Install the Privilege Management for Mac Client
The Privilege Management for Mac client enables Privilege Management settings to be applied to macOS computers.
To install Privilege Management for Mac, download and run the client installer package (*.pkg).
Privilege Management for Mac may be installed manually, but for larger installations we recommend you use a suitable third-party software deployment system.
There is no license to add during the client installation, as this is deployed with the Privilege Management Workstyles, so the client may be installed silently.
Requirements
For more information about the installation requirements, please see Privilege Management Release Notes.
Install Privilege Management for Mac
In an upgrade scenario, we recommend the following order of operations:
- Update System Preferences to enable system extensions using the configuration profile (.mobileconfig file) provided by BeyondTrust with your MDM.
- Upgrade the Privilege Management for Mac client.
If you do not use an MDM, then update System Preferences after upgrading the client.
macOS System Settings
The Privilege Management for Mac client uses system extensions for application control where available.
Configure the following macOS system settings for Privilege Management for Mac:
- System extensions require authorization
- System extensions require Full Disk Access permission
A macOS configuration profile (.mobileconfig file) is available with the Privilege Management for Mac download to apply these settings. For convenience, we recommend importing the configuration profile into MDM to enable the new functionality.
The best way to configure the system settings is using the configuration profile provided by BeyondTrust. Alternative methods are described below.
Authorization
There are two ways to configure authorization on the system extensions:
- Manually: Configure Security & Privacy in System Preferences.
- MDM: Use the BeyondTrust configuration profile provided in the installer download. Alternatively, Apple provides MDM settings to auto-authorize system extensions on a system.
For more information, please see SystemExtensions.
Full Disk Access
The system extensions need to be granted Full Disk Access in Security & Privacy in System Preferences.
For more information, please see Change Privacy preferences on Mac.
Uninstall Privilege Management for Mac
The uninstall scripts must be run from their default locations.
Uninstall Privilege Management
To uninstall Privilege Management locally on a Mac, run the following command:
sudo /usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh
Uninstall the Mac Adapter
To uninstall the Mac adapter, run the following command. After running the uninstall script, some related directories, such as /Library/Application Support/Avecto/iC3Adapter, remain if they are not empty.
sudo /usr/local/libexec/Avecto/iC3Adapter/1.0/uninstall_ic3_adapter.sh
Remove the Privilege Management Policy
To remove the policy once you have uninstalled Privilege Management, run the following command:
sudo rm -rf /etc/defendpoint
Do not remove the Privilege Management policy unless you have already uninstalled Privilege Management.
Upgrade the Privilege Management Mac Client
This process applies to PMC. For ePO, you can manage the upgrade through ePO Server.
To upgrade Privilege Management for Mac:
- Uninstall Privilege Management (or unload the daemon).
- Install the new version of Privilege Management for Mac.
- Install the new version of the PMC Mac adapter.
Your events for PMC are migrated as part of this process.
Use Anti-tamper Protection
A safety mechanism in the Privilege Management for Mac agent automatically blocks attempts to change or disable any footprint of the agent or policies. The built-in anti-tamper protection does not require adding explicit block rules.
The anti-tamper protection prevents Standard Users from tampering with the Privilege Management for Mac client, all platform adapters, policies, and settings files.
By default, anti-tamper protection is turned off.
There are two ways to turn on anti-tamper:
- Use the Rapid Deployment Tool and distribute the settings package to endpoints.
- Use the tool installed with the Privilege Management for Mac.
Turn on Anti-tamper Protection
From the command line, run:
sudo pmfm protection enable
Turn off Anti-tamper Protection
From the command line, run:
sudo pmfm protection disable
Confirm the Status of the Tool
sudo pmfm status
The response indicates if the tool is on or off:
{"protection":{"enabled":true}}
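As an added example (not BeyondTrust's own tooling), the following POSIX shell script audits one endpoint against the default install locations, policy directory and pmfm status output documented on this page; the --audit flag, the function names and the exit-code convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not BeyondTrust's own tooling: audit one endpoint against the
# install paths, policy directory and pmfm status output documented above.
set -u

PM_UNINSTALL=/usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh
ADAPTER_UNINSTALL=/usr/local/libexec/Avecto/iC3Adapter/1.0/uninstall_ic3_adapter.sh
POLICY_DIR=/etc/defendpoint

# Reads the JSON printed by `pmfm status` and returns 0 (enabled), 1 (disabled)
# or 2 (unrecognised output), so a garbled reply is never mistaken for "enabled".
protection_enabled() {
  compact=$(printf '%s' "$1" | tr -d ' \t\r\n')
  case "$compact" in
    *'"protection":{"enabled":true'*)  return 0 ;;
    *'"protection":{"enabled":false'*) return 1 ;;
    *) return 2 ;;
  esac
}

# Returns the number of expected paths that are absent (0 = client, adapter
# and policy are all present at their default locations).
missing_paths() {
  n=0
  for p in "$PM_UNINSTALL" "$ADAPTER_UNINSTALL" "$POLICY_DIR"; do
    [ -e "$p" ] || { echo "MISSING: $p"; n=$((n + 1)); }
  done
  return "$n"
}

# Runs every check; exit status 0 means the endpoint is compliant.
audit_endpoint() {
  rc=0
  missing_paths || rc=1
  if out=$(sudo pmfm status 2>/dev/null); then
    st=0; protection_enabled "$out" || st=$?
    case "$st" in
      0) echo "anti-tamper: enabled" ;;
      1) echo "anti-tamper: DISABLED"; rc=1 ;;
      *) echo "anti-tamper: unrecognised status output: $out"; rc=1 ;;
    esac
  else
    echo "pmfm status failed (client not installed or not run as admin)"; rc=1
  fi
  return "$rc"
}

# Assumed entry point: invoke with --audit from an MDM script or a shell.
if [ "${1:-}" = "--audit" ]; then audit_endpoint; fi
```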