Templates

Templates can be imported into your Endpoint Privilege Management for Mac settings. When you import one, you are asked whether to merge it into your existing policy; if you do not merge, the template overwrites your existing policy.

Be careful when merging a template into a production policy. If No is selected, the existing policy settings and license information are removed and replaced by the template. If Yes is selected, the template is added to the existing policy.

macOS QuickStart

The QuickStart for macOS policy contains Workstyles, Application Groups, and Messages configured with Endpoint Privilege Management for Mac and Application Control. The QuickStart policy has been designed from BeyondTrust’s experiences of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, we recommend you thoroughly test this configuration to ensure it complies with the requirements of your organization.

This template policy contains the following elements:

Workstyles

  • All Users
  • High Flexibility
  • Medium Flexibility
  • Low Flexibility

Application Groups

  • (Default) Any Application
  • (Default) Any Authorization Prompt
  • (Default) Any Signed Authorization Prompt
  • (Default) Any Sudo Command
  • (Default) Any Trusted & Signed Authorization Prompt
  • (Default) Authorize - Delete from /Applications
  • (Default) Authorize - Install to /Applications
  • (Default) Authorize - System Trusted
  • (Default) Passive - System Trusted
  • (Default) Endpoint Privilege Management Tools
  • (Recommended) Restricted Functions
  • Authorize - All Users (Business Apps)
  • Authorize - All Users (macOS Functions)
  • Authorize - High Flexibility
  • Authorize - Medium Flexibility
  • Authorize - Low Flexibility
  • Block - Blocked Apps
  • Passive - Allowed Function & Apps
  • Passive - High Flexibility (Business Apps)
  • Passive - Low Flexibility (Business Apps)
  • Passive - Medium Flexibility (Business Apps)

Messages

  • Allow Message (Authentication & Reason)
  • Allow Message (Support Desk)
  • Allow Message (Yes / No)
  • Allow Message (select Reason)
  • Block Message

QuickStart Policy Summary

By using and building on the QuickStart policy, you can quickly improve your organization's security without having to monitor and analyze your users' behavior first and then design and create your Endpoint Privilege Management for Mac configuration.

After the QuickStart policy has been deployed to groups within your organization, you can start to gather information on your users' behavior. This will provide you with a better understanding of the applications being used within your organization, and whether they require admin rights, need to be blocked, or need authorization for specific users.

This data can then be used to further refine the QuickStart policy to provide a more tailored Endpoint Privilege Management for Mac solution for your organization.

macOS Workstyles

The QuickStart policy contains four Workstyles that should be used together to manage all users in your organization.

All Users

This Workstyle contains a set of default rules that apply to all standard users regardless of what level of flexibility they need.

The All Users Workstyle contains rules to:

  • Block any applications that are in the Block Applications group.
  • Allow BeyondTrust Support tools.
  • Allow approved standard user applications to run passively.
  • Allow and authorize the install and delete of bundles to the /Applications/ directory.

High Flexibility

This Workstyle is designed for users that require a lot of flexibility such as developers.

The High Flexibility Workstyle contains rules to:

  • Allow known allowed business applications and operating system functions to run.
  • Allow users to run signed applications with admin rights.
  • Allow users to run unknown applications with admin rights once they have confirmed the application should be elevated.
  • Allow unknown business application and operating system functions to run on-demand.

Medium Flexibility

This Workstyle is designed for users that require some flexibility such as sales engineers.

The Medium Flexibility Workstyle contains rules to:

  • Allow known allowed business applications and operating system functions to run.
  • Allow users to run signed applications with admin rights once they have confirmed the application should be elevated.
  • Prompt users to provide a reason before they can run unknown applications with admin rights.
  • Allow unknown business application and operating system functions to run on-demand.
  • Prevent restricted OS functions that require admin rights from running, and require support interaction before they are allowed.

Low Flexibility

This Workstyle is designed for users that don't require much flexibility such as helpdesk operators.

The Low Flexibility Workstyle contains rules to:

  • Prompt users to contact support if a trusted or untrusted application requests admin rights.
  • Prompt users to contact support if an unknown application tries to run with support authorization.
  • Allow known approved business applications and operating system functions to run.

macOS Workstyle Parameters

You can customize text and strings used for end user messaging and auditing.

Parameters are identified as any string surrounded by brackets ([ ]), and if detected, the Endpoint Privilege Management client attempts to expand the parameter. If successful, the parameter is replaced with the expanded property. If unsuccessful, the parameter remains part of the string. The table below shows a summary of available parameters.

Parameter               Description
[PG_APP_DEF]            The name of the Application Rule that matched the application
[PG_APP_GROUP]          The name of the Application Group that contained a matching Application Rule
[PG_COMPUTER_NAME]      The NetBIOS name of the host computer
[PG_PROG_CMD_LINE]      The command line of the application being run
[PG_PROG_NAME]          The program name of the application
[PG_PROG_PATH]          The full path of the application file
[PG_PROG_PROD_VERSION]  The product version of the application being run
[PG_PROG_PUBLISHER]     The publisher of the application
[PG_PROG_TYPE]          The type of application being run
[PG_WORKSTYLE_NAME]     The name of the Workstyle
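The expansion rule described above (a recognized parameter is replaced, anything the client cannot expand stays in the string as written) can be previewed offline before a message is deployed. This is an added example, not BeyondTrust code; the parameter names come from the table above, the event values are constructed, and the unresolved-parameter check is an authoring aid that the product itself does not advertise.

```python
import re

# Parameters listed in the table above. Any other bracketed token is treated as
# one the client cannot expand, so it is left in the string unchanged.
KNOWN_PARAMETERS = {
    "PG_APP_DEF", "PG_APP_GROUP", "PG_COMPUTER_NAME", "PG_PROG_CMD_LINE",
    "PG_PROG_NAME", "PG_PROG_PATH", "PG_PROG_PROD_VERSION", "PG_PROG_PUBLISHER",
    "PG_PROG_TYPE", "PG_WORKSTYLE_NAME",
}

# A parameter is any string surrounded by square brackets.
_PARAM_RE = re.compile(r"\[([A-Z0-9_]+)\]")


def expand_parameters(text: str, properties: dict) -> str:
    """Replace each [PARAMETER] token with its property value.

    A token is expanded only when it is a known parameter AND a value for it
    is available for this event; otherwise the bracketed text is kept as-is,
    which is the documented fallback when expansion is unsuccessful.
    """
    def _substitute(match: re.Match) -> str:
        name = match.group(1)
        if name in KNOWN_PARAMETERS and name in properties:
            return str(properties[name])
        return match.group(0)  # expansion failed: keep the literal parameter
    return _PARAM_RE.sub(_substitute, text)


def unresolved_parameters(text: str) -> list:
    """List bracketed tokens that are not in the parameter table (e.g. typos
    such as [PG_PROG_NAM]); useful when customizing message wording."""
    return [name for name in _PARAM_RE.findall(text) if name not in KNOWN_PARAMETERS]


# Constructed sample event (not real product output) for a Medium Flexibility user.
SAMPLE_EVENT = {
    "PG_WORKSTYLE_NAME": "Medium Flexibility",
    "PG_APP_GROUP": "Authorize - Medium Flexibility",
    "PG_PROG_NAME": "Example App",
    "PG_PROG_PATH": "/Applications/Example App.app",
    "PG_PROG_PUBLISHER": "Example Corp",
}

if __name__ == "__main__":
    msg = ("[PG_PROG_NAME] ([PG_PROG_PATH], published by [PG_PROG_PUBLISHER]) "
           "requested admin rights under Workstyle [PG_WORKSTYLE_NAME]. "
           "Matched group: [PG_APP_GROUP]. Computer: [PG_COMPUTER_NAME].")
    print(expand_parameters(msg, SAMPLE_EVENT))
    print("unresolved:", unresolved_parameters(msg + " [PG_PROG_NAM]"))
```

Note that [PG_COMPUTER_NAME] is a known parameter but has no value in the sample event, so it is left in the rendered message exactly as the page says an unexpanded parameter is.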

macOS Application Groups

  • (Default) Any Application: Contains all application types and is used as a catch-all for unknown applications.
  • (Default) General - Any Authorization Prompt: This group contains application types that request admin rights regardless of trust or code signature.
  • (Default) General - Any Signed Authorization Prompt: This group contains application types that request admin rights and meet macOS code signature requirements.
  • (Default) General - Any Trusted & Signed Authorization Prompt: This group contains macOS built-in applications that request admin rights and meet macOS code signature requirements.
  • (Default) Passive - System Trusted: This group contains system applications that are allowed for all users.
  • (Default) Authorize - System Trusted: This group contains system applications requiring authorization that are allowed for all users.
  • (Default) Any Sudo Commands: Contains all sudo commands and is used as a catch-all for unknown sudo commands.
  • (Default) Privilege Management Tools: Contains BeyondTrust binaries and application bundles used to gather logging or otherwise modify Endpoint Privilege Management for Mac settings.
  • (Default) Authorize - System Trusted: Contains operating system functions that are authorized for all users.
  • (Recommended) Restricted Functions: This group contains OS functions that are used for system administration and trigger an authorization prompt when they are executed.
  • Authorize - All Users (Business Apps): Contains applications such as line-of-business applications that are authorized for all users, regardless of their flexibility level.
  • Authorize - All Users (macOS Functions): This group is designed to contain system preferences and other built-in macOS functions that trigger an authorization prompt when they are executed, regardless of the user's flexibility level.
  • Authorize - High Flexibility: Contains the applications that require authorization that should only be provided to high flexibility users.
  • Authorize - Low Flexibility: Contains the applications that require authorization that should only be provided to low flexibility users.
  • Authorize - Medium Flexibility: Contains the applications that require authorization that should only be provided to medium flexibility users.
  • Block - Blocked Apps: This group contains applications that are blocked for all users.
  • Passive - Allowed Functions & Apps: This group contains applications that are allowed for all users.
  • Passive - High Flexibility (Business Apps): This group contains applications that are allowed for High Flexibility users without providing admin authorization.
  • Passive - Low Flexibility (Business Apps): This group contains applications that are allowed for Low Flexibility users without providing admin authorization.
  • Passive - Medium Flexibility (Business Apps): This group contains applications that are allowed for Medium Flexibility users without providing admin authorization.

macOS Messages

The following messages are created as part of the QuickStart policy and are used by some of the Application Rules:

  • Allow Authorize (Authentication & Reason): Asks the user to enter their password and provide a reason before the application is authorized to run.
  • Allow Message (Yes / No): Asks the user to confirm that they want to proceed to authorize an application to run.
  • Allow Message (Select Reason): Asks the user to select a reason from a drop-down list before the application is authorized to run.
  • Allow Message (Support Desk): Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.
  • Block Message: Warns the user that an application has been blocked.

Customize the QuickStart Policy

Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to the standard template.

At a minimum, you need to:

  • Configure the users or groups that can authorize requests that trigger messages.
  • Customize the messaging with your company logo and wording.
  • Assign users and groups to the high, medium, and low flexibility Workstyles.
  • Populate the Block Applications Application Group with any applications you want to block for all users.
  • Set your shared key so you can generate an Endpoint Privilege Management for Mac Response code.