Message Design

You can configure the following aspects of a message:

  • Message Header Settings
  • User Reason Settings
  • User Authorization
  • Sudo User Authorization
  • Challenge / Response Authorization

As you change the message options, the preview message updates to show you your changes in real-time. Program and content information is shown with placeholders.

After you configure the message options, you can configure the Message Text, which includes the ability to configure different languages.

The options here are preselected based on the type of message you created but you can override those options if required.

For more information, please see Message Text.

Message Header Settings

An image depicting Message design in Privilege Management including the message header style.

The message header is highlighted here:


  • Header Style: This is preconfigured; you can choose to remove the header entirely or select from one of the templates provided. Choose from:

    • No Header
    • Privilege Management Header
    • Warning Header
    • Question Header
    • Error Header
  • Show Title Text: This check box is selected by default. You can clear it to remove the text adjacent to the icon if required.
  • Text Color: This controls the color of the text adjacent to the icon. Select the arrow to open the color picker.
  • Background Type: This option controls the color behind the text and icon. If you select Solid, then only Color 1 is available for you to change. If you select Gradient, then both Color 1 and Color 2 can be configured. If you select Custom Image, then you can't configure the colors.
  • Custom Image: This section allows you to choose from one of a number of preset custom images or you can click Manage Image to upload one of your own. The recommended image size is 450 pixels wide and 50 pixels high.
  • Color 1: This option is available if you selected Solid for the Background Type. Select Custom and choose the color you want for the background.
  • Color 2: This option is available if you selected Gradient for the Background Type. Select Custom and choose the second color you want for the background. Color 1 is the first color for Gradient backgrounds.

User Reason Settings

You can prompt end users to enter or select a reason in the following scenarios:

  • Before an application launches (Allow Execution message type)
  • Request a blocked application (Block Execution message type)

Configure the following settings:

  • User Reason Type: Select a reason type from the list. Select text box to allow the end user to enter a reason. Select drop-down to allow the end user to select a preconfigured reason from a list. Select Off if no reason is required from the end user. Configure messages on the Message Text tab.
  • Remember User Reasons (per-application): Select Yes to cache reasons provided by the end user. A user can then quickly enter a reason.

Authentication and Authorization Settings

For more information about using authentication and authorization settings, please see Authentication and Authorization Groupings in Privilege Management.

Step 1a - User Authentication

  • Authentication Type: Select from None, User must authenticate, or Designated user must authenticate.
    • User must authenticate: Select to force the user to reenter their credentials and confirm they want to run the application.
    • Designated user must authenticate: Select to designate which users can authenticatethe message. Add users from Designated Users.
  • Password or Smart Card: Select from Any, Password only, or Smart card only. Select Any to allow authentication using password or smart card / YubiKey authentication. When Password only is selected, a Username and Password field is added to the message.
  • Designated Users: If you select Designated user must authenticate, click the ... button to add the users who can authenticate the message.

If you select a method that is not available to the user, then the user cannot authenticate the message.

Step 1b - Multifactor Authentication

  • Idp Provider: To use an identity provider, select Idp - Yes from the list. If you have not already set up your global identity provider settings, then you are prompted to add these now.
  • Authentication Context Class References values (acr values): Enter the acr value. The value is optional and required only if your identity provider uses it.

For more information, please see Add an Identity Provider.

Step 1c - Authentication Grouping

  • Requirements: Select a requirement from the list. You can combine authentication methods. The authentication grouping can be and/or logic. For example, you can require that your users provide both a user name and password and authenticate with an identity provider. In this case, the end user is required to successfully authenticate with user credentials and with the identity provider. In the or scenario, the user is required to authenticate using at least one of the authentication methods.

Step 2 - Authorization

You can check the Enabled box for Challenge / Response Authorization to add a challenge code to the message. This check box is already checked if you selected a challenge message. If you have already created a Workstyle with a challenge message, then the policy will already have a challenge / response key. Select Change Key and enter a new challenge / response code twice to change it.

  • Challenge Response (C/R): Set this option to C/R - Yes to present the user with a challenge code. The user must enter a matching response code to proceed. When this option is enabled for the first time, you must enter a shared key. You can click Edit Key to change the shared key for this message.
  • Authorization Period (per-application): Set this option to determine the length of time a successfully returned challenge code is active for. Choose from:
    • Once: A persistent challenge code for an application. The code is available until used to authorize the application or the maximum retries is exceeded (if set). Once authorized, you are allowed to use the application. When you relaunch the application, you must use a new challenge code.
  • Maximum Attempts: This option determines how many attempts the user has to enter a successful response code for each new challenge. Set this option to Three Attempts to restrict the user to three attempts, otherwise set this option to Unlimited.

After the third failure to enter a valid response code, the message will be canceled and the challenge code will be rejected. The next time the user attempts to run the application, they will be presented with a new challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.

Step 3 - User Authentication & Authorization Grouping

  • Requirements: Select a grouping from the list. You can use authentication and authorization settings together, grouped by and/or logic.

Sudo User Authorization

You can use the Don't ask for password if already entered dropdown to control how frequently the user has to enter a password to use the sudo command. This text option is only enabled if the User Authorization has been set to User must authorize or Designated user must authorize.

The available options are:

  • Ask every time
  • Less than 1 minute ago
  • Less than 5 minutes ago
  • Less than 15 minutes ago
  • Only ask once per session

For more information, please see Challenge / Response Authorization.

Image Manager

The Image Manager associated with message creation allows you to Add, Modify, Export, and Delete images referenced in message headers.

All images are stored inside the Workstyles as compressed and encoded images.

We strongly recommend you delete any unused images to minimize the size of the policies, as Privilege Management for Mac does not automatically delete unreferenced images.

The Image Manager is accessible from the Message Design tab. Click the Manage Images button next to the Custom Image dropdown menu.

An image of the Image Manager in Privilege Management.

To upload an image:

  1. Click Upload Image. The Import Image status dialog box appears. Click Choose file and browse to the location of the file.
  2. Select the image and enter an Image Description. Click OK.
  3. The image will be uploaded into Image Manager.

Images must be *.PNG format and be sized between 450x50.


To edit an image:

  1. In the Custom Image field, select Manage Images.
  2. Select the image in the list and click Edit.
  3. The Image Properties dialog box appears.
  4. Alter the description and click OK.

To delete an image:

  1. Select the image in the list and click Delete.
  2. When prompted, click Yes to delete the image.

If an image is referenced by any messages, then you will not be allowed to delete it.