Management of Disk Mounted Images

Privilege Management for Mac examines each mounted Disk Image (DMG) when it is running with a valid license. If the Disk Image contains one or more application bundles that are matched by an Allow rule in the Workstyle's policy, and the Install Action in that Application Rule is also set to Yes, the user is allowed to copy those bundles to the system Applications folder on the endpoint.

If a bundle has no Privilege Management Allow rule, copying falls back to standard macOS behaviour, where admin credentials are required to copy the bundle into the system Applications folder. The same standard macOS behaviour applies when anything other than an Allow rule is associated with the bundle in the DMG, such as a Block or Passive rule.

Previously, to trigger the copy functionality, the bundle from the DMG only had to be in an Application Group with a Privilege Management Allow rule. As of version 5.4, that condition still applies, but the bundle must also have Install Action set to Yes in the Application matching criteria within the Application Group settings before the user can right-click and choose Install with Defendpoint. Existing policies must be updated to reflect this change in functionality.

For more information, please see Management of System Applications.

Configuration of the defendpoint.plist File

Management of DMGs is enabled by default, but it can be turned off by editing the defendpoint.plist file.

The location for the defendpoint.plist file is /Library/Application Support/Avecto/Defendpoint/defendpoint.plist.

Set the MountAssistant key to false to turn off Privilege Management for Mac's management of DMG files (it is true by default):

<key>MountAssistant</key>
<false/>

You must restart the defendpointd daemon after editing the defendpoint.plist file for any changes to take effect. You can either restart the machine or run these commands from a terminal:

sudo launchctl unload /Library/LaunchDaemons/com.avecto.defendpointd.plist
sudo launchctl load /Library/LaunchDaemons/com.avecto.defendpointd.plist

If you add the -w parameter to the unload command, launchd also marks the daemon as disabled, so a reboot will not start it again. Without -w, the daemon starts again when the endpoint reboots.

Format of Messages

Within the defendpoint.plist file you can also customize the message strings shown to the user. Each message is stored as a key tag followed by a string tag:

<key>MountMessageAllow</key>
<string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>

The following placeholders can be used:

  • [APP_NAME]: Replaced by the Application Name.
  • [MOUNT_NAME]: Replaced by the Volume Name of the mounted DMG.

When you enter your own strings for the above keys, the formatting is 'what you see is what you get': a line break in the string produces a new line in the displayed message.

You can configure the message displayed to the user at the endpoint in the following scenarios:

  • MountMessageAllow: Message that appears when a DMG containing an allowed bundle is mounted.
  • MountMessageNoteSame: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed, but the same version already exists in the destination.
  • MountMessageNoteNewer: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed, but a newer version of the bundle already exists in the destination.
  • MountMessageNoteOlder: Message that appears in smaller text below the MountMessageAllow message if the bundle is allowed, but an older version of the bundle already exists in the destination.
  • MountNotificationSuccess: Message that appears in the macOS notification center when the copying process succeeds.
  • MountNotificationFailure: Message that appears in the macOS notification center when the copying process fails.

If the message keys above are not set, Privilege Management for Mac uses its default strings. If you include the <key> but leave the <string> empty, the message will be empty.

You must use escaped characters for valid XML, as in the table below:

Symbol   Escaped Form
"        &quot;
&        &amp;
'        &apos;
<        &lt;
>        &gt;

The following examples show sample messages in the defendpoint.plist file.

<key>MountMessageAllow</key>
<string>Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?</string>

<key>MountMessageNoteSame</key>
<string>Note: same version of the item named "[APP_NAME]" already exists in this location.</string>

<key>MountMessageNoteNewer</key>
<string>Note: a newer version of the item named "[APP_NAME]" already exists in this location.</string>

<key>MountMessageNoteOlder</key>
<string>Note: an older version of the item named "[APP_NAME]" already exists in this location.</string>

<key>MountNotificationSuccess</key>
<string>"[APP_NAME]" was successfully copied from "[MOUNT_NAME]" into the Applications folder.</string>

<key>MountNotificationFailure</key>
<string>"[APP_NAME]" was not successfully copied from "[MOUNT_NAME]" into the Applications folder.</string>
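The following script is an added example, not BeyondTrust's own tooling, covering both the MountAssistant switch and the message keys above. It assembles the Mount* keys, validates them (catching a misspelled key, an unknown placeholder, or an empty string that would blank the dialog), and merges them into an existing plist with Python's plistlib, which escapes &, < and > for you so no entities have to be written by hand. The key names and placeholders are the ones this page documents; the path and the sample plist are constructed for the example.

```python
#!/usr/bin/env python3
"""Build, validate and serialise the DMG-handling keys of defendpoint.plist.

Added example, not BeyondTrust's own tooling. Key names and placeholders are
the ones this page documents; PLIST_PATH is the path the page gives. Writing
to that path and reloading the daemon are left to the caller.
"""
import plistlib
import re
from pathlib import Path

PLIST_PATH = Path("/Library/Application Support/Avecto/Defendpoint/defendpoint.plist")

# Switch that turns DMG management on (True, the default) or off (False).
SWITCH_KEY = "MountAssistant"

# Message keys this page documents (the dialog-note key is spelled "Older",
# matching the page's XML sample).
MESSAGE_KEYS = (
    "MountMessageAllow",
    "MountMessageNoteSame",
    "MountMessageNoteNewer",
    "MountMessageNoteOlder",
    "MountNotificationSuccess",
    "MountNotificationFailure",
)
PLACEHOLDERS = {"APP_NAME", "MOUNT_NAME"}
PLACEHOLDER_RE = re.compile(r"\[([A-Za-z_]+)\]")


def validate(settings: dict) -> list:
    """Return a list of problems with the Mount* keys; an empty list means clean."""
    problems = []
    for key, value in settings.items():
        if not key.startswith("Mount"):
            continue  # other Defendpoint keys are out of scope here
        if key == SWITCH_KEY:
            if not isinstance(value, bool):
                problems.append(f"{key}: expected <true/> or <false/>, got {value!r}")
        elif key in MESSAGE_KEYS:
            if not isinstance(value, str):
                problems.append(f"{key}: expected a <string>, got {type(value).__name__}")
            elif value == "":
                problems.append(f"{key}: empty string, the message will show no text")
            else:
                for name in PLACEHOLDER_RE.findall(value):
                    if name not in PLACEHOLDERS:
                        problems.append(f"{key}: unknown placeholder [{name}]")
        else:
            # e.g. "MountAssist" or "MountMessageNoteOld": not read by the daemon
            problems.append(f"{key}: not a documented key (misspelling?)")
    return problems


def render(template: str, app_name: str, mount_name: str) -> str:
    """Preview a message as the endpoint would display it."""
    return template.replace("[APP_NAME]", app_name).replace("[MOUNT_NAME]", mount_name)


def dmg_settings(enabled: bool = True, **messages: str) -> dict:
    """Assemble the Mount* dictionary; unknown message keys are rejected early."""
    unknown = set(messages) - set(MESSAGE_KEYS)
    if unknown:
        raise KeyError(f"not a documented message key: {sorted(unknown)}")
    return {SWITCH_KEY: enabled, **messages}


def merge_plist(existing: bytes, settings: dict) -> bytes:
    """Apply settings to an existing plist (or an empty one) and return XML bytes.

    plistlib escapes &, < and > itself, so a message such as
    'Copy "Foo & Bar" <beta>?' round-trips without hand-written entities.
    """
    data = plistlib.loads(existing) if existing else {}
    data.update(settings)
    return plistlib.dumps(data, fmt=plistlib.FMT_XML, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: an existing plist that carries an unrelated key.
    current = plistlib.dumps({"SomeOtherKey": 1})
    new = dmg_settings(
        enabled=False,
        MountMessageAllow='Allow copying "[APP_NAME]" from "[MOUNT_NAME]" to Applications?',
    )
    for problem in validate(new):
        raise SystemExit(problem)
    print(merge_plist(current, new).decode())
    # To apply for real: write the bytes to PLIST_PATH as root, then reload
    # com.avecto.defendpointd with launchctl as described above.
```

Run the validator before reloading the daemon: a misspelled key such as MountAssist is simply ignored at runtime, so DMG management would stay enabled with no error to tell you why.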