Install the Privilege Management for Mac Client

The Privilege Management for Mac client enables Privilege Management settings to be applied to macOS computers.

To install Privilege Management for Mac, download and run the client installer package (*.pkg).

Privilege Management for Mac may be installed manually, but for larger installations we recommend you use a suitable third-party software deployment system.

No license key is entered during client installation: licensing is delivered with the Privilege Management Workstyles in the policy, so the client can be installed silently.

Requirements

For more information about the installation requirements, please see Privilege Management Release Notes.

Install Privilege Management for Mac

In an upgrade scenario, we recommend the following order of operations:

  1. Update System Preferences to enable system extensions using the configuration profile (.mobileconfig file) provided by BeyondTrust with your MDM.
  2. Upgrade the Privilege Management for Mac client.

If you do not use an MDM, then update System Preferences after upgrading the client.

Different Versions of Agents

In some estates, a range of different agent versions can exist together. Here are a couple of scenarios where this might occur:

  • An older version of the agent might be needed for an older OS. For example, agent version 21.7 does not support 10.14 Mojave so an earlier version is required.
  • A company might create a pilot group to run a newer version for agent testing while the rest of the estate runs the older version.

Policies remain backwards compatible when new features are added. You can configure new features in your policies and use them with newer agents; any older agents in your estate ignore the features they do not understand, without affecting how those agents function or how the rest of the policy is applied.

macOS System Settings

The Privilege Management for Mac client uses system extensions for application control on macOS versions that support them.

Configure the following macOS system settings for Privilege Management for Mac:

  • System extensions require authorization
  • System extensions require Full Disk Access permission

A macOS configuration profile (.mobileconfig file) is available with the Privilege Management for Mac download to apply these settings. For convenience, we recommend importing the configuration profile into MDM to enable the new functionality.

The recommended way to configure the system settings is the configuration profile provided by BeyondTrust. Alternative ways are described below.

Authorization

There are two ways to configure authorization on the system extensions:

  • Manually: Configure Security & Privacy in System Preferences.
  • MDM: Use the BeyondTrust configuration profile provided in the installer download. Alternatively, Apple provides MDM settings to auto-authorize system extensions on a system.

For more information, please see SystemExtensions.

Full Disk Access

The system extensions need to be granted Full Disk Access in Security & Privacy in System Preferences.

For more information, please see Change Privacy preferences on Mac.

Uninstall Privilege Management for Mac

The uninstall scripts must be run from their default locations.

Uninstall Privilege Management

To uninstall Privilege Management locally on a Mac, run the following command:

sudo /usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh

Uninstall the Mac Adapter

To uninstall the Mac adapter, run the following command. After running the uninstall script, some related directories remain if they are not empty, for example /Library/Application Support/Avecto/iC3Adapter.

sudo /usr/local/libexec/Avecto/iC3Adapter/1.0/uninstall_ic3_adapter.sh

Remove the Privilege Management Policy

To remove the policy once you have uninstalled Privilege Management, run the following command:

sudo rm -rf /etc/defendpoint

Do not remove the Privilege Management policy unless you have already uninstalled Privilege Management.
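The following script is an added example of the local uninstall sequence above; it is not BeyondTrust's own tooling. It runs the uninstall scripts only from their default locations and removes /etc/defendpoint only after the agent directory is gone, which enforces the ordering caveat above. The PMFM_* environment overrides and the PMFM_UNINSTALL_RUN guard are assumptions added so the logic can be exercised against scratch directories; the product does not define them.

```shell
#!/bin/bash
# Added example (not BeyondTrust code): uninstall Privilege Management for Mac
# locally and remove the policy only once the agent is no longer installed.
set -eu

# Default locations from the documentation. The overrides exist only so the
# functions can be tested against scratch directories (assumption).
PMFM_AGENT_DIR="${PMFM_AGENT_DIR:-/usr/local/libexec/Avecto/Defendpoint/1.0}"
PMFM_ADAPTER_DIR="${PMFM_ADAPTER_DIR:-/usr/local/libexec/Avecto/iC3Adapter/1.0}"
PMFM_POLICY_DIR="${PMFM_POLICY_DIR:-/etc/defendpoint}"

# Run an uninstall script from its documented default location. A missing or
# non-executable script is an error rather than silently skipped, so a failed
# uninstall cannot be followed by policy removal.
run_uninstall_script() {
    local script="$1"
    if [ ! -x "$script" ]; then
        echo "uninstall script not found or not executable: $script" >&2
        return 1
    fi
    sudo "$script"
}

# Remove the policy directory only if the agent directory no longer exists.
# Returns 0 when the policy was removed (or was already absent) and 2 when it
# refused because the agent is still present.
remove_policy_if_uninstalled() {
    local policy_dir="$1" agent_dir="$2"
    case "$policy_dir" in
        ""|/) echo "refusing to remove '$policy_dir'" >&2; return 1 ;;
    esac
    if [ -d "$agent_dir" ]; then
        echo "refusing to remove $policy_dir: agent still installed at $agent_dir" >&2
        return 2
    fi
    [ -d "$policy_dir" ] || return 0
    rm -rf "$policy_dir"
}

uninstall_all() {
    run_uninstall_script "$PMFM_AGENT_DIR/uninstall.sh"
    run_uninstall_script "$PMFM_ADAPTER_DIR/uninstall_ic3_adapter.sh"
    # The policy is only removed after both uninstalls returned successfully.
    remove_policy_if_uninstalled "$PMFM_POLICY_DIR" "$PMFM_AGENT_DIR"
}

# Guard so that sourcing the file does not uninstall anything (assumption).
if [ "${PMFM_UNINSTALL_RUN:-0}" = "1" ]; then
    uninstall_all
fi
```

Run it as root with PMFM_UNINSTALL_RUN=1 to perform the full sequence; sourcing the file without the guard only defines the functions.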


Upgrade the Privilege Management Mac Client

This process applies to PMC. For ePO, you can manage the upgrade through ePO Server.

To upgrade Privilege Management for Mac:

  1. Uninstall Privilege Management (or unload the daemon).
  2. Install the new version of Privilege Management for Mac.
  3. Install the new version of the PMC Mac adapter.

Your events for PMC are migrated as part of this process.

Use Anti-tamper Protection

A safety mechanism in the Privilege Management for Mac agent automatically blocks attempts to change or disable any footprint of the agent or policies. The built-in anti-tamper protection does not require adding explicit block rules.

The anti-tamper protection prevents Standard Users from tampering with the Privilege Management for Mac client, all platform adapters, policies, and settings files.

By default, anti-tamper protection is turned off.

There are two ways to turn on anti-tamper:

  • Use the Rapid Deployment Tool and distribute the settings package to endpoints.
  • Use the pmfm command line tool installed with Privilege Management for Mac.

Turn on Anti-tamper Protection

From the command line, run:

sudo pmfm protection enable

Turn off Anti-tamper Protection

From the command line, run:

sudo pmfm protection disable

Confirm the Status of the Tool

sudo pmfm status

The response indicates whether protection is on or off:

{"protection":{"enabled":true}}
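The following script is an added example, not BeyondTrust's own tooling, that turns anti-tamper protection on and then confirms it from the pmfm status output, so a deployment tool can fail the step if protection did not take effect. It parses the documented JSON shape directly rather than depending on jq or python3 being present on the endpoint. The PMFM_PROTECT_RUN guard is an assumption added so the functions can be exercised without running pmfm.

```shell
#!/bin/bash
# Added example (not BeyondTrust code): enable anti-tamper protection and
# verify the result from `pmfm status`.
set -eu

# Return 0 if the status JSON reports protection enabled. Whitespace is
# stripped first so pretty-printed output matches the same pattern; the
# pattern is tailored to the documented {"protection":{"enabled":...}} shape.
protection_enabled() {
    printf '%s' "$1" | tr -d ' \t\r\n' | grep -q '"protection":{"enabled":true'
}

# Map the status JSON to the words the documentation uses, for log output.
protection_state() {
    if protection_enabled "$1"; then
        echo on
    else
        echo off
    fi
}

# Enable protection, re-read the status and fail if it is not reported as on.
enable_and_verify() {
    sudo pmfm protection enable
    local status
    status=$(sudo pmfm status)
    if protection_enabled "$status"; then
        echo "anti-tamper protection: on"
    else
        echo "anti-tamper protection still off; status was: $status" >&2
        return 1
    fi
}

# Guard so that sourcing the file does not change the endpoint (assumption).
if [ "${PMFM_PROTECT_RUN:-0}" = "1" ]; then
    enable_and_verify
fi
```

Because enable_and_verify returns non-zero when the status does not report enabled, the same script works as a compliance check when run from an MDM or the Rapid Deployment Tool after the settings package has been applied.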