Events in Endpoint Privilege Management for macOS
The following events are logged by Endpoint Privilege Management:
Mac Process Events
ePO ID (Event ID) | Description |
---|---|
202250 (100) | Process has started with admin rights added to token. |
202256 (106) | Process has started with no change to the access token (passive mode). |
202266 (116) | Process execution was blocked. |
202270 (120) | Process execution was canceled by the user. |
203051 (130) | A bundle was installed. |
203052 (131) | A bundle was deleted. |
Each process event contains the following information:
- Command line for the process
- Process ID for the process (if applicable)
- Parent process ID of the process
- Workstyle that applied
- Application group that contained the process
- End user reason (if applicable)
- Custom access token (if applicable)
- File hash
- Certificate (if applicable)
Each process event also contains product properties, where applicable, but these can only be viewed in the Endpoint Privilege Management Reporting Console.