to enforce allowlisting, monitoring, and assigning privileges to groups of applications. They are a set of rules that apply to the applications listed in the Application Group. You need an Application Group before you can create an Application Rule. Application Rules are color coded in the interface:
• Green: The default action is Passive (No Change) or Allow.
• Orange: The default action is Block.

For more information, please see "Application Groups" on page 31.


Insert an Application Rule

Click Application Rules to view, create, or modify the following for each Application Rule:

Option: Description

Target Application Group: Select from the Application Groups list.
Default Action: Select from Passive (No Change), Allow Execution, or Block Execution. This is what will happen if the application in the targeted Application Group is launched by the end user.
Default End User Message: Select if a message will be displayed to the user when they launch the application. We recommend using Messages if you're blocking the execution of the application so the end user has some feedback on why the application doesn't launch.

Auditing
Raise an Event: Whether or not you want an event to be raised if this Application Rule is triggered. This will forward to the local event log file.

BeyondInsight Reporting Options
BeyondInsight Events: When configured, sends BeyondInsight events to BeyondInsight.
Privilege Management Reporting: When configured, sends Privilege Management Reporting events to BeyondInsight.

For more information, please see "Application Groups" on page 31.

Application Rule Precedence
If you add more than one Application Rule to a Workstyle, then entries that are higher in the list will have a higher precedence. Once an application matches an Application Rule, no further rules or Workstyles will be processed. If an application could match more than one Workstyle or rule, then it is important you order both your Workstyles and rules correctly. You can move Application Rules up and down to change the precedence.
Filters
The Filters tab of a Workstyle can be used to further refine when a Workstyle will be applied. By default, a Workstyle will apply to all users and computers who receive it. However, you can add one or more filters that will restrict the application of the Workstyle:
Account Filters
Account filters specify the users and groups the Workstyle will be applied to.
Note: When a new Workstyle is created, a default account filter will be added to target either Standard users only or Everyone (including administrators), depending on your selection in the Workstyle Wizard.


To restrict a Workstyle to specific groups or users, you can filter on the Account Name, UID/GID, or both.
1. Expand the appropriate Workstyle in the left pane and click Filters.
2. Select Add a new local OS X account, or Add a new domain account if you want to use Windows AD to create your filters. If you choose this option, you need to create a mapping between your Windows SID and macOS UID/GID. You can choose to filter by User or Group.
• For User, you can match on the Account Name, the User ID, or both. If both are specified, both must match for the filter to be applied. The Account Name is not case sensitive.
• For Group, you can match on the Group Name, the Group ID, or both. If both are specified, both must match for the filter to be applied. The Group Name is not case sensitive.
3. Click OK to finish configuring your filter.
By default, an account filter will apply if any of the user or group accounts in the list match the user. If you have specified multiple user and group accounts within one account filter, and want to apply the Workstyle only if all entries in the account filter match, then check the box at the top of the screen that says All items below should match. You can add more than one account filter if you want the user to be a member of more than one group of accounts for the Workstyle to be applied. If an account filter is added, but no user or group accounts are specified, a warning will be displayed advising No accounts added, and the account filter will be ignored.
Note: If All items below should match is selected, and you have more than one user account listed, the Workstyle will never apply, as the user cannot match two different user accounts.
For more information, please see Clarification regarding the status of Identity Management for Unix (IDMU) & NIS Server Role in Windows Server 2016 Technical Preview and beyond at https://docs.microsoft.com/en-us/archive/blogs/activedirectoryua/identity-management-for-unix-idmu-is-deprecated-in-windows-server.
Computer Filters
A computer filter can be used to target specific computers. You can specify a computer using either its host name, or by an IP address. To restrict the Workstyle to specific computers by IP address:
1. Select the Filters tab, and then click Add a new filter.
2. Click Add a Computer Filter > Add a new IP rule. The Add IP rule dialog box appears.
3. Enter the IP address manually, in the format 123.123.123.123.
4. Click Add.
Note: You can also use the asterisk wildcard (*) in any octet to include all addresses in that octet range, for example, 192.168.*.*. Alternatively, you can specify a particular range for any octet, for example, 192.168.0.0-254. Wildcards and ranges can be used in the same IP Address, but not in the same octet.
To restrict the Workstyle to specific computers by hostname:


1. Select the Filters tab, and then click Add a Filter.
2. Click Add a Computer Filter > Add a new hostname rule. The Add hostname rule dialog box appears.
3. Enter a hostname, or alternatively browse for a computer. You can use the * and ? wildcard characters in hostnames.
4. Click Add.
Note: By default, a computer filter is applied if any of the computers or IP Addresses in the list match the computer or client. If you specified multiple entries, and want to apply the Workstyle only if all entries in the computer filter match, then check the option All items below should match.
If a computer filter is added, but no host names or IP addresses are specified, a warning is displayed advising No rules added, and the computer filter is ignored.
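The account and computer filter semantics described above (name and ID both having to match, case-insensitive names, octet wildcards and ranges in IP rules, * and ? in hostnames, any-versus-all matching, and empty filters being ignored) can be exercised with the following simulation. It is an added example written for this guide, not Privilege Management for Mac code; the user and host records are constructed, and the assumptions that hostnames compare case-insensitively and that every configured filter must pass are noted in the comments.

```python
import re
from fnmatch import fnmatchcase

_OCTET_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")

def ip_rule_matches(rule, address):
    """Match one IP rule against an address. Each octet of the rule is a literal
    number, the '*' wildcard or an inclusive a-b range (e.g. 192.168.0.0-254);
    wildcard and range may appear in one rule but never in the same octet."""
    rule_octets, addr_octets = rule.split("."), address.split(".")
    if len(rule_octets) != 4 or len(addr_octets) != 4:
        raise ValueError("IP rules and addresses must have four octets")
    for pattern, value in zip(rule_octets, addr_octets):
        octet = int(value)
        if pattern == "*":
            continue
        span = _OCTET_RANGE.match(pattern)
        if span:
            if not int(span.group(1)) <= octet <= int(span.group(2)):
                return False
        elif pattern.isdigit():
            if int(pattern) != octet:
                return False
        else:
            raise ValueError(f"malformed octet pattern: {pattern!r}")
    return True

def hostname_rule_matches(rule, hostname):
    """Hostname rules accept the * and ? wildcards. Comparing case-insensitively
    is an assumption; the guide does not say how hostname case is treated."""
    return fnmatchcase(hostname.lower(), rule.lower())

def computer_filter_applies(rules, hostname, address, all_must_match=False):
    """rules: list of ("ip", rule) or ("hostname", rule). By default any rule may
    match; with 'All items below should match' every rule must. An empty filter
    is ignored ('No rules added'), so it does not restrict the Workstyle."""
    if not rules:
        return True
    results = []
    for kind, rule in rules:
        if kind == "ip":
            results.append(ip_rule_matches(rule, address))
        elif kind == "hostname":
            results.append(hostname_rule_matches(rule, hostname))
        else:
            raise ValueError(f"unknown computer rule kind: {kind!r}")
    return all(results) if all_must_match else any(results)

def account_entry_matches(entry, user):
    """entry: {"type": "user"|"group", optional "name", optional "id"}. When both
    name and id are given, both must match; names are case-insensitive.
    user: {"name", "uid", "groups": [(group name, gid), ...]} (constructed shape)."""
    if entry["type"] == "user":
        candidates = [(user["name"], user["uid"])]
    else:
        candidates = user["groups"]
    for name, ident in candidates:
        name_ok = "name" not in entry or entry["name"].lower() == name.lower()
        id_ok = "id" not in entry or entry["id"] == ident
        if name_ok and id_ok:
            return True
    return False

def account_filter_applies(entries, user, all_must_match=False):
    """Any entry may match by default. With 'All items below should match' every
    entry must, which is why two user entries in one all-match filter never
    apply: one user cannot be two different accounts. An empty filter is ignored."""
    if not entries:
        return True
    results = [account_entry_matches(e, user) for e in entries]
    return all(results) if all_must_match else any(results)

def workstyle_applies(account_filters, computer_filters, user, hostname, address):
    """Each filter is {"entries" or "rules": [...], "all": bool}. Every configured
    filter must pass (assumed: the guide says each added filter further restricts
    the Workstyle, and a second account filter requires membership in both sets)."""
    return (all(account_filter_applies(f["entries"], user, f.get("all", False))
                for f in account_filters)
            and all(computer_filter_applies(f["rules"], hostname, address,
                                            f.get("all", False))
                    for f in computer_filters))

# Constructed sample user and endpoint; not real accounts or hosts.
SAMPLE_USER = {"name": "jsmith", "uid": 501,
               "groups": [("staff", 20), ("developers", 1001)]}
SAMPLE_HOST, SAMPLE_IP = "mac-0042.corp.example", "192.168.40.7"
SAMPLE_ACCOUNT_FILTERS = [{"entries": [{"type": "group", "name": "developers", "id": 1001}]}]
SAMPLE_COMPUTER_FILTERS = [{"rules": [("ip", "192.168.*.*"), ("hostname", "mac-*")], "all": True}]
```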
Application Groups
Application Groups are used to define logical groupings of applications. Application Groups are assigned to Workstyles, so you must define Application Groups for all of the applications you want to assign to a Workstyle.
Create Application Groups
To create an Application Group:
1. Navigate to the OS X > Application Groups node.
2. Right-click the Application Groups node, and then click New Application Groups on the top-right. The Workstyle Wizard is displayed.
3. Enter a name and a description (if required) for the new Application Group. Click OK to save your new Application Group.
View or Edit the Properties of an Application Group
Each Application Group has a name, an optional description, and can be hidden from the policy navigation tree. You can edit these in the properties for the Application Group. To view the properties of an Application Group:
1. Navigate to the OS X > Application Groups node.
2. Right-click the Application Group and click Properties to view the properties. Make any changes you require and click OK to save the new properties.
Delete an Application Group
Application Groups are usually mapped to one or more Application Rules in a Workstyle. If you attempt to delete an Application Group that is mapped to an Application Rule, you are notified of this before you continue. If you continue to delete the Application Group, the associated Application Rule in the Workstyle is also deleted. To delete an Application Group:
1. Navigate to the OS X > Application Groups node.
2. Right-click on the Application Group you want to delete and click Delete.


3. If there aren't any Application Rules in the Workstyle using that Application Group, then it is deleted. If there are Application Rules in the Workstyle referencing that Application Group, then you are prompted to check the reference before you continue. If you click OK, then both the Application Group and the Application Rule referencing it are deleted from your policy. If you don't want to do this, click Cancel.
Duplicate an Application Group
You can duplicate an Application Group if you need a new Application Group containing the same applications as an existing Application Group. You can edit a duplicated Application Group independently of the Application Group it was duplicated from. To duplicate an Application Group:
1. Navigate to the OS X > Application Groups node.
2. Right-click on the Application Group you want to duplicate and click Copy.
3. Select the Application Groups node, right-click, and select Paste. This will make a new copy of the Application Group and all the Application Rules it contained.
4. A new duplicate Application Group with an incremental number in brackets appended to the name will be created that you can add applications to.
Rule Precedence
If you add more than one Application Rule or content rule to a Workstyle, then entries higher in the list will have a higher precedence. Once a target matches a rule, no further rules or Workstyles will be processed for that target. If a target could match more than one Workstyle or rule, then it is important you order both your Workstyles and rules correctly. To change the precedence of a rule within a Workstyle:
1. Expand the relevant Workstyle and then select the rule type tab: Application, On-Demand, or Content.
2. Right-click on the rule and use the following options to change the rule precedence:
• Move Top
• Move Up
• Move Down
• Move Bottom
Application Definitions
Note: All matching criteria are case sensitive on macOS.
Application definitions allow you to target applications based on specific properties. When an application is executed, Privilege Management for Mac will query the properties of the application and attempt to match them against the matching criteria in the definition. If a match is made, then the rule is applied. If any of the matching criteria do not match, then neither will the definition, and Privilege Management for Mac will attempt to match against subsequent definitions in the Application Group. Privilege Management for Mac will continue this process for subsequent Application Groups defined in Application Rules until a successful match is made and the rule is applied. If no matches are made, then no rule will be applied to the application, and it will run as normal. Privilege Management for Mac must match every definition you configure before it will trigger a match. The rules are combined with a logical AND.


Application definitions requiring a match can also be negated. To target applications that do not match the definition, select does NOT match from the dropdown.
Application Requests Authorization
The application requires authorization, so you need to approve that request. This applies to anything in macOS that has a padlock on the dialog box or where the system requires authorization to change something.
The URIs are unique to the application. The Auth Request URIs are generic and any Auth Request URI can be requested by any application. When an application triggers an authorization request, the application will use a unique Auth Request URI. This URI will be different to the URI of the application itself.
This matching criteria allows you to target any authorization request by matching the Auth Request URI, allowing you to target that specific Auth Request URI and apply your own controls. This matching criteria can be used in combination with other criteria to target authorization requests from specific applications if more than one application uses the same Auth Request URI.
When this matching criteria is used in a definition, it will only match the authorization request of the application, and not the execution of the application. If you want to apply rules to both the application execution and application authorization request, then separate definitions must be created for each. If you want to apply different rules to application execution and application authorization requests, then definitions must be added to different Application Groups and applied to different Application Rules.
Mac Packages are always configured to match exactly against the system.install.software request URI. You cannot set Auth Request URI or Perform Match Using options.
This matching criteria can be used with the following application types:
• Binaries
• Bundles
• Packages
• System Preferences
Command Line Arguments
The Command Line Arguments matching criteria allows you to target a binary or sudo command based on the arguments passed to the command being executed on the command line. Command Line Arguments can be executed either through the Terminal, or through a script. With this matching criteria, you can apply a specific action (such as block, allow, or audit) to specific Command Line Arguments, rather than only applying actions to the use of the binary or sudo command. The Command Line Arguments matching criteria will match specifically the arguments passed to the binary or sudo command. The following example shows a command for listing the contents of the /Applications directory:
MyMac:~ standarduser$ ls -la /Applications
• ls is the binary being executed, and is targeted by using the File or Folder Name matching criteria in a Binary definition.
• -la /Applications are the arguments being passed to ls, and are targeted by using the Command Line Arguments matching criteria in a Binary definition.
Note: Privilege Management for Mac will only match the command line arguments, which will not include the beginning binary or sudo command being executed. If you want to match both the binary and sudo command, as well as the command line, then both the File or Folder Name and the Command Line Arguments matching criteria must be enabled and populated in the definition.
This matching criteria allows you to target all, or just parts of the command line being used. This is achieved by inserting wildcards into the Command Line Arguments string, defining which part of the command line you want to match, or by using a regular expression. This matching criteria includes the following matching options:
• Command Line Arguments (for example, -la /Applications)
• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions
This matching criteria can be used with the following application types:
• Binaries
• Scripts
• Sudo Commands
Note: You can match on any command line argument with the exception of those listed in "Mac Sudo Command Arguments Not Supported" on page 22.
File or Folder Name Matches
This matching criteria allows you to target applications based on their name / path on disk. It is an effective way of automatically allowlisting applications located in trusted areas of the filesystem (for example, /Applications or /System), and for targeting specific applications based on their full path. This matching criteria can be used in combination with other criteria in a definition, giving you more granularity over which applications you can target based on their properties. Although you may enter relative file names, we strongly recommend you enter the full path to a file. Applications can be matched on the file or folder name. You can choose to match based on the following options:
• File or Folder Name (for example, /Applications/iTunes.app)
• Exact Match
• Starts With
• Ends With
• Contains
• Regular Expressions
You can match on the file path containing or starting with the /AppTranslocation/ folder, however we recommend you block all applications attempting to run from this location to ensure unsigned applications are not run. Instead, we recommend you run applications from the /Applications/ folder.


Note: Targeting bundles with an Exact Match path applies only to the main binary in the Contents/MacOS directory as specified in the bundle's plist.
This matching criteria can be used with the following application types:
• Binaries
• Bundles
• Packages
• System Preferences
• Sudo Commands
• Scripts
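The evaluation order described under Workstyle Precedence, Application Rule Precedence and Rule Precedence, together with the Application Definitions rules (every criterion in a definition is ANDed, each can be negated with does NOT match, matching is case-sensitive) and the File or Folder Name and Command Line Arguments matching options, can be seen in one small evaluator. This is an added illustration written for this guide, not the product's matching engine; the policy, paths and group names are constructed, the File or Folder Name criterion is applied here as plain string matching (it does not resolve a bundle to its main binary), and treating a Regular Expression as a full match is an assumption.

```python
import re
from dataclasses import dataclass

def text_matches(option, pattern, value):
    """The matching options the guide lists for File or Folder Name and Command
    Line Arguments. Comparison is case-sensitive, as all macOS criteria are.
    Treating a regular expression as a full match is an assumption."""
    if option == "Exact Match":
        return value == pattern
    if option == "Starts With":
        return value.startswith(pattern)
    if option == "Ends With":
        return value.endswith(pattern)
    if option == "Contains":
        return pattern in value
    if option == "Regular Expressions":
        return re.fullmatch(pattern, value) is not None
    raise ValueError(f"unknown matching option: {option!r}")

@dataclass
class Criterion:
    prop: str              # "file_name" (File or Folder Name) or "command_line"
    option: str
    pattern: str
    negate: bool = False   # the 'does NOT match' dropdown choice

    def holds(self, app):
        value = app.get(self.prop)
        if value is None:  # property absent from the launched app: cannot match
            return False
        result = text_matches(self.option, self.pattern, value)
        return not result if self.negate else result

@dataclass
class Definition:
    criteria: list
    def matches(self, app):    # every criterion must hold: logical AND
        return all(c.holds(app) for c in self.criteria)

@dataclass
class ApplicationGroup:
    name: str
    definitions: list
    def matches(self, app):    # definitions are tried in turn until one matches
        return any(d.matches(app) for d in self.definitions)

@dataclass
class ApplicationRule:
    group: ApplicationGroup
    action: str   # "Passive (No Change)", "Allow Execution" or "Block Execution"

@dataclass
class Workstyle:
    name: str
    rules: list
    enabled: bool = True

def evaluate(workstyles, app):
    """Workstyles in list order, rules in list order, first match wins. Returns
    (Workstyle name, Application Group name, action), or None when nothing
    matches, in which case the application runs as normal."""
    for ws in workstyles:
        if not ws.enabled:
            continue               # disabled Workstyles are not processed
        for rule in ws.rules:
            if rule.group.matches(app):
                return (ws.name, rule.group.name, rule.action)
    return None

# Constructed policy; the paths and group names are illustrative only.
LEGACY_TOOL = ApplicationGroup("Legacy Tool", [
    Definition([Criterion("file_name", "Exact Match", "/Applications/LegacyTool.app")])])
TRUSTED = ApplicationGroup("Trusted Locations", [
    Definition([Criterion("file_name", "Starts With", "/Applications/")]),
    Definition([Criterion("file_name", "Starts With", "/System/")])])
# Binary definitions combining File or Folder Name with Command Line Arguments,
# using the guide's 'ls -la /Applications' example and its negated counterpart.
LS_APPLICATIONS = ApplicationGroup("ls Applications listing", [
    Definition([Criterion("file_name", "Exact Match", "/bin/ls"),
                Criterion("command_line", "Starts With", "-la /Applications")])])
LS_OTHER = ApplicationGroup("ls other listing", [
    Definition([Criterion("file_name", "Exact Match", "/bin/ls"),
                Criterion("command_line", "Starts With", "-la /Applications", negate=True)])])

POLICY = [
    # The block rule is listed first so the broader allow rule cannot shadow it.
    Workstyle("General Rules", [ApplicationRule(LEGACY_TOOL, "Block Execution"),
                                ApplicationRule(TRUSTED, "Allow Execution")]),
    Workstyle("Command Line Rules", [ApplicationRule(LS_APPLICATIONS, "Allow Execution"),
                                     ApplicationRule(LS_OTHER, "Passive (No Change)")]),
]
```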
File Hash (SHA-1 Fingerprint)
This definition ensures the contents of the application (which can normally be edited by any user) remain unchanged, as changing a single character in the script will cause the SHA-1 hash to change. A file hash is a digital fingerprint of an application, generated from the contents of the application binary or bundle. Changing the contents of an application results in an entirely different hash. Every application, and every version of the same application, has a unique hash. Privilege Management for Mac uses hashes to compare the application being executed against a hash stored in the configuration. File hash matching is the most specific criteria, as it can be used to ensure the application being run is the exact same application used when creating the definition, and that it has not been modified. This matching criteria includes the following matching options:
• File Hash
This matching criteria can be used with the following application types:
• Binaries
• Bundles
• Packages
• System Preferences
• Sudo Commands
• Scripts
Note: Although file hash is the more reliable matching criteria for matching a specific application, you must ensure definitions are kept up to date. When updates are applied to the endpoint, new versions of applications may be added, and so their SHA-1 hashes will be different. Applications on different versions of macOS also have different SHA-1 hashes.
Changes to File Hash Auditing
Prior to Privilege Management for Mac 21.6, the file hash audited depended on the context, for example, whether the application is a bundle or whether it's code signed:


• Signed applications report the code directory hash (CDHash).
• Unsigned single files (binaries, scripts) and signed packages report a SHA-1.
• Unsigned bundles report a recursively generated SHA-1 of all their contents. In a worst case scenario, this can take several minutes to generate.
In Privilege Management for Mac 21.6, what is audited is simplified to provide support for reputation services such as VirusTotal:
• Single files report a SHA-1.
• Bundles report the SHA-1 of their main binary, as specified by their Info.plist.
Changes to File Hash Matching Criteria
Support for matching signed applications using their CDHash is continuing, and we also now support matching against the audited SHA-1. Support for recursive SHA-1 matching for unsigned bundles will be removed once Apple Silicon is widely adopted by businesses, as unsigned code is not allowed to run on these devices. It can cause significant performance issues.
How to Determine a File's Hash for Matching Criteria
If you have audit events available through reporting, then you can find the appropriate SHA-1 file hash there. This is not as secure as using a CDHash for bundles.
Signed application (bundle, binary, script):
codesign -dvvv <path to bundle or file> 2>&1 | egrep "^CDHash"
Unsigned files (binary, script) and both signed and unsigned packages:
shasum -a 1 <path to file>
Unsigned bundle:
shasum -a 1 <path to bundle's main binary>
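The 21.6 audit value for a bundle is the SHA-1 of the main binary that its Info.plist names, which is what the shasum command above computes. The following added example (written for this guide, not BeyondTrust code) reproduces that calculation and shows why hash definitions go stale: it builds a throw-away .app layout with a constructed Info.plist and binary, hashes it, then appends a single byte to the binary and hashes it again. CFBundleExecutable is the standard Info.plist key for the main binary; the sample bundle contents are constructed.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

def sha1_of_file(path):
    """Same digest as 'shasum -a 1 <path>': lower-case hex SHA-1 of the file's bytes."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def bundle_main_binary(bundle):
    """Resolve the main binary the bundle's Info.plist names in CFBundleExecutable;
    it lives in Contents/MacOS, as the guide's Exact Match note describes."""
    with open(Path(bundle) / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    return Path(bundle) / "Contents" / "MacOS" / info["CFBundleExecutable"]

def audited_sha1(path):
    """The 21.6 audit value: SHA-1 of a single file, or of a bundle's main binary."""
    path = Path(path)
    if path.is_dir() and (path / "Contents" / "Info.plist").is_file():
        return sha1_of_file(bundle_main_binary(path))
    return sha1_of_file(path)

def make_sample_bundle(root, name="Sample", binary=b"#!/bin/sh\necho sample\n"):
    """Lay out a constructed, throw-away .app so the example runs without a real
    application. The plist keys are real Info.plist keys; the values are made up."""
    bundle = Path(root) / f"{name}.app"
    (bundle / "Contents" / "MacOS").mkdir(parents=True)
    with open(bundle / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": name,
                       "CFBundleIdentifier": f"com.example.{name.lower()}"}, fh)
    (bundle / "Contents" / "MacOS" / name).write_bytes(binary)
    return bundle

def sha1_of_bytes(content):
    """Write bytes to a temporary single file and hash it as an endpoint would."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(content)
        return sha1_of_file(sample)

def demo():
    """Hash a sample bundle, append one byte to its main binary, hash it again:
    the digests differ, which is why hash definitions need updating whenever an
    application is updated. Returns (original, modified)."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = make_sample_bundle(tmp)
        original = audited_sha1(bundle)
        main_binary = bundle_main_binary(bundle)
        main_binary.write_bytes(main_binary.read_bytes() + b"\n")
        return original, audited_sha1(bundle)
```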
File Version Matches
If the application you entered has a File Version property, then it is automatically extracted. You can choose to Check Min Version, Check Max Version, and edit the version number fields. Alphanumeric characters are supported in the version of applications. For application types with defined versions, you can optionally use the File Version matching criteria to target applications of a specific version or range of versions. This allows you to apply rules and actions to certain versions of an application, for example, blocking an application if its version is less than the version defined in the definition. File Version matching can be applied either as a minimum required version, as a maximum required version, or you can use both to define a range of versions (between a minimum and a maximum). This matching criteria includes the following matching options:
• File Min Version
• File Max Version
This matching criteria can be used with the following application types:


• Bundles
• System Preferences
Parent Process Matches
This option can be used to check if an application's parent process matches a specific Application Group. You must create an Application Group for this purpose or specify an existing Application Group in the Parent Process group. Setting match all parents in tree to True will traverse the complete parent and child hierarchy for the application, looking for any matching parent process. Setting this option to False only checks the application's direct parent process. When a new application executes, it is executed by another process, or parent process. In most cases on macOS, the parent process will be launchd. However, sometimes applications like binaries and bundles are executed by other applications. For example, binaries like curl can be executed from Bash, and will be created as a child of the Terminal process. However, curl can also be used by applications. The Parent Process matching criteria allows you to target applications based on their parent process, so you can apply different rules and actions depending on where the application is being executed from. In the example above, you can use Parent Process matching to allow curl to be used by an authorized application, but still block users from executing it directly in the Terminal. Parent Processes are defined as an Application Group, so you can identify multiple parents without having to create multiple definitions. This also means the parent process can be defined as any type of application (binary, bundle, system preference, or package) using any of the relevant matching criteria for each application. This matching criteria includes the following matching options:
• Parent Process Group (dropdown menu of all Application Groups existing in the configuration)
This definition can be used with the following application types:
l Binaries l Bundles l Sudo Commands l Scripts
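The difference between checking only the direct parent and setting Match all parents in tree to True, worked as a process-tree walk. This is an added example, not code from the guide or from the Privilege Management product: the process snapshot, the executable paths (ExampleDeploy.app is hypothetical) and the contents of the Parent Process group are constructed, and the group is modelled as a set of exact executable paths rather than a full Application Group definition.

```python
"""Parent Process Matches: direct parent versus full ancestor traversal (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Process:
    pid: int
    path: str              # executable path, as a File or Folder Name definition would see it
    ppid: Optional[int]    # None for the root of the tree (launchd)


class ProcessTable:
    """Minimal pid lookup over a constructed process snapshot."""

    def __init__(self, processes: Iterable[Process]) -> None:
        self.by_pid: Dict[int, Process] = {p.pid: p for p in processes}

    def parent_of(self, pid: int) -> Optional[Process]:
        proc = self.by_pid.get(pid)
        if proc is None or proc.ppid is None:
            return None
        return self.by_pid.get(proc.ppid)


def parent_process_matches(table: ProcessTable, pid: int,
                           parent_group: FrozenSet[str],
                           match_all_parents_in_tree: bool) -> bool:
    """True if the application's parent is a member of the Parent Process group.

    match_all_parents_in_tree=False: only the direct parent is compared.
    match_all_parents_in_tree=True:  every ancestor up to the root is compared.
    """
    seen = set()                       # guards against a corrupt snapshot with a pid cycle
    parent = table.parent_of(pid)
    while parent is not None and parent.pid not in seen:
        seen.add(parent.pid)
        if parent.path in parent_group:
            return True
        if not match_all_parents_in_tree:
            return False               # direct parent only; stop after one step
        parent = table.parent_of(parent.pid)
    return False


# Constructed snapshot: launchd at the root, curl typed into a Terminal session,
# and a hypothetical deployment tool that runs curl directly and via a helper shell.
CURL = "/usr/bin/curl"
TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
DEPLOY_TOOL = "/Applications/ExampleDeploy.app/Contents/MacOS/ExampleDeploy"  # hypothetical

SNAPSHOT = ProcessTable([
    Process(1,   "/sbin/launchd", None),
    Process(100, TERMINAL, 1),
    Process(200, "/bin/bash", 100),
    Process(300, CURL, 200),           # curl run by the user in the Terminal
    Process(400, DEPLOY_TOOL, 1),
    Process(500, CURL, 400),           # curl executed directly by the tool
    Process(600, "/bin/sh", 400),
    Process(700, CURL, 600),           # curl executed by the tool through a helper shell
])

# Constructed Parent Process group containing only the deployment tool.
AUTHORIZED_CURL_CALLERS = frozenset({DEPLOY_TOOL})


def decide(pid: int, match_all_parents_in_tree: bool) -> str:
    """The guide's scenario: allow curl under an authorized parent, otherwise block."""
    ok = parent_process_matches(SNAPSHOT, pid, AUTHORIZED_CURL_CALLERS,
                                match_all_parents_in_tree)
    return "allow" if ok else "block"


if __name__ == "__main__":
    for pid in (300, 500, 700):
        print(pid, SNAPSHOT.by_pid[pid].path,
              "direct:", decide(pid, False), "tree:", decide(pid, True))
```

Process 700 is the case the setting exists for: with the direct-parent check it is blocked because its parent is /bin/sh, while the full tree walk finds the authorized tool one level up and allows it.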
Publisher Matches
This option can be used to check for the existence of a valid publisher. If you have browsed for an application, then the certificate subject name will automatically be retrieved, if the application has been signed. By default, a substring match is attempted (Contains). Alternatively, you may choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are identical to the File or Folder Name definition.
Some applications are digitally signed with a certificate, giving a guarantee the application is genuine and from a specific vendor. The certificate also ensures the application has not been tampered with by an unauthorized source. The vendor who owns the certificate can be identified from certain properties of the certificate, which are referred to as Authorities. A certificate typically contains several Authorities linked together in a chain of trust. To check if an application has been digitally signed and what the certificate Authorities are, use the following command example to check the certificate of the iTunes.app application bundle:
codesign -dvvv /Applications/iTunes.app/
If the application has a certificate, there will be one or more Authorities listed in the output:


Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
In the output, the first Authority listed is the authority most specific to the application. In this example, you can see Apple uses the certificate Authority Software Signing to digitally sign iTunes.app. With the Publisher matching criteria, you can target applications based on the publisher information contained in its certificate. This matching criteria can also be used in combination with other matching criteria, as a way of ensuring the application is a genuine application from the vendor.
Note: All apps downloaded from the Apple Store will have certificates with the same authority, as Apple resigns all applications before making them available in the Apple Store.
This matching criteria includes the following matching options:
l Publisher (For example, the Publisher for Apple applications is Software Signing)
l Exact Match
l Starts With
l Ends With
l Contains
l Regular Expressions
This definition can be used with the following application types:
l Binaries
l Bundles
l Packages
l System Preferences
l Sudo Commands
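Reading the Authority chain from codesign output and applying the match operators listed above to the first Authority, as an added example (not code from the guide or the product). The codesign output is a constructed sample in the line format codesign -dvvv prints; the Developer ID subject "Example Corp" and team identifier TEAMID0000 are placeholders. The Regular Expressions operator is assumed to match the whole value, and a Wildcard operator (? and *) is included because the text says wildcard matching is available. Source and URI use the same operators, so the same matcher applies to those values.

```python
"""Publisher Matches over codesign -dvvv output (added example)."""
import re
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed sample of codesign -dvvv output for an Apple-signed bundle.
ITUNES_CODESIGN = """\
Executable=/Applications/iTunes.app/Contents/MacOS/iTunes
Identifier=com.apple.iTunes
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""

# Constructed sample for a Developer ID signed app; signer and team ID are placeholders.
THIRD_PARTY_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

# Constructed sample for an unsigned bundle: codesign prints no Authority lines.
UNSIGNED_CODESIGN = "/Applications/Unsigned.app: code object is not signed at all\n"


def authorities(codesign_output: str) -> List[str]:
    """Authority values in the order codesign prints them: leaf first, root CA last."""
    return [line.split("=", 1)[1].strip()
            for line in codesign_output.splitlines()
            if line.startswith("Authority=")]


def publisher(codesign_output: str) -> Optional[str]:
    """The Publisher in the guide's sense: the first, most specific Authority.
    None when the application carries no signature."""
    chain = authorities(codesign_output)
    return chain[0] if chain else None


def publisher_matches(value: Optional[str], pattern: str, operator: str) -> bool:
    """Apply one operator to the Publisher.  Matching is case sensitive, as the
    guide notes for all matching criteria.  An unsigned application never matches."""
    if value is None:
        return False
    if operator == "Exact Match":
        return value == pattern
    if operator == "Starts With":
        return value.startswith(pattern)
    if operator == "Ends With":
        return value.endswith(pattern)
    if operator == "Contains":            # the default operator
        return pattern in value
    if operator == "Wildcard":            # ? and *, as in the File or Folder Name definition
        return fnmatchcase(value, pattern)
    if operator == "Regular Expressions": # assumed to match the whole value
        return re.fullmatch(pattern, value) is not None
    raise ValueError(f"unknown operator: {operator}")


if __name__ == "__main__":
    for sample in (ITUNES_CODESIGN, THIRD_PARTY_CODESIGN, UNSIGNED_CODESIGN):
        print(publisher(sample), authorities(sample))
```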
Source
If an application was downloaded using a web browser, this option can be used to check where the application or installer was originally downloaded from. The application is tracked by Privilege Management for Mac at the point it is downloaded, so if a user decided to run the application or installer at a later date, the source can still be verified. By default, a substring match is attempted (Contains). Alternatively, you can choose to pattern match based on either a wildcard match (? and *) or a Regular Expression. The available operators are the same as the File or Folder Name definition. This definition can be used with the following application types:
l Bundles
l System Preferences
URI
Every macOS application bundle has a defined Uniform Resource Identifier (URI), a property that uniquely identifies the application to the system. URIs follow a specific structure, typically referencing the vendor and application. For example, the URI for Apple iTunes is com.apple.iTunes. The URI matching criteria provides an effective way of targeting applications where the filename or file path may not always be known. It is also an effective way of targeting applications from a specific vendor. This matching criteria can also be used in combination with other matching criteria, as a way of ensuring the application is a genuine application from the vendor. This is the Unique Request Identifier for the application bundle. You can choose to match based on the following options:
l URI (for example, com.apple.iTunes)
l Exact Match
l Starts With
l Ends With
l Contains
l Regular Expressions
This definition can be used with the following application types:
l Bundles
Install Action Matches
This definition can be used to allow installation of bundles to the /Applications directory. This matching criteria can be used in combination with other criteria to allow or deny installation of the matched bundle. You can choose from the following options to allow installation to the /Applications directory:
l Yes
l No
This definition can be used with the following application type:
l Bundles
Delete Action Matches
This definition can be used to allow deletion of bundles from the /Applications directory. This matching criteria can be used in combination with other criteria to allow or deny deletion of the matched bundle. You can choose from the following options to allow deletion from the /Applications directory:
l Yes
l No
This definition can be used with the following application type:
l Bundles
Management of Disk Mounted Images
Privilege Management for Mac examines each Disk Mounted Image (DMG) when Privilege Management for Mac is running with a valid license. If there are one or more bundles of applications in the Disk Image, where the policy is contained within an allow rule for the Workstyle, and the install action is also set to Yes in the Application Rule, the user is allowed to copy those bundles to the System Applications folder on the endpoint. If the applications do not have a Privilege Management Allow rule, the copying of the bundle defaults to normal macOS functionality where admin credentials are required to copy the bundle to the System Applications folder. Standard macOS functionality is used if anything other than an Allow rule is associated with the application bundle in the DMG, such as Block or Passive.
Note: Previously, to trigger copy functionality, the bundle from the DMG had to be in an Application Group with a Privilege Management Allow rule. As of version 5.4, the same condition applies; however, the bundle must also have Install Action match set to Yes in the Application matching criteria, within the Application Groups settings, to right-click and Install with Defendpoint. Existing policies must be altered to reflect the changes in functionality. For more information, please see "Management of System Applications" on page 42.
Configuration of the defendpoint.plist File
Management of DMGs is enabled by default, but it can be turned off by editing the defendpoint.plist file. The location of the defendpoint.plist file is /Library/Application Support/Avecto/Defendpoint/defendpoint.plist. The MountAssistant key should be set to false to turn off the Privilege Management for Mac management of DMG files (it is set to true by default):
<key>MountAssistant</key> <false/>
You must restart the defendpointd daemon after you have edited the defendpoint.plist file for any changes to take effect. This can either be done by restarting the machine or by running these commands from your terminal:
sudo launchctl unload /Library/LaunchDaemons/com.avecto.defendpointd.plist
sudo launchctl load /Library/LaunchDaemons/com.avecto.defendpointd.plist
Note: If you specify the -w parameter in the command line, it will disable the daemon and a reboot will not turn it back on. Not including the parameter will allow the daemon to restart after a reboot of the endpoint.
Format of Messages
Within the defendpoint.plist file, you can also modify the string used for the messaging in the key tag. The format of the messages is a key and string tag:
<key>MountMessageAllow</key> <string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>
The following placeholders can be used:
l [APP_NAME]: Replaced by the Application Name.
l [MOUNT_NAME]: Replaced by the Volume Name of the mounted DMG.


When you enter your own strings for the above keys, the formatting is 'what you see is what you get'. For example, if you press Enter, then you will get a new line.
You can configure the message displayed to the user at the endpoint in the following scenarios:

l MountMessageAllow: Message that appears when a DMG containing an allowed bundle is mounted.
l MountMessageNoteSame: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed, but the same version exists in the destination.
l MountMessageNoteNewer: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed but a newer version of the bundle exists in the destination.
l MountMessageNoteOld: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed but an older version of it exists in the destination.
l MountNotificationSuccess: Message that appears in the macOS notification center when the copying process succeeds.
l MountNotificationFailure: Message that appears in the macOS notification center when the copying process fails.

If the message keys above have not been set, Privilege Management for Mac uses the default values and strings. If you enter the <key> but do not specify the <string>, then the message will be empty.
You must use escaped characters for valid XML, such as in the examples below:

Symbol    Escaped Form
"         &quot;
&         &amp;
'         &apos;
<         &lt;
>         &gt;

Example: The following examples show sample messages in the defendpoint.plist file.
<key>MountMessageAllow</key> <string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>
<key>MountMessageNoteSame</key> <string>Note: same version of the item named "[APP_NAME]" already exists in this location.</string>
<key>MountMessageNoteNewer</key> <string>Note: a newer version of the item named "[APP_NAME]" already exists in this location.</string>
<key>MountMessageNoteOlder</key> <string>Note: an older version of the item named "[APP_NAME]" already exists in this location.</string>
<key>MountNotificationSuccess</key> <string>"[APP_NAME]" was successfully copied from "[MOUNT_NAME]" into the Applications folder.</string>
<key>MountNotificationFailure</key> <string>"[APP_NAME]" was not successfully copied from "[MOUNT_NAME]" into the Applications folder.</string>
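The defendpoint.plist settings from the last two sections, built, escaped and read back with Python's standard-library plistlib. This is an added example, not code from the guide or the product. It assumes only the key names the guide shows (MountAssistant and the MountMessage*/MountNotification* keys, using the MountMessageNoteOlder spelling from the sample file above) and the [APP_NAME]/[MOUNT_NAME] placeholders; the hand-edited plist and the sample messages are constructed. The escape_for_plist helper applies the guide's escape table for hand-edited XML; plistlib escapes &, < and > itself when it writes a file, so strings passed to build_settings are left unescaped.

```python
"""defendpoint.plist DMG settings: build, escape, validate, render (added example)."""
import plistlib
from typing import Dict, Optional

MESSAGE_KEYS = (
    "MountMessageAllow", "MountMessageNoteSame", "MountMessageNoteNewer",
    "MountMessageNoteOlder", "MountNotificationSuccess", "MountNotificationFailure",
)

# The guide's escape table; '&' is handled first so the other entities are not re-escaped.
XML_ESCAPES = (("&", "&amp;"), ('"', "&quot;"), ("'", "&apos;"), ("<", "&lt;"), (">", "&gt;"))


def escape_for_plist(text: str) -> str:
    """Escape a message string for pasting into a hand-edited <string> element."""
    for raw, entity in XML_ESCAPES:
        text = text.replace(raw, entity)
    return text


def build_settings(mount_assistant: bool, messages: Dict[str, str]) -> bytes:
    """Serialise the DMG settings as an XML plist; unknown keys are rejected early."""
    unknown = set(messages) - set(MESSAGE_KEYS)
    if unknown:
        raise ValueError(f"unknown message keys: {sorted(unknown)}")
    root: Dict[str, object] = {"MountAssistant": mount_assistant, **messages}
    return plistlib.dumps(root, fmt=plistlib.FMT_XML)


def load_settings(data: bytes) -> Dict[str, object]:
    """Read settings back with the guide's defaults: management is on unless
    MountAssistant is false; an absent key means the built-in text (None here);
    a key present with an empty <string> means an empty message."""
    root = plistlib.loads(data)
    assistant = root.get("MountAssistant", True)
    if not isinstance(assistant, bool):
        raise ValueError("MountAssistant must be <true/> or <false/>")
    messages: Dict[str, Optional[str]] = {}
    for key in MESSAGE_KEYS:
        value = root.get(key)
        if value is not None and not isinstance(value, str):
            raise ValueError(f"{key} must be a <string>")
        messages[key] = value
    return {"mount_assistant": assistant, "messages": messages}


def render(template: str, app_name: str, mount_name: str) -> str:
    """Substitute the placeholders the endpoint fills in at display time."""
    return template.replace("[APP_NAME]", app_name).replace("[MOUNT_NAME]", mount_name)


# Constructed sample messages, matching the guide's example strings.
SAMPLE_MESSAGES = {
    "MountMessageAllow": 'Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?',
    "MountNotificationFailure":
        '"[APP_NAME]" was not successfully copied from "[MOUNT_NAME]" into the Applications folder.',
}

# Constructed hand-edited file using the escapes from the table above; note the
# deliberately empty MountMessageNoteSame string.
HAND_EDITED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>MountAssistant</key>
    <false/>
    <key>MountMessageAllow</key>
    <string>Allow copying &quot;[APP_NAME]&quot; from &quot;[MOUNT_NAME]&quot; to Applications?</string>
    <key>MountMessageNoteSame</key>
    <string></string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(build_settings(False, SAMPLE_MESSAGES).decode())
    loaded = load_settings(HAND_EDITED_PLIST)
    print(render(loaded["messages"]["MountMessageAllow"], "Example.app", "Example Disk"))
```

After writing a file this way, the daemon still has to be restarted with the launchctl commands given earlier for the change to take effect.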
Management of System Applications
Privilege Management for Mac examines each application and, if there is an application bundle where the application is associated with a Privilege Management Allow rule and Install Action match of Yes, the user can right-click the application and select Install with Privilege Management. This will install the bundle in the /Applications folder on the endpoint. Similarly, if there is an application bundle where the application is associated with a Privilege Management Allow rule and Delete Action match of Yes, the user can right-click the application and select Uninstall with Privilege Management. This will uninstall the bundle in the /Applications folder on the endpoint. If the applications do not have a Privilege Management Allow rule with an Install Action match or Delete Action match of Yes, the management of the bundle defaults to normal macOS functionality where admin credentials are required to manage the bundle in the /Applications folder. Standard macOS functionality is used if anything other than an Allow rule with an Install Action match or Delete Action match of Yes is associated with the application bundle, such as Block or Passive.
Note: You cannot use File Hash matching criteria to install or uninstall unsigned bundles.
Note: Per system functionality, applications that are running or protected by System Integrity Protection (SIP) cannot be uninstalled.
For more information, please see the following:
l "Install Action Matches" on page 39
l "Delete Action Matches" on page 39
Manage the Privilege Management Finder Extension
To use Install with Privilege Management and Uninstall with Privilege Management menu functionality to manage the System Applications folder, the Privilege Management Finder Extension must be enabled under System Preferences > Extensions > Finder Extensions.
Insert a Binary
Note: Matching criteria is case sensitive.
1. Select the Application Group you want to add the binary control to.
2. Right-click and select Insert Application > Binary.
3. Enter a File or Folder Name, or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all binaries.


5. You must configure the matching criteria for the binary. You can configure:
l File or Folder Name Matches
l File Hash (SHA-1 Fingerprint)
l Application Requests Authorization
l Command Line Arguments
l Publisher Matches
l Parent Process Matches
6. Click Finish. The binary is added to the Application Group.
For more information, please see the following:
l "File or Folder Name Matches" on page 34
l "File Hash (SHA-1 Fingerprint)" on page 35
l "Application Requests Authorization" on page 33
l "Command Line Arguments" on page 33
l "Publisher Matches" on page 37
l "Parent Process Matches" on page 37
Insert a Bundle
Note: Matching criteria is case sensitive.
1. Select the Application Group you want to add the bundle control to.
2. Right-click and select Insert Application > Bundle.
3. Enter a File or Folder Name, or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all bundles.
5. You must configure the matching criteria for the bundle. You can configure:
l File or Folder Name Matches
l File Hash (SHA-1 Fingerprint)
l Source
l File Version Matches
l URI
l Application Requests Authorization
l Publisher Matches
l Parent Process Matches
6. Click Finish. The bundle is added to the Application Group.
For more information, please see the following:


l "File or Folder Name Matches" on page 34
l "File Hash (SHA-1 Fingerprint)" on page 35
l "Source" on page 38
l "File Version Matches" on page 36
l "URI" on page 38
l "Application Requests Authorization" on page 33
l "Publisher Matches" on page 37
l "Parent Process Matches" on page 37

Insert a Package
Note: Matching criteria is case sensitive.
1. Select the Application Group you want to add the package to.
2. Right-click and select Insert Application > Package.
3. Enter a File or Folder Name, or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all packages.
5. You must configure the matching criteria for the package. You can configure:
l File or Folder Name Matches
l File Hash (SHA-1 Fingerprint)
l Application Requests Authorization
l Publisher Matches
6. Click Finish. The package is added to the Application Group.
For more information, please see the following:
l "File or Folder Name Matches" on page 34
l "File Hash (SHA-1 Fingerprint)" on page 35
l "Application Requests Authorization" on page 33
l "Publisher Matches" on page 37

Insert a Script
You can control scripts using the Script application type. System administrators can apply Application Rules on scripts to allow installation and management of development tools; for example, Homebrew. Supported script types include:
l bash (.sh)
l ruby (.rb)
l python (.py - xattr)


Note: Matching criteria is case sensitive.
1. Select the Application Group you want to add the script control to.
2. Right-click and select Insert Application > Script.
3. Enter a File or Folder Name.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all scripts.
5. You must configure the matching criteria for the script. You can configure:
l File or Folder Name Matches
l File Hash (SHA-1 Fingerprint)
l Command Line Arguments
l Parent Process Matches
6. Click Finish. The script is added to the Application Group.
For more information, please see the following:
l "File or Folder Name Matches" on page 34
l "File Hash (SHA-1 Fingerprint)" on page 35
l "Command Line Arguments" on page 33
l "Parent Process Matches" on page 37
Install Homebrew
The Homebrew installer is a shell script which users can download to their machine and run. This script internally uses sudo to create folders on the system and set their ownership/permissions to be accessible by the installing user, reducing the need for further privileged sudo operations when users want to install packages.
Allow Standard Users to Install Homebrew via Privilege Management for Mac
Prepare a script
The current installation script for Homebrew must be modified slightly to work with Privilege Management for Mac. To achieve this, create a script that contains the following:
#!/bin/bash
# Remember the current directory so we can return to it when removing temporary files
readonly basedir=$(pwd)
# Download the latest brew install script using curl
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh -o install.sh
# The following command modifies the install.sh script, creating a backup of the original
# as install.sh.bak, and does the following modifications
# - replaces occurrences of "/usr/bin/sudo" with just "sudo" to allow customers using
#   the non-Apple sudo to continue
# - Inserts a line "HAVE_SUDO_ACCESS=0" near the top of the file. This bypasses the
#   built-in have_sudo_access feature with the expectation that the PMFM plugin policy is
#   correctly configured to match this script
sed -i .bak -e 's^/usr/bin/sudo^sudo^g' -e $'s^set -u^set -u\\\nHAVE_SUDO_ACCESS=0^' install.sh
source install.sh
cd "${basedir}"
rm install.sh
rm install.sh.bak
If you make no modifications to the script above, this results in a shasum with value ea2ce4fe687a82fb63a0bb14486352d4f7148a85.
Add the Script to Policy
To create a rule to match this script in the Policy Editor:
1. Create an Application Group to add the script control.
2. Right-click and select Insert Application > Script.
3. Enter * as the file or folder name, as you're matching explicitly on hash.
4. Enter a description of User Homebrew Installation.
5. Set the File Hash value to ea2ce4fe687a82fb63a0bb14486352d4f7148a85. Ensure this file hash is the same as the script you prepared earlier, in case you made any custom modifications.
6. Click Finish. The script is added to the Application Group.
Add a sudo Command for Homebrew to Policy
In the same Application Group:
1. Right-click and select Insert Application > Sudo Command.
2. Enter * to represent any sudo command.
3. Enter a description or accept the default, and click Next.
4. Configure the Parent Process Matches to be the group which you are editing. This keeps the configuration of Homebrew isolated within the policy and easier to navigate. Alternatively, you can separate the Script and Sudo application definitions.
5. Click Finish. The sudo command is added to the Application Group.
Set Up an Application Rule for Homebrew
1. Select the Workstyle that is appropriately filtered for users you want to allow to install Homebrew.
2. Create an application assignment for the Application Group that contains the sudo command, of type Allow Execution, with your messaging and auditing preferences.
Insert a Sudo Command
Note: Matching criteria is case sensitive.


1. Select the Application Group you want to add the sudo command to.
2. Right-click and select Insert Application > Sudo Command.
3. Enter a File or Folder Name, or click Template to choose a template.
4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all sudo commands.
5. You must configure the matching criteria for the sudo command. You can configure:
l File or Folder Name Matches
l File Hash (SHA-1 Fingerprint)
l Command Line Arguments
l Publisher Matches
l Parent Process Matches
6. Click Finish. The sudo command is added to the Application Group.
For more information, please see the following:
l "File or Folder Name Matches" on page 34
l "File Hash (SHA-1 Fingerprint)" on page 35
l "Command Line Arguments" on page 33
l "Publisher Matches" on page 37
l "Parent Process Matches" on page 37
Sudo Switches
Privilege Management for Mac supports running sudo commands with the following switches:
l -b, --background
l -e, --edit
l -i, --login
l -S, --stdin
l -s, --shell
l -V, --version
When a sudo command is run, Privilege Management for Mac ignores any switches that have been used and will match the rest of the command against the application definition. If Privilege Management for Mac matches against a rule that allows execution, the sudo command runs with any supported switches that were used. Any switches that are not supported by Privilege Management for Mac are ignored. If Privilege Management for Mac matches on a passive rule or doesn't match any rules, then the sudo command runs with any supported or unsupported switches that have been used.
Note: The -e switch requires configuration in Privilege Management for Mac for it to be supported. For more information, please see "Edit -e Switch" on page 48.

Note: The -l --list switch, which lists the commands the user is allowed to run, does not take into account the commands that are restricted by Privilege Management for Mac.
Edit -e Switch
The -e --edit switch, also known as sudoedit, allows the user to edit one or more files using their preferred text editor. The text editor is defined by setting the SUDO_EDITOR, VISUAL, or EDITOR environment variable in the user's Terminal session. Otherwise, the default editor, Vim, is used. To configure your policy to support the -e switch, you must set up a sudo command Application Rule so that:
l The File or Folder Name definition is set to sudoedit with the Perform Match Using set to Exact Match.
l The Command Line Arguments definition is set to the path of the files you want to control using this rule.
For example, the application definition shown in the following screenshot supports the sudo command sudo -e /etc/hosts.
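How a sudo command line is split into switches and command before matching, covering both the Sudo Switches section (supported switches kept under an Allow rule, unsupported ones dropped, everything kept under Passive or no match) and the sudoedit rule above. This is an added example, not code from the guide or the product. Assumptions: leading arguments beginning with - are treated as switches; the supported-switch list is the guide's; only Exact Match and wildcard (* and ?) operators are modelled, as used in the Homebrew steps; the audit record for sudoedit follows the guide's description (application /usr/bin/sudo, arguments with -e prepended), and for other commands the record is assumed to carry the command and its arguments unchanged.

```python
"""Sudo switch handling and sudoedit normalisation (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

SUPPORTED_SWITCHES = {"-b", "--background", "-e", "--edit", "-i", "--login",
                      "-S", "--stdin", "-s", "--shell", "-V", "--version"}


@dataclass
class SudoInvocation:
    command: Optional[str]   # "sudoedit" for -e/sudoedit; None when nothing follows the switches
    arguments: List[str]
    switches: List[str]      # in the order typed

    @property
    def supported(self) -> List[str]:
        return [s for s in self.switches if s in SUPPORTED_SWITCHES]

    @property
    def unsupported(self) -> List[str]:
        return [s for s in self.switches if s not in SUPPORTED_SWITCHES]


def parse_sudo(argv: List[str]) -> SudoInvocation:
    """Strip the switches and identify the command; 'sudo -e' and 'sudoedit' are the same."""
    switches: List[str] = []
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        switches.append(argv[i])
        i += 1
    rest = argv[i:]
    if argv[0].endswith("sudoedit") or "-e" in switches or "--edit" in switches:
        return SudoInvocation("sudoedit", rest, switches)   # rest = files to edit
    if not rest:
        return SudoInvocation(None, [], switches)
    return SudoInvocation(rest[0], rest[1:], switches)


def definition_matches(inv: SudoInvocation, file_name: str,
                       args_pattern: Optional[str] = None) -> bool:
    """Sudo Command definition: File or Folder Name ('*' = any sudo command, as in the
    Homebrew steps) plus an optional Command Line Arguments pattern."""
    if inv.command is None or not fnmatchcase(inv.command, file_name):
        return False
    if args_pattern is None:
        return True
    return fnmatchcase(" ".join(inv.arguments), args_pattern)


def switches_passed_through(inv: SudoInvocation, outcome: str) -> List[str]:
    """Allow rule: only supported switches survive.  Passive rule or no match:
    sudo runs with every switch the user typed."""
    if outcome == "allow":
        return inv.supported
    return list(inv.switches)


def audit_record(inv: SudoInvocation) -> Dict[str, object]:
    """Audit view: sudoedit is logged as /usr/bin/sudo with -e prepended to the arguments."""
    if inv.command == "sudoedit":
        return {"application": "/usr/bin/sudo", "arguments": ["-e", *inv.arguments]}
    args = [inv.command, *inv.arguments] if inv.command else []   # assumed layout
    return {"application": "/usr/bin/sudo", "arguments": args}


if __name__ == "__main__":
    for line in (["sudo", "-S", "-e", "/etc/hosts"], ["sudo", "-i", "-k", "mkdir", "-p", "/opt/homebrew"]):
        inv = parse_sudo(line)
        print(inv, definition_matches(inv, "sudoedit", "/etc/hosts"), audit_record(inv))
```

The sudoedit rule above matches the first invocation because the File or Folder Name is sudoedit (Exact Match) and the argument is /etc/hosts; an attempt to use the same rule for a different file fails on the Command Line Arguments definition, which is the reason the guide tells you to set that definition rather than leave it open.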

The audit log will show an application of /usr/bin/sudo and the command line arguments will have -e prepended to them.
Insert a System Preference Pane
Note: Matching criteria is case sensitive.
IMPORTANT! When adding the Battery preference pane to a policy, the match must include the URI and exact file path, similar to:

Failing to configure the preference correctly can result in matching unrelated authorization requests, which can lead to unexpected behavior.
Add a System Preference Pane
1. Select the Application Group you want to add the system preference pane to.
2. Right-click and select Insert Application > System Preference Pane.
3. Enter an Auth Request URI or click Template to choose a template.


4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all bundles.
5. You must configure the matching criteria for the system preference pane. You can configure:
l File or Folder Name Matches
l File Hash (SHA-1 Fingerprint)
l Source
l File Version Matches
l Application Requests Authorization
l Publisher Matches
6. Click Finish. The System Preference Pane is added to the Application Group.
For more information, please see the following:
l "File or Folder Name Matches" on page 34
l "File Hash (SHA-1 Fingerprint)" on page 35
l "Source" on page 38
l "File Version Matches" on page 36
l "Application Requests Authorization" on page 33
l "Publisher Matches" on page 37
Insert Applications from Templates
Application templates provide a simple way to pick from a list of known applications. A standard set of templates are provided that cover basic administrative tasks. There are two ways you can insert applications into Application Groups. If you want to insert multiple applications from the BeyondTrust templates, you must add the applications from the template menu.
Use the Add Apps to Template Menu
1. Select the Application Group you want to add the application to.
2. Right-click and select Insert Application > Application Template. Choose one or more applications to add to the Application Group. You can select multiple rows using standard Windows functionality.
3. Click Insert to add the applications.
Messages
You can define any number of end user messages. Messages are displayed when a user's action triggers a rule (application, sudo, or package installers). Rules can be triggered by an application launch, block, or when content is modified. Messages provide an effective way of alerting the user before an action is performed. For example, before elevating an application or advising an application launch. Messages give the user information about the application or content, the action taken, and can be used to request information from the user. Messages also allow authorization and authentication controls to be enforced before access to an application is granted.


Messages are customizable with visual styles, corporate branding, and display text, so you are offered a familiar and contextual experience. Messages are assigned to Application Rules. A message will display different properties depending on which of these targets it is assigned to. To view the differences, a Preview option allows you to toggle between the Application Preview and the Content Preview. This is available from the Preview dropdown menu located in the top-right corner of the details pane. Once defined, a message may be assigned to an individual rule in the Workstyles Rules tab by editing the rule. Depending on the type of Workstyle you've created, Privilege Management for Mac may auto-generate certain messages for you to use.
Create Messages
To create a message:
1. Select the Messages node in the relevant Workstyle. The right-hand pane displays the All Messages page.
2. Right-click and click New Message.
3. Select a message template from the first dropdown. You can choose from:
   - Allow Message (Audit)
   - Allow Message (enter Reason)
   - Allow Message (Select Reason)
   - Allow Message (with Authentication)
   - Allow Message (with Challenge)
   - Block Message
   - Request Message (enter Reason)
   - Request (Select Reason)
4. You can change the other options if required to customize the message to your business.
5. If you select the check box Show the details of the application being executed, the Program Name, Program Publisher, and Program Path names and variables are hidden from the preview and from the message displayed on the endpoint.
6. Click OK to finish creating your message.
A new message will be created. You may now further refine the message by selecting it and editing the Design and the Text options available beneath each message.
Multi-factor Authentication using an Identity Provider
Multi-factor authentication (MFA) using an identity provider can be configured for messages in Privilege Management. Identity providers supported by Privilege Management include those using OpenID Connect (OIDC) protocol. In Privilege Management, messages can be designed with a combination of authentication and authorization settings.
- Authentication: MFA with an identity provider, user credential, and smart card
- Authorization: Challenge / response authorization
Authentication and Authorization Groupings in Privilege Management
Groupings support and/or logic.
- Groupings by authentication: Setting more than one way the end user can authenticate, which can include the typical authentication methods (user credential, designated user, and smart card) and MFA with an identity provider.
In the Message Designer, pair Step 1a - User Authentication with Step 1b - Multifactor Authentication. This can be an and or an or configuration.
- Groupings by authentication and authorization: Authentication methods paired with authorization always use or logic. Authorization applies an additional challenge / response layer to the end user accessing an application. The challenge / response provides an alternative to MFA authentication if that method is unavailable (for example, the browser is unavailable or the end user phone is not available).
Here are some grouping scenarios:
- MFA and Designated User or challenge / response: The end user must successfully respond to all authentication prompts to access an application. Challenge / response is optional.
- MFA or Designated User or challenge / response: The end user must successfully enter either MFA or Designated User credentials. Challenge / response is optional.
- MFA and User authentication or challenge / response: The end user must successfully respond to all authentication prompts to access an application. Challenge / response is optional. When this authentication is combined, the Step 1c - Authentication Grouping is automatically set to and logic.
- MFA or None as the Authentication Type or challenge / response: The end user must access the application through the identity provider or challenge / response method.
Workflow
The workflow depends on the combination of settings configured on the Message Design page. In the following screen capture, the authentication and authorization methods are joined with or logic. The end user must click the link which opens the default browser to the identity provider logon page. The end user must successfully authenticate with the identity provider then return to the Confirm Operation dialog box to enter the user credential. Challenge / response codes are optional.

Add an Identity Provider
You can configure the identity provider in the following places:
- Privilege Management Settings node
- Messages node
Identity provider configuration is a global setting and applies to all messages. To add the identity provider:
1. Expand the OS X node.
2. Right-click Messages > Set Idp Authentication.
3. Enter the identity provider details:
   - Authority URI: The address of your identity provider.
   - Client ID: Must match the same value configured for your identity provider's BeyondTrust application.
   - Redirect URI: Must match the same value configured for your identity provider's BeyondTrust application. The format is http://127.0.0.1:port_number, where port_number is an open port on your network. The port_number is only needed if required by your identity provider. For macOS messages, enter the static redirect URI for messages to work correctly: com.beyondtrust.pmfm://idp
Message Name and Description
You can change the name and description of a message by right-clicking on the message and selecting Rename or Properties respectively.
Message Design
You can configure the following aspects of a message:
- Message Header Settings
- User Reason Settings
- User Authorization
- Sudo User Authorization
- Challenge / Response Authorization
As you change the message options, the preview message updates to show you your changes in real-time. Program and content information is shown with placeholders. After you configure the message options, you can configure the Message Text, which includes the ability to configure different languages. The options here are preselected based on the type of message you created but you can override those options if required.
For more information, please see "Message Text" on page 56.

Message Header Settings
The message header is highlighted here:


- Header Style: This is preconfigured; you can choose to remove the header entirely or select from one of the templates provided. Choose from:
  - No Header
  - Privilege Management Header
  - Warning Header
  - Question Header
  - Error Header
- Show Title Text: This check box is selected by default. You can clear it to remove the text adjacent to the icon if required.
- Text Color: This controls the color of the text adjacent to the icon. Select the arrow to open the color picker.
- Background Type: This option controls the color behind the text and icon. If you select Solid, then only Color 1 is available for you to change. If you select Gradient, then both Color 1 and Color 2 can be configured. If you select Custom Image, then you can't configure the colors.
- Custom Image: This section allows you to choose from one of a number of preset custom images, or you can click Manage Image to upload one of your own. The recommended image size is 450 pixels wide and 50 pixels high.
- Color 1: This option is available if you selected Solid for the Background Type. Select Custom and choose the color you want for the background.
- Color 2: This option is available if you selected Gradient for the Background Type. Select Custom and choose the second color you want for the background. Color 1 is the first color for Gradient backgrounds.
User Reason Settings
You can prompt end users to enter or select a reason in the following scenarios:
- Before an application launches (Allow Execution message type)
- Request a blocked application (Block Execution message type)
Configure the following settings:
- User Reason Type: Select a reason type from the list. Select text box to allow the end user to enter a reason. Select drop-down to allow the end user to select a preconfigured reason from a list. Select Off if no reason is required from the end user. Configure messages on the Message Text tab.
- Remember User Reasons (per-application): Select Yes to cache reasons provided by the end user. A user can then quickly enter a reason.
Authentication and Authorization Settings
For more information about using authentication and authorization settings, please see "Authentication and Authorization Groupings in Privilege Management" on page 50.
Step 1a - User Authentication
- Authentication Type: Select from None, User must authenticate, or Designated user must authenticate.
  - User must authenticate: Select to force the user to reenter their credentials and confirm they want to run the application.
  - Designated user must authenticate: Select to designate which users can authenticate the message. Add users from Designated Users.
- Password or Smart Card: Select from Any, Password only, or Smart card only. Select Any to allow authentication using password or smart card / YubiKey authentication. When Password only is selected, a Username and Password field is added to the message.
- Designated Users: If you select Designated user must authenticate, click the ... button to add the users who can authenticate the message.
Note: If you select a method that is not available to the user, then the user cannot authenticate the message.
Step 1b - Multifactor Authentication
- Idp Provider: To use an identity provider, select Idp - Yes from the list. If you have not already set up your global identity provider settings, then you are prompted to add these now.
- Authentication Context Class References values (acr values): Enter the acr value. The value is optional and required only if your identity provider uses it.
For more information, please see "Add an Identity Provider" on page 52.
Step 1c - Authentication Grouping
- Requirements: Select a requirement from the list. You can combine authentication methods. The authentication grouping can be and/or logic. For example, you can require that your users provide both a user name and password and authenticate with an identity provider. In this case, the end user is required to successfully authenticate with user credentials and with the identity provider. In the or scenario, the user is required to authenticate using at least one of the authentication methods.


Step 2 - Authorization
You can check the Enabled box for Challenge / Response Authorization to add a challenge code to the message. This check box is already checked if you selected a challenge message. If you have already created a Workstyle with a challenge message, then the policy will already have a challenge / response key. Select Change Key and enter a new challenge / response code twice to change it.
- Challenge Response (C/R): Set this option to C/R - Yes to present the user with a challenge code. The user must enter a matching response code to proceed. When this option is enabled for the first time, you must enter a shared key. You can click Edit Key to change the shared key for this message.
- Authorization Period (per-application): Set this option to determine the length of time a successfully returned challenge code is active for. Choose from:
  - Once: A persistent challenge code for an application. The code is available until it is used to authorize the application or the maximum retries is exceeded (if set). Once authorized, you are allowed to use the application. When you relaunch the application, you must use a new challenge code.
  - Forever: A new challenge code is presented to the user on the first attempt to run the application. After a valid response code is entered, the user will not be presented with a new challenge code again.
- Maximum Attempts: This option determines how many attempts the user has to enter a successful response code for each new challenge. Set this option to Three Attempts to restrict the user to three attempts; otherwise set this option to Unlimited.
Note: After the third failure to enter a valid response code, the message will be canceled and the challenge code will be rejected. The next time the user attempts to run the application, they will be presented with a new challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.
Step 3 - User Authentication & Authorization Grouping
- Requirements: Select a grouping from the list. You can use authentication and authorization settings together, grouped by and/or logic.
Sudo User Authorization
You can use the Don't ask for password if already entered dropdown to control how frequently the user has to enter a password to use the sudo command. This text option is only enabled if the User Authorization has been set to User must authorize or Designated user must authorize. The available options are:
- Ask every time
- Less than 1 minute ago
- Less than 5 minutes ago
- Less than 15 minutes ago
- Only ask once per session
For more information, please see "Challenge / Response Authorization" on page 58.

Image Manager
The Image Manager associated with message creation allows you to Add, Modify, Export, and Delete images referenced in message headers. All images are stored inside the Workstyles as compressed and encoded images. We strongly recommend you delete any unused images to minimize the size of the policies, as Privilege Management for Mac does not automatically delete unreferenced images. The Image Manager is accessible from the Message Design tab. Click the Manage Images button next to the Custom Image dropdown menu. To upload an image:
1. Click Upload Image. The Import Image status dialog box appears. Click Choose file and browse to the location of the file.
2. Select the image and enter an Image Description. Click OK.
3. The image will be uploaded into Image Manager.
Note: Images must be in *.PNG format and sized 450x50 pixels.

To edit an image:
1. In the Custom Image field, select Manage Images.
2. Select the image in the list and click Edit.
3. The Image Properties dialog box appears.
4. Alter the description and click OK.
To delete an image:
1. Select the image in the list and click Delete.
2. When prompted, click Yes to delete the image.
Note: If an image is referenced by any messages, then you will not be allowed to delete it.
Message Text
After you have made a change to the message text, click Update to see your changes applied to the preview message.
Note: Mac does not support multiple languages.


General
- Header Message: Controls the text to the right of the icon in the header if it's shown.
- Body Message: Controls the text at the top of the main message.
Publisher
- Verification Failure: Controls the text displayed next to the Publisher if the publisher verification fails.
Privilege Management for Mac verifies the publisher by checking there is a publisher and also checking the certificate associated with that publisher is signed. Privilege Management for Mac does not check to see if the certificate has been revoked due to the length of the lookup process that would rely on network connectivity. Instead, Privilege Management for Mac relies on the certificate store to be kept up to date with revoked certificates, which would be a standard operation as the full chain should be in the local certificate store.
User Reason
Configure the following settings:
- Reason: Enter the text that displays to indicate a reason is required before the end user can proceed. The Yes button is disabled until a reason is entered.
- Reason Error Message: Enter the text displayed to the end user when they fail to select a reason.
- Drop-down list prompt: Enter the text that displays in the dropdown.
- User Reason List: To add a custom reason, click the ellipsis (...) button. On the Approved Reasons dialog box, click Add and enter the reason text. Click OK.
Reason settings can also be applied in sudo policies. The example screen capture shows a list of reasons. The user must enter the number corresponding to the reason to proceed.

User Authentication
- User name: Controls the text adjacent to the field where the user would enter their user name.
- Password: Controls the text adjacent to the field where the user would enter their password.
Challenge / Response Authorization
- Header text: Controls the text that introduces the challenge / response authorization.
- Hint text: Controls the text in the response code field for challenge / response messages.
- Information Tip Text: Controls the text above the challenge and response code fields.
Buttons
- OK Button: Controls the text displayed on the button that appears on the bottom right.
- Cancel Button: Controls the text displayed on the button that appears next to the Yes button.
Depending on the message options, the message box will have either one or two buttons:


- For an Allow Message (Audit), the message box will have Yes and No buttons.
- For an Allow Message (enter Reason), the message box will have OK and Cancel buttons.
- For an Allow Message (with Authentication), the message box will have OK and Cancel buttons.
- For an Allow Message (with Challenge), the message box will have Authorize and Cancel buttons.
- For a Block Message, the message box will have an OK button.
- For a Request Message (enter Reason), the message box will have Submit and Cancel buttons.
You can change the OK Button and Cancel Button text. For instance, you can change it to Yes and No if you are asking the end user a question.
Challenge / Response Authorization
Challenge / Response authorization provides an additional level of control for access to applications and privileges, by presenting users with a challenge code in an end user message. In order for the user to progress, they must enter a corresponding response code into the message.

Any policy that has a message with challenge / response needs a shared key. This key is defined when you set up the first challenge / response message in your policy, although you can change it later if required. If you create a Workstyle containing a challenge / response message or you create a new challenge / response message and you are not prompted to create a shared key, then there is already a shared key for the policy. You cannot view this shared key; however, you can change it here if required.

Challenge / Response authorization is configured as part of end user messages, and can be used in combination with any other authorization and authentication features of Privilege Management for Mac messaging. Users are presented with a different, unique challenge code each time a challenge / response message is displayed. Challenge and response codes are presented as an 8-digit number, to minimize the possibility of incorrect entry. When a user is presented with a challenge code, the message may be canceled without invalidating the code. A new challenge code will be generated every time the user runs the application.
For more information on configuring challenge / response authorization enabled end user messages, please see "Message Design" on page 52.
Shared Key
The first time you create a Privilege Management for Mac end user message with a challenge, you are asked to create a shared key. The shared key is used by Privilege Management for Mac to generate challenge codes at the endpoint. Once you have entered a shared key, it will be applied to all end user messages that have challenge / response authorization enabled in the same Privilege Management for Mac settings. To change the shared key:
1. Right-click Privilege Management Settings and select Set Challenge / Response Shared Key.
2. In the Challenge / Response Shared Key dialog box, edit the Enter Key and Confirm Key with the new Shared Key.
3. Click OK to complete. If the key entered is not exact, you will be presented with a warning message.
Note: We recommend your shared key is at least 15 characters and includes a combination of alphanumeric, symbolic, upper, and lowercase characters. As a best practice, the shared key should be changed periodically.


Generate a Response Code
There are two ways to generate a response code. You can either use the PGChallengeResponseUI.exe utility that is installed as part of the Privilege Management Policy Editor, or you can generate them directly within the MMC.
Note: In order to generate a response code, you must have set a Challenge / Response Shared Key. You are prompted to do this when you create any policy that has a Challenge / Response message assigned to it. Alternatively, you can set the Challenge / Response Shared Key from the home page of the Privilege Management Settings node by clicking Set Challenge / Response Shared Key.
You can generate a response code from the Privilege Management Policy Editor. This launches a tool called PGChallengeResponseUI.exe. This tool is part of your installation and can be used independently of the Privilege Management Policy Editor. The tool is installed to the path <Installation Dir>\Avecto\Privilege Guard Privilege Management Policy Editors\. To generate a response code in the Privilege Management Policy Editor:
1. Click the Privilege Management Settings node, and then Tools on the right-hand side.
2. Click Response Code Generator.
3. Enter the shared key you have defined and the challenge code from the end user.
4. The response code is generated once both the Shared Key and the 8 character challenge code have been entered.
The response value can then be sent to the end user to enter into their challenge dialog.
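The challenge / response flow described under Step 2 - Authorization, Challenge / Response Authorization, Shared Key and Generate a Response Code above, modelled as an added Python example (this is not BeyondTrust's code, and the guide does not document how the product derives response codes). The HMAC-SHA256 derivation, the class and function names and the sample application path are this example's own assumptions; what it shows is the shared key recommendation, the 8-digit codes, the Once and Forever authorization periods, and the Three Attempts limit accumulating across Cancel.

```python
"""Illustrative challenge / response model for a Privilege Management style message.

Assumption: the response is HMAC-SHA256(shared_key, challenge) truncated to
8 digits. This is a stand-in chosen for the example, not the product's scheme.
"""
import hashlib
import hmac
import secrets
import string

CODE_DIGITS = 8       # challenge and response codes are 8-digit numbers
THREE_ATTEMPTS = 3    # the "Three Attempts" setting; None models "Unlimited"


def shared_key_meets_recommendation(key: str) -> bool:
    """Apply the guide's recommendation: at least 15 characters, mixing
    upper case, lower case, digits and symbols."""
    if len(key) < 15:
        return False
    return (any(c.isupper() for c in key)
            and any(c.islower() for c in key)
            and any(c.isdigit() for c in key)
            and any(c in string.punctuation for c in key))


def new_challenge_code() -> str:
    """Return a fresh, unpredictable 8-digit challenge code."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def response_for(shared_key: str, challenge: str) -> str:
    """Derive the 8-digit response for a challenge (assumed HMAC scheme).

    Endpoint and Response Code Generator both hold the shared key, so each
    side can compute the response independently and the key never travels.
    """
    if len(challenge) != CODE_DIGITS or not challenge.isdigit():
        raise ValueError("challenge must be an 8-digit code")
    mac = hmac.new(shared_key.encode(), challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class ChallengeAuthorizer:
    """Per-application challenge state for one message.

    period="Once": the code persists until used or until the attempt limit is
    hit; a relaunch after authorization needs a new code.
    period="Forever": after one valid response, no further challenge is shown.
    """

    def __init__(self, shared_key: str, period: str = "Once",
                 max_attempts=THREE_ATTEMPTS):
        self.shared_key = shared_key
        self.period = period
        self.max_attempts = max_attempts
        self._pending = {}          # app -> [challenge, failed attempts]
        self._authorized = set()    # apps authorized under "Forever"

    def challenge_for(self, app: str):
        """Code to display when `app` launches, or None if none is needed.
        Calling this again (the user clicked Cancel) keeps the same code and
        the accumulated failure count, as the guide's note describes."""
        if app in self._authorized:
            return None
        if app not in self._pending:
            self._pending[app] = [new_challenge_code(), 0]
        return self._pending[app][0]

    def submit(self, app: str, response: str) -> str:
        """Check a response; returns 'authorized', 'retry' or 'rejected'."""
        if app not in self._pending:
            raise ValueError("no challenge pending for this application")
        challenge, failures = self._pending[app]
        expected = response_for(self.shared_key, challenge)
        if hmac.compare_digest(response, expected):
            del self._pending[app]
            if self.period == "Forever":
                self._authorized.add(app)
            return "authorized"
        failures += 1
        if self.max_attempts is not None and failures >= self.max_attempts:
            del self._pending[app]  # challenge rejected; next launch gets a new code
            return "rejected"
        self._pending[app][1] = failures
        return "retry"


if __name__ == "__main__":
    key = "Correct-Horse-Battery-9!"     # constructed sample key
    auth = ChallengeAuthorizer(key)
    app = "/Applications/Terminal.app"   # constructed sample application
    code = auth.challenge_for(app)
    print("challenge:", code, "response:", response_for(key, code))
    print(auth.submit(app, response_for(key, code)))
```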
Use TouchID Authentication with Allow Messages
Note: Privilege Management for Mac 21.2 includes an MVP version of TouchID authentication. A fully functional TouchID feature will be available in a future release.
When an end user activates TouchID, their fingerprint can be used for authentication rather than a password. In a Privilege Management for Mac implementation, TouchID authentication can be used in place of password authentication on a Privilege Management message dialog box, as shown here.

When creating a message, keep the following in mind:
- An Allow message template must be used.
- Authentication Method must be set to Password Only or Any.
- The message cannot be combined with any other message types.
When TouchID is not activated or available on the user's machine, then the user is presented with a message to enter their password.
Activate TouchID Authentication
Update the defendpointd.plist:

<key>BiometricAuthenticationEnabled</key>
<true/>

Change the value to false to turn off the feature.


Mac Deployment
Privilege Management for Mac settings can be exported from the MMC as a standalone XML configuration file, which can be distributed to macOS endpoints using your own deployment strategy. To export the Privilege Management for Mac settings to an XML file:
1. Select the Privilege Management Settings node.
2. Right-click and select Export.
3. Select an appropriate destination for the exported XML file, ensuring the file is named defendpoint.xml.
Add Privilege Management for Mac Settings to a Mac Client Computer
Privilege Management for Mac settings are stored in the file /etc/defendpoint/local.xml, and can be overwritten with an exported XML file from the MMC. To prevent any invalid permissions being applied, we recommend this file is replaced using the following command. In this example, the source XML file is located on your Desktop:
sudo cp ~/Desktop/local.xml /etc/defendpoint/local.xml
Privilege Management for Mac will apply the new settings immediately, and does not require any restart. Do not delete the local.xml file as this will interfere with the client machine's ability to enforce policy. If the local.xml file is deleted from a client machine, replace the file and restart the machine.
Mac Policy Structure and Precedence
Structure
Policies are stored in /etc/defendpoint/. For example:
- ic3.xml
- epo.xml
- mdm.xml
- local.xml
- bi.xml
These policy names are not case-sensitive. All policies stored in this location must have the following permissions to ensure policy acceptance and system security:
- Ownership by the _defendpoint user and group (for example, sudo chown _defendpoint:_defendpoint <policy path>)
- Permission for the _defendpoint user and group to read the policy, but not other users (for example, sudo chmod 660 <policy path>)
The policy or policies that are read and loaded by the dppolicyserver depend on the settings under config.order in the defendpoint.plist.
Note: If all policies are deleted, the local.xml policy is regenerated. The regenerated local.xml policy will not contain any license or rules.

Precedence
The policy precedence is determined in the defendpoint.plist, which is stored in /Library/Application Support/Avecto/Defendpoint/defendpoint.plist. The defendpoint.plist is appended or created with the precedence list (as below) on start up or installation, but editing and saving of the list is applied immediately.

<key>config.order</key>
<array>
    <string>ic3</string>
    <string>epo</string>
    <string>bi</string>
    <string>mdm</string>
    <string>local</string>
</array>
You can edit the defendpoint.plist file manually to change the policy precedence if required. The dppolicyserverd goes through the policies under /etc/defendpoint/ by looking for the first policy named in config.order; if it can't find a policy of that name, it progresses to the next in the list. If a policy is found with the correct name, it is loaded irrespective of whether it has a license.
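An added Python example (not part of the guide or the product) that audits a policy directory the way the Structure and Precedence sections describe: it parses config.order out of defendpoint.plist with the standard library plistlib, walks the list to find the first policy present regardless of file name case, and flags policy files that are not owner:group _defendpoint with mode 660. The paths and the precedence list are the ones the guide gives; the function names and the constructed sample directory (ic3.xml absent, epo.xml world-readable) are this example's own, and the current user stands in for _defendpoint so it runs on any machine.

```python
"""Audit /etc/defendpoint policies and resolve config.order precedence.

Constants come from the guide; the helper names and sample data are this
example's own. Run as-is to audit a constructed temporary directory, or call
audit(POLICY_DIR, PLIST_PATH.read_bytes(), uid, gid) on a Mac client.
"""
import os
import plistlib
import stat
import tempfile
from pathlib import Path

POLICY_DIR = Path("/etc/defendpoint")
PLIST_PATH = Path("/Library/Application Support/Avecto/Defendpoint/defendpoint.plist")
REQUIRED_MODE = 0o660   # read/write for _defendpoint user and group, nothing for others


def config_order(plist_bytes: bytes) -> list:
    """Return the config.order precedence list from defendpoint.plist content."""
    return [str(name) for name in plistlib.loads(plist_bytes).get("config.order", [])]


def policy_files(policy_dir) -> dict:
    """Map policy name (lower-cased file stem) to path; names are not case-sensitive."""
    return {p.stem.lower(): p for p in Path(policy_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".xml"}


def resolve_active_policy(order, files):
    """Walk config.order and return the first policy that exists, or None.
    Like dppolicyserverd, this does not consider whether the policy is licensed."""
    for name in order:
        if name.lower() in files:
            return name.lower()
    return None


def permission_findings(path: Path, expected_uid: int, expected_gid: int) -> list:
    """List deviations from the required ownership and 660 mode for one policy."""
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        findings.append(f"{path.name}: owned by {st.st_uid}:{st.st_gid}, "
                        f"expected {expected_uid}:{expected_gid}")
    if mode != REQUIRED_MODE:
        findings.append(f"{path.name}: mode {mode:03o}, expected {REQUIRED_MODE:03o}")
    if mode & 0o007:
        findings.append(f"{path.name}: readable by users other than _defendpoint")
    return findings


def audit(policy_dir, plist_bytes: bytes, expected_uid: int, expected_gid: int) -> dict:
    """Combine precedence resolution and permission checks into one report."""
    files = policy_files(policy_dir)
    order = config_order(plist_bytes)
    findings = []
    for path in sorted(files.values()):
        findings.extend(permission_findings(path, expected_uid, expected_gid))
    return {"order": order, "present": sorted(files),
            "active": resolve_active_policy(order, files), "findings": findings}


# Constructed sample plist carrying the precedence list exactly as the guide shows it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>config.order</key>
  <array>
    <string>ic3</string><string>epo</string><string>bi</string>
    <string>mdm</string><string>local</string>
  </array>
</dict></plist>
"""


def run_demo() -> dict:
    """Audit a constructed directory: ic3.xml absent, epo.xml left at 644,
    bi.xml and LOCAL.xml (mixed case on purpose) at 660."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, mode in (("epo.xml", 0o644), ("bi.xml", 0o660), ("LOCAL.xml", 0o660)):
            path = root / name
            path.write_text("<config/>")   # placeholder body, not a real exported policy
            path.chmod(mode)
        # The current user stands in for _defendpoint, which exists only on a Mac client.
        return audit(root, SAMPLE_PLIST, os.getuid(), os.getgid())


if __name__ == "__main__":
    report = run_demo()
    print("active policy:", report["active"])
    for line in report["findings"] or ["no permission findings"]:
        print(line)
```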


Audits and Reports
Privilege Management for Mac sends events to the local Application event log, depending on the audit and privilege monitoring settings within the Privilege Management for Mac policy. Additionally, BeyondTrust also provides an enterprise level, scalable reporting solution in Privilege Management Reporting. Privilege Management Reporting includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of Privilege Management for Mac activity throughout the desktop and server estate. Each dashboard provides detailed and summarized information regarding Application, User, Host, and Workstyle usage.
For more information, please contact BeyondTrust.

Events

The following events are logged by Privilege Management for Mac:

Event ID   Description
100        Process has started with admin rights added to token.
106        Process has started with no change to the access token (passive mode).
116        Process execution was blocked.
120        Process execution was canceled by the user.
130        An application bundle that can be installed into the /Applications folder by a user that is not a member of the Administrator group.
131        An application bundle that can be deleted from the /Applications folder by a user that is not a member of the Administrator group.


Use Smart Card Authentication
If multi-factor authentication (MFA) using smart cards is implemented in your environment, you can configure Privilege Management for Mac to work with your MFA implementation. Privilege Management for Mac supports smart card and YubiKey.

Predeployment Setup

To use Privilege Management for Mac with a policy that enforces using smart cards on a local machine, you must configure the endpoints to allow unmapped users to authenticate using passwords only.
IMPORTANT!
Failure to configure endpoints to allow users to authenticate using passwords only will prevent Privilege Management for Mac from authorizing controlled rights on behalf of the user.
Run the following command on the endpoint. You can run the command manually or run a script distributed by an MDM solution. If running the command manually, prepend sudo to the line.
defaults write /Library/Preferences/com.apple.security.smartcard allowUnmappedUsers -int 1
Configure Privilege Management for Mac Messaging

After your estate is set up to use MFA, and Privilege Management for Mac is successfully deployed, you can require users to enter their smart card PIN for any action which can be controlled by Privilege Management for Mac. MFA with smart card supports the following authorization types:

• User Must Authorize: The user must authenticate before proceeding.
• Designated user must authorize: A designated user must authenticate an action. The designated user authorization type cannot be used with sudo rules.
For more information, please see " Authentication and Authorization Settings " on page 54
For example, you may want to require low flexibility users to authenticate using their smart card PIN when they install a downloaded application to /Applications. To do this, create a message in the Policy Editor and assign a name such as Authorize Application Install (PIN required). To configure messaging on a policy for MFA:

1. Go to the Message Designer.
2. Set the Authorization Type setting to one of the following: User Must Authorize or Designated user must authorize.
3. Set the Authentication Method setting to Any or Smart card only to enable smart card messages.
4. After you create the message, find your existing application assignment in your Workstyle which prompts the user for installing application bundles into /Applications.
5. Select your message from the End User Message setting.

MFA Support in Privilege Management for Mac sudo Rules

Smart card support can also be implemented in a command line scenario. You can configure a Privilege Management for Mac Workstyle with a sudo command Application Rule. When there is a match on the rule, the user must correctly enter their smart card PIN before they can proceed. The high-level overview to set up smart card authentication with a sudo rule:

• Create your Application Group. Add the application you want to run using sudo.
• Customize your message in the Message Designer. Be sure to set the following:
  ◦ Authentication type: User must authorize
  ◦ Authentication Method: Smart card only
• Create the Application Rule in Workstyles. Set up the Application Rule and select the message you created.
The following screen capture shows an example where nvim is configured to run with sudo and smart card authentication. Access is only permitted after the user correctly enters the smart card PIN.

ServiceNow User Request Integration
You can configure a new message type in Privilege Management Cloud that allows end users to raise a request for access to an application or installer directly in ServiceNow. This ticket can then be reviewed and approved (or denied) in ServiceNow. On the next check-in from the endpoint to Privilege Management Cloud, this exception is automatically applied and the end user is approved to perform their action (or, if the Service Desk operator denied the request, the user is not allowed to continue the action). Typically an endpoint checks in with Privilege Management Cloud every 60 minutes, and receives any ticket decisions at this point. If you want the endpoint to receive the update immediately, you can launch the application again, which triggers an immediate update of that request. All Privilege Management configuration occurs in the Privilege Management Cloud application.
For more information, please see "ServiceNow User Request Integration" in the Privilege Management Cloud Administration Guide.
Restrict Access to Applications

In the ServiceNow authorization request workflow, you can restrict access to application requests. On an approved request, Help Desk can set a time limit in the ServiceNow ticket. The time limit is the length of time the user can use the application before the approval automatically expires. Under the Application, Policy, or Decision tab, select a Duration.


Access time limit can be one of the following:

• Once: Permits access to the application only one time.
• Hour: Enter the number of hours the user will be permitted access, between 1 and 24.
• Day: Enter a day between 1 and 31.
• Forever: Access to the application never expires.
Click Approve.


After the time expires, the user can no longer access that application. The user must go through the request workflow again, with the Help Desk personnel approving and selecting a duration time for access.
Duration settings are included in the authorization auditing.


When using the duration settings to restrict access, a message displays to the end user indicating the request must be approved on the ticket in ServiceNow.
To proceed with the authorization, the user must select a reason from the list, then click Request.


A pending message displays to the end user until a decision on their request is made in ServiceNow.
To view the status on their ServiceNow ticket, the end user can click the request reference link.

Troubleshoot
Check Privilege Management for Mac is Installed and Functioning
If you are having problems, the first step is to verify you have installed the client and the client is functioning.

• Privilege Management for Mac: The graphical interface of Privilege Management for Mac on the toolbar for messages and end user interaction
• defendpointd: The Privilege Management for Mac daemon that manages interaction with Privilege Management for Mac
• dppolicyserverd: Manages policy and communicates with defendpointd
• Custodian: Manages authentication as required by Privilege Management for Mac
Note: The Privilege Management for Mac service requires MSXML6 in order to load the Privilege Management for Mac settings, but the service will still run even if MSXML6 is not present. Windows 7 and Windows Server 2008 R2 already include MSXML6.
Check Settings are Deployed
Assuming Privilege Management for Mac is installed and functioning, the next step is to verify you have deployed settings to the computer or user.
Check Privilege Management for Mac is Licensed
One of the most common reasons for Privilege Management for Mac not functioning is the omission of a valid license from the Privilege Management for Mac settings. If you create multiple policies, then you must ensure the computer or user receives at least one policy containing a valid license. To avoid problems, it is simpler to add a valid license to every set of Privilege Management for Mac settings that you create.
Check Workstyle Precedence
Assuming Privilege Management for Mac is functioning and licensed, most other problems are caused by configuration problems or Workstyle precedence problems. Once an application matches an Application Group entry in the Application Rules, then processing will not continue for that application. Therefore, it is vital you order your entries correctly:
• If you create multiple Workstyles, Workstyles higher in the list have a higher precedence.
• If you have multiple rules in the Application Rules section of a Workstyle, entries higher in the list have a higher precedence.

Application Rules are applied to applications launched either directly by the user or by a running process. If you have multiple policies applying to a user, computer, or both, then you should ensure policy precedence rules are not causing the problem. If multiple policies are applied to a computer or user, then Privilege Management for Mac will apply the policies based on alphanumeric order with the precedence list in defendpoint.plist.
