Install the Privilege Management for Mac Client
Install the Privilege Management for Mac client to apply Privilege Management policy to macOS computers.
Privilege Management for Mac can be installed manually. We recommend a third-party software deployment tool for larger installations.
There is no license to add during the client installation, as this is deployed with the Privilege Management Workstyles, so the client may be installed silently.
Requirements
For more information about the installation requirements, please see Privilege Management Release Notes.
Install Privilege Management for Mac
To install Privilege Management for Mac, download and run the client installer package (*.pkg).
During the installation, the _avectodaemon account is created and added to the local Admin group. Do not remove this account from the group.
Different Versions of Agents
In some estates, a range of different agent versions can exist together. Here are a couple of scenarios where this might occur:
- An older version of the agent might be needed for an older OS.
- A company might create a pilot group to run a newer version for agent testing while the rest of the estate runs the older version.
We always retain backwards compatibility for the policies when adding new features. This allows you to configure and use new features in your policies and use them with newer agents. On any older agents in your estate the new features will be ignored and will not affect the function of the agents.
Configure MacOS System Settings
Privilege Management for Mac client uses system extensions for application control where available.
Configure the following macOS system settings for Privilege Management for Mac:
- Authorization
- Full Disk Access permission
You can use a macOS configuration profile (.mobileconfig file) available with the Privilege Management for Mac download to apply these settings. We recommend importing the configuration profile into MDM to enable the new functionality.
To access the .mobileconfig file, you must log on to the BeyondTrust Customer Portal and go to File Downloads. Select Privilege Management for Mac and the version. The File Downloads page will look similar to the screen capture shown.
The best way to configure the system settings is using the configuration profile provided by BeyondTrust. Optional ways are provided below.
Add Authorization
There are two ways to configure authorization on system extensions:
- Manually: Configure Privacy & Security in System Settings.
- MDM: Use the BeyondTrust configuration profile provided in the installer download. Alternatively, Apple provides MDM settings to auto-authorize system extensions.
For more information, please see SystemExtensions.
Grant Full Disk Access on System Extensions
The system extensions require the Full Disk Access permission. In System Settings, go to the Privacy & Security and select Full Disk Access.
Instructions to configure disk access vary depending on the version of your OS.
For more information, please see:
- our Knowledge Base article How to Enable Full Disk Access for the Privilege Management Components
- Change Privacy preferences on Mac.
Use Anti-tamper Protection
A safety mechanism in the Privilege Management for Mac agent automatically blocks attempts to change or disable any footprint of the agent or policies. The built-in anti-tamper protection does not require adding explicit block rules.
The anti-tamper protection prevents Standard Users from tampering with the Privilege Management for Mac client, all platform adapters, policies, and settings files.
By default, anti-tamper protection is turned off.
There are two ways to turn on anti-tamper:
- Use the Rapid Deployment Tool and distribute the settings package to endpoints
- Use the tool installed with the Privilege Management for Mac.
Turn on Anti-tamper Protection
From the command line, run:
sudo pmfm protection enable
Turn off Anti-tamper Protection
From the command line, run:
sudo pmfm protection disable
Confirm the Status of the Tool
sudo pmfm status
The response indicates if the tool is on or off:
{protection":{enabled":true}
Upgrade the Privilege Management Mac Client
In an upgrade scenario, we recommend the following order of operations:
- Update System Preferences to enable system extensions using the configuration profile (.mobileconfig file) provided by BeyondTrust with your MDM.
- Upgrade the Privilege Management for Mac client.
If you do not use an MDM, then update System Preferences after upgrading the client.
If you are using the install.sh or settings have been applied using the Rapid Deployment Tool, then run the installer package for the Privilege Management for Mac client.
The earlier version of the client is automatically uninstalled when you run the installer package.
Events are migrated as part of the upgrade.
If you are using ePO, you can manage the upgrade through ePO Server.
Uninstall Privilege Management for Mac
The uninstall scripts must be run from their default locations.
Uninstall Privilege Management
To uninstall Privilege Management locally on a Mac, run the following command:
sudo /usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh
Uninstall the Mac Adapter
To uninstall the Mac adapter, run the following command. After running the uninstall script some related directories remain if they are not empty, such as /Library/Application Support/Avecto/iC3Adapter.
sudo /usr/local/libexec/Avecto/iC3Adapter/1.0/uninstall_ic3_adapter.sh
Remove the Privilege Management Policy
To remove the policy once you have uninstalled Privilege Management, run the following command:
sudo rm -rf /etc/defendpoint
Do not remove the Privilege Management policy unless you have already uninstalled Privilege Management.
