Mac Specific
Multiple Mac Policies
If your Mac estate is managed by ePO, multiple policies can be applied simultaneously, for example:
- epo.xml
- epo001.xml
- epo002.xml
In the example above, if policy precedence is set to ePO policies, rule processing first checks the rules in epo.xml. If that policy contains no rule for the process, processing moves on to epo001.xml, and so on. Policies are processed in alphanumeric order under the C locale, that is, a byte-wise comparison of the file names rather than a locale-aware or numeric one, which is why zero-padded suffixes such as epo001.xml and epo002.xml keep the intended order. Processing continues until the process matches a rule or dppolicyserverd has read all of the policies without finding a match.
If multiple policies are loaded, only one of them needs to contain an Endpoint Privilege Management for Mac license. We recommend that you do not use multiple licenses in this configuration. Each policy can have a different Challenge-Response key.
Copied-and-pasted policies with altered rules are still processed. If a loaded policy is a duplicate, the dppolicyserverd log records whether its GUIDs were replaced when the policy was loaded into memory.
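The following script is an added example, not BeyondTrust's own tooling, that lists a set of ePO policy files in the order described above (C-locale sort) and reports which file in that order is the first to mention a given string, such as an application path. Because this page does not say where ePO policy files live on disk, the policy directory is taken as a parameter; the text match is a crude troubleshooting aid, not the real rule evaluation performed by dppolicyserverd.

```sh
#!/bin/sh
# Added example (not part of the product): show the evaluation order of ePO policy files.
# Assumption: all epo*.xml policies sit in one directory, passed as $1.

epo_policy_order() {
  ( cd "$1" || exit 1
    for f in epo*.xml; do
      [ -e "$f" ] && printf '%s\n' "$f"
    done | LC_ALL=C sort )
  # LC_ALL=C sorts byte-wise: '.' (0x2E) < '0' (0x30) < '1' < '2', so epo.xml is
  # always first, and an unpadded epo10.xml would be evaluated BEFORE epo2.xml.
  # Zero-pad suffixes (epo001.xml, epo002.xml) so numeric and evaluation order agree.
}

# Usage: first_policy_mentioning PATTERN DIR
# Prints the first policy file, in evaluation order, whose text contains PATTERN.
# This is a plain text match to help locate a rule, not the engine's rule matching.
first_policy_mentioning() {
  pattern=$1; dir=$2
  for f in $(epo_policy_order "$dir"); do
    if grep -q -- "$pattern" "$dir/$f"; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}
```

Run it as epo_policy_order /path/to/policies to see the order dppolicyserverd will walk, and first_policy_mentioning /Applications/Foo.app /path/to/policies to find which policy the engine reaches first that refers to that application.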
Mac Application Templates
Endpoint Privilege Management for Mac ships with some standard application templates to simplify the definition of applications that are part of the operating system. The standard application templates are split into categories:
- System Preference Panes
- Bundles
- Binaries
Each category contains a list of applications. Selecting an application prepopulates the application definition with the appropriate information.
Add Endpoint Privilege Management for Mac Settings to a Mac Client Computer
Endpoint Privilege Management for Mac settings are stored in the file /etc/defendpoint/local.xml, and can be overwritten with an XML file exported from the MMC. To avoid applying invalid permissions to the settings file, we recommend replacing its contents with cp, as shown below: copying into the existing file keeps the ownership and mode already set on /etc/defendpoint/local.xml, whereas moving the exported file into place would carry over the permissions of the copy on your Desktop. In this example, the source XML file is located on your Desktop:
sudo cp ~/Desktop/local.xml /etc/defendpoint/local.xml
Endpoint Privilege Management for Mac will apply the new settings immediately, and does not require a restart.
If all policies are deleted, the local.xml policy is regenerated. The regenerated local.xml policy will not contain any license or rules.
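The script below is an added example, not BeyondTrust's tooling, of the replacement step above with the checks a careful administrator would add: it confirms the source is well-formed XML before it touches /etc, keeps a backup of the current policy, copies with cp so the destination keeps its existing owner and mode, and then verifies the installed file is not writable by other users. The destination path is a parameter so the function can be exercised against a scratch directory; on a real endpoint you would run it with sudo against /etc/defendpoint/local.xml.

```sh
#!/bin/sh
# Added example (not part of the product): install a policy file the way the page
# recommends (cp over the existing file) with pre- and post-checks.
# Usage: sudo sh -c '. ./install_policy.sh; install_policy ~/Desktop/local.xml /etc/defendpoint/local.xml'

file_mode() {
  # Octal permission bits, portable across GNU stat (Linux) and BSD stat (macOS).
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

install_policy() {
  src=$1; dst=$2
  [ -s "$src" ] || { echo "source $src is missing or empty" >&2; return 1; }

  # Make sure this is an XML document before it ever replaces the live policy.
  # xmllint ships with macOS and does a real parse; otherwise fall back to a
  # first-byte check, which only catches gross mistakes such as an empty export.
  if command -v xmllint >/dev/null 2>&1; then
    xmllint --noout "$src" || { echo "$src is not well-formed XML" >&2; return 1; }
  else
    [ "$(head -c 1 "$src")" = "<" ] || { echo "$src does not look like XML" >&2; return 1; }
  fi

  # Keep the current policy so the change can be rolled back.
  [ -f "$dst" ] && cp "$dst" "$dst.bak"

  # cp writes INTO the existing file, so $dst keeps its owner and mode. A mv would
  # replace the inode and bring the Desktop copy's user ownership and mode with it.
  cp "$src" "$dst" || return 1

  # Flag a policy file that unprivileged users could modify (the "invalid
  # permissions" the page warns about): the last octal digit is the "other" bits.
  mode=$(file_mode "$dst")
  case "$mode" in
    *[2367]) echo "warning: $dst is world-writable (mode $mode)" >&2; return 2 ;;
  esac
  echo "installed $dst (mode $mode); the new settings apply without a restart"
}
```

The backup file is left next to the policy; remove it once you have confirmed the new rules behave as expected, since it too is readable by anyone who can read the directory.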
Mac Sudo Command Arguments Not Supported
The following arguments are not supported by Endpoint Privilege Management for Mac when you're using sudo:
Option (single dash) | Option (double dash) | Description |
---|---|---|
-A | --askpass | use a helper program for password prompting |
-C num | --close-from=num | close all file descriptors >= num |
-E | --preserve-env | preserve user environment when running command |
-g group | --group=group | run command as the specified group name or ID |
-H | --set-home | set HOME variable to target user's home dir |
-h host | --host=host | run command on host (if supported by plugin) |
-K | --remove-timestamp | remove timestamp file completely |
-k | --reset-timestamp | invalidate timestamp file |
-l | --list | list user's privileges or check a specific command; use twice for longer format |
-n | --non-interactive | non-interactive mode, no prompts are used |
-P | --preserve-groups | preserve group vector instead of setting to target's |
-p prompt | --prompt=prompt | use the specified password prompt |
-U user | --other-user=user | in list mode, display privileges for user |
-u user | --user=user | run command (or edit file) as specified user name or ID |
-v | --validate | update user's timestamp without running a command |
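As an added example (not BeyondTrust's code), the following shell function scans a sudo command line for the options listed in the table so that scripts and launch agents can be linted before they are rolled out to EPM-managed Macs. It understands clustered short options such as -kE, attached and detached option arguments (-uroot, -u root, --user=root, --user root), the -h option's optional attached argument, and stops at -- or at the first word that is not an option; nothing is executed.

```sh
#!/bin/sh
# Added example (not part of the product): report sudo options that Endpoint
# Privilege Management for Mac does not support, taken from the table on this page.

# Short options from the table. C, g, p, U and u take a required argument; h takes
# only an attached argument (sudo declares it as "h::"), so "-h host" is help + host.
UNSUPPORTED_SHORT="ACEgHhKklnPpUuv"
SHORT_WITH_ARG="CgpUu"
# Long options from the table; those in LONG_WITH_ARG accept --name=value or --name value.
UNSUPPORTED_LONG="askpass close-from preserve-env group set-home host remove-timestamp reset-timestamp list non-interactive preserve-groups prompt other-user user validate"
LONG_WITH_ARG="close-from group host prompt other-user user"

in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# Usage: check_sudo_args [sudo options...] command [args...]
# Prints the unsupported options found, space separated; returns 1 if any, 0 if none.
check_sudo_args() {
  found=""
  while [ $# -gt 0 ]; do
    arg=$1; shift
    case "$arg" in
      --) break ;;                                  # explicit end of sudo options
      --*) name=${arg#--}; name=${name%%=*}
           in_list "$name" "$UNSUPPORTED_LONG" && found="$found --$name"
           # "--name value" (no '=') consumes the next word as its argument
           case "$arg" in
             *=*) ;;
             *) in_list "$name" "$LONG_WITH_ARG" && [ $# -gt 0 ] && shift ;;
           esac ;;
      -?*) rest=${arg#-}
           while [ -n "$rest" ]; do
             c=${rest%"${rest#?}"}; rest=${rest#?}  # first char, remainder
             case "$UNSUPPORTED_SHORT" in *"$c"*) found="$found -$c" ;; esac
             case "$SHORT_WITH_ARG" in
               *"$c"*) [ -z "$rest" ] && [ $# -gt 0 ] && shift   # "-u root"
                       break ;;                                  # "-uroot"
             esac
             [ "$c" = h ] && break                   # -hhost, or bare -h (help)
           done ;;
      *) break ;;                                   # first non-option word is the command
    esac
  done
  [ -n "$found" ] && { printf '%s\n' "${found# }"; return 1; }
  return 0
}
```

Options after the command (for example the -l in sudo ls -l) belong to the command, not to sudo, and are deliberately ignored; likewise options that the table does not list, such as -S or -i, produce no report.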
Use Centrify
If you are using Centrify to bind macOS endpoints to Active Directory, contact BeyondTrust Technical Support for assistance.