Install the Privilege Management for Mac Client

The Privilege Management for Mac client enables Privilege Management settings to be applied to Mac computers.

To install Privilege Management for Mac, download and run the client installer package (*.pkg).

Privilege Management for Mac may be installed manually, but for larger installations we recommend you use a suitable third-party software deployment system.

There is no license to add during the client installation, because the license is deployed with the Privilege Management Workstyles. The client may therefore be installed silently.

Install Privilege Management for Mac

To upgrade to Privilege Management for Mac, we recommend the following order of operations:

  1. Update System Preferences to enable system extensions using the configuration profile (.mobileconfig file) provided by BeyondTrust with your MDM.
  2. Upgrade the Privilege Management for Mac client.

If you do not use an MDM, then update System Preferences after upgrading the client.

macOS System Settings

The Privilege Management for Mac client uses system extensions for application control where available.

Configure the following macOS system settings for Privilege Management for Mac:

  • System extensions require authorization
  • System extensions require Full Disk Access permission

A macOS configuration profile (.mobileconfig file) is available with the Privilege Management for Mac download to apply these settings. For convenience, we recommend importing the configuration profile into MDM to enable the new functionality.

The best way to configure the system settings is to use the configuration profile provided by BeyondTrust. Alternative methods are described below.

Authorization

There are two ways to configure authorization on the system extensions:

  • Manually: Configure Security & Privacy in System Preferences.
  • MDM: Use the BeyondTrust configuration profile provided in the installer download. Alternatively, Apple provides MDM settings to automatically authorize system extensions on a system.

For more information, please see SystemExtensions.

Full Disk Access

The system extensions need to be granted Full Disk Access in Security & Privacy in System Preferences.

For more information, please see Change Privacy preferences on Mac.

Uninstall Privilege Management for Mac

The uninstall scripts must be run from their default locations.

Uninstall Privilege Management

To uninstall Privilege Management locally on a Mac, run the following command:

sudo /usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh

Uninstall the Privilege Management ePO Adapter

To uninstall the Privilege Management ePO Adapter locally on a Mac, run the following command:

sudo /usr/local/libexec/avecto/ePOAdapter/1.0/uninstall_epo_adapter.sh

Uninstall Privilege Management and the Privilege Management ePO Adapter

To uninstall Privilege Management and the Privilege Management ePO Adapter locally on a Mac, run the following command:

sudo /usr/local/libexec/avecto/ePOAdapter/1.0/uninstall_epo_deployment.sh

Uninstall the Mac Adapter

To uninstall the Mac adapter, run the following command. After running the uninstall script, some related directories remain if they are not empty, such as /Library/Application Support/Avecto/iC3Adapter.

sudo /usr/local/libexec/Avecto/iC3Adapter/1.0/uninstall_ic3_adapter.sh

Remove the Privilege Management Policy

To remove the policy once you have uninstalled Privilege Management, run the following command:

sudo rm -rf /etc/defendpoint

Do not remove the Privilege Management policy unless you have already uninstalled Privilege Management.
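
The ordering rule above can be enforced by a wrapper script. The following is an added example, not BeyondTrust code: it runs the client uninstall script from its default location and removes /etc/defendpoint only if that script exits with status 0. The two paths are the ones given on this page; PM_ROOT, the function names, the --run switch and the reading of exit status 0 as a successful uninstall are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not BeyondTrust code. Paths are the defaults listed on this page.
# PM_ROOT is a hypothetical prefix used only to rehearse against a test tree;
# leave it empty on a real Mac and run the script with sudo.
PM_ROOT="${PM_ROOT:-}"
PM_UNINSTALL="/usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh"
PM_POLICY_DIR="/etc/defendpoint"

# Run the client uninstall script in place, from its default location.
# Returns 2 if the script is missing, otherwise the script's own exit status.
pm_uninstall_client() {
    script="${PM_ROOT}${PM_UNINSTALL}"
    if [ ! -x "$script" ]; then
        echo "uninstall script not found at default location: $script" >&2
        return 2
    fi
    "$script"
}

# Remove the policy directory only after the client uninstall succeeded.
# Assumption: the uninstall script exits 0 on success.
pm_uninstall_then_remove_policy() {
    if ! pm_uninstall_client; then
        echo "client uninstall did not succeed; policy left in place" >&2
        return 1
    fi
    # ${VAR:?} aborts instead of expanding to an empty path for rm -rf.
    rm -rf -- "${PM_ROOT}${PM_POLICY_DIR:?}"
}

# Act only when invoked with --run, so sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    pm_uninstall_then_remove_policy
fi
```

If the uninstall script is missing or fails, the wrapper returns a non-zero status and the policy directory is left untouched.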

Upgrade the Privilege Management Mac Client

This process applies to PMC. For ePO, you can manage the upgrade through ePO Server.

To upgrade Privilege Management for Mac:

  1. Uninstall Privilege Management (or unload the daemon).
  2. Install the new version of Privilege Management for Mac.
  3. Install the new version of the PMC Mac adapter.

Your events for PMC are migrated as part of this process.