Manage System Applications

Endpoint Privilege Management for Mac examines each application and, if there is an application bundle where the application is associated with an Allow rule and Install Action match of Yes, the user can right-click the application and select Install with Privilege Management. This will install the bundle in the /Applications folder on the endpoint.

Similarly, if there is an application bundle where the application is associated with an Allow rule and Delete Action match of Yes, the user can right-click the application and select Uninstall with Privilege Management. This will uninstall the bundle from the /Applications folder on the endpoint.

If the applications do not have an Allow rule with an Install Action match or Delete Action match of Yes, the management of the bundle defaults to normal macOS functionality where admin credentials are required to manage the bundle in the /Applications folder. Standard macOS functionality is used if anything other than an Allow rule with an Install Action match or Delete Action match of Yes is associated with the application bundle, such as Block or Passive.

You cannot use File Hash matching criteria to install or uninstall unsigned bundles.

Per system functionality, applications that are running or protected by System Integrity Protection (SIP) cannot be uninstalled.

Manage the Endpoint Privilege Management Finder Extension

To use the Run with Privilege Management menu functionality to manage the System Applications folder, the Privilege Management Finder Extension must be enabled under System Preferences > Extensions > Finder Extensions.

The Finder extension allows end users to install applications. The extension works in the same way as the native macOS functionality. The following sections provide details on the Finder extension behavior.

Remove Applications From the /Applications Folder

Standard users can drag an application from the /Applications folder to the Trash.

  • If the application matches a policy entry which has Deletable set on it, then any messages configured in the policy are displayed first to the user, and the user can proceed.
  • If the policy does not contain a matching entry for the item being removed, then this is treated as a passive event and the user is prompted for an administrative user’s credentials to proceed.

Install Applications Distributed in a DMG File

The Finder extension is active within mounted DMG volumes to install applications.

As with all previous releases, if a standard user attempts to drag an application to the /Applications folder, then they are prompted for an administrator’s user name and password to proceed.

Standard users can still install applications using the Finder extension or MountAssist features, as in previous releases.

VLC media player is an example of an application distributed in a DMG volume.

Install Applications Distributed from a non-DMG File

As of version 22.7, a standard user can drag files to the /Applications folder to install applications.

This only supports application bundles which are not contained within a mounted disk (DMG).

Standard users can drag an application from the /Applications folder to the Trash.

  • If the dragged item does not match any entry in the policy, the removal is handled passively.
  • If it matches, the user can remove the application once any configured Endpoint Privilege Management for Mac messaging has completed.

Allow Authorization of the Console Application

Starting in version 24.1, this feature is no longer supported.

With the introduction of macOS Big Sur, standard user accounts are required to enter administrator credentials when attempting to stream logs in the Console application. This behavior does not use Apple's authorization services framework.

Access the Console application through the Endpoint Privilege Management for Mac context menu

To permit standard users access to the Console application, you can create a policy allowing access to the application from the Finder Extension context menu. The context menu is not available through the Dock or Spotlight.

When configured, a standard user can stream logs in the Console application as an administrator user, which mirrors the behavior of the Console application on macOS Catalina.

This feature explicitly works for the Console application in /System/Applications/Utilities/.

The feature is not available for any other application.

Configure the Authorization

Starting in version 24.1, this feature is no longer supported.

Target the Console application in an allow rule with any matching criteria. We recommend using the following:

  • Application type: Bundle
  • Matching criteria:
    • URI: com.apple.console
    • Publisher: Software Signing
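
The following added example (not part of the product or this documentation) checks a bundle's code-signing identity against the two recommended criteria before you commit them to a rule. It assumes that the rule's URI corresponds to the `Identifier=` line and its Publisher to the first (leaf) `Authority=` line of `codesign -dv --verbose=4` output; the sample outputs embedded below are constructed in that format so the check runs without macOS.

```shell
#!/bin/sh
# Check a bundle's code-signing identity against the recommended allow-rule
# criteria: URI (bundle identifier) and Publisher (leaf signing authority).
# Reads the output of `codesign -dv --verbose=4 <bundle>` on stdin.
# Returns 0 when both criteria match, 1 otherwise (including unsigned bundles,
# which print no Identifier= line at all).
check_rule_criteria() {
    want_uri="$1"
    want_publisher="$2"
    uri=""
    publisher=""
    while IFS= read -r line; do
        case "$line" in
            Identifier=*) uri="${line#Identifier=}" ;;
            # codesign lists the certificate chain leaf-first; keep the leaf.
            Authority=*) [ -n "$publisher" ] || publisher="${line#Authority=}" ;;
        esac
    done
    [ "$uri" = "$want_uri" ] && [ "$publisher" = "$want_publisher" ]
}

# Constructed samples in codesign's output format (not captured from a real
# machine) so the check can be exercised offline.
SAMPLE_CONSOLE='Executable=/System/Applications/Utilities/Console.app/Contents/MacOS/Console
Identifier=com.apple.console
Format=app bundle with Mach-O thin (arm64)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA'

SAMPLE_THIRD_PARTY='Executable=/Applications/ExampleTool.app/Contents/MacOS/ExampleTool
Identifier=com.example.tool
Authority=Developer ID Application: Example Corp (PLACEHOLDERTEAMID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

SAMPLE_UNSIGNED='/Applications/Unsigned.app: code object is not signed at all'

# Wrappers that run the check over each sample; exit 0 = matches the Console rule.
console_sample_matches()     { printf '%s\n' "$SAMPLE_CONSOLE"     | check_rule_criteria com.apple.console 'Software Signing'; }
third_party_sample_matches() { printf '%s\n' "$SAMPLE_THIRD_PARTY" | check_rule_criteria com.apple.console 'Software Signing'; }
unsigned_sample_matches()    { printf '%s\n' "$SAMPLE_UNSIGNED"    | check_rule_criteria com.apple.console 'Software Signing'; }

# On a Mac, run against the real bundle (codesign writes to stderr):
#   codesign -dv --verbose=4 /System/Applications/Utilities/Console.app 2>&1 \
#     | check_rule_criteria com.apple.console 'Software Signing' && echo match
```

Only the first Authority line is compared, so a rule whose Publisher names an intermediate or root certificate would not match, which is the behaviour you want when the intent is to pin the Apple system-signing identity.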

Keep the following points in mind when setting up the policy:

  • If you are using a variation of the QuickStart policy for Mac, you might need to add a new rule above the (Default) Passive - System Trusted in All Users as the Console application matches within that Application Group.
  • If the allow rule is configured with a message, then the message appears when the user attempts to open the Console application in a traditional method. We recommend using an allow rule without a message so that the users can use the feature without being prompted.