Management of System Applications

Privilege Management for Mac examines each application bundle. If the bundle is associated with a Privilege Management Allow rule whose Install Action match is Yes, the user can right-click the application and select Install with Privilege Management, which installs the bundle into the /Applications folder on the endpoint.

Similarly, if the bundle is associated with a Privilege Management Allow rule whose Delete Action match is Yes, the user can right-click the application and select Uninstall with Privilege Management, which removes the bundle from the /Applications folder on the endpoint.

If an application bundle has no Privilege Management Allow rule with an Install Action or Delete Action match of Yes, management of the bundle falls back to standard macOS behavior, where administrator credentials are required to add or remove the bundle in the /Applications folder. The same standard behavior applies when anything other than an Allow rule with an Install Action or Delete Action match of Yes, such as a Block or Passive rule, is associated with the bundle.

You cannot use File Hash matching criteria to install or uninstall unsigned bundles.

Per system functionality, applications that are running or protected by System Integrity Protection (SIP) cannot be uninstalled.

Manage the Privilege Management Finder Extension

To use Run with Privilege Management menu functionality to manage the System Applications folder, the Privilege Management Finder Extension must be enabled under System Preferences > Extensions > Finder Extensions.

Allow Authorization of the Console Application

With the introduction of macOS Big Sur, standard user accounts are required to enter administrator credentials when attempting to stream logs in the Console application. This behavior does not use Apple's authorization services framework.

Access the Console application through the Privilege Management for Mac context menu

To permit standard users access to the Console application, you can create a policy allowing access to the application from the Finder Extension context menu. The context menu is not available through the Dock or Spotlight.

When configured, a standard user can stream logs in the Console application as an administrator user, which mirrors the behavior of the Console application on macOS Catalina.

This feature explicitly works for the Console application in /System/Applications/Utilities/.

The feature is not available for any other application.

Configure the Authorization

Target the Console application in an allow rule with any matching criteria. We recommend using the following:

  • Application type: Bundle
  • Matching criteria:
    • URI: com.apple.console
    • Publisher: Software Signing
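Before writing the rule, a practitioner will usually confirm that the values the policy is keyed on are what the endpoint actually reports for the bundle. The following is an added example and is not part of the BeyondTrust documentation or product: it assumes the URI criterion is compared with the bundle identifier and the Publisher criterion with the leaf signing authority, as reported by `codesign -dv --verbose=2`. The two sample outputs are constructed; `Example.app` and the team identifier in the second sample are placeholders.

```shell
#!/bin/sh
# Added example (not BeyondTrust's code): check that a bundle's identifier and
# leaf signing authority match the URI / Publisher criteria of an allow rule.

# Constructed sample of the relevant lines from
#   codesign -dv --verbose=2 /System/Applications/Utilities/Console.app
# (codesign lists the leaf certificate's Authority= line first).
SAMPLE_CONSOLE_OUTPUT='Executable=/System/Applications/Utilities/Console.app/Contents/MacOS/Console
Identifier=com.apple.console
Format=app bundle with Mach-O universal (x86_64 arm64e)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA'

# Constructed sample for a third-party bundle signed with a Developer ID
# certificate; used to show the check failing. Names are placeholders.
SAMPLE_OTHER_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Bundle identifier: the value of the first Identifier= line.
bundle_identifier() {
    printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | head -n 1
}

# Leaf signing authority: the value of the first Authority= line.
leaf_authority() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1
}

# Compare codesign output against the rule's expected URI and Publisher.
# Returns 0 on a full match, 1 otherwise, and prints the values seen so an
# auditor can tell which criterion diverged.
rule_matches() {
    expected_uri=$1
    expected_publisher=$2
    output=$3
    uri=$(bundle_identifier "$output")
    pub=$(leaf_authority "$output")
    if [ "$uri" = "$expected_uri" ] && [ "$pub" = "$expected_publisher" ]; then
        printf 'match: URI=%s Publisher=%s\n' "$uri" "$pub"
        return 0
    fi
    printf 'no match: URI=%s Publisher=%s\n' "$uri" "$pub"
    return 1
}

# Live check on a macOS endpoint. codesign writes its details to stderr, so
# both streams are captured; a missing or unsigned bundle returns 2.
check_console_bundle() {
    bundle=${1:-/System/Applications/Utilities/Console.app}
    out=$(codesign -dv --verbose=2 "$bundle" 2>&1) || return 2
    rule_matches com.apple.console 'Software Signing' "$out"
}

# Offline demonstration on the constructed samples.
rule_matches com.apple.console 'Software Signing' "$SAMPLE_CONSOLE_OUTPUT"
rule_matches com.apple.console 'Software Signing' "$SAMPLE_OTHER_OUTPUT"
```

On a real endpoint, run `check_console_bundle` (or pass another bundle path) to see the live values; the offline calls at the end only exercise the parsing on the constructed samples.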

Keep the following points in mind when setting up the policy:

  • If you are using a variation of the QuickStart policy for Mac, you might need to add the new rule above the (Default) Passive - System Trusted rule in All Users, because the Console application already matches within that Application Group.
  • If the allow rule is configured with a message, the message appears when the user opens the Console application by a traditional method. We recommend an allow rule without a message so that users can use the feature without being prompted.