Events in Privilege Management for macOS

Privilege Management for Mac sends events to ePO using the McAfee Agent, and also to the local application event log, depending on the audit and privilege monitoring settings within the Privilege Management for Mac policy.

The following events are logged by Privilege Management for Mac :

Mac Process Events

ePO ID (Event ID) Description
202250 (100) Process has started with admin rights added to token.
202256 (106) Process has started with no change to the access token (passive mode).
202266 (116) Process execution was blocked.
202270 (120) Process execution was canceled by the user
203051 (130) A bundle was installed.
203052 (131) A bundle was deleted.

Each process event contains the following information:

  • Command line for the process
  • Process ID for the process (if applicable)
  • Parent process ID of the process
  • Workstyle that applied
  • Application group that contained the process
  • End user reason (if applicable)
  • Custom access token (if applicable)
  • File hash
  • Certificate (if applicable)

Each process event also contains product properties, where applicable, but these can only be viewed in the Privilege Management Reporting Console.