Mac Deployment

Endpoint Privilege Management for Mac settings can be exported from the MMC as a standalone XML configuration file, which can be distributed to macOS endpoints using your own deployment strategy.

To export the Endpoint Privilege Management for Mac settings to an XML file:

  1. Select the Endpoint Privilege Management Settings node.
  2. Right-click and select Export.
  3. Select an appropriate destination for the exported XML file, ensuring the file is named defendpoint.xml.

Add Endpoint Privilege Management for Mac Settings to a Mac Client Computer

Endpoint Privilege Management for Mac settings are stored in the file /etc/defendpoint/local.xml, and can be overwritten with an exported XML file from the MMC. To prevent invalid permissions from being applied, we recommend replacing this file with the following command. In this example, the source XML file is located on your Desktop:

sudo cp ~/Desktop/local.xml /etc/defendpoint/local.xml

Endpoint Privilege Management for Mac will apply the new settings immediately, and does not require any restart.

Do not delete the local.xml file, as doing so will interfere with the client machine's ability to enforce policy. If the local.xml file is deleted from a client machine, replace the file and restart the machine.

Mac Policy Structure and Precedence

Structure

Policies are stored in /etc/defendpoint/. For example:

  • ic3.xml
  • epo.xml
  • mdm.xml
  • local.xml
  • bi.xml

These policy file names are not case-sensitive. All policies stored in this location must have the following permissions to ensure policy acceptance and system security:

  • Ownership of _defendpoint user and group (for example, sudo chown _defendpoint:_defendpoint <policy path>)
  • Permission for the _defendpoint user and group to read the policy, but no access for other users (for example, sudo chmod 660 <policy path>)

The policy or policies that the dppolicyserver reads and loads depend on the config.order setting in the defendpoint.plist.

If all policies are deleted, the local.xml policy is regenerated. The regenerated local.xml policy will not contain any license or rules.

Precedence

The policy precedence is determined in the defendpoint.plist which is stored in /Library/Application Support/Avecto/Defendpoint/defendpoint.plist.

The precedence list (shown below) is created in, or appended to, the defendpoint.plist at start-up or installation. Edits to the list, once saved, take effect immediately.

<key>config.order</key>
<array>
<string>ic3</string>
<string>epo</string>
<string>bi</string>
<string>mdm</string>
<string>local</string>
</array>

You can edit the defendpoint.plist file manually to change the policy precedence if required.

The dppolicyserverd works through the policies under /etc/defendpoint/ by looking for the first name in config.order; if no policy of that name exists, it moves on to the next name in the list.

If a policy with the correct name is found, it is loaded, irrespective of whether it has a license.
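The following audit script is an added example, not BeyondTrust's own code: it reads config.order from defendpoint.plist, walks the policy directory the way the precedence rules above describe (first listed name with a matching .xml wins, names compared case-insensitively), and reports whether the chosen file carries the ownership and mode required in the Structure section. It ships with a constructed sample directory so it can be tried without a client install; the file names, the owner and the 0660 mode are taken from this page, and the sample contents are invented.

```python
import grp
import plistlib
import pwd
import stat
import tempfile
from pathlib import Path

REQUIRED_MODE = 0o660  # _defendpoint user and group only; other users get nothing

def read_config_order(plist_path):
    """Return the config.order array from defendpoint.plist as a list of policy names."""
    with open(plist_path, "rb") as fh:
        return list(plistlib.load(fh)["config.order"])

def resolve_policy(policy_dir, order):
    """Mimic dppolicyserverd: the first name in config.order with an existing <name>.xml wins."""
    present = {p.name.lower(): p for p in Path(policy_dir).glob("*.xml")}  # names are case-insensitive
    for name in order:
        if f"{name.lower()}.xml" in present:
            return present[f"{name.lower()}.xml"]
    return None  # none of the listed policies exists in the directory

def owner_names(st):
    """(user, group) names for a stat result; numeric ids if there is no passwd/group entry."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_uid), str(st.st_gid)

def check_permissions(path, owner="_defendpoint", group="_defendpoint"):
    """Return findings (empty list means compliant) against the documented ownership and mode."""
    st = Path(path).stat()
    user, grp_name = owner_names(st)
    findings, mode = [], stat.S_IMODE(st.st_mode)
    if mode != REQUIRED_MODE:
        findings.append(f"mode is {mode:04o}, expected {REQUIRED_MODE:04o}")
    for label, actual, expected in (("owner", user, owner), ("group", grp_name, group)):
        if actual != expected:
            findings.append(f"{label} is {actual}, expected {expected}")
    return findings

def make_demo_policy_dir():
    """Constructed sample directory: a world-readable EPO.xml and a correctly restricted local.xml."""
    d = Path(tempfile.mkdtemp())
    for filename, mode in (("EPO.xml", 0o644), ("local.xml", REQUIRED_MODE)):
        (d / filename).write_text("<xml/>")  # placeholder content, not a real policy
        (d / filename).chmod(mode)
    (d / "defendpoint.plist").write_bytes(plistlib.dumps({"config.order": ["ic3", "epo", "bi", "mdm", "local"]}))
    return d
```

On a real client, pass /etc/defendpoint and the plist path from the Precedence section instead of the demo directory, and leave the owner and group arguments at their _defendpoint defaults.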