Manage System Applications

Privilege Management for Mac examines each application bundle. If the bundle matches a Privilege Management Allow rule whose Install Action is set to Yes, the user can right-click the application and select Install with Privilege Management. This installs the bundle into the /Applications folder on the endpoint.

Similarly, if the bundle matches a Privilege Management Allow rule whose Delete Action is set to Yes, the user can right-click the application and select Uninstall with Privilege Management. This removes the bundle from the /Applications folder on the endpoint.

If the application does not match a Privilege Management Allow rule with an Install Action or Delete Action of Yes, management of the bundle falls back to normal macOS behavior, where admin credentials are required to manage the bundle in the /Applications folder. Standard macOS behavior also applies when anything other than such an Allow rule matches the application bundle, for example a Block or Passive rule.

You cannot use File Hash matching criteria to install or uninstall unsigned bundles.

Per system functionality, applications that are running or protected by System Integrity Protection (SIP) cannot be uninstalled.

Manage the Privilege Management Finder Extension

To use Run with Privilege Management menu functionality to manage the System Applications folder, the Privilege Management Finder Extension must be enabled under System Preferences > Extensions > Finder Extensions.

The Privilege Management for Mac Finder extension allows end users to install applications. The extension works in the same way as the native macOS functionality. The following sections provide details on the Privilege Management for Mac Finder extension behavior.

Remove Applications From the /Applications Folder

Standard users can drag an application from the /Applications folder to the Trash.

  • If the application matches a Privilege Management for Mac policy entry that has Deletable set, any messages configured in the policy are displayed to the user first, and the user can then proceed.
  • If the Privilege Management for Mac policy contains no matching entry for the item being removed, the removal is treated as a passive event and the user is prompted for an administrative user’s credentials to proceed.

Install Applications Distributed in a DMG File

The Privilege Management for Mac Finder extension is active within mounted DMG volumes to install applications.

As with all previous releases, if a standard user attempts to drag an application to the /Applications folder, then they are prompted for an administrator’s user name and password to proceed.

As in previous releases, standard users can still install applications using the Finder extension or MountAssist features.

VLC media player is an example of an application distributed in a DMG volume.

Install Applications Distributed from a non-DMG File

As of Privilege Management for Mac 22.7, a standard user can drag files to the /Applications folder to install applications.

This only supports application bundles which are not contained within a mounted disk (DMG).

Standard users can also drag an application that was installed this way from the /Applications folder to the Trash.

  • If the dragged item does not match any entry in the policy, the removal behaves passively (the user is prompted for administrator credentials).
  • If the dragged item matches a policy entry, the user can remove the application once any configured Privilege Management for Mac messaging has completed.

Allow Authorization of the Console Application

With the introduction of macOS Big Sur, standard user accounts are required to enter administrator credentials when attempting to stream logs in the Console application. This behavior does not use Apple's authorization services framework.

Access the Console application through the Privilege Management for Mac context menu

To permit standard users access to the Console application, you can create a policy allowing access to the application from the Finder Extension context menu. The context menu is not available through the Dock or Spotlight.

When configured, a standard user can stream logs in the Console application as an administrator user, which mirrors the behavior of the Console application on macOS Catalina.

This feature explicitly works for the Console application in /System/Applications/Utilities/.

The feature is not available for any other application.


Configure the Authorization

Target the Console application in an allow rule with any matching criteria. We recommend using the following:

  • Application type: Bundle
  • Matching criteria:
    • URI: com.apple.console
    • Publisher: Software Signing

Keep the following points in mind when setting up the policy:

  • If you are using a variation of the QuickStart policy for Mac, you might need to add the new rule above the (Default) Passive - System Trusted rule in All Users, because the Console application already matches within that Application Group and the earlier rule would otherwise take precedence.
  • If the allow rule is configured with a message, the message appears whenever the user opens the Console application in the traditional way. We recommend using an allow rule without a message so that users can use the feature without being prompted.
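Before committing the rule above, an administrator typically verifies that the two recommended matching criteria (URI and Publisher) really describe the bundle on the endpoint. The following added example is not BeyondTrust code; it reads CFBundleIdentifier (the URI criterion) from a bundle's Info.plist and, on a Mac where `codesign` is present, reads the signing chain, whose leaf authority for Apple system apps is "Software Signing" (the Publisher criterion). The sample Info.plist is constructed for the example.

```python
"""Check a macOS app bundle against the URI/Publisher criteria of an allow rule.
Example code for this page; not part of Privilege Management for Mac."""
import plistlib
import shutil
import subprocess
from pathlib import Path

# Constructed sample Info.plist, mirroring the Console app's bundle identifier.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.console</string>
  <key>CFBundleName</key><string>Console</string>
</dict></plist>"""


def bundle_identifier(info_plist: bytes) -> str:
    """Return CFBundleIdentifier, which is what the rule's URI criterion matches."""
    return plistlib.loads(info_plist).get("CFBundleIdentifier", "")


def signing_authorities(bundle_path: str) -> list[str]:
    """Return the Authority= chain from `codesign -dvv` (leaf first).
    Returns [] when codesign is unavailable (non-macOS host) or the bundle is unsigned."""
    if shutil.which("codesign") is None:
        return []
    proc = subprocess.run(["codesign", "-dvv", bundle_path],
                          capture_output=True, text=True)
    # codesign prints its details on stderr, one "Authority=<name>" line per cert.
    return [ln.split("=", 1)[1] for ln in proc.stderr.splitlines()
            if ln.startswith("Authority=")]


def matches_rule(identifier: str, authorities: list[str],
                 uri: str, publisher: str) -> bool:
    """Both criteria must hold: exact bundle id, and leaf signer equal to publisher.
    An unsigned bundle (empty chain) never satisfies a Publisher criterion."""
    return identifier == uri and bool(authorities) and authorities[0] == publisher


def check_bundle(bundle_path: str, uri: str, publisher: str) -> bool:
    """Evaluate a bundle on disk against the rule's URI and Publisher criteria."""
    plist_bytes = Path(bundle_path, "Contents", "Info.plist").read_bytes()
    return matches_rule(bundle_identifier(plist_bytes),
                        signing_authorities(bundle_path), uri, publisher)


if __name__ == "__main__":
    app = "/System/Applications/Utilities/Console.app"  # path from this page
    print(app, "matches:", check_bundle(app, "com.apple.console", "Software Signing"))
```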